I'm working with a client who has 14 Attack Surface Reduction (ASR) rules applied to their computer, but only 6 of these are showing up in Intune. It's puzzling because I also noticed that there are no ASR configurations in Intune's endpoint security under security baselines, and the same goes for MDE—there's nothing listed in the configuration management's enforcement scope. I have the setting to enforce security config from Intune turned on, yet I can't find where these additional policies are coming from. I'm really stuck and would appreciate any guidance on this issue!
3 Answers
Have you checked the Endpoint Security section under Attack Surface Reduction? If nothing shows up there, it might be an indication that the policies are being applied from another source.
It might be worth checking for local policies that could be adding these rules. Sometimes users run things that modify the registry directly. A good spot to look is `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules`.
You could try resetting the policies using PowerShell to see if they get reapplied. Excluding the client from all Intune policies temporarily might also help to identify how these settings are being enforced.
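One way to carry out the registry check suggested above is to list every ASR rule Defender reports as effective and mark which policy store contains it. This is an added example, not part of the original answers; the `Policy Manager` key and its `ASRRules` value format are assumptions about where MDM-delivered rules are stored.

```powershell
# Added example: attribute each effective ASR rule to the policy store that holds it.
# Run in an elevated PowerShell session on the affected client.
$gpoKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
# Assumption: MDM-delivered rules are stored here as one "guid=action|guid=action" string.
$mdmKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
$mdmValue = 'ASRRules'

function Get-GpoAsrRules {
    # Each value name under the key is a rule GUID; the data is the action.
    $rules = @{}
    if (Test-Path $gpoKey) {
        $item = Get-Item -Path $gpoKey
        foreach ($name in $item.GetValueNames()) {
            if ($name) { $rules[$name.ToLower()] = [string]$item.GetValue($name) }
        }
    }
    return $rules
}

function Get-MdmAsrRules {
    $rules = @{}
    $raw = (Get-ItemProperty -Path $mdmKey -Name $mdmValue -ErrorAction SilentlyContinue).$mdmValue
    if ($raw) {
        foreach ($pair in ($raw -split '\|')) {
            $id, $action = $pair -split '=', 2
            if ($id) { $rules[$id.Trim().ToLower()] = $action }
        }
    }
    return $rules
}

$gpo     = Get-GpoAsrRules
$mdm     = Get-MdmAsrRules
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions)

for ($i = 0; $i -lt $ids.Count; $i++) {
    $id     = ([string]$ids[$i]).ToLower()
    $source = @()
    if ($gpo.ContainsKey($id)) { $source += 'Policies registry key (GPO or direct write)' }
    if ($mdm.ContainsKey($id)) { $source += 'MDM Policy Manager key' }
    if (-not $source)          { $source  = @('not in either policy key') }
    [pscustomobject]@{
        RuleId          = $id
        EffectiveAction = $actions[$i]   # 0 = off, 1 = block, 2 = audit, 6 = warn
        Source          = $source -join ', '
    }
}
```

Rules reported as "not in either policy key" were set somewhere other than these two locations, so they are the ones to chase further.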
