ASR: Block abuse of exploited vulnerable signed drivers

Hey there,


I am seeing a recommendation to apply the ASR Rule as listed above. It looks like a fairly new addition to the series of 16 ASR rules that can be configured.


However, on closer inspection there doesn't yet appear to be an Intune/Endpoint Manager option to add this under the standard Endpoint Security / Attack Surface Rules section.


There's an "Intune name" and a GUID but... I don't want to push this out via a MEM OMA-URI, it fractures where all the policies are kept and makes things messy.


Can I ask when it is expected to have this baked into the main Attack Surface Reduction rules section?


Seems a bit daft to make recommendations to implement the setting across all your endpoints when it's not as easy as all the other rules to actually implement?


Thanks very much.



3 Replies

@James_Gillies I just got through the same path. You are right, this rule is not present in the WebGUI but it is still configurable. Here's a good blog post about this: Configuring ASR Rules in Intune and how to automate it with PowerShell


best response confirmed by James_Gillies (Occasional Contributor)

@James_Gillies We have not added this ASR Rule to the MEM ASR rule configuration profile. We have plans to add this configuration option so you don't have to use OMA-URIs, so stay tuned.




Thanks Jake, that's great news. Will keep an eye on the MEM ASR rule configuration profile / announcements!