I work as a Microsoft Security Solution Architect and one pattern I keep seeing is organizations that deploy ASR rules in audit mode and then never flip them to block. Audit gives you visibility, not protection. I recently wrote up the migration approach we use with clients: how to read the audit data, identify rules that need exclusions, and run a phased rollout by rule rather than all at once.
Curious to hear what others have run into when making the switch:
- Which rules caused the most legitimate app blocks after going to block mode that didn't show up in audit? (Like a follow-up process)
- Any rules you ended up rolling back to audit because the business impact was too high?
- Did you do a phased rollout per rule, or all at once with a pilot group of devices?
The "block executable files unless they meet prevalence, age, or trusted list" rule is the one I'm most cautious about; that one catches a lot of dev tooling and custom software in my experience.
Anyone got war stories or things you wish you'd known before making the switch?
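For anyone wanting to try the per-rule approach described in the post on a single host, here is an added example (my own, not the author's write-up or Microsoft's tooling) that reads the ASR audit events, summarises what each rule would have blocked, then flips one rule at a time with Add-MpPreference so the other rules keep their current mode. Assumptions: an elevated session with the Defender module available, that the EventData field names used for rule ID, process and path match the 1121/1122 events on the host (check one event's XML first), and that `C:\BuildTools\bin\` is a hypothetical dev-tooling path that audit surfaced.

```powershell
# Added example, not from the original post: per-rule ASR audit-to-block migration on one host.
# Assumed: elevated session, Defender PowerShell module present, event field names verified
# against a real 1121/1122 event on this host.

$AsrRules = @{
    # Rule GUIDs from Microsoft's published ASR reference; the first is the
    # "prevalence, age, or trusted list" rule the post is most cautious about.
    'BlockUntrustedExecutables' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'BlockOfficeChildProcesses' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'BlockLsassCredentialTheft' = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
}

# 1. Read ASR events: 1122 = audit ("would have blocked"), 1121 = actually blocked.
function Get-AsrEvents {
    param([int]$Days = 14, [int[]]$Ids = @(1121, 1122))
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $Ids
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
            RuleId  = $data['ID']            # field names are an assumption; verify on a sample event
            Process = $data['Process Name']
            Target  = $data['Path']
            User    = $data['User']
        }
    }
}

# 2. Summarise audit hits per rule/process/target: this is the list you walk through
#    to decide which hits are legitimate (exclusion) and which are noise you want blocked.
function Get-AsrAuditSummary {
    param([int]$Days = 14)
    Get-AsrEvents -Days $Days -Ids 1122 |
        Group-Object RuleId, Process, Target |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'RuleId';  e = { $_.Group[0].RuleId } },
            @{ n = 'Process'; e = { $_.Group[0].Process } },
            @{ n = 'Target';  e = { $_.Group[0].Target } }
}

# 3. Change ONE rule's mode. Add-MpPreference updates the entry for this GUID and leaves the
#    other rules alone; Set-MpPreference would overwrite the whole rule list, which is how
#    people accidentally reset rules they had already moved to block.
function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Mode
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Mode
}

# 4. ASR-only exclusion for a path audit showed as legitimate. Unlike a general Defender
#    exclusion, this does not stop AV scanning of that path.
function Add-AsrExclusion {
    param([Parameter(Mandatory)][string]$Path)
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
}

# 5. Current per-rule state, to verify after each step of the rollout
#    (actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

# Phased flow for the single rule the post singles out:
Get-AsrAuditSummary -Days 30 |
    Where-Object RuleId -eq $AsrRules.BlockUntrustedExecutables |
    Format-Table -AutoSize
Add-AsrExclusion -Path 'C:\BuildTools\bin\'   # hypothetical path surfaced by the audit summary
Set-AsrRuleMode -RuleId $AsrRules.BlockUntrustedExecutables -Mode Enabled
Get-AsrRuleState | Format-Table -AutoSize
```

Two things to keep in mind when using this: on managed devices an Intune or Group Policy ASR assignment will overwrite whatever Add-MpPreference sets locally at the next policy refresh, so treat the script as a way to test and inspect on a pilot machine and push the final per-rule modes through your management channel; and after the flip, re-run the event query with Id 1121 for a few days, since that is where the "didn't show up in audit" surprises the post asks about will appear.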