Block Vulnerable Signed Drivers Using Intune ASR Rules

In this post, you will learn how to Block Vulnerable Signed Drivers Using Intune ASR Rules. Attack surface reduction rules (ASR rules) help prevent actions that malware often abuses to compromise devices and networks.

This rule prevents an application from writing a vulnerable signed driver to disk. In the wild, vulnerable signed drivers can be exploited by local applications that have sufficient privileges to gain access to the kernel.

Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise. The Block abuse of exploited vulnerable signed drivers rule doesn’t block a driver already existing on the system from being loaded.

Patch My PC

Use audit mode to evaluate how attack surface reduction rules would affect your organization if enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications.

Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without reducing productivity.

Block Vulnerable Signed Drivers Using Intune ASR Rules

The following steps help you to Block Vulnerable Signed Drivers using Intune MEM Portal –

  • Sign in to the Endpoint Manager Intune portal https://endpoint.microsoft.com/
  • Select Endpoint security, Navigate to Attack Surface Reduction > Create Policy

Note – The policy settings can also be accessible by selecting Devices > Windows > Configuration profiles > Create profile.

Create Policy - Block Vulnerable Signed Drivers Using Intune ASR Rules 1
Create Policy – Block Vulnerable Signed Drivers Using Intune ASR Rules 1

In Create Profile, Select Platform, Windows 10 and later, and ProfileAttack Surface Reduction Rules. Click on Create button. 

Create a Profile - Block Vulnerable Signed Drivers Using Intune ASR Rules 2
Create a Profile – Block Vulnerable Signed Drivers Using Intune ASR Rules 2

On the Basics tab, enter a descriptive name, such as Policy ASR Policy to Block Abuse of Exploited Vulnerable Signed Drivers. Optionally, enter a Description for the policy, then select Next.

Create a Profile - Block Vulnerable Signed Drivers Using Intune ASR Rules 3
Create a Profile – Block Vulnerable Signed Drivers Using Intune ASR Rules 3

On the Configuration settings page, configure the following settings and click Next.

Block abuse of exploited vulnerable signed drivers – Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise. The Block abuse of exploited vulnerable signed drivers rule does not block a driver already existing on the system from being loaded.

Block abuse of exploited vulnerable signed drivers - Signed Drivers Using Intune ASR Rules 4
Block abuse of exploited vulnerable signed drivers – Signed Drivers Using Intune ASR Rules 4

In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.

Under Assignments, In Included groups, select Add groups and select groups to include one or more groups. Select Next to continue.

Assignments - Block Vulnerable Signed Drivers Using Intune ASR Rules 5
Assignments – Block Vulnerable Signed Drivers Using Intune ASR Rules 5

In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.

Review Policy - Block Vulnerable Signed Drivers Using Intune ASR Rules 6
Review Policy – Block Vulnerable Signed Drivers Using Intune ASR Rules 6

A notification will appear automatically in the top right-hand corner with a message. You can see that the Policy “ASR Policy to Block Abuse of Exploited Vulnerable Signed Drivers” created successfully. The policy is shown in the Endpoint security.

Policy Created - Block Vulnerable Signed Drivers Using Intune ASR Rules 7
Policy Created – Block Vulnerable Signed Drivers Using Intune ASR Rules 7

Intune MDM Event Log

The Intune event ID 814 indicates that a string policy is applied on Windows 11 or 10 devices. You can also see the exact value of the policy being applied to those devices.

Your groups will receive your profile settings when the devices check in with the Intune service the policy applies to the device.

MDM PolicyManager: Set policy string, Policy: (AttackSurfaceReductionRules), Area: (Defender), EnrollmentID requesting merge: GUID

Events logs - Intune MDM Event Log
Events logs – Intune MDM Event Log

You can review the Windows event log to view events generated by attack surface reduction rules, details will be present in the Event Viewer, Windows Defender > Operational.

  • 5007 -> Event when settings are changed.
  • 1121 -> Event when rule fires in Block-mode.
  • 1122 -> Event when rule fires in Audit-mode.

Author

About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.