Forum Discussion
TomasCinko
Dec 07, 2023Copper Contributor
ASR Only Per Rule Exclusions doesn't work - AsrOfficeCommAppChildProcessBlocked - global did
Hello,
I'm trying to exclude an application from the ASR rule "Block Office communication application from creating child processes", but it doesn't work. The ASR global exclusion ("Attack Surface Reduction Only Exclusions") works. I tried both for the same exe, but it didn't work when the per-rule exclusion was defined.
Here is the policy on the affected device:
and a screenshot from advanced hunting:
So I tried to exclude the same exe (C:\Program Files (x86)\Bentley\ProjectWise\bin\pwc.exe) in "Attack Surface Reduction Only Exclusions", so for all ASR rules, and it worked.
Any ideas what I'm missing?
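Before comparing Intune policies, it helps to see what the Defender engine on the device actually received. The script below is an added example (it is not from the original post and not Microsoft's own tooling): it reads the effective ASR state with Get-MpPreference, checks whether the rule is in Block mode, whether pwc.exe shows up in the per-rule or global ASR-only exclusion lists, and pulls the recent ASR block/audit events (IDs 1121/1122) for that rule and executable. It assumes 26190899-1602-49e8-8b27-eb1d0a1ce869 is the GUID of the "Block Office communication application from creating child processes" rule (confirm against Microsoft's ASR rules reference), and it does not assume a particular entry format for the per-rule exclusion list, so it matches on the file name only.

```powershell
# Added example, not part of the original post: inspect the effective ASR
# configuration on the affected device. Run in an elevated PowerShell session.

# Assumed GUID of "Block Office communication application from creating child processes";
# verify against Microsoft's ASR rules reference before relying on it.
$RuleId  = '26190899-1602-49e8-8b27-eb1d0a1ce869'
$ExePath = 'C:\Program Files (x86)\Bentley\ProjectWise\bin\pwc.exe'   # path from the post
$exeName = [System.IO.Path]::GetFileName($ExePath)

$pref = Get-MpPreference

# 1. Is the rule configured, and in which mode? Ids and Actions are parallel arrays.
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$idx = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) { $idx = $i; break }
}
if ($idx -lt 0) {
    "Rule $RuleId is NOT configured on this device (policy may not have been delivered)."
} else {
    $actionName = switch ($actions[$idx]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
    }
    "Rule $RuleId action: $actionName"
}

# 2. Which exclusions did the engine actually receive? Global ASR-only exclusions and
#    per-rule exclusions are separate properties. An empty per-rule list here means the
#    Intune setting never reached the device, i.e. a delivery/conflict problem rather than
#    the rule ignoring a correctly applied exclusion.
"Global ASR-only exclusions:"
@($pref.AttackSurfaceReductionOnlyExclusions) | ForEach-Object { "  $_" }
"Per-rule exclusions (raw; entry format not assumed here):"
@($pref.AttackSurfaceReductionRules_RuleSpecificExclusions) | ForEach-Object { "  $_" }

$escapedExe = [regex]::Escape($exeName)
$inPerRule  = @($pref.AttackSurfaceReductionRules_RuleSpecificExclusions) -match $escapedExe
$inGlobal   = @($pref.AttackSurfaceReductionOnlyExclusions) -match $escapedExe
"$exeName in per-rule exclusions: $([bool]$inPerRule); in global ASR-only exclusions: $([bool]$inGlobal)"

# 3. Recent ASR events for this rule that mention the executable. 1121 = blocked,
#    1122 = audited. The event message carries the rule ID and the process path.
#    If 1121 events for pwc.exe keep appearing after the per-rule exclusion was pushed,
#    the exclusion is not being honoured on this device.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($RuleId) -and $_.Message -match $escapedExe }

"ASR events for rule $RuleId mentioning $exeName in the last 7 days: $(@($events).Count)"
$events |
    Select-Object TimeCreated, Id, @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } } |
    Format-Table -AutoSize
```

Compare the per-rule list printed in step 2 with what the Intune policy shows: if Intune reports the exclusion but the device's list is empty, the problem is between Intune and the device (policy conflict or a stale policy, as discussed in the replies), not with the rule itself.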
9 Replies
- ThoFord (Brass Contributor): It's been a while since I looked into this; asking Bing Chat I get the following:
  "Within Microsoft Endpoint Manager (MEM), it's not possible to add per-rule exclusions to an existing policy. Instead, the workaround is to create a new policy in MEM, effectively replacing the existing one to incorporate the desired per-rule exclusions. While this approach may seem cumbersome, it's the current implementation for achieving the desired configuration."
- TomasCinko (Copper Contributor): Hi Thomas,
  I don't know where you found this, but I found different information. I read the documentation: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy
  and there it says:
  "ASR policies do not support merge functionality for ASR Only Per Rule Exclusions and a policy conflict can result when multiple policies that configure ASR Only Per Rule Exclusions for the same device conflict. To avoid conflicts, combine the configurations for ASR Only Per Rule Exclusions into a single ASR policy. We are investigating adding policy merge for ASR Only Per Rule Exclusions in a future update."
- ThoFord (Brass Contributor): Yes, that is true, but modifying a policy to add exclusions never worked properly; I had to delete the exclusion policy and recreate it with the new modifications to make it work, but this was almost a year ago when I had to do this.
  It's one of the many MS things that come out which are not really as ready as they should be. Beta versions.
- rockyte (Copper Contributor): Curious if you are using GPO or Intune? I was under the impression per-rule exclusions only worked when leveraging Intune.
- gvilla4521 (Copper Contributor): Hi there! It would be great if you could provide more details. Have you already deployed any GPO or ASR policies on that device? Do you have any other ASR policy with a per-rule exclusion for that device? If so, combine the configurations for ASR per-rule exclusions into a single ASR policy.
  Check out
  https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy#exclusions-for-attack-surface-reduction-rules
- TomasCinko (Copper Contributor): Hi,
  there is only one ASR policy. I work with this policy and am adding the exclusion directly to it. It is a hybrid device, but all MDE policies are managed in Intune.
- TomasCinko (Copper Contributor): We use Intune as the source for ASR and other security policies.