Question about ASR Rules and Defender for Endpoint P1

Nick Ziff 0 Reputation points
2023-05-11T14:41:08.96+00:00

I am looking for some clarification on the ASR rule configuration and how it plays into the Defender for Endpoint P1 license.

I recently bought a P1 license to test ASR rules on endpoints, configured a GP with ASR rules configured to apply to my endpoint, then applied the license to me. Soon after, my developer let me know that he was being blocked from executing a visual basic app. It was one of the rules I set for myself, but I noticed the GP also included another set of users by accident. He did not have a P1 license, nor was his endpoint onboarded in the Windows Security dashboard.

Question is, if I don't need a license for ASR rules, then what is the point of the P1 license (as it pertains to the ASR rules, not the other features that come with the license)

Thank you for any assistance in clarifying my understanding!

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,808 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Andrew Blumhardt 9,676 Reputation points Microsoft Employee
    2023-05-11T18:49:59.4666667+00:00

    I think you can set the 15 ASR rules using a GPO without MDE. The process for setting the rules can be a bit daunting. You start with auditing, though there are a few always-block recommendations. After reviewing the audit, you can determine what to block and where to avoid business interruption. The GPO is also not easy to manage using GUIDs rather than rule names. Collecting and making a decision based on the ASR audit events is not easy.

    MDE collects all of the ASR rule logs. If you use Intune it makes management easier. You can even manage ASR rules to a degree in the M356D portal. I don't believe there are out of the box alerts for ASR Rule blocks but you can create a custom rule for alerting. More importantly, MDE gives you reporting and recommendations on where to safely apply blocks. With advanced hunting you can see ASR Rule activity from all devices in one place.

    Also consider that Attack Surface Reduction is a term in MDE that goes far beyond the 15 ASR rules. Things like Device Control, Web Protection, Network Protection, etc.
    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1?view=o365-worldwide#attack-surface-reduction

    0 comments No comments