In this section, I would like to discuss one of MDE’s important sets of settings and how to set them up, namely ASR rules, or Attack Surface Reduction rules. As the name implies, they help close security holes on the device.
Some notes on ASR rules to keep handy. Supported operating systems:
- Windows 10 Pro, version 1709 or later
- Windows 10 Enterprise, version 1709 or later
- Windows Server, version 1803 (Semi-Annual Channel) or later
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2022
To use the entire set of rules, you need the following:
- Windows Defender Antivirus as primary AV (real-time protection on)
- Cloud-Delivery Protection on (some rules require that)
- Windows 10 Enterprise E5 or E3 License
Key settings of an ASR rule
- Not configured | Disabled: Disable the ASR rule
- Block: Enable the ASR rule
- Audit: Evaluate how the ASR rule would impact your organization if enabled
- Warn: Enable the ASR rule but allow the end user to bypass the block
Warn mode is not supported for three ASR rules when you configure ASR rules in Microsoft Endpoint Manager (MEM)
If a rule is configured both through MDM and through Group Policy, the MDM setting takes precedence.
Although there are a few ways to set up ASR rules, I will look at how to configure them using Microsoft Endpoint Manager (MEM).
It is advisable to enable the ASR rules in Audit mode first so you do not run into issues. This lets you understand the behavior, see what would be blocked, and judge whether those events are legitimate activity or the actions of a bad actor. Once you have a clear picture, go ahead and switch the rules to Block.
How to configure ASR rules from MEM’s Endpoint Security node?
While you have many options to set up ASR rules within Intune and MEM, I would like to explore the Endpoint Security node in MEM.
For this method to work, the devices should be Hybrid AAD or AAD Joined and must be enrolled in Intune.
Attack Surface Reduction rules can be found under the Manage section in Endpoint Security.
From here go to Create Policy, select Windows 10 and later as the Platform and Attack Surface Reduction Rules as the Profile, and hit Create.
Then give the policy a meaningful name and select Next.
Now you will see all the ASR rules in one place.
If you hover your mouse over a rule’s small information icon, you can learn more about that individual rule.
Set your rules as required
You will be presented with all 4 key settings for the rule that we saw above.
Set the rules you require (to Audit while you are still testing them) and press Next.
Add Scope Tags if required
In the next step, set the device assignment with the relevant Device Groups.
When you are done, press Next and Create to complete the steps.
How to Audit ASR rules
Go to https://security.microsoft.com and Hunting > Advanced Hunting > run the below KQL command to see the alerts
DeviceEvents
| where ActionType startswith 'Asr'
If there are any results, they are listed in the Results tab.
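To make the audit phase useful, the raw event list needs to be summarized per rule. The following Advanced Hunting query is an added example and not part of the original post; it assumes only the standard DeviceEvents columns and the Microsoft ActionType naming, in which ASR event names end in “Audited” or “Blocked”.

```kql
// Added example: summarize the last 7 days of ASR events per rule,
// split into Audit vs. Block, and show which parent processes and
// files triggered them, so that noisy-but-legitimate rules stand out
// before you switch a rule from Audit to Block.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| extend Mode = case(ActionType endswith "Audited", "Audit",
                     ActionType endswith "Blocked", "Block",
                     "Other")
| summarize Events = count(),
            Devices = dcount(DeviceId),
            InitiatingProcesses = make_set(InitiatingProcessFileName, 10),
            SampleFiles = make_set(FileName, 5)
          by ActionType, Mode
| order by Events desc
```

A rule whose InitiatingProcesses column is dominated by line-of-business tooling is a candidate for an exclusion or for staying in Audit mode a while longer; one that only shows a handful of unexpected processes is usually safe to move to Block.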
You can also go to Reports in the same Defender portal, select Attack Surface Reduction Rules and check the summary graph under Detections.
And if you go to the Configuration tab, you will see the device-based settings and what has been captured by the rules.
What is the Warn mode?
In this mode a “toast notification” appears on the desktop when an ASR rule blocks a malicious activity or a file. However, the user can still select Unblock and carry on with the same activity and any further actions.
ASR rules can be your best pal or your greatest enemy: they are a powerful tool for closing security holes, but a misconfigured rule makes for a poor user experience. Audit and test first, and enable a rule only when you are 100% aware of its behavior.
8 thoughts on “How to Configure Attack Surface Reduction (ASR) Rules using MEM”
This is a great feature, but all of the ASR rules I make and target to Windows 2019 and 2022 do not apply; the state is “Not Applicable”. AV policies work just fine. Any suggestions?
The main issue there is ASR policies can target only Windows 10 and later whereas AV policies can target Windows Servers as well. That comes up when you try to create the policy under Platform. Hope this answers your question.
Hello Shehan, when you say AV policies for Servers, are you talking about Device Configuration Profiles? I’m trying to implement ASR rules onto my Servers in Intune. I’m moving away from GP.
It’s the AV policy for Servers. In Intune you can go to Endpoint Security > Antivirus and create a server related policy.
We are talking about ASR policies here. Not Antivirus policies.
I would like to apply ASR policies via Intune to my Servers.
Sorry about that. Since the Endpoint Security policies in Intune don’t support Servers when it comes to ASR rules, you can create an Administrative Policy by using Intune Config profiles. “Configure Attack Surface Reduction rules” should be the setting to use. In there you have to set the rule itself by adding its GUIDs. GUIDs can be found in this article https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules?view=o365-worldwide#test-files
And set the action 1=block, 0=off, 2=audit.
Hope I answered your question this time.
Do you know how we can check the logs via KQL to see who changed an ASR rule from Block to Audit, or made any changes to a rule?
Example, my ASR Rule is called, ‘ASR Rules – All Windows OS v2’, and someone changed the ‘Block Win32 API calls from Office macros’, from Block to Audit.
I can’t seem to find many great Intune type queries around except for info on devices and how many are in compliance. Really want to be able to query what users with Admin access in Intune are doing.
I have Intune logs set correctly in Tenant Admin>Diagnostic Settings, so just need to know how to start querying those logs to get what I need.
Thank you. Ideally, this should be included in the Intune Audit Logs as this comes down to a policy change.