cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

ASR Exclusions

Francois_Papillon
Occasional Contributor

‎Mar 30 2023 01:39 PM

‎Mar 30 2023 01:39 PM

ASR Exclusions

Hi all,

 

I've been experiencing with ASR exclusions at several clients with same results...

 

1. Rules in Audit mode, exclusion added but file keep comming back in report for all exclusions...

2. Using Get-MpPreference on endpoint do not show any exclusion at all

Endpoints are W10/11 22h2

 

My questions are

 

1. Do exclusions only get pushed to endpoint on block mode?

2. Exclusions are being added to the asr policy, do i need to set them some place else? GPO?

3. If I create a audit policy and a block policy with different group assignment,  setting same exclusions in both.  Moving endpoint from the audit group to the block group. Will this work?  Ive been told only one asr policy can be in place audit or block....

4. Per rule exclusions,  ive been told not to use... not working...  is this true?

 

Thank you

581 Views
1 Like
9 Replies
Reply
9 Replies
mikhailf

‎Mar 30 2023 11:49 PM

‎Mar 30 2023 11:49 PM

Re: ASR Exclusions

It would be great to have an answer from Microsoft about ASR.
It seems that ASR doesn’t work as it should.
We have done several tests and sometime exclusions do not apply, sometimes, Block/Audit configuration doesn’t apply.
0 Likes
Reply
Francois_Papillon

‎Apr 20 2023 11:33 AM

‎Apr 20 2023 11:33 AM

Re: ASR Exclusions

Really no one are using ASR exclusions? Microsoft ?
0 Likes
Reply
SABBIR_RUBAYAT

‎Apr 20 2023 01:40 PM

‎Apr 20 2023 01:40 PM

Re: ASR Exclusions

You can run ASR as audit mode or block mode. But its better to run in audit mode first. Audit mode lets you see a record of what would have happened if you had enabled the feature. You can also get an idea of how many suspicious file modification attempts occur over a certain period of time. The features won't block or prevent apps, scripts, or files from being modified.
Please do not forget to mark helpful if you find my comment helpful
1 Like
Reply
Francois_Papillon

‎Apr 21 2023 04:58 AM

‎Apr 21 2023 04:58 AM

Re: ASR Exclusions

Allready running in audit mode, but audit or block, exceptions never get to endpoints and every exceptions will still show up in the list... exceptions simply dont work at all, I got over 10 clients in the excact same position. ASR is unusable without exceptions
1 Like
Reply
SABBIR_RUBAYAT

‎Apr 21 2023 10:58 AM

‎Apr 21 2023 10:58 AM

Re: ASR Exclusions

I think ASR works better with intune . I have deployed ASR exclutions for some devices which are managed by intune and I had better experience .
NB : Intune devices were enrolled with autopilote as many feature will not work based on which why you have enrolled your devices . same rule didnt worked for teh devices which are managed by local AD . you can give it a try
1 Like
Reply
Francois_Papillon

‎Apr 21 2023 12:38 PM

‎Apr 21 2023 12:38 PM

Re: ASR Exclusions

Maybe it was onclear in my first post, all endpoints are onboard to intune all asr excpetions are set through intune, using provided csv or manually with wildcards...

enpoints are hybrid ad joined and co-managed with workload in intune, no exploit guard setting in mecm in the past

using powershell command Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids & AttackSurfaceReductionRules_Actions we can see wich rules are configured and set to block mode

Get-MpPreference | select AttackSurfaceReductionOnlyExclusions never show any exclusions in audit nor in block mode on the endpoint... this is the issue

Using Set-MpPreference -AttackSurfaceReductionOnlyExclusions will work partially... will show in the previous command but the excluded item still show up in the intune report... so not excluded from my point of view
1 Like
Reply
best response confirmed by Francois_Papillon (Occasional Contributor)
SABBIR_RUBAYAT

‎Apr 21 2023 01:03 PM

‎Apr 21 2023 01:03 PM

Solution

Re: ASR Exclusions

In this scenario I will recommend you to open a premier ticket . I am 100 sure normal ticket wont help you brother . I am sorry
2 Likes
Reply
Francois_Papillon

‎Apr 25 2023 12:30 PM

‎Apr 25 2023 12:30 PM

Re: ASR Exclusions

I now have a client who got it fixed from microsoft premier ticket but microsoft will not supply the resolution information... apperently its on their side and wont say why its broken in first place...
1 Like
Reply
SABBIR_RUBAYAT

‎Apr 26 2023 06:04 AM

‎Apr 26 2023 06:04 AM

Re: ASR Exclusions

I agree . this is there back end issue . but definitely we need more people like you who bring this issues Infront so Microsoft will take this things seriously. Best of luck brother
1 Like
Reply