Forum Discussion
Explot Guard - Attack Surface Reduction Rules not reporting as Enabled in WDATP console
We have rolled out Attack Surface Reduction rules via GPO (including newst rule in v1809 so 14/14 rules). We have some in audit mode and some applying. I can verify systems have the policy via Get-MpPreference. But the WD ATP console does not report them as applying as it shows all systems need to "Turn on Attack Surface Reduction rules". What is the logic used for that? For Controlled Folder Access, we have it in audit mode and that adds points.
Does the ASR one not count any points unless ALL rules are in Enabled mode? If so, is there a way to change this behaviour as I do not feel 0 points is an accurate reflection of our position given over half the rules are in Enabled state, and it makes using the console to remediate machines with issues such as the GPO not applying useless.
Hi,
You are correct in your assumption.
We are currently in the process of changing this behavior and we will indicate the status for every Attack Surface Reduction rule separately.
- Jacques van ZijlMicrosoft
Doug Howell hi Doug,
did you also run the new baseline 1809 script, this will turn on more sensors and some you might missed.
.\BaselineLocalInstall.ps1 -Win10DomainJoined - for Windows 10 v1809, domain-joined
.\BaselineLocalInstall.ps1 -Win10NonDomainJoined - for Windows 10 v1809, non-domain-joined
- Doug HowellCopper Contributor
Jacques van Zijl I am not clear what connection the v1809 baselines (or any other version) have to my question. The clients are fully reporting into Defender ATP including Controlled Folder Access status which is another Exploit Guard feature, and I can verify on the systems the ASR rules are applied via GPO both by using GPResult and Get-MpPreference.
- Jacques van ZijlMicrosoft
Doug Howell my apologies, i thought you where referring to the ATP Score Card point, sometimes a miss configuration could lead not to add points in the Score Card.