MT.1178 - Ensure ASR Rules are configured correctly
Overviewβ
Ensure at least one Intune Attack Surface Reduction (ASR) policy has rules configured in Block or Audit mode.
ASR rules reduce the attack surface of applications by preventing behaviors commonly abused by malware and threat actors. These rules target specific techniques such as:
- Office macros spawning child processes or injecting code into other processes
- Credential theft from LSASS (Local Security Authority Subsystem Service)
- Script-based attacks using obfuscated JavaScript, VBScript, or PowerShell
- Email-borne threats executing content from Outlook or webmail
- Ransomware advanced protection heuristics
- USB-based attacks running untrusted unsigned processes
- Persistence through WMI event subscriptions
Each ASR rule can operate in one of four modes:
- Block: Actively prevents the behavior (recommended for production after testing)
- Audit: Logs the event without blocking (recommended for initial rollout)
- Warn: Warns the user before allowing the behavior to proceed
- Disabled: Rule is not active
The test passes if every rule in the Microsoft Defender ASR Standard Protection baseline is configured in Block or Audit mode across the union of all ASR policies in the tenant. The Standard Protection baseline is the minimum recommended set Microsoft publishes for initial ASR deployment:
- Block abuse of exploited vulnerable signed drivers
- Block credential stealing from LSASS
- Block persistence through WMI event subscription
See the Microsoft Defender ASR rules deployment guide for the canonical baseline definition.
Additional ASR rules detected in tenant policies are reported for visibility but do not affect the pass/fail result. Warn is a supported ASR rule state but does not satisfy the baseline. Baseline rules in Audit mode will trigger an informational note recommending a transition to Block mode.
Remediation action:β
- Navigate to Microsoft Intune admin center.
- Go to Endpoint security > Attack surface reduction.
- Click + Create policy.
- Set Platform to Windows 10 and later and Profile to Attack Surface Reduction Rules.
- Enter a policy name (e.g., "ASR Rules - Audit Mode").
- Configure individual ASR rules β start with Audit mode for all rules:
- Block abuse of exploited vulnerable signed drivers
- Block Adobe Reader from creating child processes
- Block all Office applications from creating child processes
- Block credential stealing from Windows LSASS
- Block executable content from email client and webmail
- Block executable files unless they meet prevalence, age, or trusted list criteria
- Block execution of potentially obfuscated scripts
- Block JavaScript or VBScript from launching downloaded executable content
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block Office communication app from creating child processes
- Block persistence through WMI event subscription
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block Win32 API calls from Office macros
- Use advanced protection against ransomware
- Assign the policy to your device groups and click Create.
- Monitor audit events in Microsoft Defender for Endpoint > Reports > Attack surface reduction rules for 2β4 weeks before transitioning rules to Block mode.
Related linksβ
- Microsoft Intune - Attack Surface Reduction
- Microsoft Learn - ASR rules reference
- Microsoft Learn - Enable ASR rules in Intune
- Microsoft Learn - ASR rules deployment guide
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | MT.1178 |
| Severity | High |
| Suite | Maester |
| Category | Intune |
| PowerShell test | Test-MtIntuneASRRules |
| Tags | Intune, Maester, MT.1178 |
Sourceβ
- Pester test:
tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1 - PowerShell source:
powershell/public/maester/intune/Test-MtIntuneASRRules.ps1