Forum Discussion

Francois_Papillon's avatar
Francois_Papillon
Copper Contributor
Mar 30, 2023

ASR Exclusions

Hi all,   I've been experiencing with ASR exclusions at several clients with same results...   1. Rules in Audit mode, exclusion added but file keep comming back in report for all exclusions... ...
microsoft defender for endpoint
  • SABBIR_RUBAYAT's avatar
    SABBIR_RUBAYAT
    Apr 21, 2023
    In this scenario I will recommend you to open a premier ticket . I am 100 sure normal ticket wont help you brother . I am sorry
SABBIR_RUBAYAT's avatar
SABBIR_RUBAYAT
Iron Contributor
You can run ASR as audit mode or block mode. But its better to run in audit mode first. Audit mode lets you see a record of what would have happened if you had enabled the feature. You can also get an idea of how many suspicious file modification attempts occur over a certain period of time. The features won't block or prevent apps, scripts, or files from being modified.
Please do not forget to mark helpful if you find my comment helpful
Francois_Papillon's avatar
Francois_Papillon
Copper Contributor
Apr 21, 2023
Allready running in audit mode, but audit or block, exceptions never get to endpoints and every exceptions will still show up in the list... exceptions simply dont work at all, I got over 10 clients in the excact same position. ASR is unusable without exceptions
  • SABBIR_RUBAYAT's avatar
    SABBIR_RUBAYAT
    Iron Contributor
    Apr 21, 2023
    I think ASR works better with intune . I have deployed ASR exclutions for some devices which are managed by intune and I had better experience .
    NB : Intune devices were enrolled with autopilote as many feature will not work based on which why you have enrolled your devices . same rule didnt worked for teh devices which are managed by local AD . you can give it a try
    • Francois_Papillon's avatar
      Francois_Papillon
      Copper Contributor
      Apr 21, 2023
      Maybe it was onclear in my first post, all endpoints are onboard to intune all asr excpetions are set through intune, using provided csv or manually with wildcards...

      enpoints are hybrid ad joined and co-managed with workload in intune, no exploit guard setting in mecm in the past

      using powershell command Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids & AttackSurfaceReductionRules_Actions we can see wich rules are configured and set to block mode

      Get-MpPreference | select AttackSurfaceReductionOnlyExclusions never show any exclusions in audit nor in block mode on the endpoint... this is the issue

      Using Set-MpPreference -AttackSurfaceReductionOnlyExclusions will work partially... will show in the previous command but the excluded item still show up in the intune report... so not excluded from my point of view
      • SABBIR_RUBAYAT's avatar
        SABBIR_RUBAYAT
        Iron Contributor
        Apr 21, 2023
        In this scenario I will recommend you to open a premier ticket . I am 100 sure normal ticket wont help you brother . I am sorry

Resources