Ideas
What features would you like to see?
All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Manager Intune, though we can’t promise to reply to all posts.
-
ASR Rule "Block persistence through WMI event subscription" missing
The ASR Rule "Block persistence through WMI event subscription" cannot be configured via Intune.
Neither via "Devices | Configuration profiles" nor via "Endpoint security | Attack surface reduction".
However, this is advertised in Windows Defender ATP, Microsoft Secure Score, and docs.microsoft.com.
169 votes -
Exclude Files and Processes based on Hash Values
At the moment it is only possible to exclude files and processes based on filenames and folder locations.
For a higher security standard it should be possible to exclude the files based on a hash value.
Example: An attacker knows that a process is excluded from real-time-scanning. So the process-file can be exchanged by an attacker, because only the filename is checked by Defender AV. If the hash value were the exclusion value (maybe together with the filename), then an attacker would not be able to exchange just the file.
3 votes -
Block the access to Windows control panel through user account from Intune
Through the Windows device restriction policy from Intune, access to Control Panel is to be blocked, and it needs to be applied on a per-user basis. As of now, when this policy is applied on a user basis, it is blocked for all user accounts logged in on the device (for example, it is blocked in the local administrator account as well, which makes it difficult for a system admin to troubleshoot the device).
1 vote -
Microsoft needs to seriously improve troubleshooting security baselines
Please do not say go to the client and run diagnostics, it is **** and shows NOTHING! There needs to be an option in the portal itself to resolve baseline conflicts!!
1 vote -
Prevent policy changes rebooting
Changing policies should not force the computer to reboot. They should offer a prompt to the user like Windows Update does, with a deadline policy too.
3 votes -
Malware detection reports not accurate
Malware detection data under Endpoint Security > Antivirus > Windows 10 detected malware is not accurate. Devices report that files are cleaned and harmful files were quarantined, blocked, or removed, but Endpoint Protection portal does not even after 24 hours.
6 votes -
Enable the ability to lock a managed BYOD device after so many failed logins without forcing a wipe.
A lockout is much more acceptable to an end user on their BYOD device than a wipe is.
1 vote -
Ability to disable an ASR policy
At the moment, the way to remove an ASR policy from a Windows 10 machine is to unenroll the computer from Intune.
Please change this so that an ASR policy can be enabled/disabled without disconnecting the machine from Intune.
3 votes -
Export Configuration Policy Settings
Hello - @Intune Team
I'm the security administrator at our company, and we are preparing for our Cybersecurity Maturity Model Certification (CMMC). Microsoft recommends that we "document and enforce security configuration settings for information technology products employed within the information system using organizationally defined security configuration checklists". Per the Model, we are to document these configuration settings, but there is no way to export settings without using PowerShell. In other words, Microsoft would further be compliant with DFARS if there was an 'easy button' to export configuration settings of compliance policy properties into a text file for documentation purposes.
7 votes -
Firewall Policy script support for M365 GCC High
The script described at https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-firewall-rule-tool is a great idea, however it is hard-coded to authenticate to commercial Microsoft 365. Please release a script that works with GCC High.
1 vote -
Malware detection reports not accurate
Malware detection data under Endpoint Security > Antivirus > Windows 10 detected malware is not accurate. Devices report that files are cleaned and harmful files were quarantined, blocked, or removed, but Endpoint Protection portal does not even after 24 hours.
3 votes -
Windows Defender Antivirus catch-up scan options should be Enabled not Block
Because of Intune insidiously adding extra settings in our other configuration profiles, some of our Windows computers appear to not perform catch-up scans on wake/restart, despite us cleaning up the rogue settings back to Not configured.
Thinking about it though, shouldn't those options afford Enabled instead of Block? Actually there are many more settings scattered all over that I don't understand why the only option is to block. Surely organisations would want more flexible options for their policies.
8 votes -
New Endpoint Security node - combine existing settings
If you have previously configured BitLocker (or any other sec. feature) under Devices Configuration Profiles, the existing settings will not flow down to the new Endpoint Security node. In that case we might end up in conflict, where a new admin creates a new BitLocker policy, not looking under Configuration Profiles.
1 vote -
Sort, order and Export firewall rules
Add the possibility to sort firewall rules by network type and direction and apply order of processing. Option to export MDM firewall rules is missing.
1 vote -
Firewall rules for ICMP type of traffic
It is not possible to configure firewall rules for ICMP based on the type of ICMP traffic.
1 vote -
Malware detection reports not accurate
Malware detection data under Endpoint Security > Antivirus > Windows 10 detected malware is not accurate. Devices report that files are cleaned and harmful files were quarantined, blocked, or removed, but Endpoint Protection portal does not even after 24 hours.
0 votes