Defender Attack Surface Reduction Per-Rule Exception

This guide shows an administrator how to exempt a specified directory path from the block or check that a single ASR rule enforces.

Role Requirements

Procedure Scope: Administrators

Required Group Membership: Admin.Security

Handbook Reference

Package: Device Security

Domain: Attack Surface Reduction Management

Modifies: Attack Surface Reduction Per Rule Process Exclusions

Defender ASR Per-Rule Exclusion

  1. Navigate to the Attack Surface Reduction – Intune portal, then locate and select the Security Essentials Attack Surface Reduction policy or an equivalent ASR policy.
  2. Scroll down to Configuration Settings and select Edit.
  3. The default rules will be displayed. Every rule except one (Block Persistence Through WMI Event Subscription) displays an ASR Only Per Rule Exclusions option. Select the Add button below that header. A text box will be generated where you can specify the necessary folder path. Select Next to continue.
  4. From the Review section, open the Settings dropdown to verify that the necessary exclusions were generated correctly. Select Save to finalize the per-rule exclusion. Rule changes propagate in less than 24 hours.
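
An added PowerShell check (not part of the original procedure or Sittadel's own tooling) for confirming on a managed endpoint, once the policy has propagated, that the exclusion from step 3 arrived on the intended rule. The rule GUID and folder path are constructed placeholders, and the script assumes the endpoint's Defender module exposes the `AttackSurfaceReductionRules_RuleSpecificExclusions` and `AttackSurfaceReductionRules_RuleSpecificExclusions_Id` properties as index-aligned arrays.

```powershell
# Added example. Run in an elevated PowerShell session on a managed endpoint.
function Test-AsrRuleExclusion {
    param(
        [Parameter(Mandatory)][string]$RuleId,        # GUID of the ASR rule edited in step 3
        [Parameter(Mandatory)][string]$ExpectedPath   # folder path entered in step 3
    )
    $idProp  = 'AttackSurfaceReductionRules_RuleSpecificExclusions_Id'
    $excProp = 'AttackSurfaceReductionRules_RuleSpecificExclusions'
    $pref    = Get-MpPreference
    $names   = $pref.PSObject.Properties.Name
    $want    = $RuleId.Trim('{}').ToLower()

    # Assumption: both properties exist on this Defender platform version.
    if (($names -notcontains $idProp) -or ($names -notcontains $excProp)) {
        Write-Warning "Get-MpPreference does not expose $excProp on this device."
        return
    }

    # Enforcement mode of the rule: the _Ids and _Actions arrays are parallel.
    $modes   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ruleIds = @($pref.AttackSurfaceReductionRules_Ids |
                 ForEach-Object { "$_".Trim('{}').ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $idx     = [array]::IndexOf($ruleIds, $want)
    $mode    = 'Not configured'
    if ($idx -ge 0 -and $idx -lt $actions.Count) {
        $raw  = [int]$actions[$idx]
        $mode = if ($modes.ContainsKey($raw)) { $modes[$raw] } else { "Unknown ($raw)" }
    }

    # Assumption: exclusion entries are index-aligned with the _Id array.
    $ids     = @($pref.$idProp)
    $excl    = @($pref.$excProp)
    $forRule = @(for ($i = 0; $i -lt $ids.Count -and $i -lt $excl.Count; $i++) {
        if ("$($ids[$i])".Trim('{}').ToLower() -eq $want) { "$($excl[$i])" }
    })
    $present = @($forRule | Where-Object {
        $_.IndexOf($ExpectedPath, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }).Count -gt 0

    [pscustomobject]@{
        RuleId           = $want
        RuleMode         = $mode
        ExclusionPresent = $present
        ExclusionsOnRule = $forRule
    }
}

# Constructed placeholder values; substitute the real rule GUID and folder path.
Test-AsrRuleExclusion -RuleId '00000000-0000-0000-0000-000000000000' -ExpectedPath 'C:\Example\ExcludedFolder'
```

An `ExclusionPresent` value of `False` inside the propagation window from step 4 may only mean the device has not yet synced; the same result after that window means the policy assignment needs to be rechecked.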

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.