Attack Surface Reduction – UAM Exclusions

When Nerdio Manager deploys UAM packages, the packages are run from a local PC. The two main directories for these packages are:

  • For most Nerdio Manager UAM packages: C:\Windows\Temp\NME-SHELL-FILE-CACHE\

  • For UAM packages deployed on Intune devices: C:\Windows\Temp\NMWLogs\

To protect proprietary information, the code used to run these scripts is often obfuscated or hidden. However, that obfuscation matches the behaviour certain Attack Surface Reduction (ASR) rules and platforms are designed to stop. When these scripts are blocked or restricted, Nerdio Manager cannot perform its automation tasks on Intune devices or session hosts.

The two main ASR rules that commonly cause conflicts are:

  • Block execution of potentially obfuscated scripts

  • Block process creations originating from PSExec and WMI commands

Below are examples of errors that may occur in the Nerdio Manager logs when these rules block a UAM package:

  • Intune reported script state: Fail. Code: 99. Error description: Set-LocalUser : An unspecified error occurred: status = 3221226252 At C:\WINDOWS\TEMP\NMWLogs\Nerdio.NMW.UAM.PSRemoting.psm1:122 char:28

  • Intune reported script state: Fail. Code: 99. Error description: Invoke-AppManagement : The term 'Write-ExtendedLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Both techniques blocked by these ASR rules (obfuscated scripts, and process creation via PsExec or WMI) are used by legitimate software as well as by malicious actors. Therefore, it is crucial to ensure that only files from trusted sources are allowed to run.

While each ASR tool may differ, they typically provide a way to add exclusions for files or folders that are permitted to run trusted functions.

Modify Your Microsoft Defender ASR Restrictions

The instructions below explain how to modify Microsoft Defender ASR restrictions via an Intune policy. The same concept generally applies to other ASR platforms as well.

Note:

  • While Nerdio uses wildcard exclusions, you can define your exclusions as explicitly as desired. However, the more explicit your exclusions are, the more diligent you must be in keeping them up to date and verifying their accuracy as software editions change. For more details about wildcard exclusions, see Microsoft Defender Antivirus Exclusions.

  • Although it is technically possible to apply these ASR exclusions to all devices, we recommend that you apply them only to devices that run Nerdio Manager's Unified Application Management packages.

To modify Microsoft Defender ASR restrictions:

  1. In the Intune Admin Center, navigate to Endpoint Security > Attack surface reduction > [Attack Surface Reduction Policy].

  2. In the list of rules, find Block execution of potentially obfuscated scripts.

  3. Set the Action to Block.

  4. In the ASR Only Per Rule Exclusions, add the following exclusions:

    • C:\Windows\Temp\NME-SHELL-FILE-CACHE\*

    • C:\Windows\Temp\NMWLogs\*

  5. In the list of rules, find Block process creations originating from PSExec and WMI commands.

  6. Set the Action to Block.

  7. In the ASR Only Per Rule Exclusions, add the following exclusions:

    • C:\Windows\Temp\NME-SHELL-FILE-CACHE\*

    • C:\Windows\Temp\NMWLogs\*

  8. In the Assignments blade, verify the policy is correctly assigned to your AVD Host Security group.

    Note: It is recommended to use dynamic device groups based on your host pool naming scheme.

  9. Review and save your policy changes.
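Once the policy has applied to a device, the following PowerShell script (an added example, not Nerdio's own code) checks locally that both rules from this article are in Block mode, that the two UAM directories appear in the device's ASR-only exclusion list, and whether any ASR block events in the last seven days hit those directories. It assumes an elevated session on a Windows device running Microsoft Defender; the rule GUIDs are the documented Defender ASR rule IDs and should be verified against Microsoft's ASR rule reference, and per-rule exclusions pushed by Intune may not be surfaced by the property read here.

```powershell
# Added example (not Nerdio's own code). Assumptions: run elevated on a Defender-managed
# Windows device; rule GUIDs are the documented ASR rule IDs (verify against Microsoft docs).
$Rules = @{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
}
$RequiredExclusions = @(
    'C:\Windows\Temp\NME-SHELL-FILE-CACHE\*',
    'C:\Windows\Temp\NMWLogs\*'
)

$pref = Get-MpPreference

# 1. Rule state. Ids and Actions are parallel arrays; 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $id = $ids[$i].ToLower()
    if ($Rules.ContainsKey($id)) {
        $state = switch ($actions[$i]) { 0 {'Off'} 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default {"Unknown($($actions[$i]))"} }
        Write-Host ("{0,-70} {1}" -f $Rules[$id], $state)
    }
}
foreach ($id in $Rules.Keys) {
    if ($ids -notcontains $id) { Write-Host ("{0,-70} NOT CONFIGURED" -f $Rules[$id]) }
}

# 2. Exclusions. This reads the device-wide ASR-only exclusion list; per-rule exclusions
#    set in Intune may be stored separately and are not checked here (assumption).
$present = @($pref.AttackSurfaceReductionOnlyExclusions)
foreach ($ex in $RequiredExclusions) {
    $status = if ($present -contains $ex) { 'excluded' } else { 'MISSING from ASR-only exclusions' }
    Write-Host ("{0,-45} {1}" -f $ex, $status)
}

# 3. Detection. Event 1121 is logged when an ASR rule fires in Block mode; filter to the
#    UAM directories so an unexpected block of a package shows up even after the exclusions.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    if ($e.Message -match 'NME-SHELL-FILE-CACHE|NMWLogs') {
        Write-Host ("{0:u}  {1}" -f $e.TimeCreated, ($e.Message -replace '\s+', ' '))
    }
}
```

If the rules report Block but the exclusions are missing, the Intune policy has not reached the device yet or is assigned to the wrong group; if 1121 events still reference the UAM paths after the exclusions are present, another ASR rule is involved (see the note on additional exceptions below).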

Note:

  • Generally, after adding these exclusions and redeploying your hosts, the deployment errors should be resolved. However, additional exclusions may be needed depending on your other ASR settings.

  • If you are still experiencing issues when deploying UAM apps, see Troubleshoot common UAM deployment issues.
