Windows 10: Question about ASR Rules and Defender for Endpoint P1

Discussion in 'Windows 10 Gaming' started by Nick_Z1, May 11, 2023.

  1. Nick_Z1 Win User

    Question about ASR Rules and Defender for Endpoint P1


    I am looking for some clarification on the ASR rule configuration and how it plays into the Defender for Endpoint P1 license. I recently bought a P1 license to test ASR rules on endpoints, configured a GP with ASR rules configured to apply to my endpoint, then applied the license to me. Soon after, my developer let me know that he was being blocked from executing a Visual Basic app. It was one of the rules I set for myself, but I noticed the GP also included another set of users by accident. He did not have a P1 license, nor was his endpoint onboarded in the Windows Security dashboard. Question

    :)
     
    Nick_Z1, May 11, 2023
    #1
  2. Compumind Win User

    Microsoft Defender will soon block Windows password theft

    ASR is really a Server (and Client) based, Microsoft Endpoint protection feature that needs careful configuration.

    Only some elements are implemented on the W10 home/professional client level at least so far - in Windows Defender.

    See this example here. It's complex.

    Strictly FYI - I suggest not to pursue it, unless you have a complete, restorable backup of your entire system and a great deal of intestinal fortitude.

    How to use Windows Defender Attack Surface Reduction rules | CSO Online

    HTH...

     
    Compumind, May 11, 2023
    #2
  3. zebal Win User
    Defender - MpComputerStatus

    I can't help you with all the parameters you outlined because I never researched them, surely if you dig hard enough then you can harvest this info, surely this is not some top MS secret.

    Except for ASR (Attack Surface Reduction) rules, you can take a look at my ASR scripts below:

    Example how to configure ASR rules on local or remote computer: Deploy-ASR.ps1
    Example how to display current status of ASR rules on local or remote computer: Show-ASR.ps1

    For more information on how to configure ASR rules see link below:
    https://learn.microsoft.com/en-us/mi...ide#powershell

    For your other WD parameters, the docs which you are looking for are here:
    https://learn.microsoft.com/en-us/mi...o365-worldwide

    Use the sidebar on the left to search for details; these are all configurations for WD for Endpoint. You can find a lot of info there because under the hood most of the stuff applies to standard WD configuration through GPO or with PowerShell, but I don't have direct links because my interest was only ASR and ATP.
     
    zebal, May 11, 2023
    #3
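To see which ASR rules an endpoint is actually enforcing and which rule blocked a given program (the situation in post #1), the rule state and the Defender event log can be read locally. This is an added example, not part of the thread or of zebal's scripts; the function names are hypothetical, and the event field names `ID`, `Path` and `Process Name` are assumed from Defender's ASR events 1121 (block) and 1122 (audit).

```powershell
# Added example: list configured ASR rules and recent ASR block/audit events.
# Run in an elevated PowerShell session on the endpoint being checked.

# Documented values of AttackSurfaceReductionRules_Actions.
$modeName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # The Ids and Actions arrays are parallel: Actions[i] is the mode of Ids[i].
    $pref = Get-MpPreference
    if (-not $pref.AttackSurfaceReductionRules_Ids) { return }   # no rules configured
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $action = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Mode   = if ($modeName.ContainsKey($action)) { $modeName[$action] } else { "Unknown ($action)" }
        }
    }
}

function Get-AsrEvent {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122          # 1121 = rule fired in block mode, 1122 = audit mode
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the event's named <Data> elements into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $data['ID']            # assumed field name: GUID of the rule that fired
            Path    = $data['Path']          # assumed field name: file that was blocked or audited
            Process = $data['Process Name']  # assumed field name: process that triggered the rule
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvent -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Matching a `RuleId` from the event list against the rule state table shows whether the blocking rule reached the machine in Block mode, which is the first thing to confirm when a policy was scoped to more users than intended.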
  4. Rob Koch Win User

    Question about ASR Rules and Defender for Endpoint P1

    WD ASR : Block executable files from running unless they meet a prevalence, age, or trusted list criteria.

    I can't choose the forum for you since I don't know your configuration or exactly what you're trying to accomplish and I'm not sure that you do either.

    All you've done here is mention an Attack Surface Reduction (ASR) rule that's typically managed via Windows Defender Advanced Threat Protection (Windows Defender ATP), but not whether you're actually using Windows Defender ATP. However, if you were I suspect that you'd already have resources available to answer this question.

    If instead you're trying to manually manage ASR rules within either an enterprise network or on a single Windows 10 Enterprise system, then the question of whether such ASR rules have any true value is less clear, since you'd have no method to manage them from what I've read.

    So the answer to your question is tied up in those additional questions and which TechNet forums might apply as well, since those with Windows Defender ATP appear to have access to a special secure dashboard, while those without this product can simply browse the Security Solutions - Windows Defender Advanced Threat Protection information page to understand what this product entails.

    Rob
     
    Rob Koch, May 11, 2023
    #4