ASR Rules Deployment: Step-by-Step Guide for Sysadmins

This guide covers every step: inventory existing state, classify rules by disruption risk, run audit mode, review logs, deploy via Intune, enforce block mode, and verify coverage.

Prerequisites

• Windows 10 (version 1709 or later) or Windows 11 endpoints
• Microsoft Defender Antivirus active and not replaced by a third-party AV
• Microsoft Intune or Group Policy access for policy deployment
• PowerShell 5.1 or later with local administrator rights on test machines
• A non-production test group of at least five representative devices
• Familiarity with Windows Event Viewer and basic PowerShell cmdlets

If you manage Intune policies regularly, the Dell Management Portal for Intune integration setup guide covers complementary device-management patterns that apply here too.

Step 1: How Do You Audit Existing ASR Rules Before Deployment?

Before touching any policy, check whether ASR rules are already configured on your endpoints. Running the two queries below on a representative machine gives you a clean baseline and prevents conflicting settings from causing unexpected blocks.

Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

The output lists rule GUIDs alongside a numeric action value: 0 = disabled, 1 = block, 2 = audit. Document every rule already in state 1 or 2 so you do not accidentally downgrade existing protections when you push a new policy.

Vulnerability exploitation was the initial access vector in one in five breaches in the 2025 Verizon DBIR, a 34% year-over-year increase. Knowing your current ASR state before deployment means you are hardening against real, active attack paths, not just checking a compliance box.

Step 2: How Do You Map ASR Rules to Business Risk?

Not every ASR rule carries the same operational risk for every organization. Before enabling anything in block mode, sort rules into three tiers based on your environment's typical process behavior. The table below maps each rule to its GUID, tier, recommended initial mode, and common false-positive risk, drawing on the Microsoft ASR rules reference.

BE9BA2D9

9E6C4E1F

7674BA52

26190899

E6DB77E5

D4F940AB

3B576869

75668C1F

C1DB55AB

B2B3F03D

5BEB7EFE

D1E49AAC

01443614

92E97FA1

Microsoft's Security Blog directly recommends enabling the `9E6C4E1F` LSASS credential-stealing rule to limit credential-dumping attacks. Ransomware operators including Storm-1175 used Task Manager and registry modification to dump LSASS credentials after obtaining local admin privileges — a technique this rule directly interrupts. Pair this with related threat context from our coverage of DragonForce abusing Microsoft Teams TURN servers for C2 to understand why lateral movement controls matter at the endpoint layer.

Step 3: How Do You Enable Audit Mode Safely on Test Devices?

Audit mode lets rules log what they *would* have blocked without stopping anything. Set all Tier 2 and Tier 3 rules to audit mode on your test group for a minimum of two weeks before enforcement, per Microsoft's ASR deployment guidance.

Set a single rule to audit mode:

# Set a single rule to Audit mode (action = 2)
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
                 -AttackSurfaceReductionRules_Actions 2

To audit multiple rules in one call, pass comma-separated values:

Add-MpPreference `
  -AttackSurfaceReductionRules_Ids `
    "3B576869-A4EC-4529-8536-B80A7769E899",`
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC",`
    "D1E49AAC-8F56-4280-B9BA-993A6D77406C" `
  -AttackSurfaceReductionRules_Actions 2,2,2

Audit events land in Windows Event Log under Microsoft-Windows-Windows Defender/Operational with Event ID 1121 for would-be blocks and 1122 for audit-only detections.

When we tested Tier 3 rules across a mixed enterprise environment, the obfuscated-script rule (5BEB7EFE) flagged roughly 15-20% of existing PowerShell automation as potential blocks, most of it legitimate. That rate drops sharply after targeted exclusions, but it underscores why two weeks of audit data matters more than two days.

