Endpoint Privilege Management in Intune: a deployment that actually sticks

Endpoint Privilege Management (EPM) is the cleanest answer Microsoft has shipped for the local-admin problem. Done well, it lets your tenants run as standard users while still installing approved apps and updating drivers — auditable, just-in-time, no helpdesk ticket. Done badly, you ship a half-configured agent that produces noise, breaks line-of-business apps, and convinces the customer that “least privilege” is somebody else’s problem. Here is how to make EPM stick at an MSP.

The licensing trap nobody warns you about

EPM is not included in Microsoft 365 Business Premium. It needs Microsoft Intune Plan 1 plus either the Intune Suite add-on or the standalone EPM add-on. If your customer is on BP only, you have a quoting conversation before you have a deployment conversation. Confirm assignments under Tenant administration → Intune add-ons before you create a single policy.

While you are there, validate the other prerequisites people skip: devices must be Microsoft Entra joined or hybrid joined, Intune-enrolled (or ConfigMgr co-managed), 64-bit only, and on supported builds — Windows 11 24H2/23H2/22H2/21H2 or Windows 10 22H2/21H2 with the listed cumulative updates. EPM also needs clear line of sight to its endpoints without SSL inspection — this single item kills more pilots than anything else.

See EPM deployment planning for the full prerequisite matrix.

Where to configure

Everything lives in the Intune admin center at Endpoint security → Endpoint Privilege Management. There are two policy types you need to understand:

Elevation settings policy — provisions the EPM agent on the device, sets the default elevation response, and turns on reporting. One per device-targeted persona.
Elevation rules policy — defines which binaries can elevate, how (Automatic, User confirmed, Support approved, or Elevate as current user), and using which signal (file hash, certificate, or metadata). Up to 100 rules per policy.

Do not configure rules first. The agent does not exist on the endpoint until the settings policy lands. See the EPM overview.

The rollout pattern that actually works

Three rings, audit-first — same as every other Intune deployment that survives contact with users:

Audit ring (week 1–2). Deploy only an elevation settings policy to a pilot device group. Set Default elevation response = Require support approval, Send elevation data = Yes, Reporting scope = Diagnostic data and all endpoint elevations. No rules yet. Let it bake. EPM data is processed once every 24 hours, so resist the urge to declare it broken on day one.
Pilot ring (week 3–4). Use the Overview dashboard and the Frequently unmanaged elevations and Frequently approved by support tiles to identify the real top 5–10 elevation candidates. Build rules for those — prefer publisher certificate + file path over file hash, because hashes change with every app update. Roll into a 20–30 user pilot.
Production ring (week 5+). Widen progressively. Once managed-elevation coverage is high, deploy an account protection policy to remove standing local admin from the user group on those devices. That is the actual goal — the rules are just the bridge.

Build rules from Creating elevation rules. Watch coverage from EPM reports.

Top pitfalls

Certificate-rule sprawl. A certificate-only rule allows any binary signed by that publisher to elevate. Some vendors sign their entire catalogue — including tools you did not intend to elevate — with one cert. Always pair certificate with file name or path.
SSL inspection on the proxy. EPM telemetry travels over a pinned channel. Decrypt it and the device reports as “not applicable” with no useful error. Add an exclusion before you blame the agent.
Forgetting to remove local admin. Shipping rules without ever taking standing admin off the user group means EPM is theatre, not control. The whole point is the standard user.

Get those three right and EPM is a near-magical capability for an MSP. Get them wrong and it is just another agent on the box.

Copilot image generation in PowerPoint

One of the ways I like to test new image models is to give them the same prompt to create an image of an expresso machine. You can see the last iteration here:

https://blog.ciaops.com/2026/05/05/revisiting-copilot-image-generation-analysis/

More advanced image options have made their way into PowerPoint and it allows me to use the image model of my choice per:

So to test, I took exactly the same prompt I had used before to create images and used it inside PowerPoint with each model. Here’s the result from using GPT-Image-1.5

and Flux.2 Flex

These output are now beginning to revival dedicated image creation tools and they are backed right into PowerPoint and probably soon, all other desktop apps thanks to Copilot!

