When was the last time you tried to implement something new from the security recommendations, such as ASR, on a production tenant?
I got a task to implement something new: ASR and Security Baselines. I know those topics are urgent and not easy to deploy; they need careful thought, especially about settings and conflicts.
So I started by reviewing the configuration and adjusting it to the customer's requirements. The Security Baselines looked correct and were adjusted accordingly. They were deployed to the test ring with no issues.
Next I was asked to deploy the ASR (Attack Surface Reduction) rules. They had been implemented earlier in audit mode, but the requirement was to configure them in block mode.
So the old policies were unassigned from the test ring and new policies were created in block mode and assigned to the test ring. Everything looked fine: the Intune report showed the new settings as applied to the device.
But…
After that, I decided to use an open source script (Office365/win10-asr-get.ps1 at master · directorcia/Office365) to check the policies on my device. And the report didn't look good.
Not found? Why? I'm quite sure that I configured the block action, so why is it not found?
After many hours of investigation and checking Event Viewer for additional information, I found this:
New value is empty? What the hell?
The next hours were spent trying to find the issue. GPO maybe? It is a hybrid environment, so that was a point worth checking.
But not this time. Nothing in GPO. Ufff.
So what then? The policies in Intune were properly configured. I changed them to audit and back to block, with no change.
And finally, there was a small idea!
There are Security Baselines configured! Worth checking...
And yes, the MDfE Security Baseline contains the rules responsible for ASR.
So you can enable ASR in BOTH places, and Intune will not report a conflict.
Because of my mistake during the initial configuration I lost multiple hours investigating that issue, but Intune should report a conflict in the policies.
This is what the properly configured settings for ASR look like after I found the issue.
So below is a brief summary:
Always double-check the policies you are configuring, especially when policies were implemented earlier.
In this case, ASR was configured to Audit in the Security Baseline, but I wanted to use it in Block mode. That was the reason why the system configured it with an empty value instead of Block.
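One way to run that double-check on the device itself, as an added example that is not the original post's code nor the directorcia script: it reads the effective ASR rule actions from Microsoft Defender Antivirus via Get-MpPreference, flags every rule that is not in Block mode (Audit, Disabled, or not found), and then pulls the Defender configuration-change events (ID 5007) whose "New value" text shows what the device actually received. The rule GUID table is a subset of the published ASR rule list and is assumed for readability; the ASR text match on the event message is also an assumption.

```powershell
# Added example: report effective ASR rule state on the local device and the Defender
# configuration-change events that delivered it. Assumes Windows 10/11 with Defender AV.
# Subset of published ASR rule GUIDs (names are for readability only).
$RuleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
}
# Action codes as stored in AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # Pair each configured rule id with its action code (ids are compared case-insensitively)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToLower()] = [int]$actions[$i] }
    foreach ($id in $RuleNames.Keys) {
        if ($configured.ContainsKey($id)) {
            $code   = $configured[$id]
            $action = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown ($code)" }
        } else {
            $action = 'Not found'   # rule not present on the device at all, as in the post
        }
        [pscustomobject]@{ RuleId = $id; Name = $RuleNames[$id]; Action = $action }
    }
}

# Rules expected to be Block but reported as anything else
Get-AsrRuleState | Where-Object { $_.Action -ne 'Block' } | Format-Table -AutoSize

# Defender configuration-change events (ID 5007) that touched ASR settings; the "New value"
# line is where an empty value caused by overlapping policies becomes visible.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ASR' } |
    Select-Object TimeCreated, Message | Format-List
```

Run it on a device in the test ring before and after assigning the policy; a rule that the Intune report shows as applied but that lands here as Not found or Audit points to a second policy (such as the Security Baseline) setting the same rule.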