Cybersecurity

How to Enable Attack Surface Reduction Rules via Intune

Published 18 October 2025 · 8 min read

Attack Surface Reduction (ASR) rules block specific behaviours that malware commonly uses - Office macros spawning processes, scripts downloading executables, credential stealing. Enabling them is one of the most effective endpoint hardening steps for Windows 10/11.

What ASR rules do

ASR rules target the techniques attackers use after initial access, rather than specific malware samples.

Audit vs Block mode

ASR rule modes

Disabled - no protection, no logging.
Audit - logs what would be blocked but does not block. Always start here.
Block - actively blocks the behaviour. Enable after Audit testing.
Warn - shows a warning but allows the user to override.

Use Audit mode first: switching directly to Block without Audit testing can break legitimate applications, especially older Office macros. Run in Audit for 1-2 weeks first.

Enable via Intune

Endpoint Security → Attack Surface Reduction → + Create policy → Windows 10 and later → Attack Surface Reduction Rules
High-value ASR rules

Block Office apps from creating child processes - Block. Stops most macro-based malware.
Block credential stealing from LSASS - Block. Stops Mimikatz.
Block executable content from email - Block.
Block JS/VBScript from launching executables - Block.
Block untrusted processes from USB - Block.
Block Office apps from injecting into other processes - Audit first. May affect some Office add-ins.

Monitor results

Microsoft 365 Defender → Reports → Security report → Attack surface reduction rules

The ASR report shows which rules triggered, on which devices and against which processes while in Audit mode, so you can identify false positives before switching to Block.
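The same rule table and the same Audit-then-Block check can be done on a single device with the Defender PowerShell cmdlets, which is useful in a lab before the Intune policy goes out and for verifying that the policy actually landed. The script below is an added example, not code from the original article or from Microsoft: it applies the six rules above in the modes the table recommends (everything in Audit for the trial period, then Block, with the Office-injection rule kept in Audit), prints the effective state, and summarises ASR events from the Defender operational log by rule and process. It assumes an elevated session on Windows 10/11 with Defender Antivirus active; the rule GUIDs are Microsoft's documented identifiers, while the event field names `ID`, `Path` and `Process Name` are assumed from the 1121/1122 event schema and should be checked against one real event. On Intune-managed devices the Intune policy overrides these local settings.

```powershell
# Added example (not from the original article): local equivalent of the ASR rule
# table, plus a summary of Audit/Block events for false-positive triage.

# Rule GUIDs as documented by Microsoft; the names are the article's labels, for reporting only.
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBScript from launching executables'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted processes from USB'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office apps from injecting into other processes'
}
$InjectionRule = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'

# Action values accepted by -AttackSurfaceReductionRules_Actions
$AsrAction = @{ Disabled = 0; Block = 1; Audit = 2; Warn = 6 }
$AsrActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrBaseline {
    # -AuditOnly puts every rule in Audit for the initial 1-2 week trial.
    # Without it, rules go to Block except the injection rule, which stays in Audit
    # because it can affect some Office add-ins (see the table above).
    param([switch]$AuditOnly)
    $ids = @(); $actions = @()
    foreach ($id in $AsrRules.Keys) {
        $action = if ($AuditOnly -or $id -eq $InjectionRule) { $AsrAction.Audit } else { $AsrAction.Block }
        $ids += $id
        $actions += $action
    }
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrState {
    # Lists each configured rule with its effective mode, whether set locally or by Intune.
    $pref = Get-MpPreference
    if (-not $pref.AttackSurfaceReductionRules_Ids) { Write-Warning 'No ASR rules configured'; return }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $name = if ($AsrRules.Contains($id)) { $AsrRules[$id] } else { $id }
        $mode = if ($AsrActionName.ContainsKey($code)) { $AsrActionName[$code] } else { $code }
        [pscustomobject]@{ Rule = $name; Mode = $mode }
    }
}

function Get-AsrEventSummary {
    # Event 1122 = rule would have blocked (Audit); event 1121 = rule blocked.
    # Grouping by rule and process surfaces the repeat offenders to review as possible false positives.
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Assumed field names; confirm with one event's ToXml() output if these come back empty.
        $ruleId = "$($data['ID'])".ToUpper()
        $name = if ($AsrRules.Contains($ruleId)) { $AsrRules[$ruleId] } else { $ruleId }
        $mode = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
        [pscustomobject]@{ Mode = $mode; Rule = $name; Process = $data['Process Name']; Target = $data['Path'] }
    } |
    Group-Object Mode, Rule, Process |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Mode, Rule, Process'; e = { $_.Name } },
        @{ n = 'Example target';      e = { $_.Group[0].Target } }
}

# Typical sequence: Audit for the trial period, review, then move to Block.
Set-AsrBaseline -AuditOnly
Get-AsrState
Get-AsrEventSummary -Days 14
# After the review period, with false positives resolved:
# Set-AsrBaseline
```

Run the first three commands at the start of the trial and `Get-AsrEventSummary` again before the switch; a process that appears under the same rule on many devices is the candidate to examine. For a confirmed false positive, `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` takes the file path to exclude, which matches the FAQ advice below to exclude only what has been confirmed.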

Frequently Asked Questions

Q: Will ASR rules break Microsoft Office?

Some rules can affect Office with complex macros. Test in Audit mode first. Most modern Office usage is not affected.

Q: Can I exclude specific folders from ASR rules?

Yes. ASR rules support exclusions by file path or process. Add exclusions only for confirmed false positives.

Q: Do ASR rules replace antivirus?

No. ASR rules are a complementary layer to antivirus. They block malicious behaviours regardless of whether malware is known to AV.
