How to Deploy Attack Surface Reduction Rules in Intune
Attack Surface Reduction, or ASR, rules are one of the most practical ways to harden Windows devices in Microsoft Intune. They are designed to block behaviors that malware commonly abuses, such as suspicious script activity, risky Office behavior, and app actions that do not normally occur in everyday work. In Intune, ASR rules are managed from Endpoint security > Attack surface reduction, and Microsoft's newer ASR profiles use the modern settings format rather than the older legacy profile structure. (Microsoft Learn)
If you manage Windows devices with Intune, ASR rules deserve a place near the top of your security baseline. They add protection against common attack paths without requiring you to build custom detections from scratch. Microsoft lists Microsoft Defender Antivirus as the primary antivirus, with real-time protection enabled and cloud-delivered protection available, among the prerequisites for the full ASR feature set. (Microsoft Learn)
Why ASR rules matter
Traditional antivirus catches known threats and suspicious files, but many attacks rely on legitimate tools and trusted applications. That is where ASR rules help. Microsoft describes them as controls that help prevent actions malware often abuses to compromise devices and networks. In practice, that means you can reduce exposure to macro abuse, suspicious scripts, credential theft techniques, risky child-process behavior, and other attack patterns that show up repeatedly in real environments. (Microsoft Learn)
This makes ASR rules especially valuable in Intune-managed estates where you want a strong, repeatable baseline for Windows 10, Windows 11, and in some scenarios Windows Server through Defender security settings management. (Microsoft Learn)
Where to configure ASR rules in Intune
To deploy ASR rules in Intune:
- Open the Microsoft Intune admin center.
- Go to Endpoint security.
- Select Attack surface reduction.
- Click Create policy.
- Choose Platform: Windows.
- Choose Profile: Attack Surface Reduction Rules.
This is the recommended Intune path for ASR rule deployment, and Microsoft notes that newly created ASR profiles use the newer settings format. (Microsoft Learn)
Start with a naming standard
Before touching the settings, give the policy a clear name and description. A simple naming pattern makes reporting and troubleshooting much easier later.
Example:
- Name: Windows ASR Baseline
- Description: Core ASR policy for Intune-managed Windows devices with phased rollout from Audit to Block
That matters because ASR policy usually evolves over time. You might later create separate policies for pilot devices, finance users, kiosk endpoints, or devices with approved exceptions.
Choose the right rollout strategy
This is the part that matters most.
Each ASR rule can generally be set to Not configured or Disabled, Block, Audit, or Warn. Audit is especially useful because it lets you see what a rule would have affected without actually blocking the action. Microsoft recommends enterprise management such as Intune or Configuration Manager for ASR, and it specifically notes that enterprise-level management overrides conflicting Group Policy or PowerShell settings at startup. (Microsoft Learn)
For production, the safest approach is:
- Start with Audit
- Review detections and events
- Identify any legitimate app behavior
- Add only necessary exclusions
- Move stable rules to Block
That approach gives you hardening without surprising users or breaking business-critical add-ins and scripts. Microsoft also notes that audited entries are written to the Windows Defender Operational event log (event ID 1122 for an audited action, 1121 for a blocked one), which makes validation easier during testing. (Microsoft Learn)
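The review step in the rollout above is where most ASR projects stall, because the raw event log does not tell you which rules are quiet and which ones keep hitting one line-of-business binary. The following script is an added example written for this article, not code from Microsoft or from the original page. It runs in an elevated PowerShell session on a pilot device, reads the rules Defender actually has configured from Get-MpPreference, joins them with the 1121/1122 events from the Windows Defender Operational log, and suggests a next step per rule. The rule GUIDs, event IDs and action codes are Microsoft's published values; the friendly-name table is a partial convenience and the event field names ('ID', 'Path', 'Process Name', 'User') are assumed to follow the 1121/1122 event schema.

```powershell
# Added example, not from the original article: on a pilot device, combine the ASR rules
# Defender actually has configured (Get-MpPreference) with the audit (1122) and block (1121)
# events in the Windows Defender Operational log to produce a per-rule promotion report.
# Run in an elevated PowerShell session. Rule GUIDs, event IDs and action codes are
# Microsoft's published values; the friendly-name table is a partial convenience only.

# Friendly names for a subset of rules; GUIDs not listed are reported as the bare GUID.
$RuleNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from the Windows local security authority subsystem'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

# Action codes as returned in Get-MpPreference AttackSurfaceReductionRules_Actions.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

function Get-AsrConfiguredRule {
    # The two arrays are parallel: index i of _Ids pairs with index i of _Actions.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{ RuleId = $ids[$i].ToUpper(); Action = $ActionName[[int]$acts[$i]] }
    }
}

function Get-AsrEvent {
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122            # 1121 = rule blocked the action, 1122 = audited only
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the event XML. The field names ('ID', 'Path',
        # 'Process Name', 'User') are assumed from the 1121/1122 event schema; confirm against
        # one of your own events if the output comes back empty.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = ($data['ID'] -replace '[{}]', '').ToUpper()
            Process = $data['Process Name']
            Target  = $data['Path']
            User    = $data['User']
        }
    }
}

function Get-AsrPromotionReport {
    param([int]$Days = 14)
    $events = @(Get-AsrEvent -Days $Days)
    foreach ($rule in Get-AsrConfiguredRule) {
        $hits  = @($events | Where-Object RuleId -eq $rule.RuleId)
        $procs = @($hits | Group-Object Process | Sort-Object Count -Descending)
        [pscustomobject]@{
            Rule         = if ($RuleNames.ContainsKey($rule.RuleId)) { $RuleNames[$rule.RuleId] } else { $rule.RuleId }
            Action       = $rule.Action
            AuditHits    = @($hits | Where-Object Mode -eq 'Audit').Count
            BlockHits    = @($hits | Where-Object Mode -eq 'Block').Count
            TopProcesses = ($procs | Select-Object -First 3 | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join '; '
            # Zero audit hits over the window makes a rule the cheapest promotion candidate. Hits
            # from one line-of-business binary point at a per-rule exclusion, not at leaving the
            # rule in Audit for everyone. Several distinct processes need a closer look first.
            Suggestion   = if ($rule.Action -ne 'Audit') { 'n/a (rule not in Audit)' }
                           elseif ($hits.Count -eq 0)    { 'No audit hits: promote to Block' }
                           elseif ($procs.Count -eq 1)   { 'Single process: review it, consider a per-rule exclusion' }
                           else                           { 'Multiple processes: investigate before promoting' }
        }
    }
}

Get-AsrPromotionReport -Days 14 | Sort-Object AuditHits -Descending | Format-Table -AutoSize
```

Run it on a handful of pilot devices rather than one, and treat the TopProcesses column as the input to your exclusion review: a rule that only ever fires on a single signed line-of-business executable is a candidate for a narrow per-rule exclusion, while a rule that fires across many unrelated processes needs an explanation before it goes to Block.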
When to use Warn mode
Warn mode sits between Audit and Block. It allows the rule to intervene while still giving the end user a bypass experience. That can be useful during gradual rollouts. However, Microsoft notes that Warn mode is not supported for three ASR rules when configured through Intune, and on older Windows versions, rules configured as Warn can effectively run in Block mode instead. (Microsoft Learn)
Because of that, Warn is helpful, but it should not be your only rollout plan. Audit is still the cleaner first step when you are unsure about impact.
Per-rule exclusions and ASR-only exclusions
Intune gives you two useful exclusion concepts here.
The first is Attack Surface Reduction Only Exclusions, which excludes the listed paths from every ASR rule in the policy. The second is per-rule exclusions, where you scroll to a specific ASR rule, change it from Not configured to Block, Audit, or Warn, and then add an exclusion path for that rule only. Microsoft documents both approaches in its exclusions guidance. (Microsoft Learn)
Per-rule exclusions are usually the better choice when only one application needs relief. They let you keep the rest of the ASR posture intact. Microsoft also warns that exclusions can significantly reduce protection, and excluded items do not generate the same protection events, so they should be added carefully and only after testing. (Microsoft Learn)
Assignment strategy
When you reach the Assignments page, think in terms of personas and business workflows, not just convenience. A finance department with a legacy Office add-in may need a slightly softer policy than a general corporate Windows baseline. That does not mean weakening ASR for the entire organization. It means using targeted groups and policy design so that the exception stays narrow.
Microsoft also documents merge behavior for ASR rules. If a device receives ASR settings from multiple supported policy sources, non-conflicting settings can merge into a policy superset, while conflicting settings are not added to the effective set. That is useful, but it also means you should keep your policy design clean to avoid confusion during troubleshooting. (Microsoft Learn)
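When a device is reached by more than one ASR policy source, the only reliable way to know what is in effect is to read it back from Defender itself and compare it with what you meant to deploy. The script below is an added example written for this article, not Microsoft's code or the original page's. It runs elevated on a managed device, reads the effective rule set and exclusions from Get-MpPreference, and reports each rule as matching the design, mismatching it (the symptom of a conflicting policy, since a conflicting setting is not added to the effective set), or present on the device without being in the design at all (the symptom of a second policy merging in). The $Design table is a constructed sample to replace with your own baseline; the action codes and the three rules that do not support Warn via Intune are Microsoft's documented values, and the per-rule exclusions property is assumed to exist only on newer Defender platform builds.

```powershell
# Added example, not from the original article: compare the ASR state Defender is actually
# enforcing on a device (the merged result of every policy that reached it) against the
# intended design, and list the exclusions in effect. Run elevated. Action codes and the
# three rules that do not support Warn via Intune are Microsoft's documented values; the
# $Design table at the bottom is a constructed sample to replace with your own baseline.

$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

# Rules Microsoft documents as not supporting Warn mode when configured through Intune:
# JS/VBScript launching downloaded executables, WMI event subscription persistence, and
# advanced protection against ransomware.
$NoWarnRules = @(
    'D3E037E1-3EB8-44C8-A917-57927947596D',
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B',
    'C1DB55AB-C21A-4637-BB3F-A12568109D35'
)

function Get-AsrEffectiveState {
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    $rules = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $rules[$ids[$i].ToUpper()] = $ActionName[[int]$acts[$i]] }
    # Per-rule exclusions are assumed to be exposed only on newer Defender platform builds,
    # so read the property defensively and keep its raw form.
    $perRule = $pref.PSObject.Properties['AttackSurfaceReductionRules_RuleSpecificExclusions']
    [pscustomobject]@{
        Rules             = $rules
        AsrOnlyExclusions = @($pref.AttackSurfaceReductionOnlyExclusions)
        PerRuleExclusions = if ($perRule -and $perRule.Value) { @($perRule.Value) } else { @() }
    }
}

function Compare-AsrState {
    # $Expected maps rule GUID -> 'Block' | 'Audit' | 'Warn' | 'Disabled'.
    param([hashtable]$Expected, $State = (Get-AsrEffectiveState))
    $design = @{}
    foreach ($k in $Expected.Keys) { $design[$k.ToUpper()] = $Expected[$k] }

    $findings = @(foreach ($guid in $design.Keys) {
        $actual = if ($State.Rules.ContainsKey($guid)) { $State.Rules[$guid] } else { 'NotConfigured' }
        $note = ''
        if ($actual -ne $design[$guid]) {
            # A setting that two policies disagree on is not added to the effective set, so on
            # the device it shows up as the old value or NotConfigured rather than as an error.
            $note = 'MISMATCH: check per-setting status in Intune for a conflicting policy'
        } elseif ($actual -eq 'Warn' -and $NoWarnRules -contains $guid) {
            $note = 'Warn is not supported for this rule via Intune; expect Block behaviour'
        }
        [pscustomobject]@{ RuleId = $guid; Expected = $design[$guid]; Actual = $actual; Note = $note }
    })
    # Rules present on the device but absent from the design usually came from a second policy
    # source (a security baseline, an older endpoint protection profile) that merged in.
    foreach ($guid in $State.Rules.Keys) {
        if (-not $design.ContainsKey($guid)) {
            $findings += [pscustomobject]@{
                RuleId = $guid; Expected = '(not in design)'; Actual = $State.Rules[$guid]
                Note   = 'Configured by another policy source'
            }
        }
    }
    $findings
}

# Constructed sample design for a pilot mid-rollout.
$Design = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block'   # Office apps creating child processes
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block'   # credential stealing from LSASS
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Audit'   # obfuscated scripts, still being assessed
}

$state = Get-AsrEffectiveState
Compare-AsrState -Expected $Design -State $state | Format-Table -AutoSize
'ASR-only exclusions: ' + ($state.AsrOnlyExclusions -join ', ')
'Per-rule exclusions:  ' + ($state.PerRuleExclusions -join ', ')
```

A MISMATCH row is your cue to open the policy's per-setting status in Intune and look for the conflicting assignment; a row marked as configured by another policy source is usually a baseline or an older endpoint protection profile that still targets the device and should be consolidated rather than left to merge silently.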
Monitoring and reporting
After deployment, do not stop at "policy created."
Microsoft provides an Attack Surface Reduction Rules report in the Microsoft Defender portal. The report shows enforced rules, detected threats, blocked threats, devices that are not configured with the standard protection rules, and gives you a way to drill in and add exclusions. In the Defender portal, the report is under Reports > Endpoints > Attack surface reduction rules. (Microsoft Learn)
From the Intune side, you can also review the policyโs device status and per-setting status. Microsoft documents that you can drill into a policy to see device check-in status, per-setting success or error counts, and details that can expose a conflicting policy. (Microsoft Learn)
That combination is strong:
- Intune tells you whether the policy was delivered and where conflicts exist
- Defender reporting tells you what the ASR rules are actually doing
Automation and Graph note
Microsoft Graph beta samples for ASR that circulate in blogs and scripts still follow the right overall pattern: create the configuration policy, define the ASR setting values, then assign the policy to a Microsoft Entra group. The main caution is that new ASR profiles use the newer settings format, so any older beta sample should be validated in your own tenant before production use. That is especially important when you are mixing older scripts with current Intune templates and settings definitions. (Microsoft Learn)
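A practical way to do that validation is to read the policy back from Graph and look at the setting definitions and values the tenant actually holds, instead of trusting the definition IDs baked into an old sample. The script below is an added example written for this article, not code from Microsoft or from the original page. It uses the Microsoft.Graph PowerShell SDK against the beta configurationPolicies endpoints, pages through the tenant's settings catalog policies to find one by name, flattens its settings (the ASR rules group is a collection whose children are choice settings, and exclusion lists are simple collections) without hardcoding any definition IDs, and shows the assign call for a pilot group. The policy name and the group ID are placeholders to replace; the endpoint paths and the assignment payload shape are those of the documented configurationPolicies API.

```powershell
# Added example, not from the original article: inspect an existing ASR settings catalog
# policy through Microsoft Graph (beta) and assign it to a Microsoft Entra group. Requires the
# Microsoft.Graph PowerShell SDK. The policy name and group ID are placeholders; endpoint
# paths and the assignment payload follow the documented configurationPolicies API.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$Graph = 'https://graph.microsoft.com/beta/deviceManagement'

function Get-AsrPolicy {
    param([string]$Name)
    # Page through every settings catalog policy and match on name client-side, so the
    # lookup does not depend on server-side filter support for this property.
    $uri = "$Graph/configurationPolicies"
    while ($uri) {
        $resp = Invoke-MgGraphRequest -Method GET -Uri $uri
        $hit  = $resp.value | Where-Object { $_.name -eq $Name }
        if ($hit) { return ($hit | Select-Object -First 1) }
        $uri = $resp.'@odata.nextLink'
    }
    throw "No configuration policy named '$Name'"
}

function Get-AsrPolicySetting {
    # Flatten the policy's settings to definition id -> value. The ASR rules setting is a
    # groupSettingCollection whose children are choice settings (one per rule); exclusion
    # lists arrive as simpleSettingCollection values. No definition ids are hardcoded, so
    # whatever the tenant's current template defines is what gets listed.
    param([string]$PolicyId)
    $settings = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/configurationPolicies/$PolicyId/settings").value
    foreach ($s in $settings) {
        $inst = $s.settingInstance
        $children = @()
        if ($inst.groupSettingCollectionValue) {
            foreach ($g in $inst.groupSettingCollectionValue) { $children += @($g.children) }
        } else {
            $children = @($inst)
        }
        foreach ($c in $children) {
            if ($c.choiceSettingValue) {
                [pscustomobject]@{ Setting = $c.settingDefinitionId; Value = $c.choiceSettingValue.value }
            } elseif ($c.simpleSettingCollectionValue) {
                $vals = $c.simpleSettingCollectionValue | ForEach-Object { $_.value }
                [pscustomobject]@{ Setting = $c.settingDefinitionId; Value = ($vals -join '; ') }
            }
        }
    }
}

function Set-AsrPolicyAssignment {
    # Assign (replace assignments) to a single Entra group. Keep pilot and production
    # assignments in separate policies rather than widening one policy's target.
    param([string]$PolicyId, [string]$GroupId)
    $body = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/configurationPolicies/$PolicyId/assign" `
        -Body $body -ContentType 'application/json'
}

$policy = Get-AsrPolicy -Name 'Windows ASR Baseline'        # placeholder name
"Policy '$($policy.name)' ($($policy.id)) technologies: $($policy.technologies)"
Get-AsrPolicySetting -PolicyId $policy.id | Format-Table -AutoSize

# Replace with the object id of your pilot group, then uncomment to assign.
# Set-AsrPolicyAssignment -PolicyId $policy.id -GroupId '00000000-0000-0000-0000-000000000000'
```

Compare the Setting column against whatever definition IDs an older sample script uses before you run that script in production: if the IDs differ, the sample targets the legacy format and should be rebuilt from the current template rather than patched.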
Production advice
In a lab, setting everything to Block can make sense because there are no legacy apps to protect. In production, that is rarely the best first move. Start with high-value rules in Audit mode, review results, and promote them to Block once you know the impact. Use exclusions sparingly. Keep targeting tight. Watch for policy overlap with baselines or older endpoint protection profiles. Microsoft's reporting and per-setting status views are there for exactly this reason. (Microsoft Learn)
Final thoughts
ASR rules are one of the best "low drama, high value" security controls you can deploy in Intune. They are built to stop common malicious behaviors, they integrate cleanly with Microsoft Defender, and they can be rolled out in phases so you do not have to choose between security and usability. If you treat them as a structured rollout rather than a one-click hardening step, they become a strong part of a modern Windows baseline. (Microsoft Learn)
20 MD-102-Style Practice Questions and Answers
These are practice questions aligned to the topic, not official exam items.
1. Where in Intune do you create an ASR rules policy?
Answer: Endpoint security > Attack surface reduction > Create policy > Attack Surface Reduction Rules
Explanation: Microsoft documents ASR rules under the Endpoint security Attack surface reduction node in Intune. (Microsoft Learn)
2. What is the main purpose of ASR rules?
Answer: To block or reduce behaviors that malware commonly abuses
Explanation: Microsoft describes ASR rules as protections against actions malware often uses to compromise devices and networks. (Microsoft Learn)
3. Which antivirus state is required for the full ASR feature set?
Answer: Microsoft Defender Antivirus must be the primary antivirus
Explanation: Microsoft lists Defender Antivirus as primary, real-time protection on, and cloud-delivered protection available among the prerequisites. (Microsoft Learn)
4. Which mode should you usually start with in production if you are unsure about app impact?
Answer: Audit
Explanation: Audit lets you see what would have been blocked without interrupting the user. Microsoft supports this testing approach and records the events in the Windows Defender Operational log. (Microsoft Learn)
5. What does Warn mode do for supported ASR rules?
Answer: It enables the rule but allows the end user to bypass the block
Explanation: Microsoft defines Warn as a user-bypass mode for supported rules. (Microsoft Learn)
6. True or false: Warn mode is supported for every ASR rule in Intune.
Answer: False
Explanation: Microsoft says Warn mode is not supported for three ASR rules when configured through Intune. (Microsoft Learn)
7. What is the safer exclusion method when only one app needs an exception for one rule?
Answer: Per-rule exclusion
Explanation: Intune supports per-rule exclusions by changing the rule from Not configured to Block, Audit, or Warn and then adding the exclusion path for that rule. (Microsoft Learn)
8. Why should exclusions be used carefully with ASR?
Answer: Because they reduce protection and can suppress normal protection events for the excluded item
Explanation: Microsoft warns that exclusions can severely reduce protection. (Microsoft Learn)
9. A company has legacy Office add-ins only in the finance department. What is the best design choice?
Answer: Target a separate ASR policy or exclusions only to the finance group
Explanation: This keeps the broader organization on a stricter baseline while limiting exceptions to the users who need them. Microsoft supports group-based targeting and documents assignment as part of policy creation. (Microsoft Learn)
10. Which portal report is best for seeing blocked threats and ASR rule configuration?
Answer: The Attack Surface Reduction Rules report in the Microsoft Defender portal
Explanation: Microsoft says the report shows enforced rules, detected threats, blocked threats, and configuration details. (Microsoft Learn)
11. Where can you find audited ASR entries on a Windows client?
Answer: Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
Explanation: Microsoft explicitly lists that log location for audit-mode review. (Microsoft Learn)
12. What happens when enterprise management in Intune conflicts with local PowerShell or Group Policy ASR settings?
Answer: Enterprise-managed settings overwrite conflicting Group Policy or PowerShell settings at startup
Explanation: Microsoft recommends enterprise management for this reason. (Microsoft Learn)
13. A device receives ASR settings from two supported policy sources. What happens if the settings do not conflict?
Answer: They can merge into a superset of effective settings
Explanation: Microsoft documents merge behavior for ASR rules across supported policy sources. (Microsoft Learn)
14. What happens if two ASR policies conflict on the same setting?
Answer: The conflicting setting is not added to the effective superset
Explanation: Microsoft says non-conflicting settings merge, while conflicting settings are not added. (Microsoft Learn)
15. Why might an older Graph beta sample for ASR need validation before production use?
Answer: Because newer ASR profiles use the newer settings format
Explanation: Microsoft notes that newer ASR profiles replaced older ones with the newer settings format for new instances. (Microsoft Learn)
16. Which Intune view helps identify policy conflicts at the setting level?
Answer: Per setting status
Explanation: Microsoft documents per-setting status and device reports in Intune for managed endpoint security policies. (Microsoft Learn)
17. Which platform is selected when creating the standard Intune ASR rules policy?
Answer: Windows
Explanation: Microsoft's Intune ASR policy guidance lists Windows as the platform for the standard enrolled-device profile. (Microsoft Learn)
18. What is a strong first-phase rollout model for ASR in production?
Answer: Pilot group, Audit mode, review results, then promote stable rules to Block
Explanation: That model follows Microsoft's documented ASR modes and reporting flow while reducing disruption. (Microsoft Learn)
19. Can ASR be relevant to Windows Server in some Microsoft-managed scenarios?
Answer: Yes
Explanation: Microsoft documents Windows Server support through Defender security settings management scenarios, with caveats depending on version and support level. (Microsoft Learn)
20. What is the biggest operational mistake when deploying ASR broadly for the first time?
Answer: Setting everything to Block without testing
Explanation: Microsoft gives you Audit, Warn, reports, and exclusions specifically so you can test impact before enforcing rules broadly. (Microsoft Learn)
