Version: 2.1.1-preview

Test-MtIntuneASRRules

SYNOPSIS

Ensure the Microsoft Defender ASR Standard Protection baseline rules are configured in Block or Audit mode.

SYNTAX

Test-MtIntuneASRRules [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

Checks Intune Endpoint Security Attack Surface Reduction policies (configurationPolicies API) for ASR rule configurations.

ASR rules reduce the attack surface of applications by preventing behaviors commonly abused by malware, such as Office macros spawning child processes, credential theft from LSASS, or execution of obfuscated scripts.

Each ASR rule can be set to one of four modes:

  • Block: Actively prevents the behavior (recommended for production)
  • Audit: Logs the event without blocking (recommended for testing)
  • Warn: Warns the user before allowing the behavior
  • Disabled/Not configured: Rule is inactive

Pass criteria: The test passes if every rule in the Microsoft Defender for Endpoint ASR Standard Protection baseline is configured in Block or Audit mode in at least one ASR policy. The Standard Protection baseline is the minimum recommended set Microsoft publishes for initial ASR deployment:

  1. Block abuse of exploited vulnerable signed drivers
  2. Block credential stealing from LSASS
  3. Block persistence through WMI event subscription

See https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement

Additional ASR rules detected in tenant policies are reported for visibility but do not affect the pass/fail result.
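The pass criteria above, worked through as an added example (not Maester's own code): the baseline rules are checked against the union of all policies, so a rule that is only Warn in one policy still passes if another policy sets it to Block or Audit. Policy names, rule-name keys and the Get-ConstructedAsrPolicies helper are constructed for illustration; the real test reads Intune configurationPolicies via Graph, where rules are keyed by GUID.

```powershell
# Standard Protection baseline rules listed on this page.
$StandardProtectionBaseline = @(
    'Block abuse of exploited vulnerable signed drivers'
    'Block credential stealing from LSASS'
    'Block persistence through WMI event subscription'
)

function Get-ConstructedAsrPolicies {
    # Constructed sample data: two policies, each mapping rule name -> mode.
    # The LSASS rule is only Warn in one policy but Block in the other.
    @(
        @{ Name = 'ASR - Servers'; Rules = @{
            'Block abuse of exploited vulnerable signed drivers' = 'Block'
            'Block credential stealing from LSASS'               = 'Warn' } }
        @{ Name = 'ASR - Workstations'; Rules = @{
            'Block credential stealing from LSASS'                    = 'Block'
            'Block persistence through WMI event subscription'        = 'Audit'
            'Block Office applications from creating child processes' = 'Audit' } }
    )
}

function Test-AsrBaselineCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        [string[]] $Baseline = $StandardProtectionBaseline
    )
    $passingModes = 'Block', 'Audit'
    # Union across policies: a rule counts as covered if ANY policy sets it
    # to Block or Audit; Warn and Disabled do not count.
    $covered = [System.Collections.Generic.HashSet[string]]::new()
    $seen    = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($policy in $Policies) {
        foreach ($rule in $policy.Rules.Keys) {
            [void]$seen.Add($rule)
            if ($policy.Rules[$rule] -in $passingModes) { [void]$covered.Add($rule) }
        }
    }
    $missing    = @($Baseline | Where-Object { -not $covered.Contains($_) })
    $additional = @($seen     | Where-Object { $_ -notin $Baseline })
    [pscustomobject]@{
        Passed          = ($missing.Count -eq 0)
        MissingRules    = $missing
        AdditionalRules = $additional   # reported for visibility only
    }
}

# With the constructed data, Passed is $true and AdditionalRules lists the Office rule.
Test-AsrBaselineCoverage -Policies (Get-ConstructedAsrPolicies)
```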

EXAMPLES

EXAMPLE 1

Test-MtIntuneASRRules

Returns true if every Standard Protection baseline rule is configured in Block or Audit mode across the union of all ASR policies in the tenant.

PARAMETERS

-ProgressAction

Determines how PowerShell responds to progress updates generated by the cmdlet, such as the progress bars generated by Write-Progress.

Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

System.Boolean

NOTES

https://maester.dev/docs/commands/Test-MtIntuneASRRules