Windows Defender Attack Surface Reduction (ASR) Rules not staying enabled when deployed via Intune

What are ASR rules?

You may have noticed that some of the available configurations for Defender for Endpoint revolve around something called Attack Surface Reduction rules. But what are these?

The short version is that ASR rules lock down your device so that un-needed functions cannot be used to exploit vulnerabilities. An example of this would be blocking Office from launching child processes.

A great example of the usefulness of these rules would be the above rule being an effective mitigation against CVE-2022-30190 also known as “Follina”, as it would prevent the launch of MSDT by the Word process.

More info about the ASR rules can be found here: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide

Intune and ASR errors

People have noticed that when deploying a set of ASR rules via Intune that include the rule “Block abuse of exploited vulnerability signed drivers” that you will receive an error and none of the ASR rules will apply correctly.

Checking the events on one of the effected devices will show the below which indicates the registry key is not being set correctly:

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\Windows Defender Exploit Guard\ASR\Rules\75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 = 0x1
New value:

Strangely this does not appear to be an issue if the setting is applied via GPO.

What about devices where GPO is not an option?

Although setting the policies via GPO is an option in some situations, for devices such as those that are Azure-AD joined we can not rely on GPO.

For these devices we can use a workaround to apply the policy until Microsoft fix the issue with the “Block abuse of exploited vulnerability signed drivers” rule.

The work around involves applying the rule via Local Group Policy Manager. By applying this rule via this method the conflict between the this and the rules pushed out via Intune can be avoided.

Lets talk about how to push this configuration change out via intune though, as we need to make use of another tool to allow us to script this change on a larger scale.

Intune Script to apply “Block abuse of exploited vulnerability signed drivers” local policy

Lets start creating our script to apply our rule via Local Group Policy.

For this we’re going to need something to allow PowerShell to interface with Local Group Policy. This tool is:

https://github.com/dlwyatt/PolicyFileEditor

The above PowerShell module is a great creation and is going to do most of the heavy lifting in our script.

Lets break down the script below

$MachineDir = "$env:windir\system32\GroupPolicy\Machine\registry.pol"
$UserDir = "$env:windir\system32\GroupPolicy\User\registry.pol"

Install-Module -Name PolicyFileEditor -Force

The above section sets our Local Policy locations for use later and installs our module mentioned above

$RegPath1 = 'Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
$RegName1 = 'ExploitGuard_ASR_Rules'
$RegData1 = '1'
$RegType1 = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath1 -ValueName $RegName1 -Data $RegData1 -Type $RegType1

$RegPath2 = 'Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$RegName2 = '56a863a9-875e-4185-98a7-b882c64b5ce5'
$RegData2 = '1'
$RegType2 = 'String'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath2 -ValueName $RegName2 -Data $RegData2 -Type $RegType2

These two sections above create our ASR rule as needed. The first sections sets the policy to enable ASR rules. The second section corresponds to the GUID for the “Block abuse of exploited vulnerability signed drivers” rule and is used to enable this specific rule.

To implement this, save the whole script and deploy via Intune as needed. After the script has ran and the device has checked in with Defender you should notice your recommendations/secure score update to reflect this.

Leave a Reply

Your email address will not be published.