Enabling ASR Rules
Start course

This course explores the suite of tools available in Microsoft Endpoint Manager for establishing and maintaining security posture in an organization. These include tools like Microsoft Intune, used for enrolling devices as well as creating and enforcing device compliance, and Microsoft Defender, used for implementing device antivirus and malware defense tools. This course will also review the activities involved in reducing attack surfaces in an organization that bad actors could use to penetrate and expose sensitive data. This sensitive data is protected through the implementation of attack surface reduction rules which are deployed through careful auditing and testing to prevent any loss of productivity. This course will also touch on the security baselines made available to organizations wishing to enact a more granular security posture and have access to tools like secure score for evaluating the effectiveness of these efforts against known best practices.  

Learning Objectives

  • Create a compliance policy 
  • Monitor enrolled devices
  • Setup surface attack reduction rules
  • Deploy surface attack reduction rules
  • Review security baselines
  • Examine Microsoft secure score

Intended Audience

This course is designed for individuals who are responsible for setting up and monitoring device compliance and security in Microsoft 365 as well as those pursuing Microsoft certifications.


To get the most from this course, you should have some familiarity and experience with the Microsoft 365 security suite of tools including Microsoft Endpoint Manager.  


When implementing ASR Rules, aside from the prerequisites reviewed in earlier lectures, there are a number of other settings to consider. Each ASR rule contains one of five settings not configured, which means the rule has not been set up. Block, which means the ASR rule has been enabled. Audit, which allows us to evaluate how the ASR rule would impact our organization if enabled. Disable, which disables the rule. And Warn, which enables the ASR rule but allows the end user to bypass the block.

Enterprise-level management programs such as, in tune or Microsoft Endpoint Manager, are recommended to implement these rules as they will overwrite any conflicting group policy or power shell settings on startup. We can also exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect our devices.

Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run and no report or event will be recorded. If ASR rules are detecting files that we believe shouldn't be detected, we should use Audit mode first to test the rule. To enable ASR rules and in tune, we select Endpoint security, then attack surface reduction. Then we choose an existing ASR rule or create a new one.

In the configuration settings pane, we select the Attack surface reduction rule, then select the desired setting for each ASR rule. We can also add specific callouts using the options at the bottom for a list of additional folders that need to be protected, list of apps that have access to protected folders, and exclude files and paths from attack surface reduction rules. Once complete, we select "Next" on the next three configuration panes and select "Create," if this is a new policy or safe if we are editing an existing policy. At this point, our rule is ready for testing and implementation.

About the Author

Steve is an experienced Solutions Architect with over 10 years of experience serving customers in the data and data engineering space. He has a proven track record of delivering solutions across a broad range of business areas that increase overall satisfaction and retention. He has worked across many industries, both public and private, and found many ways to drive the use of data and business intelligence tools to achieve business objectives. He is a persuasive communicator, presenter, and quite effective at building productive working relationships across all levels in the organization based on collegiality, transparency, and trust.