As a slight variation, I asked Copilot in PowerPoint to create a complete slide rather than just a single image and here’s what I got:

GPT-Image-1.5

and Flux.2 Flex

CIA Brief 20260516

Security & Threat Intelligence

Configuration becomes vulnerability: Exploitable misconfigurations in AI apps (14 May) Microsoft Defender researchers found that AI and agentic apps deployed on Kubernetes (Mage AI, kagent, AutoGen Studio, MCP servers, and others) are frequently exposed to the internet with weak or missing authentication, enabling remote code execution, credential theft, and data exposure without any zero-day exploit. Defender for Cloud signals show >50% of cloud-native workload exploitations stem from these misconfigurations. https://www.microsoft.com/en-us/security/blog/2026/05/14/configuration-becomes-vulnerability-exploitable-misconfigurations-ai-apps/(opens in new window)
Kazuar: Anatomy of a nation-state botnet (14 May) Deep technical analysis of Kazuar, a Russian state actor (Secret Blizzard) malware family that has evolved from a traditional backdoor into a modular peer-to-peer botnet with Kernel/Bridge/Worker components, leader-election for stealth, and multiple fallback C2 channels (HTTP, WebSockets, Exchange Web Services). Used to target government and diplomatic organisations in Europe, Central Asia, and Ukraine. https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/(opens in new window)
Undermining the trust boundary: Stealthy intrusion through third-party compromise (12 May) Microsoft Incident Response details a 100+ day intrusion in which attackers abused a compromised third-party IT services provider and the legitimate HPE Operations Agent platform to deploy VBScripts, malicious network providers, and password filter DLLs on domain controllers, harvest credentials, and persist via web shells and ngrok tunnels — all without malware-heavy techniques. https://www.microsoft.com/en-us/security/blog/2026/05/12/undermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third-party-compromise/(opens in new window)

Microsoft 365 & Teams

Goodbye Together mode, hello simplified meeting layouts in Microsoft Teams (15 May) Microsoft is retiring Together mode (and its scenes/seat assignments) from Teams on 30 June 2026. The modern Gallery view — which scales up to 49 participant tiles and adapts to device capability — becomes the single meeting layout, freeing engineering effort for video quality, super-resolution, denoising, and colour accuracy improvements. https://techcommunity.microsoft.com/blog/microsoft365insiderblog/goodbye-together-mode-hello-simplified-meeting-layouts-in-microsoft-teams/4519312(opens in new window)

Windows

Improving Windows quality: Making Taskbar and Start more personal (15 May) Windows Insiders in the Experimental channel can now move the taskbar to the top, left, or right of the screen (with matching icon alignment and Start flyout positioning), enable a smaller compact taskbar, and use new section-level toggles for Pinned / Recommended / All in the Start menu. “Recommended” is also being renamed to “Recent”. https://blogs.windows.com/windows-insider/2026/05/15/improving-windows-quality-making-taskbar-and-start-more-personal/(opens in new window)

Power Platform

What’s new in Power Platform: May 2026 feature update (15 May) Power Fx user-defined types (UDTs) and the Grid container control are now generally available. New previews include custom MCP-powered tools and rich Fluent UI widgets for app-based Copilot conversations, generative pages with input context, a new high-performance Data Grid modern control, OnSelect on the Icon control, and a PowerCAT skill for migrating retired InfoPath forms to Canvas Apps using AI coding agents. https://www.microsoft.com/en-us/power-platform/blog/2026/05/14/whats-new-in-power-platform-may-2026-feature-update/(opens in new window)

AI & Copilot

Microsoft tests ‘ClawPilot’ AI agent for 3,000 staff (9 May) Microsoft is piloting an OpenClaw-based “ClawPilot” AI agent with more than 3,000 employees, aiming to deliver always-on assistants that handle tasks across Microsoft 365 — part of a broader industry push around agent governance. https://www.msn.com/en-us/news/other/microsoft-tests-clawpilot-ai-agent-for-3000-staff/gm-GM67972661

After hours

Reimagining the mouse pointer with AI – https://www.youtube.com/watch?v=pZNzfQLgGsA

Editorial

If you found this valuable, the I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week

If You Want a Successful MSP, You Need a Mirror and a Map

After working with MSPs for years, one pattern keeps repeating itself. The businesses that grow sustainably don’t necessarily have better tools, smarter engineers, or bigger marketing budgets.

They have two things others avoid:

A mirror and a map.

One tells them who they really are.
The other tells them how they actually move forward.

Most MSPs struggle because they’re missing one—or both.

The Mirror: Getting Brutally Honest About Who You Serve

The mirror is uncomfortable, which is exactly why so many MSPs avoid it.

