The magnificent ASR Rules


Windows Defender is one of the key pillars of Microsoft’s security products. It is enabled out of the box when you deploy Windows 10, but relying only on the default configuration is not best practice.

As mentioned in my last blog, it’s very important to harden your Office apps. A good addition is “attack surface reduction” (ASR). ASR is configured by setting the ASR rules in Endpoint Manager. By default, none of them are configured, so you are not protected against the more sophisticated attacks they target. The ASR rules can be configured either by creating an Endpoint Protection device configuration profile or by creating a new Attack surface reduction policy within the Endpoint security settings.

What to know about ASR Rules?

- Each ASR rule can be set to one of three states: not configured, on (block), or audit mode.

- You can configure them with PowerShell: Set-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID> -AttackSurfaceReductionRules_Actions <Disabled|Enabled|AuditMode>

- Exclusions you configure apply to every ASR rule, but not all ASR rules support exclusions. Two of them do not support exclusions:

- Only enable the ASR rule “Block process creations originating from PSExec and WMI commands” when you are using Intune or another MDM solution! Microsoft Endpoint Manager is incompatible with it, because this rule blocks WMI commands.

- Cloud-delivered protection must be enabled for the rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” to work. Admins cannot specify anything for this rule, because its criteria are owned by Microsoft.

- A Windows 10 Pro/Enterprise/Education license is required.

- ASR rules configured in Intune do support wildcards and environment variables in exclusions. Beware: ASR rules do not support user-context exclusions, because they run in the system context. Also, it’s very nice that some exclusions are already built in.

- The Windows event log is key when you want to audit the ASR rules first, before enforcing them.

- Check the registry after you have deployed the ASR rules. Every GUID corresponds to an ASR rule.

- Test your ASR rules:

- Do you fancy reports as well? Check out the ASR reports after you have tested on the Microsoft playground. You will find them in the portal.
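The audit-first workflow the bullets above describe, as an added example (not the post’s own script): put the two rules named above into audit mode with Set-MpPreference, then confirm the state through Get-MpPreference, the registry GUIDs and the Defender event log. The rule GUIDs are Microsoft’s documented IDs for those two rules; the registry paths are assumed as observed on Windows 10, so verify both in your own environment.

```powershell
#Requires -RunAsAdministrator
# Rule GUIDs as documented by Microsoft for the two rules named in the post (verify before rollout).
$AsrRules = @{
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless prevalence, age or trusted-list criteria are met'
}
$AuditMode = 2   # Set-MpPreference action codes: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode

function Set-AsrAuditMode {
    param([hashtable]$Rules)
    $Ids     = @($Rules.Keys)
    $Actions = @($Ids | ForEach-Object { $AuditMode })
    # Set-MpPreference overwrites the whole rule list, so pass every rule in one call;
    # use Add-MpPreference instead if you want to merge with rules that are already configured.
    Set-MpPreference -AttackSurfaceReductionRules_Ids $Ids -AttackSurfaceReductionRules_Actions $Actions
}

function Get-AsrState {
    # Effective configuration: two parallel arrays, one GUID and one action code per rule.
    $Pref = Get-MpPreference
    for ($i = 0; $i -lt @($Pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $Id = $Pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{ Id = $Id; Action = $Pref.AttackSurfaceReductionRules_Actions[$i]; Name = $AsrRules[$Id] }
    }
}

function Get-AsrRegistry {
    # Locally set rules land under ...\Microsoft\..., MDM/Intune-pushed rules under ...\Policies\...
    # (assumption: paths as observed on Windows 10; value name = rule GUID, data = action code).
    $Paths = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules',
             'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
    foreach ($P in $Paths) {
        if (Test-Path $P) { Get-ItemProperty -Path $P | Select-Object * -ExcludeProperty PS* }
    }
}

function Get-AsrEvents {
    param([int]$Days = 7)
    # Defender operational log: 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Set-AsrAuditMode -Rules $AsrRules
Get-AsrState | Format-Table -AutoSize
Get-AsrRegistry
Get-AsrEvents | Format-List
```

Leave the rules in audit mode for a while and review the 1122 events before switching the action code to 1; anything that fires there is what enforcement would have blocked.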

How to deploy ASR rules on the go?

Just download this zip file. It contains a JSON file and a PowerShell script.

The JSON file contains all the ASR settings; modify them according to your business needs. Afterwards, launch the PowerShell script to deploy the settings.

Open Intune device configurations and you will notice that a new device configuration policy has just been created.


Not setting the ASR rules when you have the proper licensing for them would be a mistake. ASR rules are a very effective way to block more sophisticated attacks. But of course, ASR rules are just another barrier that can be bypassed. I’ll tell you more in my next blog…

3 thoughts on “The magnificent ASR Rules”

  1. Pingback: The forgotten fruits of securing your Windows 10 Endpoint - Call4Cloud
  2. What about deploying ASR using the Intune ATP security baseline? According to Microsoft, baselines are the recommended configuration in terms of security posture, or am I missing something?
    The only thing that isn’t included is WDATP tamper protection (which is weird).

    1. Hi

      Of course, that is a good option. But I prefer to work with standalone configurations. When enabling the ATP baseline, options like Hello/firewall/device installation/BitLocker are enabled by default. I have 1 device configuration profile for BitLocker, 1 profile for Hello, etc. I find it easier to troubleshoot instead of 1 profile with all settings defined.
