Attack Surface Reduction (ASR) rules not showing any conflicts

Pavel yannara Mirochnitchenko 13,341 Reputation points MVP
2024-12-03T18:16:08.7466667+00:00

I am deeply testing some ASR scenarios and I discovered that if I create 2 different objects behind Endpoint Security, where one audits rule X and the other blocks rule X, the Intune monitoring does not show any conflict. While working just with rules, I see no conflicts (I try to cause them on purpose), but if I set up an OFF/ON conflict within Controlled Folders, I will see the conflict.

Just wondering, is that by design? I apply both Audit and Block rules to the All Devices collection (this is a test lab).


1 answer

  1. Pavel yannara Mirochnitchenko 13,341 Reputation points MVP
    2024-12-04T08:55:36.8266667+00:00

    I managed to get the conflict in monitoring by setting ALL ASR rules to block and in another to audit. The conflict appeared immediately. Now the question is why some specific rule does not cause it, but some other does. The single rule I played with before was the WMI & PSExec block, which did not cause a conflict.

    I also monitored local event logs with the ASR rules XML, and unfortunately that does not display the conflict coming from Intune policies.
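
An added example, not part of the original thread: when neither the Intune report nor the local event log shows the disagreement, the device can be asked which action Defender actually holds for each rule. The function name `Get-AsrEffectiveState` and the sample data are hypothetical; the GUID is the documented ID of "Block process creations originating from PSExec and WMI commands".

```powershell
# Added example (not from the thread): list the ASR action Defender holds per rule.
# Action codes as documented for Defender ASR rules.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Documented GUID of the PSExec/WMI process-creation rule tested in the thread.
$PsExecWmiRule = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

# Hypothetical helper: pairs the parallel ID/action arrays into objects.
function Get-AsrEffectiveState {
    param([string[]]$Ids, [int[]]$Actions)
    if ($Ids.Count -ne $Actions.Count) {
        throw "Rule ID count ($($Ids.Count)) and action count ($($Actions.Count)) differ"
    }
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        $name = $ActionNames[[int]$Actions[$i]]
        [pscustomobject]@{
            RuleId = $Ids[$i].ToLower()
            Action = if ($name) { $name } else { "Unknown ($($Actions[$i]))" }
        }
    }
}

if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    # On a Windows device with Defender: read the live configuration.
    $pref    = Get-MpPreference
    $ids     = $pref.AttackSurfaceReductionRules_Ids
    $actions = $pref.AttackSurfaceReductionRules_Actions
} else {
    # Constructed sample so the script also runs off-device.
    # The second GUID is a placeholder, not a real rule ID.
    $ids     = @($PsExecWmiRule, '00000000-0000-0000-0000-000000000001')
    $actions = @(2, 1)
}

$state = @(Get-AsrEffectiveState -Ids $ids -Actions $actions)
$state | Format-Table -AutoSize

# Report the one rule that was assigned both Audit and Block in the test.
$hit = $state | Where-Object { $_.RuleId -eq $PsExecWmiRule }
if ($hit) {
    "PSExec/WMI rule effective action: $($hit.Action)"
} else {
    "PSExec/WMI rule is not configured on this device"
}
```

Running it on a test device after each policy sync shows which of the two assignments, if either, reached the endpoint.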

