Microsoft keeps surfacing opportunities to configure ASR rules, to the point that now it’s confusing where you should configure them! Where should you configure ASR rules? I had this question, so I asked a contact in Endpoint Management at Microsoft.
Attack Surface Reduction (ASR) rules are the single best thing you can configure to limit device vulnerability. In EndPoint Manager you can now configure them in Device/Configuration Profiles, Security baselines or from the new Manage menu item. So which one should you choose?
I use my own production tenant to test new configurations because then I have a close to real-world sample of what the impact is going to be before we roll it out to clients. Initially I had trouble with the Security baselines and we found them overly-restrictive for day-to-day work and difficult to manage. I then moved to Configuration Profiles which is now our preferred method. For ASR though, Microsoft suddenly surfaced it into the Manage menu and when I clicked on it I found it to not be a view of the policies I had already deployed but rather a whole new place to configure and manage ASR.
Because I like to experiment with new methods I moved all of our ASR rules over to this new place. But then I wondered, if I’m already using Configuration Profiles to manage ASR should I now be managing them here instead?
One ASR rule or one rule for each ASR?
Also previously I had ONE ASR configuration policy that configured the whole set. This new ASR location seemed to want me to create a policy for each ASR rule individually. Was I reading that right?
I leveraged my MVP status and ability to reach into Microsoft to chat with program managers and developers and asked the question. The answer came back as Yes, I read that right. This is a space for creating ASR rules individually for ease of on-going management and troubleshooting.
So now this is what my ASR rules look like. You can migrate to this new location at your leisure. The other ways aren’t wrong, they just aren’t preferred anymore.
It seems as if Microsoft is releasing more and more ASR rules, so I think that this approach makes sense. This way will be easier to troubleshoot and apply the rules in the granular method that you might need for different work areas.
If you like this content please join our Endpoint Manager, Lighthouse & Defender group. https://www.facebook.com/groups/endpointmanager
All we do is support IT professionals. Microsoft 365 technical assistance, Super Secret News, Security community, MSP Legislation community, EndPoint, Defender and Lighthouse community, Peer groups, Kits, papers, Business consulting and more. https://www.thirdtier.net
2 thoughts on “Where should you configure ASR rules?”
Good idea here. I set this up for us but leaving unused settings in each individual ASR rule as “Not Configured” (as well as in the baseline itself) may be overriding those set to “Block”, resulting in compliance errors. Can anyone shed light on this? “Not Configured” actually seems to mean default which is generally “Disabled”.