Attack Surface Reduction
ASR rules are a key component of protecting your Windows endpoints if MDE is your primary EDR. This report is most useful during the deployment phase of ASR, as it contains detections and device configurations and assists with adding exclusions for rules.
Detections
The detection page shows an overview of audited and blocked detections over the past 30 days for all of your Windows devices. By default, the report is filtered to Standard protection, which covers only 3 of the current 20 ASR rules. Change this filter to All so that you can use the rule filter to check detections for a specific rule. You can also add a filter for Device group and for detection type.
There is a GroupBy option in the upper right-hand corner, which can be helpful; however, it only aggregates the roughly 200 records that have been loaded on the page, so depending on how many detections you are working with, you will either need to scroll until all records have loaded or export a spreadsheet and create a pivot table.
All columns can be useful, but it is important to note the Source app column. While the ASR rule acts on the Detected file, it is good to see the source app whose functionality may be impacted. This depends on the rule: for some rules the detected file and the source app are the same application.
Configuration
Use the configuration page to get an overview of the currently active ASR rules on your Windows devices. This can be useful in troubleshooting your deployed ASR policies, as it shows the actual configuration on the device, whereas reporting in Intune or SCCM might show a successfully applied policy but not the effective configuration on the device. Like the detections page, this defaults to Standard protection, and in most cases you should switch to All to get a true picture of your rule deployment.
Selecting an individual device shows all 20 ASR rules and their current configuration state. Items that are not applicable are commonly so because SCCM is installed on the machine or because the rule only applies to servers and the device is not a server.
KQL to get a full overview
The configuration page lacks an export button, and while the columns are sortable, they are sorted as strings rather than integers. Using Advanced hunting, we can get a complete overview of our environment. Note that as of March 15th, 2025 this query only covers the 16 typical ASR rules and not the preview or server rules.
```kusto
DeviceTvmSecureConfigurationAssessment
// ASR is only for Windows devices; note that contains is resource intensive, so you may want to adjust this filter in larger environments
| where OSPlatform contains "Windows"
| join kind=rightouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | where ConfigurationSubcategory == "Attack Surface Reduction"
  ) on $left.ConfigurationId == $right.ConfigurationId
// Context holds the effective mode of the rule on the device (Block, Warn, Audit, Off)
| project DeviceId, DeviceName, OSPlatform, IsCompliant, IsApplicable, IsExpectedUserImpact, Context = Context[0][0], ConfigurationName, RiskDescription
| summarize Blocked = countif(Context == "Block" and IsApplicable == 1),
            Warn = countif(Context == "Warn" and IsApplicable == 1),
            Audited = countif(Context == "Audit" and IsApplicable == 1),
            Off = countif(Context == "Off" and IsApplicable == 1),
            NotApplicable = countif(IsApplicable == 0),
            Total = count()
  by ConfigurationName
```
Exclusions
Use this page to assist with adding exclusions to your ASR policies after using the detections page. Select all the files you wish to exclude for a particular rule and, in the bottom right-hand corner, select Get selected exclusion paths. This creates a basic CSV file named AsrExclusionPaths with no headers, containing just the full file paths for all the selected detections.
Often this file will contain many rows for the same file, so be sure to use wildcards and variables where possible to limit the number of entries you are adding. Once you have reviewed your selected file paths and removed any duplicates after adding wildcards, save the file and return to the exclusion report.
In the bottom right-hand corner select Add exclusions; this takes you to the ASR policies in Intune under Endpoint security. If you are not managing your ASR policy there, you will need to find your policy and add the exclusions as necessary.
Select your policy, open the configuration settings, find the rule you are adding exclusions for, and import your saved CSV file. This should auto-populate the list of exclusions; you can now save your policy and the exclusions are added.
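As an added example (not part of the original post or of the MDE report itself), the following Python script does the review step described above on an AsrExclusionPaths export: it reads the header-less CSV, drops rows that are not full paths, replaces the per-user profile folder with a * wildcard so one entry covers every user, and removes case-insensitive duplicates. The sample rows are constructed for illustration, and the wildcard rule is one generalization approach, not the only one.

```python
import csv
import io
import re

# Constructed sample of an AsrExclusionPaths export: no header row, one full
# file path per row, the same file repeated across users, plus a bare file
# name and an empty row that should both be dropped.
SAMPLE_CSV = r"""C:\Users\alice\AppData\Local\Temp\vendor\setup.exe
C:\Users\bob\AppData\Local\Temp\vendor\setup.exe
c:\users\ALICE\appdata\local\temp\vendor\setup.exe
C:\Program Files\Vendor\tool.exe
C:\Program Files\Vendor\tool.exe

setup.exe
C:\Users\carol\Downloads\report.xlsx
"""

# Matches "<drive>:\Users\<name>\" at the start of a path, any letter case.
USER_PROFILE = re.compile(r"^([a-z]:\\users\\)[^\\]+\\", re.IGNORECASE)
DRIVE_PREFIX = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def generalize(path: str) -> str:
    """Replace the per-user profile folder with a * wildcard so that one
    exclusion entry covers the same file for every user profile."""
    return USER_PROFILE.sub(r"\1*\\", path.strip())


def consolidate(csv_text: str) -> list[str]:
    """Return the de-duplicated, generalized exclusion list in input order.
    Rows that are empty or are not a full path (a bare file name would exclude
    that name wherever it appears) are skipped rather than generalized."""
    seen: set[str] = set()
    result: list[str] = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue
        path = row[0].strip()
        if not DRIVE_PREFIX.match(path):
            continue  # bare file name or relative path: not a full path
        entry = generalize(path)
        key = entry.lower()  # Windows paths are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        result.append(entry)
    return result


if __name__ == "__main__":
    for line in consolidate(SAMPLE_CSV):
        print(line)
```

Write the printed lines back to the CSV (still without a header) before importing it into the Intune policy.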
Warning
Note that adding an exclusion for a file with no path is very insecure, and depending on your device security and the file location, even providing the full path can be quite insecure. Depending on the exclusion scenario it may make more sense, and be more secure, to go back to the Detections page of this report, select the file you wish to exclude, and select Open file page.
This takes you to the Defender record for this file, where you can add the file hash as an allow indicator and even scope it to an MDE device group, which is substantially more secure. You can also add indicators for a certificate; however, these are more prone to compromise.