Attack Surface Reduction - AVD Exclusions
Warning: This topic contains recommendations. Be sure to check with your security team before implementing any of the recommendations.
When Nerdio Manager deploys packages or runs scripts, we deploy and run them on the local VM or machine.
The main directories are:
C:\Packages\Plugins\Microsoft.PowerShell.DSC\<version>\DSCWork (for most Nerdio Manager packages)
C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\<version>\Downloads (for scripted actions and custom scripts)
Because we want to protect our proprietary information, we often obfuscate or hide the code we use to run these scripts. Many Attack Surface Reduction (ASR) rules and platforms flag this as a security risk, and when the code is blocked or restricted, Nerdio Manager cannot perform its automation tasks on the session host.
The main ASR rules that we have seen cause conflicts are Block execution of potentially obfuscated scripts and Block process creations originating from PSExec and WMI commands.
Both techniques blocked by these ASR rules can be used by legitimate and malicious sources alike, so it's important to make sure you only allow code to run from trusted sources. While each ASR tool is different, they should all offer similar functionality for adding file/folder exclusions that are allowed to perform those trusted functions.
Error Examples
Below are a few examples of errors that may show up in the Nerdio Manager logs:
Install Join ARM AVD extension
Error: An error occurred during Join ARM WVD extension installation: System.AggregateException: One or more errors occurred. (Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension '(VM Name)-join-arm-wvd-ext' (publisher 'Microsoft.Powershell' and type 'DSC').
Error message: "DSC Configuration 'AdditionalSessionHosts' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: This command cannot be run due to the error: Access is denied.
Error: An error occurred during FSLogix extension installation:
System.AggregateException: One or more errors occurred. (Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension '(VM Name)-install-fslogix-ext' (publisher 'Microsoft.Powershell' and type 'DSC'). Error message: 'The DSC Extension failed to execute: Error downloading https://nmmstorageaccount.blob.core.windows.net/vm-extensions/FSLogixSetup.5.1.0.zip after 29 attempts: Unable to connect to the remote server.
Modify your Microsoft Defender ASR Restrictions
The instructions below cover how to modify your Microsoft Defender ASR restrictions through an Intune policy, but the same approach should also apply to other ASR platforms.
Notes:
While we use wildcard exclusions (see Microsoft Defender Antivirus Exclusions for details), you can make your exclusions as explicit as you want. However, the more explicit you are, the more diligent you need to be about keeping your exclusions up to date and verifying that they are still accurate as software versions change.
While you could technically apply these ASR exclusions to all devices, it's recommended to apply them only to AVD hosts and/or devices that have Nerdio Manager scripted actions run against them.
To modify your Microsoft Defender ASR restrictions:
In the Intune Admin Center, navigate to Endpoint Security > Attack surface reduction > (Attack Surface Reduction Policy).
In the list of rules, find Block execution of potentially obfuscated scripts.
Set the Action to Block.
In the ASR Only Per Rule Exclusions, add the following exclusions:
C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\*\Downloads\*
C:\Packages\Plugins\Microsoft.PowerShell.DSC\*\DSCWork\*
In the list of rules, find Block process creations originating from PSExec and WMI commands.
Set the Action to Block.
In the ASR Only Per Rule Exclusions, add the following exclusions:
C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\*\Downloads\*
C:\Packages\Plugins\Microsoft.PowerShell.DSC\*\DSCWork\*
In the Assignments blade, verify the policy is correctly assigned to your AVD Host Security group.
Note: Utilizing a Dynamic Device Group based on your Host Pool naming scheme is recommended.
Review and save your Policy Changes.
Note: Generally, after making these exceptions, and redeploying your hosts, the deployment errors go away. However, additional exceptions may be needed depending on your other ASR settings.
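To confirm on a session host that the two rules above are actually in Block mode and to see whether they have recently blocked anything under the Nerdio Manager directories, the following PowerShell can be run in an elevated session on the host. This is an added example, not code from Nerdio or the article; it assumes the Microsoft Defender PowerShell module is present, and the rule GUIDs are the documented Microsoft Defender IDs for these two rules.

```powershell
# Added example (not from the Nerdio article): report the mode of the two ASR rules
# discussed above and list recent block events that hit the Nerdio Manager paths.
# Rule GUIDs are the documented Microsoft Defender IDs for these rules.
$rules = @{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
}
# Regex forms of the two directories the article says Nerdio Manager deploys into.
$nerdioPaths = @(
    'C:\\Packages\\Plugins\\Microsoft\.PowerShell\.DSC\\[^\\]+\\DSCWork\\',
    'C:\\Packages\\Plugins\\Microsoft\.Compute\.CustomScriptExtension\\[^\\]+\\Downloads\\'
)

$pref = Get-MpPreference
# _Ids and _Actions are parallel arrays; action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
$actionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToLower()
    if ($rules.ContainsKey($id)) {
        $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        "{0}: {1}" -f $rules[$id], $actionNames[$action]
    }
}
"ASR-only exclusions currently set: $($pref.AttackSurfaceReductionOnlyExclusions -join '; ')"

# Event ID 1121 in the Defender Operational log is written each time an ASR rule blocks something.
# Filter the last seven days and keep only events whose message references a Nerdio path.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $msg = $e.Message
    if ($nerdioPaths | Where-Object { $msg -match $_ }) {
        "{0}  ASR block under a Nerdio Manager path:`n{1}" -f $e.TimeCreated, $msg
    }
}
```

If the rules show as Block and no 1121 events reference the Nerdio paths after a redeploy, the per-rule exclusions from the Intune policy have taken effect; remaining 1121 events point at additional paths that still need an exclusion.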