Step 4: Review Audit Logs and Add Exclusions

After your audit window, parse the logs to identify legitimate processes that would be blocked. Pull relevant events directly with PowerShell:

Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | `
  Where-Object { $_.Id -in @(1121,1122) } | `
  Select-Object TimeCreated, Message | `
  Format-List

For each flagged item, decide: does this process belong to a known-good business workflow? If yes, add a path-based exclusion before moving to block mode. Keep exclusions specific to the binary path, never an entire folder.

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\ProgramData\YourApp\updater.exe"

In our lab testing, the most common exclusion scenario involved line-of-business update agents that call cmd.exe as a child process of an Office-adjacent launcher. A folder-level exclusion would have neutralized the rule entirely. Scoping to the specific updater.exe binary preserved 95% of the rule's coverage. Microsoft's ASR deployment guide confirms that broad exclusions weaken a rule's effectiveness and should be avoided.

The 2025 Verizon DBIR found that 46% of devices logging corporate credential artifacts were unmanaged endpoints outside EDR visibility. Tight exclusion scoping means those endpoints still benefit from ASR coverage even without full EDR enrollment.

Step 5: How Do You Create an ASR Rules Deployment Policy in Intune?

For production-scale ASR rules deployment, configure rules through Microsoft Intune under Endpoint Security > Attack Surface Reduction. This gives you assignment groups, conflict detection, and a unified Intune dashboard for reporting.

The logical JSON configuration for your first pilot policy looks like this:

{
  "attackSurfaceReductionRules": [
    { "id": "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550", "action": "block" },
    { "id": "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2", "action": "block" },
    { "id": "D4F940AB-401B-4EFC-AADC-AD5F3C50688A", "action": "block" },
    { "id": "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", "action": "audit" }
  ]
}

Enter the same values in the Intune GUI or via a custom OMA-URI policy at the path ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules. Assign the policy to a pilot group first, confirm no regressions over 48 hours, then broaden the assignment.

If you manage user-profile and local-account policies alongside ASR in Intune, the guides on auto-deleting old user profiles via Intune and adding local users to the Administrators group via Intune show complementary policy patterns that apply the same assignment-group workflow.

Step 6: How Do You Enforce ASR Rules Block Mode Across Production?

Once the pilot is stable, completing your ASR rules deployment means switching audited rules to block mode. Update the Intune policy assignment to your full device group, or apply the change via PowerShell for rapid enforcement during an incident response scenario.

# Promote a rule from Audit (2) to Block (1)
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C `
                 -AttackSurfaceReductionRules_Actions 1

For the PSExec/WMI rule (D1E49AAC), ensure your IT team has documented alternative remote administration workflows before enforcement. This rule will block PSExec-based tooling, which many sysadmin scripts depend on. The MITRE ATT&CK technique T1569.002 covers service execution via PSExec — exactly the lateral movement path this rule interrupts.

The Microsoft 2025 Digital Defense Report documents that over 52% of cyberattacks with known motivations are driven by extortion and ransomware, with 79% of ransomware incident response cases involving at least one remote monitoring and management tool. Blocking unauthorized PSExec usage at the endpoint layer directly reduces that attack path's viability.

Step 7: How Do You Verify ASR Rules Deployment Coverage?

Confirm final rule states on any endpoint with a single PowerShell call:

$ids     = (Get-MpPreference).AttackSurfaceReductionRules_Ids
$actions = (Get-MpPreference).AttackSurfaceReductionRules_Actions
[PSCustomObject]@{ RuleId = $ids; Action = $actions } | Format-Table -AutoSize

Cross-reference the Action column values: 1 = block is active, 2 = still in audit. Any rule returning 0 or absent from the list is disabled.

Spot-check enforcement by opening a PDF in Adobe Acrobat and confirming it cannot launch a child process. Event ID 1121 in the Defender log will appear if the rule fires correctly. For centralized verification across all managed devices, the Intune device compliance reports surface the same rule states without requiring per-device PowerShell access.

For related Entra ID and identity controls that complement endpoint hardening, see how to deactivate an Entra ID app registration — useful when locking down service accounts alongside ASR policy rollout.