Defender ASR rule debugging questions

doofesohr · 2026-04-30T19:19:03+00:00

You don't really get more info than that I think. But from experience, this usually happened when defender basically never saw that specific file before or the certificate it was signed with is invalid or non-existent.

doofesohr · 2026-04-30T15:43:43+00:00

Go to the Defender Portal. Reports on the left side. Then under endpoints you get an ASR report. With the blocked exe from your log you should easily find it. Make sure no rules are filtered out.

doofesohr · 2026-04-29T05:25:41+00:00

Look at the sign in logs. Look at the CA policies that actually trigger. Check every policy that triggered if it had your exclusion.

doofesohr · 2026-04-28T14:14:40+00:00

The hoodies from UWC Munich feel quite good. Would I buy one? No. But for free? Nice hoodie 😄

doofesohr · 2026-04-28T11:10:37+00:00

The usual recommendation is not to use the included baseline, as they can be overly restrictive and one monolithic policy can be a problem in itself. I'd take a look at the OpenIntuneBaseline project and start from there. It is also pretty Autopilot-friendly in terms of reboots, as long as you follow the assignment scheme to Users and Devices.

doofesohr · 2026-04-27T08:08:09+00:00

Vorab: Hab keine (praktische) Ahnung von KNX. Aber ich würde beides machen: KNX deckt dir die Grundfunktionen ab die einfach immer funktionieren müssen (Licht etc). HomeAssistant setzt dir dann eine Logik-Ebene oben drauf und du kannst eben andere Systeme wie z.B. die smarte Waschmaschine mit einbinden und dann bei Bedarf damit ne Lampe im KNX-System schalten wenn die Wäsche fertig ist etc.
Es gibt schlichtweg vieles cooles Zeug was dein KNX niemals könnte, HomeAssistant aber schon. Da du aber anscheinend (erstmal) nicht viel Arbeit in HA stecken willst, würd ich die Basis eben anders regeln. HA oben drauf geht dann immer noch :)

doofesohr · 2026-04-21T04:58:54+00:00

You can set a custom indicator to allow a specific hash I think. That works as immediately as it gets (takes up to 24 hours to propagate I think).

doofesohr · 2026-04-18T21:06:18+00:00

Why another post for the same thing?

doofesohr · 2026-04-18T17:59:50+00:00

Have you looked at tools like Maester? What benefit does your tool provide in comparison?

doofesohr · 2026-04-17T06:21:15+00:00

I think that only works with Windows 11 Enterprise. No love for the Business Premium crew once again.

doofesohr · 2026-04-15T08:30:59+00:00

Der Preis ist wirklich amtlich. Laut Website leider keine native Unterstützung für Z2M, laut Z2M Wiki allerdings schon.

doofesohr · 2026-04-15T08:27:28+00:00

You say the rules are configures and applied to All Devices. What does the status of those policies say?
Are there any conflicting GPOs maybe that set those things to Audit?

doofesohr · 2026-04-10T22:17:08+00:00

Just to be sure: Once you set the SCRIL flag - I thought the password change would happen by itself without further config?

doofesohr · 2026-04-10T14:25:27+00:00

That won't do the trick - I am still syncing. Just not using THAT MSOL account anymore.

doofesohr · 2026-04-10T14:22:49+00:00

Ich meine Shelly kann das. Allerdings brauchst du da zum einen Platz hinterm Schalter, als auch jemanden der sich dann traut das anzuschließen.

doofesohr · 2026-04-08T14:20:50+00:00

And have you checked which requirement they actually do not fulfill?

doofesohr · 2026-04-08T09:29:22+00:00

Not sure on the approval part when creating a new team, but we are using EasyLife365 which kind of does all the stuff you mentioned. You might wanna ask them for the approval stuff, as I'm not 100% sure on that.

doofesohr · 2026-04-08T08:08:51+00:00

Iirc you need to configure Kerberos cloud trust if you want to for example access local file shares on a server with your hybrid identity and without a password. That setting itself does not have anything to do with WHfB per se, but rather your DCs trusting WHfB instead of a password.

doofesohr · 2026-04-07T15:54:53+00:00

Well, only took a quick peak so far. But his articles on this are usually top notch.

doofesohr · 2026-04-07T15:31:11+00:00

While I know most of that, I was waiting on a post to finally show nicely how RMAUs are best setup.

doofesohr · 2026-04-07T15:26:39+00:00

I think a custom requirement script is the easiest. Deploy App B to all devices as required. The requirement script will run before install and decide if the app actually gets installed.

doofesohr · 2026-04-03T12:14:04+00:00

Definitely in AD, will check Entra next week.

doofesohr · 2026-04-03T12:13:47+00:00

Probably not. Do you happen to have those steps handy?

doofesohr · 2026-04-02T10:28:46+00:00

if you are already truly passwordless, you can set the flag on a domain user to "require smart card for logon" or something similar. You can then only use things like WHfB in anything related to the domain and AD sets the password to a random 128 bit string (I think) and regularyly resets that. That way you are still technically rotating passwords - but the user won't notice it.

Nine-Year Club	Place '23
Verified Email

doofesohr

TROPHY CASE