Enable and Monitor Attack Surface Reduction (ASR) With Intune

In this Microsoft Defender for Endpoint and Intune article, we will enable the Attack surface reduction (ACR) rule on Windows devices and monitor them.

Microsoft Defender for Endpoint (MDE) ACR rules allow us to limit the attack surface malicious code and cybersecurity vulnerabilities that impact endpoint devices.

ACR rules protect the areas a malicious code can launch an attack inside an endpoint and limit the capabilities of an attacker from starting an attack. For example, ACR blocks scripts that attempt to download and run executables on an endpoint.

Audit Mode

To minimise the disruption of ASR online 0f business applications that are legitimate when introducing ASR, we highly recommend using it in Audit mode.

Nothing is being blocked in audit mode, and all ASR rules are recorded and can be viewed later in the reporting portal.

To create an ACR rule, Open Microsoft Intune

Click on Endpoint Security

Click on Attack surface reduction

Create a profile for Windows 10, Windows 11 and Windows Server.

In the configuration page, enable all the rules or specific ones and set them to Audit

View Audit Events

To view the audit reports, follow the steps below.

 Microsoft 365 Defender portal 

Click on Reports

Click on Attack surface reduction rules

Wait a few hours and review the rules and add exclusions as needed.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.