May 17 2024 04:36 AM
We have been using some ASR rules in our company for a longer period of time. We have set these up via Intune.
Since we have been using Windows 11, we have had some problems with a few ASR rules.
One example:
Block all Office applications from creating child processes does not work under Windows 11.
Now I have seen under the Security Recommendations that Intune is probably only possible for Windows 10.
Has anyone had similar experiences? And do I now have to completely rebuild my policies?
I would be very grateful for any input.
May 17 2024 06:59 AM - edited May 17 2024 07:24 AM
That's just a UI thing. The ASR you mentioned is supported on W11: https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#asr-rul...
May 21 2024 12:46 AM
Hi @Jordi_Koenderink, the problem is that even when I hunt for the ASRs in MS Defender, it shows that the setting Block all Office applications from creating child processes is off (there are 2 more settings). But according to our settings, this should not be the case. It also works on the Windows 10 devices, as set.
May 22 2024 10:57 AM
May 24 2024 02:53 AM - edited May 24 2024 02:59 AM
Yes, the notebooks are all in the same configuration group and all get the same settings.
On the Windows 10 devices, the three settings are set to Audit. On the Windows 11 devices, they are displayed as off.
See as an example a Win10 device and a Win11 device. The remaining settings are all the same.
See also the query in the screenshot.
Another query:
May 25 2024 08:44 AM - edited May 25 2024 08:44 AM
Are you sure the devices have had enough time to receive the ASR policy? Also, please show me a screen of the ASR.
Jun 05 2024 01:21 AM
Hi @Jordi_Koenderink, sorry for the late reply.
We've had the scenario for over 2 months now. That means there has definitely been enough time.
We have set the ASR to All Devices via the Defender Baseline:
Scoped to All Devices:
Jun 05 2024 03:18 AM
Jun 20 2024 01:04 AM
Sorry for the late reply.
All Settings and Baselines are Compliant on these Notebooks. In this case we are talking about over 150 Notebooks. All 150 Notebooks compliant and all have problems with these 3 ASRs on audit.
Does the audit setting of these ASRs simply not work in Windows 11?