It forces you to answer questions like:

Who are we actually good at serving?
Which clients drain time, margin, and morale?
Where do we make money without constant firefighting?

Too many MSPs still operate on “we support anyone with Microsoft 365”. That’s not a niche. That’s a stress strategy.

I’m seeing this play out right now with Microsoft 365 Copilot. MSPs rush to “support Copilot” without asking whether their existing client base is even ready for it. Poor data hygiene, no governance, inconsistent security—and then Copilot gets blamed for messy outcomes.

The mirror reveals whether your ideal clients:

Care about productivity and outcomes, not just price
Are willing to change how they work
See IT as a business partner, not a helpdesk

If your clients won’t invest in structure, security, or user adoption, Copilot won’t fix that. It will simply surface the cracks faster.

The mirror isn’t about being perfect. It’s about being honest. Once you know who you want to serve, your decisions stop being reactive.

The Map: Turning Intent Into a Real Game Plan

Once the mirror gives you clarity, you need a map. Not a vision statement. Not a slide deck. A usable, day‑to‑day plan.

Many MSPs say they want to move “up the stack” or become “strategic advisors”, but their operating model still revolves around tickets and tools. That disconnect shows up everywhere—from pricing to staff burnout.

A good map answers practical questions:

What problems do we solve repeatedly?
What services are standardised—and which ones shouldn’t be sold at all?
What does success look like for our clients in 6 or 12 months?

Copilot is a great example here. Supporting it properly requires a map that includes data governance, identity hygiene, user readiness, and ongoing guidance—not a one‑time deployment fee.

Without a map, MSPs treat Copilot like the last shiny thing: Sell it. Deploy it. Move on. Deal with the fallout later.

With a map, Copilot becomes part of a broader productivity and decision‑making strategy—one that actually strengthens long‑term client relationships.

Where MSPs Get Stuck

The trap I see most often is MSPs trying to fix operational pain with more tools.

If margins are thin, they add another service. If tickets spike, they deploy another platform. If clients complain, they discount.

None of that works without the mirror and the map.

Copilot isn’t forcing this conversation—but it is accelerating it. It exposes poor information structures, vague ownership, and the absence of a clear game plan very quickly.

That’s uncomfortable. But it’s also an opportunity.

The Real Advantage

The MSPs that will win aren’t the ones rushing to tick “Copilot ready” checkboxes.

They’re the ones willing to:

Look honestly at who they serve
Draw a clear line around what they do—and don’t—support
Build services that focus on outcomes, not just activity

So if your MSP feels busy but stuck, don’t look for the next tool.

Pick up the mirror.
Then draw the map.

Everything else becomes easier after that.

Tamper Protection and EDR Block Mode: An Opinionated Rollout for Business Premium

If you manage Microsoft 365 Business Premium tenants and you are still treating Tamper Protection as a one-click toggle and EDR in block mode as an afterthought, you are leaving real protection on the table. Both are included with Defender for Business — there is no licence excuse — but the production rollout is more nuanced than the docs suggest.

Here is the playbook I run on every BP tenant.

Prerequisites that bite people

Before either feature does anything useful, devices must be onboarded to Microsoft Defender for Endpoint (or Defender for Business) and reporting healthy in the Defender portal. Until onboarding completes, Tamper Protection literally shows as Not Applicable on the device, and the EDR sensor cannot enforce anything.

Three prerequisites that catch MSPs out:

Devices must be Intune-managed or co-managed with the Endpoint Protection workload pointed at Intune. Co-managed devices where the workload still points to ConfigMgr are not supported by the Intune Tamper Protection policy.
Defender antimalware platform must be at 4.18.1906.3 or later. Modern devices are; stale gold images and the odd Server 2016/2019 host often are not.
If you plan to manage AV exclusions through Intune, set DisableLocalAdminMerge = true in your AV policy. Without it, tamper-protected exclusions silently fail to apply.

Verify all of this on a pilot device with Get-MpComputerStatus, checking IsTamperProtected and AMRunningMode, before you flip anything.

Where to configure

For Tamper Protection, do it in Intune, not the Defender portal. Granular targeting beats a tenant-wide toggle every time.

Intune admin centre → Endpoint security → Antivirus → Create policy → Platform: Windows → Profile: Windows Security Experience → Tamper protection (device): On.

For EDR in block mode, the cleanest path is the Defender portal — it is tenant-wide and does not fight your AV policies:

Microsoft Defender portal → Settings → Endpoints → Advanced features → Enable EDR in block mode → Save.

