Configure Attack Surface Reduction rules using Microsoft Intune


Attack Surface Reduction, or ASR, rules help reduce common attack techniques that malware and malicious apps use to compromise devices. Instead of waiting for malicious activity to run, ASR rules block or audit risky behaviors as they occur, such as suspicious script execution, credential theft attempts, or executable content launched from Office apps. ASR rules are part of Defender's attack surface reduction capabilities and are managed for Windows devices through Microsoft Intune endpoint security policies.

Understand Attack Surface Reduction rules

ASR rules are security controls that target behaviors commonly used in attacks. They help reduce the number of ways an attacker can exploit a device, especially through Office apps, scripts, executable content, credential theft techniques, and suspicious child processes. ASR rules are especially useful because many attacks begin with everyday user tools being misused. For example, an attacker might use a document macro, script, or downloaded executable to start malicious activity. ASR rules help block these behaviors before they lead to compromise.

Common ASR rule scenarios include:

  • Blocking Office apps from creating child processes.
  • Blocking executable content from email and webmail.
  • Blocking credential stealing from the Windows local security authority subsystem.
  • Blocking JavaScript or VBScript from launching downloaded executable content.
  • Blocking abuse of vulnerable signed drivers.
  • Blocking persistence through WMI event subscription.
  • Blocking use of copied or impersonated system tools. This type of rule helps reduce Living-off-the-Land techniques where attackers copy, rename, or impersonate legitimate Windows system tools to evade detection or gain privileges.

ASR rules are available for supported Windows devices. In Intune, ASR rules are configured from the Endpoint security workload by using an Attack surface reduction policy.

Plan an ASR deployment

Before you enforce ASR rules, plan how they should be tested and deployed. Some ASR rules can affect line-of-business applications if those apps use behaviors that look similar to malware techniques.

A recommended deployment approach is:

  1. Start with a pilot group.
  2. Configure selected ASR rules in Audit mode.
  3. Review reported events and user impact.
  4. Add exclusions only when required.
  5. Move rules from Audit to Warn or Block.
  6. Expand deployment to larger device groups.

Audit mode is useful because it shows what would have happened if a rule were enforced, without blocking user activity. This mode helps administrators understand the effect of each rule before applying it broadly.

ASR rules can use different actions, depending on the rule and platform support:

Mode              Purpose
Not configured    This policy doesn’t configure the rule. In many cases, the Windows default is off unless another policy configures it.
Off               The rule is disabled.
Audit             The rule logs what would have been blocked but doesn’t block it.
Warn              The rule blocks the behavior and might allow the user to bypass the block.
Block             The rule blocks the risky behavior.

Create an ASR policy

To create an ASR policy:

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Endpoint security > Attack surface reduction.
  3. Select Create policy.
  4. For Platform, select Windows.
  5. For Profile, select Attack Surface Reduction Rules.
  6. Enter a name and description for the policy.
  7. Configure the ASR rules required by your organization.
  8. Set initial rules to Audit mode when testing.
  9. Configure exclusions only when needed.
  10. Assign the policy to a pilot device group.
  11. Review and create the policy.

The Attack Surface Reduction Rules profile lets you configure rules that target behaviors malware and malicious apps commonly use to infect devices. Intune endpoint security policies are designed to manage specific security areas, which makes them a good place to manage ASR settings separately from unrelated device configuration settings.

Monitor ASR rule activity

After deployment, monitor ASR activity to understand the effect of each rule and confirm that policies are working as expected. Use Microsoft Intune to review policy deployment status and device assignment results. This helps confirm whether the ASR policy reached the targeted devices and whether any devices report errors or conflicts.

Use the Microsoft Defender portal to review ASR detections, alerts, and reports. The Attack Surface Reduction Rules report provides insights into rules enforced on devices, detected threats, blocked threats, and devices that aren’t configured to use standard protection rules.
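The review step in the deployment plan above and the monitoring guidance in this section both depend on seeing which rules fire and in which mode. The following PowerShell script, added here as an example and not code from this module or from Microsoft, shows how to check that locally on a pilot device before relying on the portal reports; it assumes an elevated session on a Windows device with Microsoft Defender Antivirus, and its rule-name table is a partial lookup added for readability.

```powershell
# Added example (not part of this module): summarize the local ASR rule state and
# the rule events Defender logged on a pilot device. Run in an elevated PowerShell
# session on a Windows device with Microsoft Defender Antivirus. The rule-name map
# is a partial lookup for readability; unknown GUIDs are shown as-is.

$actionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ruleNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBScript from launching downloaded executables'
}
function Resolve-AsrRuleName([string]$Id) {
    if ($ruleNames.ContainsKey($Id)) { $ruleNames[$Id] } else { $Id }
}

# Current rule configuration as applied on this device (whichever policy set it).
function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = $ids[$i].ToUpper()
        $code = [int]$actions[$i]
        [pscustomobject]@{
            Rule = Resolve-AsrRuleName $id
            Mode = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
        }
    }
}

# Rule hits from the Defender operational log: 1121 = rule fired in Block mode,
# 1122 = rule fired in Audit mode. Audit counts show what Block would have stopped.
function Get-AsrEventSummary([int]$Days = 7) {
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                 Id = 1121, 1122; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The rule GUID is the first GUID in the event text.
        $guid = [regex]::Match($_.Message, '[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}',
                               'IgnoreCase').Value.ToUpper()
        [pscustomobject]@{ Rule    = Resolve-AsrRuleName $guid
                           Outcome = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' } }
    } | Group-Object Rule, Outcome | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{ Rule = $_.Group[0].Rule; Outcome = $_.Group[0].Outcome; Count = $_.Count }
    }
}

Get-AsrRuleState    | Format-Table -AutoSize
Get-AsrEventSummary | Format-Table -AutoSize
```

Rules in Audit mode with high counts are the ones to investigate for legitimate line-of-business behavior before promoting them to Warn or Block.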