In this section, I would like to discuss one of MDE's important sets of settings and how to set them up, namely ASR rules, or Attack Surface Reduction rules. As the name implies, they help close security holes on the device.
Some notes on ASR rules to keep handy. ASR rules are supported on:
- Windows 10 Pro, version 1709 or later
- Windows 10 Enterprise, version 1709 or later
- Windows Server, version 1803 (Semi-Annual Channel) or later
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2022
To use the entire set of rules, you need the following:
- Windows Defender Antivirus as primary AV (real-time protection on)
- Cloud-Delivery Protection on (some rules require that)
- Windows 10 Enterprise E5 or E3 License
Key settings of an ASR rule
- Not configured | Disabled: Disable the ASR rule
- Block: Enable the ASR rule
- Audit: Evaluate how the ASR rule would impact your organization if enabled
- Warn: Enable the ASR rule but allow the end user to bypass the block
Warn mode is not supported for three ASR rules when you configure ASR rules in Microsoft Endpoint Manager (MEM).
If both an MDM policy and a Group Policy configure the same rule, the MDM setting takes precedence.
Although there are a few ways to set up ASR rules, I will look at how to configure the rules using Microsoft Endpoint Manager (MEM).
It is advisable to enable the ASR rules in audit mode first so you will not run into issues. You can understand the behavior, see what gets blocked, and judge whether it is legitimate activity or the action of a bad actor. Once you have a better view, go ahead and enable them as active (block) rules.
How to configure ASR rules from MEM’s Endpoint Security node?
While you have many options to set up ASR rules within Intune and MEM, I would like to explore the Endpoint Security node in MEM.
For this method to work, the devices should be Hybrid AAD or AAD Joined and must be enrolled in Intune.
Attack Surface Reduction rules can be found under the Manage section in Endpoint Security.
From here go to Create Policy, select Windows 10 and later as the Platform and Attack Surface Reduction Rules as the Profile, and hit Create.
From there give a meaningful name and select Next
Now you will see all the ASR rules in one place.
If you hover your mouse over the little information icon next to a rule, you can learn more about that individual rule.
Set your rules as required
You will be presented with all 4 key settings for the rule that we saw above.
Set to Audit to test the rule and set the required rules and press Next
Add Scope Tags if required
In the next step, set the device assignment with the relevant Device Groups.
When you are done, press Next and Create to complete the steps.
How to Audit ASR rules
Go to https://security.microsoft.com, then Hunting > Advanced Hunting, and run the KQL query below to see the ASR events (ASR events live in the DeviceEvents table, and their ActionType values all start with "Asr"):
DeviceEvents
| where ActionType startswith "Asr"
If there are any results, they will list down in the Results tab.
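The one-line query above returns every raw ASR event, which gets noisy quickly in audit mode. The following query is an added example and is not from the original post; it summarises the last seven days of ASR events per rule and per mode so you can see which rules would generate the most blocks before you switch them from Audit to Block. It assumes the standard DeviceEvents schema in Advanced Hunting (Timestamp, ActionType, DeviceId, DeviceName, FileName, InitiatingProcessFileName) and that audit-mode ActionType values end in "Audited" while enforced ones end in "Blocked".

```kql
// Added example, not from the original post.
// Assumes the standard DeviceEvents schema and the "Audited"/"Blocked" suffix convention.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
// Separate audit-mode hits from real blocks so audit noise can be reviewed on its own
| extend Mode = case(ActionType endswith "Audited", "Audit",
                     ActionType endswith "Blocked", "Block",
                     "Other")
// Strip the mode suffix to get a stable rule name for grouping
| extend Rule = replace_regex(ActionType, @"(Audited|Blocked)$", "")
| summarize Events       = count(),
            Devices      = dcount(DeviceId),
            SampleDevices = make_set(DeviceName, 5),
            SampleFile   = any(FileName),
            SampleParent = any(InitiatingProcessFileName)
          by Rule, Mode
| order by Events desc
```

Run it once with the rules in Audit mode and look at the rows with the highest Events count: a rule that fires thousands of times from a line-of-business application (visible in SampleParent and SampleFile) needs an exclusion or a longer audit period, while a rule with a handful of events from unexpected processes is worth a closer look before enabling it.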
You can also go to Reports in the same Defender portal, select Attack Surface Reduction Rules, and check the summary graph under Detections.
If you go to the Configuration tab, you will see the device-based settings and what has been captured by the rules.
What is the Warn mode?
In this mode a "toast notification" appears on the desktop when an ASR rule blocks a malicious activity or file. However, the user can still choose Unblock and carry on with the same activity and any further actions.
ASR rules can be your best pal or your greatest enemy: a powerful tool to close security holes, or a source of poor user experience. Audit and test first, and enable a rule only when you are 100% aware of its behavior.