How to Configure Attack Surface Reduction (ASR) Rules using MEM

In this section, I would like to discuss one of MDE's important sets of settings and how to set them up: ASR rules, or Attack Surface Reduction rules. As the name implies, they shrink the attack surface of a device by blocking (or auditing) risky behaviours that malware commonly relies on, such as Office applications launching child processes or scripts downloading and running executables, rather than detecting specific malicious files.

Some notes on ASR rules to keep handy

Device compatibility

  • Windows 10 Pro, version 1709 or later
  • Windows 10 Enterprise, version 1709 or later
  • Windows Server, version 1803 (Semi-Annual Channel) or later
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2022

To use the entire set of rules, you need the following:

  • Microsoft Defender Antivirus (formerly Windows Defender Antivirus) as the primary AV, with real-time protection on; rules do not apply while a third-party AV is primary
  • Cloud-delivered protection on (some rules require it)
  • Windows 10 Enterprise E3 or E5 license; the rules themselves work with E3, but the reporting and Advanced Hunting used later in this post come with Defender for Endpoint (E5)

Key settings of an ASR rule

  • Not configured | Disabled: the ASR rule is off (Defender stores this as action 0)
  • Block: the ASR rule is enforced (action 1)
  • Audit: the rule only reports what it would have blocked, so you can evaluate how it would impact your organization if enabled (action 2)
  • Warn: the rule is enforced, but the end user is allowed to bypass the block (action 6)

Warn mode is not supported for three ASR rules when you configure ASR rules in Microsoft Endpoint Manager (MEM): Block JavaScript or VBScript from launching downloaded executable content, Block persistence through WMI event subscription, and Use advanced protection against ransomware. Warn mode also requires Windows 10 version 1809 or later (or Windows 11).

Policy conflict

If a conflicting setting for the same rule is applied via MDM (Intune) and Group Policy, Microsoft's ASR deployment guidance states that the Group Policy setting takes precedence, so a rule you move to Block in MEM can silently stay in Audit if an old GPO still sets it. Check for existing ASR GPOs (or for the MDMWinsOverGP policy, which reverses this behaviour) before assuming the MEM policy is in effect. Rules that do not conflict are merged from the different policies into one effective set per device.

Although there are several ways to set up ASR rules (Group Policy, PowerShell, Configuration Manager and MDM), I will look at how to configure the rules using Microsoft Endpoint Manager (MEM), now the Microsoft Intune admin center.

Note

It is advisable to enable the ASR rules in Audit mode first so you do not run into issues. Audit mode reports what a rule would have blocked without blocking it, so you can see which actions are legitimate business activity (for example, a line-of-business macro that calls Win32 APIs) and which look like the work of a bad actor. Once you have a clear view, switch the rule to Block (or Warn, where supported).


How to configure ASR rules from MEM's Endpoint Security node

While you have many options to set up ASR rules within Intune and MEM, I would like to explore the Endpoint Security node in MEM.

For this method to work, the devices must be Hybrid Azure AD joined or Azure AD joined and enrolled in Intune.

Attack Surface Reduction rules can be found under the Manage section in Endpoint Security.

From here go to Create Policy, select Windows 10 and later as the Platform and Attack Surface Reduction Rules as the Profile, and hit Create.

Then give the policy a meaningful name and select Next.

Now you will see all the ASR rules in one place.

If you hover your mouse over the little information icon next to a rule, you can read more about that individual rule.

Set your rules as required

You will be presented with the 4 key settings for each rule that we saw above.

Set the rules you want to evaluate to Audit, set the rest as required, and press Next.

Add Scope Tags if required

In the next step, set the device assignment with the relevant device groups.

When you are done, press Next and Create to complete the steps.
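Once the policy is assigned, the check a practitioner wants is whether it actually landed on the device. The PowerShell below is an added example and is not code from the original post: run it in an elevated session on an enrolled device after an Intune sync, and it reads the effective Defender preference to list which rules are configured and in which mode. The friendly names are a subset taken from Microsoft's ASR rule reference (verify the GUIDs there before relying on them); rules not in that table are still listed by GUID, and the action codes 0/1/2/6 are the values Defender stores for Disabled/Block/Audit/Warn.

```powershell
# Added example, not code from the original post.
# Run in an elevated PowerShell session on an enrolled device after an Intune sync
# to confirm which ASR rules the MEM policy actually delivered, and in which mode.
# Friendly names: a subset from Microsoft's ASR rule reference; verify the GUIDs
# there. Rules not in this table are still listed by GUID.

$ruleNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

# Action codes as Defender stores them: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$modeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref    = Get-MpPreference
    # Drop $null so an unconfigured device yields an empty list rather than @($null);
    # actions are filtered on $null only, because 0 (Disabled) is a valid value
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id     = "$($ids[$i])".ToUpper()
        $action = [int]$actions[$i]
        [pscustomobject]@{
            RuleId   = $id
            RuleName = if ($ruleNames.ContainsKey($id)) { $ruleNames[$id] } else { '(see the ASR rule reference)' }
            Mode     = if ($modeNames.ContainsKey($action)) { $modeNames[$action] } else { "Unknown ($action)" }
        }
    }
}

$state = @(Get-AsrRuleState)
$state | Sort-Object Mode, RuleName | Format-Table RuleName, Mode, RuleId -AutoSize

# Rules still in Audit: the ones you have not yet promoted to Block
$state | Where-Object { $_.Mode -eq 'Audit' } | ForEach-Object { "Still auditing: $($_.RuleName)" }

# Rules from the reference table that the policy did not deliver at all. If a rule
# you set in MEM is missing here, check the assignment, the sync state and any
# conflicting Group Policy before changing the rule itself.
$ruleNames.Keys | Where-Object { $_ -notin $state.RuleId } |
    ForEach-Object { "Not configured: $($ruleNames[$_])" }
```

If the device shows a rule in a different mode from what you set in MEM, a Group Policy conflict (see the Policy conflict note above) is the first thing to rule out, since the GPO value wins over the MDM value by default.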

How to Audit ASR rules

Go to https://security.microsoft.com, open Hunting > Advanced Hunting, and run the KQL query below to see the ASR events. Audit and block events both appear here, as ActionType values that begin with "Asr" (for example AsrOfficeMacroWin32ApiCallsAudited and AsrOfficeMacroWin32ApiCallsBlocked), so the same query shows you both what is being blocked and what would be blocked once you leave Audit mode:

DeviceEvents
| where ActionType startswith "Asr"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine

If there are any results, they will be listed in the Results tab.

You can also go to Reports in the same Defender portal, select Attack Surface Reduction Rules, and check the summary graph under Detections.

If you go to the Configuration tab, you will see the per-device settings, that is, which rules are set on which devices and in what mode.
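When you are troubleshooting a single machine, or the device is not reporting to Defender for Endpoint, the same audit data is available in the local Defender operational event log. The script below is an added example, not code from the original post: the log name and the event IDs (1121 = rule fired in Block mode, 1122 = rule fired in Audit mode) are from Microsoft's ASR event reference; the parsing assumes the rendered message carries "ID:", "User:", "Path:" and "Process Name:" lines as shown in Event Viewer; the sample message is constructed for the demonstration, and warn-mode events are not covered.

```powershell
# Added example, not code from the original post.
# Triage ASR hits from one device's local Defender operational log, for when you
# are troubleshooting a single machine or have no Advanced Hunting access.
# Log name and event IDs are from Microsoft's ASR event reference:
#   1121 = rule fired in Block mode, 1122 = rule fired in Audit mode.
# Parsing assumes the rendered message carries "ID:", "User:", "Path:" and
# "Process Name:" lines as shown in Event Viewer (warn-mode events not covered).

function ConvertFrom-AsrEventMessage {
    param(
        [Parameter(Mandatory)][string]$Message,
        [Parameter(Mandatory)][int]$EventId,
        [datetime]$TimeCreated = (Get-Date)
    )
    $mode = switch ($EventId) { 1121 { 'Block' } 1122 { 'Audit' } default { "Event $EventId" } }
    # Case-sensitive matches so 'ID:' does not collide with other field names
    $ruleId  = if ($Message -cmatch 'ID:\s*\{?([0-9A-Fa-f-]{36})\}?') { $Matches[1].ToUpper() } else { '' }
    $user    = if ($Message -cmatch 'User:\s*([^\r\n]+)')         { $Matches[1].Trim() } else { '' }
    $path    = if ($Message -cmatch 'Path:\s*([^\r\n]+)')         { $Matches[1].Trim() } else { '' }
    $process = if ($Message -cmatch 'Process Name:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{
        Time = $TimeCreated; Mode = $mode; RuleId = $ruleId
        User = $user; Path = $path; Process = $process
    }
}

function Get-AsrEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent errors when nothing matches the filter; treat that as "no events"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        ConvertFrom-AsrEventMessage -Message $_.Message -EventId $_.Id -TimeCreated $_.TimeCreated
    }
}

# Constructed sample message (not a real event) to show what the parser extracts
$sample = @'
Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
 ID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
 Detection time: 2024-01-15T09:12:44.000Z
 User: CONTOSO\alice
 Path: C:\Users\alice\Downloads\invoice.docm
 Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
'@
ConvertFrom-AsrEventMessage -Message $sample -EventId 1122 | Format-List

# Real log: which rules fire, and in which mode. A rule with many Audit hits needs
# exclusions or a fix to the workflow before it is safe to promote to Block.
$events = @(Get-AsrEvents -Days 7)
$events | Group-Object Mode, RuleId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The noisiest process/path pairs: candidates for a per-rule exclusion if they
# are legitimate, or for an incident if they are not
$events | Group-Object Process, Path | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize -Wrap
```

The RuleId column holds the rule GUID, which you map to a rule name with Microsoft's ASR rule reference; grouping on it rather than on the message text keeps the output stable across Defender versions that reword the message.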

What is Warn mode?

With this mode, a “toast notification” appears on the desktop when an ASR rule would block an activity or a file. However, the user can choose Unblock and carry on with the same activity; the unblock lasts for 24 hours, after which the rule blocks again. Warn is therefore a middle ground for rules that interfere with legitimate but risky workflows: users keep working, and you still get the ASR events to review.

Final words

ASR rules can be your best friend or your worst enemy: a powerful tool for shrinking the attack surface, or the cause of a poor user experience when a rule blocks a legitimate workflow. Audit first, review the audit events, and enable each rule in Block mode only once you are fully aware of its behaviour in your environment.


8 thoughts on “How to Configure Attack Surface Reduction (ASR) Rules using MEM”

  1. This is a great feature, but all of the ASR rules I make and target to Windows 2019 and 2022 do not apply; the state is “Not Applicable”. AV policies work just fine. Any suggestions?


    1. Hi Tony,
      The main issue there is ASR policies can target only Windows 10 and later whereas AV policies can target Windows Servers as well. That comes up when you try to create the policy under Platform. Hope this answers your question.


      1. Hello Shehan, when you say AV policies for Servers, are you talking about Device Configuration Profiles? I’m trying to implement ASR rules onto my Servers in Intune. I’m moving away from GP.


  2. Hi Shehan,

    We are talking about ASR policies here. Not Antivirus policies.

    I would like to apply ASR policies via Intune to my Servers.


    1. Hi Keith,
      Sorry about that. Since the Endpoint Security policies in Intune don’t support Servers when it comes to ASR rules, you can create an Administrative Policy by using Intune Config profiles. “Configure Attack Surface Reduction rules” should be the setting to use. In there you have to set the rule itself by adding its GUIDs. GUIDs can be found in this article https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules?view=o365-worldwide#test-files

      And set the action 1=block, 0=off, 2=audit.

      Hope I answered your question this time.

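A related route for servers, as an added example that is neither the commenter's nor the post author's code: a custom OMA-URI profile can carry the whole rule set as one string. The OMA-URI path, the String data type and the GUID=action|GUID=action value format are from Microsoft's ASR documentation; the rule GUIDs are from the ASR rule reference (verify them there), and the particular rules and modes chosen here are only an illustration. The function builds that string and rejects malformed GUIDs or unknown action codes, since a malformed value fails silently on the device.

```powershell
# Added example, not the commenter's or the post author's code.
# Builds the value for a custom OMA-URI profile that pushes ASR rules to devices
# the Endpoint Security ASR profile cannot target (for example Windows Server).
# OMA-URI (from Microsoft's ASR documentation):
#   ./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
# Data type: String. Value format: <GUID>=<action>|<GUID>=<action>|...
# Action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
# Rule GUIDs are from Microsoft's ASR rule reference; the selection is illustrative.

$desired = [ordered]@{
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 2   # Block credential stealing from LSASS (audit first)
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 2   # Block process creations originating from PSExec and WMI commands
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 1   # Block persistence through WMI event subscription
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 1   # Use advanced protection against ransomware
}

function New-AsrOmaUriValue {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Rules)
    $validActions = 0, 1, 2, 6
    $parts = foreach ($entry in $Rules.GetEnumerator()) {
        # Normalise to the bare upper-case GUID the CSP expects (no braces)
        $id = "$($entry.Key)".Trim('{}').ToUpper()
        if ($id -notmatch '^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$') {
            throw "Not a GUID: '$($entry.Key)'"
        }
        if ([int]$entry.Value -notin $validActions) {
            throw "Invalid action $($entry.Value) for $id (use 0, 1, 2 or 6)"
        }
        "$id=$([int]$entry.Value)"
    }
    $parts -join '|'
}

$value = New-AsrOmaUriValue -Rules $desired
$value   # paste this into the custom profile's Value field

# After the server syncs, confirm delivery by comparing with what Defender reports:
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

Keep one source of truth: if the same rule is also set by a GPO or by the Administrative Templates setting the reply above describes, the values can conflict, and the Get-MpPreference output is where you will see which one actually won.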

  3. Hi,

    Great article.

    Do you know how we can check the logs via KQL to see who changed an ASR rule from Block to Audit, or made any changes to a rule.

    Example, my ASR Rule is called, ‘ASR Rules – All Windows OS v2’, and someone changed the ‘Block Win32 API calls from Office macros’, from Block to Audit.

    I can’t seem to find many great Intune type queries around except for info on devices and how many are in compliance. Really want to be able to query what users with Admin access in Intune are doing.

    I have Intune logs set correctly in Tenant Admin>Diagnostic Settings, so just need to know how to start querying those logs to get what I need.

    Regards,

    Richard

