Hi all,
for the whole of last week, I have been having a very strange and recurring problem.
Environment: Location EU0501, most devices HAADJ, some devices Autopiloted Entra-only, Windows 10 and 11 on 22H2 or 23H2, patch level 2024-02 or 2024-03, so up to date. Hybrid devices have a GPO which sets 5 ASRs; Entra-only devices get their ASRs from Intune "Endpoint Security | Attack Surface Reduction", and for hybrid devices the two do not collide and exactly match.
So all devices looked like this all the time.
What happened the last week:
The Defender for Endpoint portal suddenly told me to enable all the ASRs on hundreds of devices. So after lots of syncing, looking and wondering, and confirming in Intune that everything is set as it should be and the status is success, the number of devices to remediate slowly dropped again. OK, some weird thing, fixed now.
Well... until the number dramatically rose again.
(That's just an example. All ASR look the same)
So I again started to look and found that in Intune I had set the ASRs in "Endpoint Security | Security Baseline for Windows 10 and later", "Endpoint Security | Microsoft Defender for Endpoint Baseline" and "Endpoint Security | Attack Surface Reduction". But all were set exactly the same, so no conflict. The status for all policies in Intune was "success". But as I don't need the same rules three times, I removed them from both baselines. And it looked great: devices synced, ASRs were shown and the number of devices to remediate dropped again.
Until... it rose again.
In all this troubleshooting, I also noticed that it is definitely not just the number in the Defender console. I can actually see it in my local PowerShell.
It should look like above. But the same PowerShell window had it correctly, and one hour later it returned nothing. Starting another PowerShell as administrator, the list was complete. Until an hour later, when the same window returned nothing anymore. Some time later, the ASRs were listed again. For hybrid devices, the 5 ASRs set by GPO are always listed correctly.
Screenshot on entra only device as administrator
And this happens to all devices in my tenant.
What is going on?!
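An added example (not part of the original post) for timestamping the behaviour described above: it snapshots the ASR rule IDs and actions that Get-MpPreference reports, then polls and logs every deviation from that baseline, so the moments when the list goes empty can be correlated with Intune or GPO sync times. It assumes an elevated PowerShell session on a Windows 10/11 device with Defender; the log path and polling interval are assumptions, not values from the post.

```powershell
# Added example: watch the locally reported ASR rule set and log changes.
# Assumes an elevated session; log path and interval are arbitrary assumptions.

function Get-AsrState {
    # Returns a sorted list of "guid=action" strings.
    # An empty list means Get-MpPreference currently reports no ASR rules.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $state = for ($i = 0; $i -lt $ids.Count; $i++) {
        "{0}={1}" -f $ids[$i].ToLower(), $actions[$i]
    }
    return @($state | Sort-Object)
}

function Watch-AsrState {
    param(
        [int]$IntervalSeconds = 300,                            # assumption: poll every 5 minutes
        [int]$Iterations      = 48,                             # assumption: 4 hours of polling
        [string]$LogPath      = "$env:ProgramData\asr-watch.log" # assumption: any writable path
    )
    $baseline = Get-AsrState
    "{0} BASELINE {1} rule(s): {2}" -f (Get-Date -Format s), $baseline.Count, ($baseline -join ';') |
        Tee-Object -FilePath $LogPath -Append

    for ($n = 0; $n -lt $Iterations; $n++) {
        Start-Sleep -Seconds $IntervalSeconds
        $now  = Get-AsrState
        $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $now
        if ($diff) {
            # '<=' = present in baseline but missing now; '=>' = newly reported
            $missing = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
            $added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
            "{0} CHANGED now={1} missing=[{2}] added=[{3}]" -f (Get-Date -Format s), $now.Count,
                ($missing -join ';'), ($added -join ';') | Tee-Object -FilePath $LogPath -Append
        } else {
            "{0} OK {1} rule(s)" -f (Get-Date -Format s), $now.Count | Tee-Object -FilePath $LogPath -Append
        }
    }
}

Watch-AsrState
```

Lines tagged CHANGED in the log can then be compared with the timestamps of event ID 5007 ("antimalware platform configuration changed") in the Microsoft-Windows-Windows Defender/Operational event log, which records each configuration change on the device.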