Forum Discussion
cbrd
May 23, 2025 | Copper Contributor
Removing attack surface reduction rules not possible
Hi, we have implemented attack surface reduction rules in my company on all Windows 10 PCs. We audited for a few months and created exclusions which worked well. Now we have a new program th...
cssns
May 26, 2025 | Brass Contributor
As another response already says, the main reason could be that some of the ASR rules were assigned historically via another source (ConfigMgr, GPO, MEM, etc.). BLOCK (1) always prevails if the policies were tattooed. You may do a simple search in the Registry with the ASR rule names and see the count of results appearing.
GPO/SCCM/MEM:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
MDM/Intune:
HKLM\SOFTWARE\Microsoft\Windows Defender\Policy Manager
Set-MpPreference / Add-MpPreference
HKLM\SOFTWARE\Microsoft\Windows Defender
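
The registry search described in the reply above, as an added example that is not part of the original post: it walks the three roots listed there and reports every value whose name or data contains a GUID, then prints the effective rule state for comparison. It assumes ASR rules are stored by their GUID rule IDs (so it matches the GUID pattern rather than display names) and that it is run from an elevated PowerShell session; GUID-shaped values unrelated to ASR may also show up.

```powershell
# Roots are the ones named in the reply; subkeys are discovered by recursion, not assumed.
# The Policy Manager root is listed before its parent so hits are attributed to it first.
$roots = [ordered]@{
    'GPO/SCCM/MEM'     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    'MDM/Intune'       = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Policy Manager'
    'Set-MpPreference' = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
}
# Assumption: ASR rule IDs appear as GUIDs, either as value names or packed into value data.
$guid = '[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
$seen = [System.Collections.Generic.HashSet[string]]::new()

$hits = foreach ($source in $roots.Keys) {
    $root = $roots[$source]
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $keys = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # Skip values already reported under a more specific root.
            if (-not $seen.Add("$($key.Name)|$name")) { continue }
            $data = [string]$key.GetValue($name)
            if ($name -match $guid -or $data -match $guid) {
                [pscustomobject]@{
                    Source = $source
                    Key    = $key.Name
                    Value  = $name
                    Data   = $data
                }
            }
        }
    }
}

# Count per source: more than one source with hits points to overlapping assignments.
$hits | Group-Object Source | Select-Object Name, Count | Format-Table -AutoSize
$hits | Sort-Object Source, Key, Value | Format-List

# Effective (merged) state as Defender reports it, for comparison with the raw registry hits.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{ RuleId = $ids[$i]; Action = $actions[$i] }
}
```

A rule ID that appears under more than one source, or that still shows action 1 after the policy was removed, is a candidate for the leftover assignment the reply describes.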