ASR Rules Are the Ransomware Defense You Already Own. Roll Them Out Without Breaking Payroll.
TL;DR
- Attack Surface Reduction rules operate at the application layer, blocking unauthorized macros, scripts, and processes that traditional antivirus may never flag.
- Devices must be enrolled in Microsoft Defender before ASR rules can be enforced through Intune.
- Microsoft recommends starting every ASR rule in Audit mode, which logs what would have been blocked without blocking anything.
- The Attack Surface Reduction report in the Defender portal supplies ready-made exclusion paths under its Add Exclusions tab.
- Exclusions written against specific user paths should be generalized with path variables so one rule covers every device.
Somewhere in your client base, a Word document with a hostile macro is going to get opened. Whether that moment becomes a ticket or a ransomware incident often comes down to a set of controls most tenants already license and few have turned on: Attack Surface Reduction rules.
ASR rules are quietly effective and loudly dangerous, in the sense that a careless rollout can flag a finance team's payroll macros as a threat and halt business operations. This guide covers how the rules work, the Intune deployment sequence, and the audit-first approach that gets you to Block mode without the support fire.
What ASR rules catch that antivirus does not
ASR rules work like tripwires set ahead of malicious behavior, stopping an action before it completes rather than recognizing a file signature after the fact. An Office macro spawning a process, an attacker pulling down a payload, both get interrupted before they can do damage.
The rules are part of the Microsoft Defender suite, aimed at securing devices against ransomware, phishing, and malicious scripts. They operate primarily at the application layer, focusing on blocking unauthorized macros, scripts, and processes, including ones traditional antivirus solutions never flag. That last part is the point: signature-based tools need to recognize the malware, while ASR rules block the behavior pattern regardless of what is executing it.
The deployment sequence in Intune
Three steps stand between you and a working policy.
Step 1: Confirm Defender enrollment. Devices must be enrolled in Microsoft Defender before ASR rules can be enforced. No enrollment, no enforcement. Microsoft's ASR rules deployment overview (opens in new tab) covers the enrollment prerequisites step by step.
Step 2: Find the policy home. In the Intune admin center, navigate to Endpoint Security and open the Attack Surface Reduction section. This is where the policy that applies ASR rules across the organization lives.
Step 3: Create and configure the policy. Inside the Attack Surface Reduction section, click Create Policy, choose your platform (for example, Windows), and select the ASR rules profile to enforce. Each rule then offers several options, including Off, Audit, and Block.
That third step is where rollouts go right or wrong, which brings us to the mode choice.
Why Audit mode is not optional
Flipping everything straight to Block is tempting and a mistake. Block mode can prevent legitimate applications and processes from running, and every one of those is a support ticket with an angry user attached.
Microsoft recommends starting with the Audit setting for all ASR rules, and we agree. Audit blocks nothing. It logs every activity that would have been blocked, giving you a preview of the false positives and legitimate business processes the rules would catch.
The practice that works: audit across the organization, review the results, resolve the flagged legitimate processes, and only then move rules to Block, gradually.
Read the telemetry, then write the exclusions
With rules running in Audit mode, the Defender portal becomes your review queue. The Attack Surface Reduction report shows detailed reports on detected activities, so if a document's macro gets flagged, it appears here with the telemetry you need to tune rules and refine exclusions over time.

The report does half the exclusion work for you. The Add Exclusions tab supplies the exact exclusion paths you can add to the ASR rule:

One refinement worth making: when an exclusion is written against a particular user or an overly specific file path, generalize it with path variables so it applies fleet-wide instead of to one machine. Compare the user-specific version:

with the generalized syntax:

This is also your false positive playbook in general. When a trusted process gets flagged, OneDrive's setup file during deployment is a classic example, exclude it from detection while the broader policy stays intact. Legitimate workflows keep moving and the endpoints stay covered.
The rollout principle: start small, scale on evidence
The misconfiguration risk deserves restating plainly, because it is the reason ASR adoption stalls: a rule that flags the finance department's payroll macros can halt business operations. The defense against that outcome is the sequence above. Begin with auditing, review the results, resolve the flags, and tighten gradually until the configuration has earned Block mode.
For MSPs and IT teams, the takeaway is to get ASR rules into your security baselines now, audit-first, rather than waiting for the incident that proves you needed them. The attacks they stop are exactly the ones that slip past traditional antivirus, and ransomware crews know which tenants left the door open.
Reference material
Frequently asked questions
Will ASR rules break legitimate business applications?
They can if you skip Audit mode. A finance team's payroll macros are exactly the kind of legitimate process that Block mode can flag. Audit first, review what would have been blocked, add exclusions, then enforce.
What is required before deploying ASR rules from Intune?
Devices must be enrolled in Microsoft Defender. Without that enrollment, ASR rules cannot be enforced. Microsoft's deployment overview covers the enrollment steps.
How do you handle false positives in ASR rules?
Use the exclusion feature to whitelist trusted processes, files, or directories. The ASR report's Add Exclusions tab provides the exact paths, and generalizing user-specific paths keeps a single exclusion working across the fleet.
Is ASR actually deployed across your client tenants?
ASR rules belong in every security baseline, and baselines drift. CloudCapsule checks 250+ controls per Microsoft 365 tenant in 60 seconds, including the endpoint protections that stop ransomware before the helpdesk hears about it.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