You can also drive it through Intune via the Defender CSP when you need device-group scoping, but for most BP tenants tenant-wide is correct.

Microsoft’s references:

The rollout that survives contact with users

Three rings, always:

Pilot (5–10 devices) — your own techs plus one cooperative power user. Apply the Tamper Protection policy first, leave it 48 hours, then enable EDR block mode tenant-wide. Watch the Action Center for unexpected Blocked/Prevented entries; confirm IsTamperProtected = True and AMRunningMode = Normal (or EDR Block Mode on third-party AV tenants).
Broader pilot (~25%) — one quiet department, ideally not Finance during end-of-month. Run for a full working week.
Full rollout — assign to your “All Workstations” dynamic group.

Sequencing matters. Enabling EDR block mode before Tamper Protection means a misbehaving LOB app can still be silenced by a local admin disabling Defender — which defeats the point.

Top three pitfalls

Passive-mode false sense of security. If a third-party AV is the primary product, Defender drops into passive mode. EDR block mode still fires, but real-time protection, network protection, ASR rules, and indicators are all inactive. Either document this in the customer-facing security baseline or migrate them off the third-party AV.
Tamper Protection blocking your own policy changes. Once on, you cannot edit AV exclusions or disable real-time protection from the device — and sometimes not cleanly from Intune either. Use troubleshooting mode from the Defender portal for short-lived changes; never disable Tamper Protection at scale.
Forgetting the servers. Windows Server 2012 R2/2016 do not auto-passivate when third-party AV is installed. Set the ForceDefenderPassiveMode registry value before onboarding, or you will have two AV products fighting at boot.

Get the prerequisites right, ring the rollout, and these two features quietly become the most boring — and most valuable — controls in your Business Premium stack.

Inspect What You Expect: Why MSPs Can’t “Set and Forget” Copilot (or Anything Else)

One pattern I see repeatedly in MSP businesses—especially as they start adopting Microsoft 365 Copilot—is the quiet belief that once something is delegated, the job is done.

Hand it to a technician.
Hand it to an admin.
Hand it to an AI tool.

Then move on.

That approach has always been risky. With Copilot in the mix, it becomes outright dangerous.

Not because Copilot is untrustworthy—but because systems don’t improve unless you observe them. And as an MSP, improving systems is literally your job.

Delegation Without Inspection Is How Problems Hide

Most MSPs already understand this with infrastructure. You don’t deploy backups and just hope they work. You test. You get alerts. You look for drift.

But when it comes to productivity work—emails, reporting, meetings, content creation—we suddenly relax.

I’m seeing MSPs roll out Copilot, show users a few prompts, and then disappear. No feedback loop. No measurement. No review of outputs or behaviours.

Weeks later, the questions start:

“Why are users still asking basic questions?”
“Why hasn’t productivity improved?”
“Why does Copilot feel underwhelming?”

The issue isn’t the tool. It’s the lack of inspection.

Copilot Changes the Work—So You Need New Sensors

Copilot doesn’t just speed things up. It changes how work happens.

People delegate thinking earlier.
Drafts appear faster.
Decisions are made with less friction—and sometimes less reflection.

That’s powerful, but only if you can see what’s going on.

This is where I introduce the idea of sensors.

Sensors are simple mechanisms that tell you when reality drifts from expectation. They’re not about distrust—they’re about visibility.

In Copilot terms, that might look like:

A short weekly check‑in where users paste an example output that helped (or failed).
A dashboard showing adoption signals across apps, not just license counts.
A Teams message when usage patterns drop after the initial rollout.
A review cadence where managers validate whether Copilot‑created artefacts are actually being used.

None of this is complex. Almost no one does it.

AI Amplifies Weak Processes First

Here’s the uncomfortable truth: Copilot makes good systems better and bad systems louder.

If documentation is outdated, Copilot spreads outdated thinking faster.
If decision rights are unclear, Copilot accelerates confusion.
If users don’t know what “good” looks like, Copilot produces more confident mediocrity.

Inspecting outcomes—not effort—is how you catch this early.

I’ve worked with MSPs who expected Copilot to “lift capability” across the board. What actually happened was more revealing: high performers got better, while poor habits became more visible.

That visibility is a gift—if you’re looking for it.

Growth Comes From Feedback Loops, Not Trust Falls

Whether you’re an MSP of five people or fifty, growth doesn’t come from hiring smarter people or deploying smarter tools. It comes from tightening feedback loops.

