Forum Discussion
Solved
ASR: Block abuse of exploited vulnerable signed drivers
Hey there, I am seeing a recommendation to apply the ASR Rule as listed above. It looks like a fairly new edition to the series of 16 ASR rules that can be configured. However, on closer insp...
James_Gillies we have not added this ASR Rule to the MEM ASR rule configuration profile. We have plans to add this configuration option so you don't have to use OMA-URIs so stay tuned.
Thanks,
Jake
Jake_Mowrer
Microsoft
MicrosoftJames_Gillies we have not added this ASR Rule to the MEM ASR rule configuration profile. We have plans to add this configuration option so you don't have to use OMA-URIs so stay tuned.
Thanks,
Jake
- Where is this? This is getting silly.
What is the problem with this setting?
I can see the policy just fine:
Try recreating the policy if you cannot see it inside of an old one.
- I have come across the same issue and in 2023 there is still no option to add this. Intune configuration policies are turning into a hot mess.
Jake_Mowrer when is this coming?
- Hi Jake, our customers and us are also very interested in having this in the UI.
The initial request was already half a year ago. 😉 - Jake_Mowrer In our experience neither the OMA-URIs or PowerShell command to enable this ASR rule work when deployed using Intune and Tamper Protection is enabled in MSDE. All although ASR rules have been applied successfully using the MEM ASR rule configuration profile.
- I have the same experience, I have all other ASR rules set in an Endpoint Security policy and when trying to enable this rule via any method it simply doe snot work and the vulnerability recommendation stays. Seems that if there was a plan to add this to the WebGUI as stated above in October 2021 is should be here by now??
robert_welsofd we recently managed to resolve this by removing all ASR rules from Endpoint Security as well as any ASR rules included under a Security Baseline profile and then used a Configuration Profile (Settings Catalog) to define all 16 (from recollection) ASR rules. After about 24/48 hours we then saw a significant improvement under MDE Security Recommendations and after 3-5 days we had 100% compliance on all ASR rules for all devices.
It appears to me that Configuration Profiles (Settings Catalog) are much more reliable at enforcing these controls than the GUI provided under Endpoint Security which is supposed to make management easier.
Hope this helps as it worked for us and we have now successfully rolled this out to a number of customers and now have a Device Secure Score of over 90% (our goal is to get a 90% score across all 3 categories in Secure Score)
I am happy to share screen clips etc if it helps so just reach out
Note- the key (and where we got stuck) was all ASR rules need to be defined in a single place and if you don’t remove the ASR rules from Security Baseline and Endpoint Security then the Configuration Profile did not appear to take affect and was trumped by one of the other policies
- That should have said "All other ASR rules have been applied successfully using the MEM ASR rule configuration profile."
- We are also waiting for this ASR rule, any news on this?
- Jake_Mowrer - we are also very keen for this ASR rule to be added to the MEM ASR Config Profile and don't want to start implementing OMA-URIs to remediate security recommendation in MSDE
Jake_Mowrer Hi Jake, any ideas on when this rule might be added to InTune? Thank you.
- Thanks Jake, that's great news. Will keep an eye on the MEM ASR rule configuration profile / announcements!
