Forum Discussion
James_Gillies
Oct 08, 2021, Brass Contributor
ASR: Block abuse of exploited vulnerable signed drivers
Hey there, I am seeing a recommendation to apply the ASR rule listed above. It looks like a fairly new addition to the series of 16 ASR rules that can be configured. However, on closer insp...
- Oct 13, 2021
James_Gillies we have not added this ASR Rule to the MEM ASR rule configuration profile. We have plans to add this configuration option so you don't have to use OMA-URIs so stay tuned.
Thanks,
Jake
LG-Niceguy
Jun 28, 2022, Copper Contributor
James_Gillies Has there been an update to this, and does the new mdmsense version work correctly? I have matched both policies and was thinking about switching to the new one. Does anyone have experience with the results of doing this?
- mcoombe, Jun 28, 2022, Brass Contributor
We switched our ASR policy over to the new "modern" MEM policies that target mdm and MicrosoftSense about 1 month ago. MEM-enrolled devices successfully receive the policies; however, devices like servers that are only enrolled in MDE (MicrosoftSense) do not yet receive these policies, and we have had to use our RMM tools to deploy the ASR policies via PowerShell. Hopefully in the future devices that are only MDE-enrolled will also get these policies (as the target of mdm,microsoftsense suggests they should).
- PatrickF11, Jun 29, 2022, Steel Contributor
mcoombe Are your servers correctly hybrid joined? This is a prereq.
- mcoombe, Jun 29, 2022, Brass Contributor
We are using the new MDE Security Configuration Management, which is supposed to deploy MEM policies for AV and FW to devices that are only enrolled in MDE with the Microsoft Sense service installed. So far both the AV and FW policies are working fine on MDE-only devices such as servers and endpoints that are not enrolled in MEM (AAD Joined or Hybrid Joined), but the ASR policies are not being deployed to these same machines. The documentation does not yet state that ASR is included under this configuration, and I am just assuming this is on the roadmap, as the target for the new ASR policy states mdm,microsoftSense (same as the AV and FW policies that work). 🤞
https://docs.microsoft.com/en-us/mem/intune/protect/mde-security-integration
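For the MDE-only servers mcoombe describes, where the MEM ASR policy is not arriving and the rule has to be pushed through an RMM tool, the following PowerShell is an added example (not code from this thread or from Microsoft) of deploying and verifying the single rule the thread is about, "Block abuse of exploited vulnerable signed drivers". The rule GUID is Microsoft's published ID for that rule; the OMA-URI shown in the comments is the one Jake's reply refers to as the workaround before the MEM profile exposed the rule. The script assumes it runs elevated on a Windows device with Microsoft Defender Antivirus active.

```powershell
# Added example, not part of the original thread.
# Deploy the ASR rule "Block abuse of exploited vulnerable signed drivers"
# locally (e.g. via an RMM tool) and verify that it took effect.

# Microsoft's published rule ID for this ASR rule.
$RuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'

# Start with 'AuditMode' to see what would be blocked, then switch to 'Enabled'.
# Valid values for -AttackSurfaceReductionRules_Actions: Disabled, Enabled, AuditMode, Warn.
$Mode = 'AuditMode'

# Equivalent MEM custom OMA-URI (from Jake's reply: the pre-profile route):
#   ./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
#   Value: 56a863a9-875e-4185-98a7-b882c64b5ce5=1   (1 = block, 2 = audit, 6 = warn)
# Note: if a MEM/MDM policy later manages ASR on this device, the managed
# setting takes over and this local preference is no longer authoritative.

# Add-MpPreference merges this rule into the existing rule set; it does not
# remove other rule IDs already configured on the device.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions $Mode

# Verify. Get-MpPreference returns two parallel arrays: rule IDs and their
# actions (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

$found = $false
for ($i = 0; $i -lt $ids.Count; $i++) {
    # GUID comparison is case-insensitive on purpose.
    if ($ids[$i] -ieq $RuleId) {
        $found = $true
        Write-Output ("Rule {0} is configured with action {1}" -f $RuleId, $actions[$i])
    }
}
if (-not $found) {
    Write-Warning "Rule $RuleId is not present in the local ASR preference set."
}

# Evidence that the rule is actually firing: Defender logs event 1121 (block)
# and 1122 (audit) in its Operational log, with the rule ID in the message.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id, Message
```

Run it in audit mode for a cycle first and review the 1122 events before switching `$Mode` to `Enabled`; a driver that legitimate tooling (backup agents, hardware utilities) loads will show up there, and that is the point at which the thread's "one policy only" advice matters, since a second MEM policy or a local override touching the same rule can leave the device in an unexpected state.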
- LG-Niceguy, Jun 28, 2022, Copper Contributor
mcoombe I have noticed that I am currently seeing all of my devices with a check-in status of error. I will give it 24 to 48 hours to clear up. I know all of the rules are matched to the same settings as the old policy. I think it is odd that if all worked fine on the old MDM policy, they would not work fine on the new MDM, MicrosoftSense policy. This can be so frustrating.
- mcoombe, Jun 29, 2022, Brass Contributor
You could try using MEM / Monitor / Assignment Failures to see if you can find more detail on the error or on conflicts with other policies trying to apply the same settings. We have found in our testing for ASR that you can only have one policy that defines the ASR rules; even if you have two policies that are identical, one or both will not work.
https://devicemanagement.portal.azure.com/?ref=AdminCenter#blade/Microsoft_Intune_DeviceSettings/DevicesMonitorMenu/assignmentFailures
- youseeme, Jun 28, 2022, Copper Contributor
Hi, I swapped our policies over into a new mdmsense Intune policy; it seems to work fine, with no issues so far. The change was made about 2 weeks ago now.
- LG-Niceguy, Jun 28, 2022, Copper Contributor
I am happy to hear that. I will give it a try.