This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 27%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi all,
for the whole last week, I have a very strange and recurring problem.
Environment: Location EU0501, most devices HAADJ, some devices autopiloted entra only, Windows 10 and 11 on 22H2 or 23H2, Patchlevel 2024-02 or 2024-03 - so up to date. hybrid devices have a GPO which sets 5 ASRs, entra only get their ASRs from Intune "Endpoint Security | Attack Surface Reduction" and for hybrid devices they do not collide and exactly match.
So all devices looked like this all the time.
What happened the last week:
Defender for Endpoint portal suddenly told me, to enable all the ASRs on hundreds of devices. So after lots of syncing and looking and wondering, and confirming in Intune, that everything is set as it should be and status is success, the number of devices to remediate slowly dropped again. OK, some weird thing, fixed now.
Well... until the number dramatically raised again.
(That's just an example. All ASR look the same)
So I again started to look and found, that in Intune, I set the ASRs in "Endpoint Security | Security Baseline for Windows 10 and later", "Endpoint Security | Microsoft Defender for Endpoint Baseline" and "Endpoint Security | Attack Surface Reduction". But all were set exactly the same. So no conflict. Status for alle policies in Intune was "success". But as I don't need the same rules three times, I removed them from both the baselines. And it looked great. Devices synced, ASRs were shown and devices to remediate dropped again.
Until... they raised again
in all these troubleshooting, I also noticed, that it is definitely not just the number on Defender console. I can actually see it in my local powershell.
It should look like above. But the same powershell windows had it correctly and one hour later it return nothing. Starting another powershell as administrator, the list was complete. Until an hour later, when the same window returned nothing anymore. Some time later, the ASRs were listed again. For hybrid devices, the 5 ARs set by GPO are always listed correctly.
Screenshot on entra only device as administrator
And this happens to all devices in my tenant.
What is going on?!
That's the very same graph today
As you can see, the raise which was clearly visible on Friday is now now an even further drop. So the same settings which made ASR rules active aren't right now.
new additional information:
this is how my ConfigMgr Co management EndpointProtectionAgent.log looks like since the problem occurs
There were no warnings before.
and it keeps falling. which is kinda "funny" because if it was actually something I deployed, it would have hit bottom low instantly and not step by step.
and like every day, it looks great in the morning, graph raising und until devices lose their policies.
I even restarted the CCM service to trigger a scan and it said like before "Verified that Intune has set Defender policy, will not apply SCCM policy."
And in the afternoon BAAAAM,
Defender not detectedEndpoint protection workload is migrated to Intune, but no MDM policies exist yet. SCCM will apply policy.
Device is a workstation, no need to check for downlevel defender
Defender not detected
I am currently at a point where the most likely issue is, that Defender cannot handle 24hour format!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 48%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK6%3C/text%3E%3C/svg%3E)
What version of SCCM do you run?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 41%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDO%3C/text%3E%3C/svg%3E)
@AndAuf
I can confirm that I am seeing the same type of behavior with the ASR rules.
It seems that it started just after latest CM release upgrade (CM 2309 with HF KB25858444).
Have you found the solution or a way around it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 76%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZP%3C/text%3E%3C/svg%3E)
@AndAuf @Daniel Olsson
I can confirm this behavior, we also have the latest SCCM version (2309 with hotfix).
We are currently trying a solution posted here (but no result yet): https://twitter.com/KiPos_info/status/1773328129508999603
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 34%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETF%3C/text%3E%3C/svg%3E)
@Ziemke Philipp : we do face exact same issue (after upgrade of SCCM -> same version including hotfix). Do you have any result from your testing to disable the two sccm settings as describe in the twitter posts? does it help? thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 30%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBC%3C/text%3E%3C/svg%3E)
Having the same issue here. On SCCM 5.00.9122.1018. Testing excluding the Endpoint Protection client policy from deploying to comanagement pilot group collection Edit: Excluding the comanagement pilot group collection from the Endpoint Protection Client policy - or targeting one with a higher priority that forces SCCM to not manage endpoint fixes the issue. Hopefully Microsoft fixes this in the next release.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@AndAuf, Thanks for posting in Q&A. From your description, I find ASR rules will disappear on lots of devices last week. And the ASR rules have not changed anything. things look strange. Could you check if any application bulk installed on the devices? Or if any other policies deployed to the devices?
If the answer is yes, I suggest remove the app and the policy we deployed last week to see if the issue is resolved. if the answer is no, I suggest open case to look into the issue:
https://learn.microsoft.com/en-us/mem/get-support
Thanks for your understanding.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I opened a support request in Intune last week and got told, that as the policy is successful, the keys are created and it is no Intune problem - case dismissed.
And yes, there were a few changes like new remediation (disable Acrobat AI, unhide file extensions, ...) scripts, but they do not interact with Defender at all
@AndAuf, Thanks for the reply. When the policy deployed successfully on these devices, And these devices also receive these settings. then Intune has finished its work. But it disappears lately. It can be something on the device side which can cause the deletion of these settings.
For these changes, are they also occurring on the devices on which ASR policies are deployed via GPO?
Meanwhile, for the log you provided, It shows the Endpoint protection workload changes to Intune and the Defender not detected. Could you confirm if the logs record after we apply the ASK policies?
This applies partially to hybrid devices with GPOs. Those devices also lose their Intune policy but the GPO policies remain active
"Could you confirm if the logs record after we apply the ASK policies?" I'd say yes, but I'm not sue what the question actually is. The log records repeat every so many minutes, so of course they eventually are applied after ASR.
@AndAuf. Thanks for the reply. Based as i know, GPO take precedence than Intune policies. For the devices, will they have the issue the ASR policies will be removed when we query via PowerShell.?
Meanwhile, from the log you provided, I find this is a co-managed device and the workload is switched to Intune. At the beginning, it detects Defender policy in Intune and apply it. But lately, in the log, it shows the no Defender policy in Intune and it tries to apply Defender policy in SCCM. Could you confirm if it is the time the ASK policy disappears in PowerShell?
It also shows Defender not detected. At that time, was the Defender still on the device?
