Thanks, Antonio Vasconcelos.
Just clarifying some feedback on Item #1.
For creating the Security Baseline profile in Intune - this looks simple enough via:
https://portal.azure.com/#blade/Microsoft_Intune_Workflows/SecurityBaselineMenu/securityBaselines
But once I review the settings under Microsoft Defender, it is easy to see how this can be changed to either Audit mode or Block, but what I wasn't seeing is how to add the ASR Exclusion rules once they have been identified by running in Audit mode? (Here there are only 10 rules.)
I then went back and reread the instructions at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction#group-policy and realised that I needed to create a new "Endpoint Protection" profile under Device Configuration profiles (here are the full 15 rules):
https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/DeviceConfigMainMenuViewModel/deviceConfiguration
So please be aware that it looks like the ASR Rules are surfacing in two locations in Intune, and it's under the Security Baseline that it appears to be incomplete, in that there is no place to submit the Exclusion Files/Paths? It might be that this area is still a "Work in Progress", but the Security Baseline would appear to be a more natural home for these settings perhaps?