Oct 08 2021 06:58 AM
Hey there,
I am seeing a recommendation to apply the ASR Rule as listed above. It looks like a fairly new addition to the series of 16 ASR rules that can be configured.
However, on closer inspection there doesn't yet appear to be an Intune/Endpoint Manager option to add this under the standard Endpoint Security / Attack Surface Rules section.
There's an "Intune name" and a GUID but... I don't want to push this out via a MEM OMA-URI, it fractures where all the policies are kept and makes things messy.
Can I ask when it is expected to have this baked into the main Attack Surface Reduction rules section?
Seems a bit daft to make recommendations to implement the setting across all your endpoints when it's not as easy as all the other rules to actually implement?
Thanks very much.
James
Oct 08 2021 01:06 PM
@James_Gillies I just got through the same path. You are right, this rule is not present in the WebGUI but it is yet configurable. Here's a good blog post about this: Configuring ASR Rules in Intune and how to automate it with PowerShell (call4cloud.nl)
Oct 13 2021 10:34 AM
Solution: @James_Gillies we have not added this ASR Rule to the MEM ASR rule configuration profile. We have plans to add this configuration option so you don't have to use OMA-URIs, so stay tuned.
Thanks,
Jake
Jan 26 2022 08:13 AM
@Jake_Mowrer Hi Jake, any ideas on when this rule might be added to Intune? Thank you.
Apr 14 2022 01:42 PM
@robert_welsofd we recently managed to resolve this by removing all ASR rules from Endpoint Security as well as any ASR rules included under a Security Baseline profile and then used a Configuration Profile (Settings Catalog) to define all 16 (from recollection) ASR rules. After about 24/48 hours we then saw a significant improvement under MDE Security Recommendations and after 3-5 days we had 100% compliance on all ASR rules for all devices.
It appears to me that Configuration Profiles (Settings Catalog) are much more reliable at enforcing these controls than the GUI provided under Endpoint Security which is supposed to make management easier.
Hope this helps as it worked for us and we have now successfully rolled this out to a number of customers and now have a Device Secure Score of over 90% (our goal is to get a 90% score across all 3 categories in Secure Score).
I am happy to share screen clips etc. if it helps, so just reach out.
Note: the key (and where we got stuck) was all ASR rules need to be defined in a single place and if you don't remove the ASR rules from Security Baseline and Endpoint Security then the Configuration Profile did not appear to take effect and was trumped by one of the other policies.
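A local check that goes with the discussion above of policies overriding each other (an added example, not written by any poster in this thread or by Microsoft): it reads the ASR rules Defender has actually applied on the endpoint and reports the state of the vulnerable signed drivers rule. The GUID is taken from Microsoft's published ASR rule reference, not from this thread, and the function name `Get-AsrRuleState` is hypothetical.

```powershell
# Added example: show which ASR rules are effective on this endpoint.
# GUID of "Block abuse of exploited vulnerable signed drivers"
# (from Microsoft's ASR rule reference; it is not quoted in the thread).
$DriverRuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'

# Action values Defender stores per rule.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param(
        [string[]]$Ids,      # rule GUIDs as reported by Get-MpPreference
        [int[]]$Actions,     # action for each GUID, same order as $Ids
        [string]$RuleId      # GUID to look up
    )
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        if ($Ids[$i] -ieq $RuleId) {
            $name = $ActionNames[$Actions[$i]]
            if (-not $name) { $name = "Unknown ($($Actions[$i]))" }
            return $name
        }
    }
    # The rule never reached the device, whichever policy was meant to set it.
    return 'Not configured'
}

$pref    = Get-MpPreference
$ids     = $pref.AttackSurfaceReductionRules_Ids
$actions = $pref.AttackSurfaceReductionRules_Actions

# Every rule the device has applied, to compare against the intended policy.
for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $ids[$i]
        State  = Get-AsrRuleState -Ids $ids -Actions $actions -RuleId $ids[$i]
    }
}

$driverState = Get-AsrRuleState -Ids $ids -Actions $actions -RuleId $DriverRuleId
"Block abuse of exploited vulnerable signed drivers: $driverState"
```

Run it in a PowerShell session on a managed device after a policy sync; a result of `Not configured` or an unexpected state means the policy that was meant to set the rule did not take effect there.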
Apr 22 2022 06:25 AM - edited Apr 22 2022 06:27 AM
@mcoombe I've found something very interesting:
Has anyone tried creating a new Policy inside of Endpoint Security?
After creating a new rule there is a whole new layout of the items, including a new item: "Block abuse of exploited vulnerable signed drivers (Device)"
edit: in the "Target" column the new policy has the entry "mdm,microsoftSense" instead of "mdm".
This could go along with server management I guess?
:)
May 13 2022 11:27 AM
@Jake_Mowrer when is this coming?
Jun 28 2022 07:09 AM
@James_Gillies Has there been an update to this and does the new version mdmsense work correctly? I have matched both policies and was thinking about switching to the new one. Does anyone have experience with the results of doing this?
Jun 28 2022 07:14 AM
Hi, I swapped our policies over into a new mdmsense Intune policy, seems to work fine - no issues so far, change was made about 2 weeks ago now.