Attack Surface Reduction Policies
ASR rules block common attack techniques used by malware and exploits. Deploy ASR policies through Intune to reduce the attack surface on Windows devices.
ASR Rules
Office-Based Rules
- Block Office apps from creating child processes
- Block Office apps from creating executable content
- Block Office apps from injecting code
- Block Win32 API calls from Office macros
Script and Email Rules
- Block executable content from email and webmail
- Block JavaScript/VBScript from launching downloads
- Block execution of obfuscated scripts
Credential and Process Rules
- Block credential stealing from LSASS
- Block process creations from PSExec and WMI
- Block untrusted processes from USB
Ransomware Protection
- Use advanced protection against ransomware
- Block executables unless they meet prevalence or trust criteria
Enforcement Modes
| Mode | Description |
|---|---|
| Not Configured | Rule is disabled |
| Block | Rule enforced; actions prevented |
| Audit | Events logged, actions not blocked |
| Warn | User warned but can bypass |
Tip: Start all rules in Audit mode. Review events for two weeks before switching to Block.
Controlled Folder Access
Controlled Folder Access protects important folders from ransomware. Documents, Pictures, Videos, and Desktop are protected by default, and you can add custom folders. Only trusted apps can modify protected folders.
Exploit Protection
Apply exploit mitigation at OS and application level: DEP, ASLR, SEHOP, heap protection, EAF.
Network Protection
Block connections to malicious domains and IPs. Integrates with SmartScreen. Modes: Block, Audit, Disabled.
Best Practices
- Deploy all rules in Audit mode first
- Review audit data for at least two weeks
- Enable Block for rules with no false positives
- Keep Controlled Folder Access enabled
- Monitor events for new false positives
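One way to carry out the audit review described above on a single device, as an added example that is not part of this product's documentation. It uses the built-in `Get-MpPreference` and `Get-WinEvent` cmdlets instead of the API listed below, and it assumes the event data fields `ID` and `Process Name` follow the standard layout of Defender events 1121 and 1122.

```powershell
# Added example: local review of ASR activity during the Audit phase.
# Run in an elevated PowerShell session on a Windows device with Defender active.
$ReviewDays  = 14   # the two-week review window recommended above
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Map each configured rule GUID to its current action.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$configured = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i]) { $configured[$ids[$i].ToLower()] = [int]$acts[$i] }
}

# Event 1122 = rule fired in Audit mode, 1121 = rule fired in Block mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-$ReviewDays)
} -ErrorAction SilentlyContinue

# Group hits by rule GUID, keeping the process name recorded in each event.
$byRule = @{}
foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if (-not $data['ID']) { continue }
    $byRule[$data['ID'].ToLower()] += @([string]$data['Process Name'])
}

# One row per configured rule. Zero hits in the window makes an Audit rule a
# candidate for Block; any hits need review to separate real detections from
# false positives before the mode is changed.
$configured.GetEnumerator() | ForEach-Object {
    $procs = @()
    if ($byRule.ContainsKey($_.Key)) { $procs = $byRule[$_.Key] }
    $next = 'n/a'
    if ($_.Value -eq 2) {
        if ($procs.Count -eq 0) { $next = 'Candidate for Block' } else { $next = 'Review hits' }
    }
    [pscustomobject]@{
        RuleId       = $_.Key
        Action       = $ActionNames[$_.Value]
        Hits         = $procs.Count
        TopProcesses = ($procs | Group-Object | Sort-Object Count -Descending |
                        Select-Object -First 3 -ExpandProperty Name) -join '; '
        NextStep     = $next
    }
} | Sort-Object Hits -Descending | Format-Table -AutoSize
```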
API Reference
- GET /api/devices/security/asr/policies — List policies
- POST /api/devices/security/asr/policies — Create policy
- GET /api/devices/security/asr/events — Get audit events
- GET /api/devices/security/asr/status — Get rule status