Master Attack Surface Reduction (ASR) Rules in Intune – MD-102 Guide
Lock Down Windows Like a Pro: The Ultimate Guide to Attack Surface Reduction (ASR) in Microsoft Intune (MD-102 Edition)
If you’re studying for the MD-102: Endpoint Administrator exam or simply want to stop malware before it even lands, Attack Surface Reduction (ASR) rules are your new best friend. These aren’t just another checkbox — they’re behavioral shields that catch the exact tricks attackers use every single day.
Think of ASR as the bouncer that says:
“Yeah, that Office macro trying to spawn powershell.exe? Not today.”
Let’s break it down like a blog post you’d actually want to read (and bookmark before your exam).
What Exactly Is Attack Surface Reduction?
ASR is a built-in capability of Microsoft Defender Antivirus that blocks common malware techniques — even for zero-day and fileless attacks. Instead of waiting for a signature update, ASR looks at behavior and says “nope.”
You manage everything from Intune → Endpoint security → Attack surface reduction.
The 5 ASR Profiles You Can Deploy Today
| Profile | What It Stops | Exam Frequency |
|---|---|---|
| Attack Surface Reduction Rules | Malicious Office macros, script abuse, LSASS dumping | ★★★★★ |
| Exploit Protection | Buffer overflows, ROP chains, DEP/ASLR bypass | ★★★★ |
| Application Control (WDAC) | Unsigned apps, malicious drivers | ★★★★ |
| Device Control | Rogue USB drives, data exfil via removable media | ★★★ |
| App & Browser Isolation | Drive-by downloads in Edge (Application Guard) | ★★★ |
The Four Modes Every MD-102 Candidate Must Memorize
| Mode | What Happens | When to Use It |
|---|---|---|
| Block | Action stopped. Full stop. | Production (after testing) |
| Audit | Lets it run, but logs everything | Pilot phase — your best friend |
| Warn | Shows a toast; user can click “Allow once” | High-business-impact apps |
| Disabled | Off completely | Only when retiring a rule |
The Top 10 ASR Rules That Appear on Nearly Every Exam
- Block Office applications from creating child processes → Goodbye 95% of macro malware
- Block executable content from email/webmail → Stops phishing payloads cold
- Block credential stealing from LSASS → Mimikatz cries in the corner
- Block Win32 API calls from Office macros → Another macro killer
- Block JavaScript/VBScript from launching downloaded executables → Drive-by blocker
- Block persistence through WMI event subscription → Stops living-off-the-land
- Block all Office apps from creating executable content → Triple-tap on Office abuse
- Block execution of potentially obfuscated scripts → PowerShell & JS protection
- Block process creations from PSExec and WMI commands → Lateral movement blocker
- Block abuse of exploited vulnerable signed drivers → BYOVD defense
Start in Audit for 2–4 weeks, analyze the reports, then flip the high-confidence ones to Block.
Licensing Reality Check (Yes, They Ask This)
| Capability | M365 E3 / EMS E3 | M365 E5 / Defender for Endpoint Plan 2 |
|---|---|---|
| Deploy ASR rules via Intune | Yes | Yes |
| Block + Audit mode | Yes | Yes |
| Real-time alerts & advanced hunting | No | Yes |
| Detailed ASR rule reports in portal | Basic | Full dashboard + incident creation |
Step-by-Step: Deploy ASR Like You’re in the Exam Lab
- Intune admin center → Endpoint security → Attack surface reduction
- Create policy → Windows 10 and later → Attack Surface Reduction Rules
- Name it clearly: “Global – ASR Rules – Phase 2 – Block”
- Configuration settings → Set rules to Audit first (except the obvious ones)
- Add exclusions only when you have a support ticket and a good reason
- Assign → Pilot group first → then All Devices
- Create and celebrate
Where to See What’s Actually Happening
- Intune: Your policy → Device status or Per-setting status
- Microsoft Defender portal → Reports → Attack surface reduction rules
- Local device: Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational
  - Event ID 1121 = rule fired in Block mode (action stopped) | Event ID 1122 = rule fired in Audit mode (action allowed but logged)
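The audit-then-block rollout from the Top 10 list above and the Event ID 1121/1122 check just described, as one added PowerShell example that is not part of the original post. It assumes an elevated PowerShell session on a pilot Windows 10/11 device with Defender Antivirus active; the rule GUIDs are Microsoft's documented ASR rule IDs (check them against the current ASR rules reference before relying on them), and the event field names (ID, Path, Process Name) are an assumption about how the 1121/1122 events render in XML on your build. The functions Set-AsrAuditMode, Set-AsrRuleAction, Get-AsrRuleState and Get-AsrEventSummary are names chosen here, not built-in cmdlets. On an Intune-managed device the MDM policy overrides anything set locally, so the Set-* functions are for lab and pilot validation, while Get-AsrRuleState and Get-AsrEventSummary are useful on any device to confirm what the Intune policy actually delivered.

```powershell
# Added example (not from the original post): phased ASR rollout helper for a
# pilot device plus a local summary of ASR events 1121 (blocked) / 1122 (audited).
# Assumptions: elevated PowerShell, Defender Antivirus active, rule GUIDs taken
# from Microsoft's ASR rules reference (verify before use). On Intune-managed
# devices the MDM-delivered policy wins over these local settings.

$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email/webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBScript launching downloaded executables'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block all Office apps from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations from PSExec and WMI commands'
    '56A863A9-875E-4185-98A7-B882C64B5CE5' = 'Block abuse of exploited vulnerable signed drivers'
}

# Phase 1 (pilot): put every rule in Audit mode. Add-MpPreference adds or
# updates one rule at a time without touching rules already configured.
function Set-AsrAuditMode {
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

# Phase 2: flip a chosen subset to Block (Enabled) or Warn once audit data is clean.
function Set-AsrRuleAction {
    param(
        [Parameter(Mandatory)][string[]] $RuleIds,
        [ValidateSet('Enabled', 'AuditMode', 'Warn', 'Disabled')][string] $Action = 'Enabled'
    )
    foreach ($id in $RuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Action
    }
}

# Read back the effective state. The Ids and Actions arrays returned by
# Get-MpPreference are positionally paired; action codes: 0 Off, 1 Block, 2 Audit, 6 Warn.
function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToUpper()
        $name = if ($AsrRules.Contains($id)) { $AsrRules[$id] } else { '(other rule)' }
        $mode = switch ([int]$pref.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
        }
        [pscustomobject]@{ RuleId = $id; Name = $name; Action = $mode }
    }
}

# Summarise ASR events from the Defender Operational log for the last N days.
# Rules that show up only as 'Audited' hits on legitimate paths need exclusions
# or a Warn decision; rules with no hits at all are the safe ones to flip to Block.
function Get-AsrEventSummary {
    param([int] $Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        # Assumption: the event's EventData renders as <Data Name="ID">, <Data Name="Path">,
        # <Data Name="Process Name">; adjust if your build emits unnamed Data elements.
        $x    = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $id   = ([string]$data['ID'] -replace '[{}]', '').ToUpper()
        $rule = if ($AsrRules.Contains($id)) { $AsrRules[$id] } else { "(other rule $id)" }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            Rule    = $rule
            Path    = $data['Path']
            Process = $data['Process Name']
        }
    } | Group-Object Rule, Mode | Sort-Object Count -Descending |
        Select-Object Count, Name
}
```

Typical pilot flow: run Set-AsrAuditMode on the pilot device, leave it for the 2 to 4 weeks the post recommends, then run Get-AsrEventSummary. Any rule missing from the output never fired, so it goes to Set-AsrRuleAction with -Action Enabled; a rule with Audited rows on a known business application gets an exclusion (with the support ticket) or -Action Warn. Get-AsrRuleState is also the quickest local check for the "policy not applying" exam scenario, since it shows what Defender actually ended up with rather than what the portal intended.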
MD-102 Cheat Sheet (Tape This to Your Monitor)
| Question You’ll See | Correct Answer |
|---|---|
| How to test impact without breaking anything? | Set rules to Audit mode |
| Users blocked from legitimate app? | Add exclusion or switch to Warn |
| Need alerts when a rule fires? | Requires Microsoft 365 E5 or Defender Plan 2 |
| Best combo against ransomware? | Block credential stealing + Block untrusted exes |
| Policy not applying? | Check for WDAC/Application Control conflict |
Final Words
ASR rules are one of the highest-ROI security controls you can deploy today. They’re built-in, free with basic Defender, and devastatingly effective when tuned properly.
Start with Audit → learn your environment → move to Block → sleep better at night.
You’ve got this. Now go make attackers sad. 🛡️
