ASRs via Intune not working (only on Windows 11 Clients)


We have been using some ASR rules in our company for a longer period of time. We have set these up via Intune.
Since we have been using Windows 11, we have had some problems with a few ASR rules.

One example:

Block all Office applications from creating child processes does not work under Windows 11.

 

Now I have seen under the Security Recommendations that Intune is probably only possible for Windows 10.

 

2024-05-17_13h19_35.png


Has anyone had similar experiences? And do I now have to completely rebuild my policies?

I would be very grateful for any input.

 

8 Replies

That's just a UI thing. The ASR you mentioned is supported on W11: https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#asr-rul...

Hi @Jordi_Koenderink, the problem is that even when I hunt for the ASRs in MS Defender, it shows that the setting Block all Office applications from creating child processes is off (there are 2 more settings). But according to our settings, this should not be the case. It also works on the Windows 10 devices, as set.

Not sure what you're saying here. The ASR is showing as Off in the Advanced Hunting tab but you set it to On regardless? If so, what does your query look like?

Yes, the notebooks are all in the same configuration group and all get the same settings.
On the Windows 10 devices, the three settings are set to Audit. On the Windows 11 devices, they are displayed as off.
See as an example a Win10 device and a Win11 device. The remaining settings are all the same.
See also the query in the screenshot.

 

Query.png

Another query:

david0K_0-1716544761947.png

 

Are you sure the devices have had enough time to receive the ASR policy? Also, please show me a screen of the ASR.

Hi @Jordi_Koenderink, sorry for the late reply. 

We've had the scenario for over 2 months now. That means there has definitely been enough time.

We have set the ASR to All Devices via the Defender Baseline:

2024-06-05_10h17_02.png

2024-06-05_10h16_56.png

 

 Scoped to All Devices:

2024-06-05_10h18_10.png

What is the policy compliance state of the baseline and on the devices in question? Are the devices Hybrid or Entra ID only?

Hi @rahuljindal-MVP 

Sorry for the late reply.
All Settings and Baselines are Compliant on these Notebooks. In this case we are talking about over 150 Notebooks. All 150 Notebooks compliant and all have problems with these 3 ASRs on audit.

Does the audit setting of these ASRs simply not work in Windows 11?
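
Added example, not part of the thread or written by any of its participants: a PowerShell check to run locally on one Windows 10 and one Windows 11 client, listing the ASR rules and modes Defender has actually applied so the device state can be compared with what Advanced Hunting reports. The rule GUID and the numeric action values come from Microsoft's ASR documentation, not from the posts.

```powershell
# Added example: read the ASR state Defender has applied on this device.
# Run in an elevated PowerShell session on each client and compare the output.

# GUID of "Block all Office applications from creating child processes"
# (from Microsoft's ASR rules reference; it does not appear in the thread).
$OfficeChildProcRule = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'

# Numeric action values as documented for Defender ASR rules.
$ActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$pref = Get-MpPreference

# Ids and Actions are parallel arrays: Actions[i] is the mode of Ids[i].
# Null entries are filtered from Ids only; an action of 0 must be kept.
$ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions)

$rules = for ($i = 0; $i -lt $ids.Count; $i++) {
    $value = [int]$actions[$i]
    [pscustomobject]@{
        RuleId = $ids[$i].ToLower()
        Action = if ($ActionNames.ContainsKey($value)) { $ActionNames[$value] } else { "Unknown ($value)" }
    }
}

"{0} (build {1}): {2} ASR rule(s) configured" -f $os.Caption, $os.BuildNumber, $ids.Count
$rules | Sort-Object RuleId | Format-Table -AutoSize

$office = $rules | Where-Object RuleId -eq $OfficeChildProcRule
if (-not $office) {
    Write-Warning "Rule $OfficeChildProcRule is not present in the local Defender configuration."
} else {
    "Office child-process rule is set to: $($office.Action)"
}

# Event 1122 = rule fired in audit mode, 1121 = rule blocked,
# 5007 = Defender configuration changed (shows when a policy was written).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 5007
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If the rule shows as Audit here but as off in the portal, the discrepancy is in reporting; if it is missing or Off locally, the policy is not being applied to that device.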