I have Attack surface reduction

Muhammad Zeeshan 100 Reputation points
2024-04-16T07:16:22.6433333+00:00

I have created two rules in ASR. In one rule I have set audit, and in the other rule I have set block, for the same configuration:

Block executable files from running unless they meet a prevalence, age, or trusted list criterion

But when I see the report from Defender, it shows Off.

So is it set to be only one, either audit or block, for the same device?

Microsoft Security | Intune | Security
Microsoft Security | Microsoft Defender | Microsoft Defender for Identity
Microsoft Security | Intune | Other

1 answer

  1. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2024-04-16T08:20:56.5166667+00:00

    @Muhammad Zeeshan, Thanks for posting in Q&A. In general, Attack surface reduction rules support a merger of settings from different policies, to create a superset of policy for each device. Settings that aren't in conflict are merged, while settings that are in conflict aren't added to the superset of rules.

    And it is not recommended to set both audit and block mode for the same rule on the same device. This can cause conflicts and unexpected behavior. It's best to choose one mode or the other for each rule on each device. If you want to test a rule before enabling it, it's recommended to use audit mode first.

    https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy#devices-managed-by-intune

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
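
The merge behaviour described in the answer above, as an added example that is not part of the original thread and not Microsoft's code: a small Python model that takes the ASR settings of every policy assigned to one device, builds the superset, and lists the rules left out because the policies disagree. The policy names and sample data are constructed, and the model implements only the rule stated in the answer (agreeing settings merge, conflicting settings are dropped).

```python
from collections import defaultdict

# Rule ID for "Block executable files from running unless they meet a
# prevalence, age, or trusted list criterion" (Microsoft's ASR rule reference).
PREVALENCE_RULE = "01443614-cd74-433a-b99e-2ecdc07bfc25"
# "Block all Office applications from creating child processes", used here
# only to show a setting that does not conflict.
OFFICE_CHILD_RULE = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"

# Constructed sample: two policies assigned to the same device
# (policy names are hypothetical).
POLICIES = {
    "ASR-Audit-Policy": {PREVALENCE_RULE: "audit"},
    "ASR-Block-Policy": {PREVALENCE_RULE: "block", OFFICE_CHILD_RULE: "block"},
}


def merge_asr_policies(policies):
    """Model the per-device merge of ASR rule settings.

    Returns (superset, conflicts):
      superset  -- rule_id -> mode, for rules all policies agree on
      conflicts -- rule_id -> {mode: [policy names]}, for rules left out
    """
    seen = defaultdict(lambda: defaultdict(list))
    for name, rules in policies.items():
        for rule_id, mode in rules.items():
            # GUIDs and mode names are compared case-insensitively.
            seen[rule_id.lower()][mode.lower()].append(name)

    superset, conflicts = {}, {}
    for rule_id, modes in seen.items():
        if len(modes) == 1:
            superset[rule_id] = next(iter(modes))
        else:
            conflicts[rule_id] = {m: sorted(p) for m, p in modes.items()}
    return superset, conflicts


if __name__ == "__main__":
    merged, dropped = merge_asr_policies(POLICIES)
    for rule_id, mode in merged.items():
        print(f"merged   {rule_id} -> {mode}")
    for rule_id, modes in dropped.items():
        print(f"CONFLICT {rule_id}: {modes}")
```

Running a check like this over the policies assigned to a device group before deployment shows which rules need a single mode chosen.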