That’s why mature MSPs obsess over:

Red/green indicators
Exception reporting
Notifications when something deviates from normal

The same thinking now applies to knowledge work.

Copilot isn’t a project you “finish”. It’s a system you tune. And tuning only works when you inspect what you expect.

The Takeaway for MSP Leaders

If you’re advising clients—or running your own MSP—don’t treat Copilot like a magic upgrade.

Treat it like any other core system:

Define what “good” looks like
Build simple sensors
Review outputs, not intentions
Adjust the environment, not just the prompts

Trust is fine. Visibility is better.

If you’re not inspecting, you’re guessing. And guessing doesn’t scale—especially in an AI‑assisted world.

A Cleaner Way to Connect PowerShell to SharePoint Online

Connect-PnPOnline with a browser sign-in is fine when you’re sitting at the keyboard. It becomes a problem the moment you’re not. The script that worked beautifully on your laptop refuses to run unattended. The scheduled job that was meant to tidy up orphaned sites overnight quietly does nothing, because it’s still waiting for someone to type a password. And the moment conditional access tightens on the admin account you’ve been quietly using for automation, every script that touches SharePoint behaves like it’s been thrown out a window.

The fix has existed. The setup hasn’t.

Certificate-based app authentication for SharePoint Online has been supported by Microsoft for years. The mechanics are well documented. The trouble has always been the assembly — generate a cert, export the public key, register an app in Entra ID, paste the right GUIDs in the right boxes, find Sites.FullControl.All in the API permissions list, grant admin consent, copy the thumbprint somewhere you won’t lose it, and verify the tenant ID in three different places along the way. By the time you’ve finished, you’ve forgotten which client you were doing it for.

So I’ve written a script that does the whole sequence end to end:

Generates a self-signed RSA-2048 certificate in your local certificate store
Creates the Entra ID app registration
Uploads the certificate and grants Sites.FullControl.All with admin consent
Provisions the service principal and adds Application.Read.All on Graph so the app can read its own metadata back
Resolves your tenant’s SharePoint root URL automatically from the Graph verified-domains call
Saves tenant, app ID, site URL, and thumbprint into a JSON profile so future connections need almost no parameters

What’s normally half an hour of clicking between Entra, the SharePoint admin centre, and a Notepad full of half-remembered GUIDs runs in about ninety seconds.

I’ve been written a new script — https://github.com/directorcia/Office365/blob/master/o365-connect-pnp-cert.ps1

with full documentation here – https://github.com/directorcia/Office365/wiki/Connect-to-SharePoint-Online-with-Certificates

What the Script Actually Does

There are two modes, controlled by switches.

-GenerateLocalCertificate creates a self-signed RSA-2048 certificate in your current user’s certificate store, exports the public key as a .cer file, and optionally exports a password-protected .pfx. By default it’s valid for two years. That’s the local side of the handshake.

-UseCertificateAuth is the everyday mode. You tell it which tenant to connect to — or let it look up the details in a profile map file — and it signs into Exchange Online using that certificate. No password. No browser. No MFA dialog.

The clever bit is the third option: combining -GenerateLocalCertificate with -ProvisionEntraApp -Tenant 'contoso.onmicrosoft.com'. In a single run, the script will generate the local certificate, authenticate to Microsoft Graph via a device-code flow, create the Entra ID app registration if it doesn’t exist, upload the certificate, grant Exchange.ManageAsApp and Application.Read.All with admin consent, create the matching service principal, sign you into Exchange Online to add the app to the Organization Management role group, and save the tenant, app ID, and certificate thumbprint to a JSON profile file so future connections don’t need any of those parameters.

Getting Started

If you’re new to certificate auth, the first run is the one that matters. Drop the script onto an admin machine, open PowerShell, and run:

.\o365-connect-pnp-cert.ps1 -GenerateLocalCertificate -ProvisionEntraApp -Tenant 'yourtenant.onmicrosoft.com'

You’ll be prompted to sign in — via device code for the Graph permissions (which if you use the –copydevicecodetoclipboard, option will put the required device code straight into the clipboard to paste into the request). You need a Global Admin account.

