Forum Discussion
sumo83
Feb 16, 2024 | Iron Contributor
Implementing ASR - Block credential stealing
Hi experts, I'm about to deploy ASR policy via Intune... running them in Audit mode to see how it will affect end users... And from what I can see, 99% of all "hits" there are for "Block credenti...
- Feb 16, 2024
Yes, this is expected. As a default, ASR policies are supposed to be conservative. There are some malicious activities that behave in a similar way to legitimate activity. Microsoft defaults on the side of caution and alerts on these files. This is not unusual.
I suggest that you add exceptions for necessary Windows files, so you don't encounter a situation where you block critical processes.
The best practice here would be to review these policies on a scheduled basis. Digital environments can change and policies should be reviewed to ensure they are still relevant.
sumo83
Feb 16, 2024 | Iron Contributor
Thanks!... No problem at all... I review ASR reports regularly so that is not an issue... Was just not expecting it will block regular Windows files... But yeah, makes sense from a security point of view 🙂
will be adding exceptions for them..
G_Wilson3468
Feb 16, 2024 | Iron Contributor
Anytime, glad I could help. Could you mark this as the best answer if it fits that description?