Exploit Guard settings not being updated when GPO deployed settings XML is changed

  • Question

  • I was trialing Exploit Guard on a machine today by deploying the settings XML included with the 1709 security baselines. I noticed it was blocking OneDrive.exe, so I got the settings XML included with the 1803 security baselines and replaced the XML in the location I've specified in Group Policy (UNC path). My machine would not pick up the settings in the new XML. In the end I had to disable the GPO setting and run the script to remove all process mitigations from here https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations and then re-enable the GPO. After this the settings in the new XML were applied.

    This behaviour doesn't give me much confidence deploying this to production. I obviously can't go through a similar process for 2000+ machines every time I want to update the XML. Is there something I'm doing wrong?

    And on a related note, we use the latest version of SCCM, would it be better to manage the Exploit Guard settings here rather than GPO?

    Wednesday, June 6, 2018 5:29 AM

All replies

  • Hi Daniel,

    I checked the link you pasted here for troubleshooting; it says that the configuration export and import process does not remove all unwanted mitigations. So it recommends manually removing unwanted mitigations, or using the script to remove all mitigations and then importing a baseline configuration. So I think your action is correct and meaningful. But for the issue of why OneDrive.exe was blocked the first time, I would recommend checking the program settings again.

    Lastly, you said that you would like to know more about Exploit Guard configuration in SCCM. I recommend asking for help in the SCCM forum; they might have more resources to help you.

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 7, 2018 8:27 AM
    Moderator
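The failure mode in this thread (entries from an older settings XML staying on the machine after the GPO-referenced XML is replaced) can be detected before a fleet-wide rollout by comparing what a pilot machine actually enforces against the XML you intend to deploy. The script below is an added example, not code from the thread, from Microsoft or from the linked troubleshooting page. It assumes Windows 10 1709 or later with the built-in ProcessMitigations cmdlets, an elevated PowerShell 5.1+ session, and a policy file in the documented `<MitigationPolicy><AppConfig Executable="...">` layout; the UNC path is a placeholder, and the function names `Get-AppConfigMap` and `Compare-ExploitProtection` are the example's own.

```powershell
# Added example (not from the thread): report drift between the Exploit Protection
# settings a machine currently enforces and the settings XML deployed via GPO.
# Assumes: Windows 10 1709+, elevated PowerShell 5.1+, policy XML in the documented
# <MitigationPolicy><AppConfig Executable="..."> layout. The UNC path is a placeholder.

param(
    [string]$PolicyXmlPath = '\\SERVER\share\ExploitProtection\Settings.xml', # placeholder
    [string]$ExportPath    = (Join-Path $env:TEMP 'ep-current.xml')
)

function Get-AppConfigMap {
    <# Parse a settings XML into a hashtable: executable name (lower-cased) ->
       sorted list of "Element.Attribute=Value" strings, one per mitigation setting,
       so two files can be compared per application. #>
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $map = @{}
    foreach ($app in @($doc.MitigationPolicy.AppConfig)) {
        if ($null -eq $app) { continue }
        $name = $app.Executable.ToLowerInvariant()
        $settings = foreach ($child in $app.ChildNodes) {
            foreach ($attr in $child.Attributes) {
                ('{0}.{1}={2}' -f $child.Name, $attr.Name, $attr.Value).ToLowerInvariant()
            }
        }
        $map[$name] = @($settings | Sort-Object)
    }
    return $map
}

function Compare-ExploitProtection {
    <# Export the live configuration with the built-in cmdlet, then return one
       object per executable whose settings differ from the desired XML. #>
    param(
        [Parameter(Mandatory)][string]$DesiredXml,
        [Parameter(Mandatory)][string]$ExportPath
    )

    # Documented cmdlet: writes the machine's current per-app and system settings to XML.
    Get-ProcessMitigation -RegistryConfigFilePath $ExportPath | Out-Null

    $desired = Get-AppConfigMap -Path $DesiredXml
    $current = Get-AppConfigMap -Path $ExportPath
    $names   = @($desired.Keys) + @($current.Keys) | Sort-Object -Unique

    foreach ($exe in $names) {
        $inDesired = $desired.ContainsKey($exe)
        $inCurrent = $current.ContainsKey($exe)
        if ($inCurrent -and -not $inDesired) {
            # The case from the thread: an entry carried over from an older XML that
            # the updated GPO XML no longer contains will stay on the machine.
            [pscustomobject]@{ Executable = $exe; State = 'StaleOnMachine'
                               Detail = ($current[$exe] -join '; ') }
        }
        elseif ($inDesired -and -not $inCurrent) {
            [pscustomobject]@{ Executable = $exe; State = 'MissingOnMachine'
                               Detail = ($desired[$exe] -join '; ') }
        }
        elseif (($desired[$exe] -join ';') -ne ($current[$exe] -join ';')) {
            [pscustomobject]@{ Executable = $exe; State = 'Drift'
                               Detail = ('desired: {0} | current: {1}' -f
                                         ($desired[$exe] -join '; '), ($current[$exe] -join '; ')) }
        }
    }
}

$report = Compare-ExploitProtection -DesiredXml $PolicyXmlPath -ExportPath $ExportPath
if ($report) { $report | Format-Table -AutoSize }
else         { 'Machine matches the deployed policy XML.' }
```

Run it on a pilot machine after the Group Policy refresh that follows an XML change. A `StaleOnMachine` row is exactly the condition the original poster hit: the GPO import adds and updates entries but, as the linked troubleshooting page states, does not remove ones the new XML omits. Those rows tell you which executables still need cleanup, either per application with the `-Remove` switch that the Set-ProcessMitigation documentation describes, or with the full reset script from the troubleshooting page, before re-applying the baseline.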