Exam MD-102 topic 1 question 196 discussion

Box1: audit Box2: disabled Attack surface reduction rules for managed devices now support behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that aren't in conflict are merged, while those that are in conflict aren't added to the superset of rules. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#policy-conflict

correct audit disable: When two or more policies have conflicting settings, the conflicting settings aren't added to the combined policy, while settings that don't conflict are added to the superset policy that applies to a device. ref https://learn.microsoft.com/en-us/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#policy-conflict

Audit and Audit. Endpoint/intune will take precedence. https://learn.microsoft.com/en-us/answers/questions/1461718/which-policy-applies-over-the-other-security-basel

Box 1: Audit mode Box 2: Disable Block Office applications from creating executable content: Both profiles have this setting in Audit mode. Effective setting: Audit mode. Block Win32 API calls from Office macro: MDM Security Baseline: Disable ASR Endpoint Security: Audit mode Effective setting: Disable. (Disable takes precedence over Audit mode)

Block Office App from creating executable content: Audit Mode Both are set to Audit so that's what it will do. Block Win32 API calls from the Office Macro: Audit If you set the Baseline policy as Disable or Not Configured (same thing), and you have any other setting in the ASR, the ASR configuration will take over. That's how enterprise environments enforce granular controls of policies that are enforced for a smaller subset of the employee population. The article below (Jan 27, 2024) outlines the scenario and provides comments about this. In theory this also makes sense. If the baseline policy is configured to do nothing, and the ASR policy is configured to Audit, Block or Warn, I should think the ASR policy setting will take over the configuration. .

MDM Security Baseline takes precedence over ASR Endpoing Security

Yes, in the context of Microsoft Defender for Endpoint (formerly known as Microsoft Defender Advanced Threat Protection), the MDM security baseline takes precedence over ASR (Attack Surface Reduction) rules. This means that if there are conflicting settings between the MDM security baseline and ASR, the settings defined in the MDM security baseline will take precedence.

From reading this: Attack surface reduction rules for managed devices now support behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that aren't in conflict are merged, while those that are in conflict aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. From here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#policy-conflict - Non apply?

Audit Audit The MDM security baseline and ASR endpoint security should work together to provide comprehensive protection for your devices. The MDM security baseline is a set of predefined security settings that you can apply to your devices to help protect them from malware and other threats. ASR endpoint security is a feature of Microsoft Defender for Endpoint that helps to protect your devices from known and zero-day threats by blocking malicious behaviors and files. In general, the MDM security baseline will take precedence over ASR endpoint security. However, if there are any conflicting settings, then the settings in ASR endpoint security will take precedence. This is because ASR endpoint security is a more specific set of settings that are tailored to protect devices from known and zero-day threats.

anyone can explain this?