I was recently working with a client that had deployed ASR rules across the organisation, through Microsoft Intune policy. They were set to a mix of audit and block mode.

While this had been working well in the past, it soon became clear that all devices had reverted to ‘off’ mode. The ASR rules were no longer applying.

As it transpired, Intune handles ASR rule configuration a little differently from regular policy: if the same rules are configured in two or more places (for example, in both a Security Baseline policy and an Attack Surface Reduction Rules policy), the most restrictive setting does not win and no conflict is flagged; the device simply falls back to ‘off’.

While troubleshooting the issue, I needed a quick snapshot view of the status of all devices, before and after remediating the policies so that they only existed in one place.

Use the following Advanced Hunting query to list every Windows device in the tenant, with each ASR rule and its configured state shown in the same row.

DeviceTvmInfoGathering
| where OSPlatform startswith "Windows"   // filter early: ASR rules only apply to Windows devices
| extend ASR = parse_json(AdditionalFields.AsrConfigurationStates)
| project DeviceName, LastSeenTime, OSPlatform, ASR
| evaluate bag_unpack(ASR)   // one column per ASR rule GUID; the value is that rule's configured state
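To turn two runs of that query into the before/after snapshot comparison described above, here is an added Python example (not from the original post) that flags devices where every rule reports ‘off’ and diffs the state of each rule between the two exports. It assumes the rows are shaped like the bag_unpacked query output, that the rule-state values follow Defender's numeric encoding ("0" off, "1" block, "2" audit, "6" warn), and uses placeholder rule GUIDs rather than real ASR rule IDs.

```python
# Constructed sample rows shaped like the bag_unpacked query output exported from
# Advanced Hunting. "RULE-GUID-A"/"RULE-GUID-B" are placeholders, not real ASR rule IDs.
# Assumed state encoding (adjust if your tenant reports differently):
STATE_NAMES = {"0": "off", "1": "block", "2": "audit", "6": "warn"}
META_COLUMNS = {"DeviceName", "LastSeenTime", "OSPlatform"}

BEFORE_REMEDIATION = [
    {"DeviceName": "ws01", "OSPlatform": "Windows11",
     "RULE-GUID-A": "0", "RULE-GUID-B": "0"},   # conflicting policies: everything off
    {"DeviceName": "ws02", "OSPlatform": "Windows10",
     "RULE-GUID-A": "0", "RULE-GUID-B": "2"},
]
AFTER_REMEDIATION = [
    {"DeviceName": "ws01", "OSPlatform": "Windows11",
     "RULE-GUID-A": "1", "RULE-GUID-B": "2"},
    {"DeviceName": "ws02", "OSPlatform": "Windows10",
     "RULE-GUID-A": "1", "RULE-GUID-B": "0"},   # one rule still off after the fix
]


def rule_states(row):
    """Return {rule_guid: state_name} for one exported row, ignoring device metadata."""
    return {k: STATE_NAMES.get(v, f"unknown({v})")
            for k, v in row.items() if k not in META_COLUMNS}


def devices_all_off(rows):
    """Devices where every reported rule is 'off': the symptom of duplicated Intune config."""
    return sorted(r["DeviceName"] for r in rows
                  if (s := rule_states(r)) and all(v == "off" for v in s.values()))


def diff_snapshots(before, after):
    """Per device, map each rule whose state changed to (old_state, new_state)."""
    previous = {r["DeviceName"]: rule_states(r) for r in before}
    changes = {}
    for row in after:
        name = row["DeviceName"]
        old, new = previous.get(name, {}), rule_states(row)
        delta = {g: (old.get(g, "missing"), new[g]) for g in new if old.get(g) != new[g]}
        if delta:
            changes[name] = delta
    return changes


if __name__ == "__main__":
    print("all rules off before:", devices_all_off(BEFORE_REMEDIATION))
    print("all rules off after: ", devices_all_off(AFTER_REMEDIATION))
    for device, delta in diff_snapshots(BEFORE_REMEDIATION, AFTER_REMEDIATION).items():
        print(device, delta)
```

In practice, replace the two constructed lists with the rows exported from the query before and after consolidating the ASR policies into a single place.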