Recorded Paradox · @recordedparadox
144 followers · 317 posts · Server infosec.exchange

I am running into an issue with adding a rule exclusion.

Last week, a team member called saying an Adobe plugin wouldn't work. I checked the Windows logs and it stated that the plugin's executable was attempting to create a child process from Adobe. I added an Only Per Rule Exclusions entry for the fully qualified path of the plugin's executable as it was displayed in the Windows Defender warning.

The ASR Rule Block Adobe Reader from creating child processes is in Block mode.

I opened the device in Intune and clicked Sync.

A few days later, the team member contacts IT again and says that they are getting the same error as previously (and that it never was working).

I ran the (github.com/4D5A/MDATP_PoSh_Scr) on the team member's computer and it did not show any ASR Exclusions.

As a temporary workaround, I changed the ASR Rule so it is in Audit mode. Oddly, the computer updated and sees the ASR Rule is in Audit mode, but it still does not see the ASR Per Rule Exclusion.

Has anyone else seen this issue?

I added the ASR Per Rule Exclusion in two formats, and neither one is listed on the computer. I used the fully qualified path without quotation marks (i.e. C:\Program Files (x86)\Vendor\Application.exe) and the fully qualified path with quotation marks (i.e. "C:\Program Files (x86)\Vendor\Application.exe").

Thank you in advance for any suggestions!

#attacksurfacereduction #defender #asr #asranalyzer
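For the situation described in the post, the check I would run on the endpoint itself is below. It is an added example, not the poster's script or Microsoft's: it reads what Defender reports for the rule's mode, lists per-rule and ASR-only exclusions, reads the MDM policy key, and looks for the expected path with or without quotes. The rule GUID is the documented ID of "Block Adobe Reader from creating child processes"; the `AttackSurfaceReductionRules_RuleSpecificExclusions` property name, the `ASROnlyPerRuleExclusions` policy key and the sample path are assumptions or placeholders.

```powershell
# Added diagnostic (not the poster's script): does the ASR rule and its
# per-rule exclusion actually exist on this device as Defender sees them?
param(
    # Documented rule ID for "Block Adobe Reader from creating child processes"
    [string]$RuleId   = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
    # Placeholder path taken from the post; replace with the real plugin path
    [string]$Expected = 'C:\Program Files (x86)\Vendor\Application.exe'
)
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference

# 1. Effective mode of the rule (rule ID and action arrays are index-aligned)
$ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
$idx = [array]::IndexOf($ids, $RuleId.ToLower())
if ($idx -lt 0) {
    Write-Host "Rule $RuleId is not configured on this device"
} else {
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$idx]
    Write-Host "Rule $RuleId mode: $($actionNames[$code]) ($code)"
}

# 2. Per-rule exclusions as Defender reports them
#    (property name assumed; it is absent on older Defender builds)
$prop = $pref.PSObject.Properties['AttackSurfaceReductionRules_RuleSpecificExclusions']
if ($null -eq $prop) { Write-Host 'Per-rule exclusion property not present on this build' }
else { Write-Host "Per-rule exclusions: $($prop.Value -join '; ')" }

# 3. Global ASR-only exclusions, the other place an exclusion may have landed
Write-Host "ASR-only exclusions: $($pref.AttackSurfaceReductionOnlyExclusions -join '; ')"

# 4. Policy key written by Intune/MDM (key name assumed; values are named by rule GUID)
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyPerRuleExclusions'
$val = $null
if (Test-Path $key) {
    $val = (Get-ItemProperty -Path $key).$RuleId
    Write-Host "Policy value for rule: $val"
} else { Write-Host 'Policy key for per-rule exclusions not present' }

# 5. Does the expected path show up anywhere, with or without quotation marks?
$norm  = $Expected.Trim('"')
$all   = @($prop.Value) + @($pref.AttackSurfaceReductionOnlyExclusions) + @($val)
$found = $all | Where-Object { $_ -and "$_".Trim('"') -like "*$norm*" }
if ($found) { Write-Host "Exclusion found: $($found -join '; ')" }
else        { Write-Host 'Expected exclusion is not present on the device' }
```

Run it in an elevated PowerShell after the Intune sync; if step 1 shows the new mode but steps 2 and 4 are empty, the exclusion setting never reached the device and the problem is on the policy side rather than the path format.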
