Forum Discussion
Francois_Papillon
Mar 30, 2023 · Copper Contributor
ASR Exclusions
Hi all, I've been experimenting with ASR exclusions at several clients with the same results... 1. Rules in Audit mode, exclusion added, but files keep coming back in the report for all exclusions... ...
Francois_Papillon
Apr 21, 2023 · Copper Contributor
Maybe it was unclear in my first post: all endpoints are onboarded to Intune, and all ASR exceptions are set through Intune, using the provided CSV or manually with wildcards...
Endpoints are hybrid AD joined and co-managed with the workload in Intune, no Exploit Guard setting in MECM in the past.
Using the PowerShell command Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids & AttackSurfaceReductionRules_Actions we can see which rules are configured and set to block mode.
Get-MpPreference | select AttackSurfaceReductionOnlyExclusions never shows any exclusions in audit nor in block mode on the endpoint... this is the issue.
Using Set-MpPreference -AttackSurfaceReductionOnlyExclusions will work partially... it will show in the previous command, but the excluded item still shows up in the Intune report... so not excluded from my point of view.
SABBIR_RUBAYAT
Apr 21, 2023 · Iron Contributor
In this scenario I will recommend you to open a premier ticket. I am 100% sure a normal ticket won't help you, brother. I am sorry.
- Francois_Papillon · Apr 25, 2023 · Copper Contributor: I now have a client who got it fixed through a Microsoft premier ticket, but Microsoft will not supply the resolution information... apparently it's on their side and they won't say why it's broken in the first place...
- SABBIR_RUBAYAT · Apr 26, 2023 · Iron Contributor: I agree. This is their back-end issue. But definitely we need more people like you who bring these issues to the front so Microsoft will take these things seriously. Best of luck, brother.
- MI5-Agent · Dec 11, 2023 · Brass Contributor
ASR does not work as expected: exceptions on Windows 10 (Update 10/2023) are simply ignored. On Windows 2019 Server they work, but not on Windows 10.
After wasting a lot of time, I removed all the rules, it makes no sense.
Exceptions are reported to the clients via GPO, and Get-MpPreference also shows the list correctly, but saving a PS script from OneNote to any folder will still be blocked:
Pfad: C:\Users\Test\Downloads\myscript.ps1
Prozessname: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
Event ID 1121
3B576869-A4EC-4529-8536-B80A7769E899
The exception for onenote.exe is ignored.
After removing this ASR rule, everything works again.
it is really annoying
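
The checks compared in the posts above (configured rules and their modes, the ASR-only exclusion list the endpoint actually holds, and events that still fire) can be run together on one endpoint. This is an added example, not from any poster or from Microsoft; it goes beyond the thread by also reading audit event 1122, and the event data field names (ID, Path, Process Name), the 7-day window and the prefix-style matching are assumptions.

```powershell
# Added diagnostic example; run in an elevated PowerShell session on the endpoint.
$pref = Get-MpPreference

# Pair each configured rule GUID with its action value.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ids     = @($pref.AttackSurfaceReductionRules_Ids) -ne $null
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$rules = for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{ RuleId = $ids[$i]; Action = $actionName[[int]$actions[$i]] }
}
$rules | Format-Table -AutoSize

# Exclusions as the endpoint sees them (empty means the policy never landed here).
$exclusions = @(@($pref.AttackSurfaceReductionOnlyExclusions) -ne $null |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) })
"ASR-only exclusions on this endpoint: $($exclusions.Count)"
$exclusions

# ASR events: 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)   # assumed look-back window
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Flatten the named EventData fields (names assumed from the event XML).
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }

    # Approximate match: does an exclusion cover the target or the process?
    # Defender's own matching may differ; this only flags candidates to review.
    $hit = $exclusions | Where-Object {
        $data['Path'] -like "$_*" -or $data['Process Name'] -like "$_*"
    }
    [pscustomobject]@{
        Time             = $e.TimeCreated
        Mode             = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId           = $data['ID']
        Path             = $data['Path']
        Process          = $data['Process Name']
        MatchedExclusion = ($hit -join '; ')
    }
}
# Rows with a non-empty MatchedExclusion fired despite a listed exclusion.
$report | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

An empty exclusion list with rules present points at policy delivery, while rows with a matched exclusion point at the rule itself not honouring it.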