Push ASR rules with Security Settings Management on Microsoft Defender for Endpoint managed devices

In May 2022, we announced the general availability of Security Settings Management for Microsoft for Endpoint. This release empowered security teams to configure devices with their desired antivirus, EDR and firewall settings without needing to deploy and implement additional tools or infrastructure. 

As we continue our momentum around Security Settings Management, we are excited to announce that we are expanding this capability to help cover more scenarios with support for Reduction (ASR) rules, now in public preview. This release will allow all for Endpoint managed devices to receive ASR rules via Microsoft Intune.

NOTE: If you already have Defender for Endpoint managed devices in scope of an ASR rule, this rule will start applying automatically. For more details, see Expanding support for Attack surface reduction rules with Microsoft Intune.

How does it work?

For testing purposes, we recommend you create a dedicated Azure () group for all Defender for Endpoint managed devices. This can be done by leveraging dynamic grouping capabilities.

ASR Rules

In the Intune , create an ASR rule following the usual flow. 

DanLevyMS_0-1663851737694.png

When prompted to target the rule, select the group you've created for testing purposes, and which includes only Defender for Endpoint managed devices.

DanLevyMS_1-1663851737696.png

Confirm the creation process and wait for a success indication in the Intune

DanLevyMS_2-1663851737699.png

Note that policies are typically enforced within an hour after configuration. On the client, run the Get-MpPreference command utility to validate these settings have effectively been assigned.

Frequently Asked Questions

Q/ Can I use this to target MDE managed servers with ASR rules?

A/ Yes, Windows servers that are in scope for MDE settings management (2012 R2 and up) will be able to receive ASR rules via this feature.

Q/ I have Azure AD groups that include devices managed by Intune as well as devices managed by Defender for Endpoint – do I need to recreate or review my entire grouping construct in Azure AD?

A/ As Microsoft Intune's policy distribution mechanism is agnostic to the device's management channel, using Security Settings Management in Defender for Endpoint does not require thoroughly reviewing your existing Azure AD grouping construct.

However, if you have attempted to target Defender for Endpoint managed devices with ASR rules prior to this preview announcement, you will have noticed that the settings failed to apply on the devices. With this feature now available, these devices will start successfully enforcing ASR policies.

 

This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.