ASRs via Intune not working (only on Windows 11 Clients)

Question

We have been using some ASR rules in our company for a longer period of time. We have set these up via Intune.
Since we have been using Windows 11, we have had some problems with a few ASR rules.

one Example:

Block all Office applications from creating child processes does not work under Windows 11.

Now I have seen under the Security Recommendations that Intune is probably only possible for Windows 10.

Has anyone had similar experiences? And do I now have to completely rebuild my policies?

I would be very grateful for any input.

jordi_koenderink · Answer

That's just a UI thing. The ASR you mentioned is supported on W11: https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#asr-rules-supported-operating-systems

david0k · Answer

Hi&nbsp;Jordi_Koenderink, the problem is that even when I hunt for the ASRs in MS Defender, it shows that the setting&nbsp;Block all Office applications from creating child processes&nbsp;is off(there are 2 more settings). But according to our settings, this should not be the case. It also works on the Windows 10 devices, as set.

jordi_koenderink · Answer

Not sure what you're saying here. The ASR is showing as Off in the Advanced Hunting tab but you set it to On regardless? If so, what does your query look like?

david0k · Answer

Yes, the notebooks are all in the same configuration group and all get the same settings.On the Windows 10 devices, the three settings are set to Audit. On the Windows 11 devices, they are displayed as off.See as an example a Win10 device and a Win11 device. The remaining settings are all the same.See also the query in the screenshot.&nbsp;an other query: &nbsp;

jordi_koenderink · Answer

Are you sure the devices have had enough time to receive the ASR policy? Also, please show me a screen of the ASR.

Forum Discussion

ASRs via Intune not working (only on Windows 11 Clients)

8 Replies

Resources