Forum Discussion
ASR: Block abuse of exploited vulnerable signed drivers
- Oct 13, 2021
James_Gillies we have not added this ASR Rule to the MEM ASR rule configuration profile. We have plans to add this configuration option so you don't have to use OMA-URIs so stay tuned.
Thanks,
Jake
- mcoombe, Apr 14, 2022, Brass Contributor
robert_welsofd we recently managed to resolve this by removing all ASR rules from Endpoint Security as well as any ASR rules included under a Security Baseline profile, and then used a Configuration Profile (Settings Catalog) to define all 16 (from recollection) ASR rules. After about 24-48 hours we then saw a significant improvement under MDE Security Recommendations, and after 3-5 days we had 100% compliance on all ASR rules for all devices.
It appears to me that Configuration Profiles (Settings Catalog) are much more reliable at enforcing these controls than the GUI provided under Endpoint Security which is supposed to make management easier.
Hope this helps, as it worked for us; we have now successfully rolled this out to a number of customers and now have a Device Secure Score of over 90% (our goal is to get a 90% score across all 3 categories in Secure Score).
I am happy to share screen clips etc. if it helps, so just reach out.
Note: the key (and where we got stuck) was that all ASR rules need to be defined in a single place. If you don't remove the ASR rules from Security Baseline and Endpoint Security, then the Configuration Profile did not appear to take effect and was trumped by one of the other policies.
- Amy Babinchak, Jun 13, 2022, Copper Contributor
I have a similar problem. Using the new GUI location in Endpoint Manager, recommendations never update. However, I have verified that the rules are actually in place on the client PCs. My score, however, sucks, and the remediations are still showing that the ASR rules aren't deployed. Most annoying.
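Several posters above describe the Intune/MDE reports lagging days behind what is actually enforced on the endpoint, so the local Defender state is the ground truth worth checking. The following PowerShell is an added example, not code from anyone in this thread: it reads the effective ASR configuration with Get-MpPreference, reports the mode of the driver rule, and pulls any recent block/audit events for it from the Defender operational log. The rule GUID used here is the one Microsoft publishes for "Block abuse of exploited vulnerable signed drivers"; confirm it against the current ASR rule reference before relying on it. The function names are my own.

```powershell
# Added example (not from the thread): verify the ASR driver rule on a client and
# list recent block/audit events. Assumes Microsoft Defender Antivirus is present
# and the script runs in an elevated session.
# GUID as published by Microsoft for "Block abuse of exploited vulnerable signed
# drivers"; verify against the ASR rule reference before use.
$DriverRuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'

# Human-readable names for the AttackSurfaceReductionRules_Actions values.
$ActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)

    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; normalise case so GUID casing does not matter.
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLowerInvariant() })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)

    $idx = [Array]::IndexOf($ids, $RuleId.ToLowerInvariant())
    if ($idx -lt 0) {
        return [pscustomobject]@{ RuleId = $RuleId; Configured = $false; Action = 'NotConfigured' }
    }
    $code = [int]$acts[$idx]
    [pscustomobject]@{
        RuleId     = $RuleId
        Configured = $true
        Action     = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
    }
}

function Get-AsrDriverEvents {
    param([int]$Days = 7)
    # Event 1121 = ASR rule blocked something, 1122 = audit-mode hit, both in the
    # Defender operational log. The rule GUID appears in the event message text.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $DriverRuleId } |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
            Message
}

# Usage: report the rule mode and warn if it is not enforced in Block mode.
$state = Get-AsrRuleState -RuleId $DriverRuleId
$state | Format-List
if ($state.Action -ne 'Block') {
    Write-Warning "Driver rule is '$($state.Action)', not Block; check which Intune policy is winning."
}
Get-AsrDriverEvents -Days 7 | Format-Table -AutoSize
```

If Get-MpPreference shows the rule in Block mode but the portal still lists it as not deployed, the gap is in reporting rather than enforcement, which matches what the thread describes; if the rule is missing or in Audit mode, the conflicting Endpoint Security or Security Baseline policy the posters mention is the first place to look.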
- PatrickF11, Apr 22, 2022, MCT
mcoombe I've found something very interesting:
Has anyone tried creating a new Policy inside of Endpoint Security?
After creating a new rule there is a whole new layout of the items, including a new item: "Block abuse of exploited vulnerable signed drivers (Device)"
edit: in the "Target" column the new policy has the entry "mdm,microsoftSense" instead of "mdm".
This could go along with server management, I guess?
🙂
- Alex_AVN1711, May 22, 2022, Copper Contributor