Where this earns its keep across a client base

After that first run, connecting to a tenant looks like this:

.\o365-connect-pnp-cert.ps1 -UseCertificateAuth -Tenant ‘contoso.onmicrosoft.com’

No password. No browser. No MFA prompt. The profile file is the bit that pays you back across an MSP book. One script lives in your tooling folder, each client has its own certificate and entry in the JSON map, and Task Scheduler can finally drive things like site collection audits, sharing reports, lifecycle cleanup on Teams-connected sites, and external-user reviews without anyone watching it run. Filter by tenant or site URL on the command line and the same script services twenty different customers without you ever editing it.

One honest caveat

When you’ve just provisioned a brand-new app, give Entra fifteen to thirty minutes for the role grants to replicate before your first cert-based connect. It’s the single most common reason a fresh setup looks broken when it isn’t. The script flags this on the way out, but it’s worth saying twice.

Why Certificates Beat Passwords

The security argument is the easy one. A certificate’s private key never leaves the machine that generated it. Nothing crosses the wire that an attacker could intercept and replay. There’s no shared secret to rotate across a team, no admin password sitting in a vault that someone might extract, and no MFA bypass to engineer because the flow doesn’t involve a user account at all.

If the certificate is ever compromised, you remove the key credential from the app registration and the access is gone — no password reset required, no impact on any human admin account.

The script enforces TLS 1.2, refuses to assign RBAC if the PnP session has landed in the wrong tenant, warns when the certificate is within thirty days of expiry, and keeps the device-code value off the clipboard by default to avoid leaks on RDP or shared sessions.

The change is a quiet one. You stop thinking about who is signing in and start thinking about which certificate is presenting itself. Once your SharePoint automation is no longer at the mercy of someone else’s MFA settings or a password rotation policy, the kind of work you’re willing to schedule expands. That’s the real win — not the ninety seconds saved on setup, but the chores you finally get around to doing.

Making Attack Surface Reduction Rules Actually Work in Microsoft 365

Attack Surface Reduction (ASR) rules are one of the most powerful — and most misunderstood — security capabilities in Microsoft Defender for Endpoint.

On paper, they’re simple:

Reduce the ways attackers can abuse Windows.

In practice, many environments either:

Enable everything in block mode and break workflows, or
Leave ASR in audit forever because “it caused issues once”.

Just like Conditional Access, ASR only works properly when:

You understand what problem you’re solving
You deploy it gradually and intentionally
You accept that security without friction isn’t security

This post explains how to deploy ASR rules properly using Intune and Microsoft Defender — in a way that actually raises the security bar without torching productivity.

Why ASR Rules Matter (Still)

ASR rules are designed to block common attacker techniques, not malware files.

That distinction matters.

Most modern attacks don’t rely on:

Dropping obvious malware
Exploiting rare zero‑days

They rely on living‑off‑the‑land (LOLBins):

PowerShell
WMI
Office macros
Credential dumping from LSASS
Script abuse from user‑writable locations

ASR targets behaviour, not signatures — which is why Microsoft consistently recommends them as part of a Zero Trust baseline.

But behaviour-based controls must be deployed carefully.

The Core Problem with ASR Deployments

In the wild, I usually see one of three patterns:

1. “Turn Them All On”

Someone enables every ASR rule in block mode.

Result:

Line of business scripts fail
Custom automation breaks
IT disables ASR entirely

2. “Audit Forever”

Rules sit in audit mode indefinitely “until we review logs”.

Result:

Attack techniques pass straight through
Security teams get a false sense of protection

3. “We Enabled One or Two”

Only macro-related rules are enabled.

Result:

Partial coverage
Easily bypassed attack paths remain open

None of these deliver meaningful protection.

A Better Mental Model for ASR

Instead of thinking:

“Which rules should we turn on?”

Ask:

“Which attacker techniques do we want to make impractical?”

ASR works best when combined with:

Standard user devices
Intune-managed endpoints
Defender for Endpoint P1/P2
Strong Conditional Access

Sound familiar? Same foundations as compliant-device CA policies.

The ASR Rules That Actually Deliver Value

Here are the ASR rules that consistently provide the best risk reduction with manageable impact in real environments.

1. Block credential stealing from LSASS

Rule ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

This blocks tools like Mimikatz-style credential dumping.

✅ High attacker impact
✅ Minimal end-user disruption
✅ Should be BLOCK in almost every environment

2. Block Office from creating child processes

Rule ID: d4f940ab-401b-4efc-aadc-ad5f3c50688a

This stops:

Macro → PowerShell
Document-based malware chains

Realistically:

Most organisations do not need Office spawning shells

Start in AUDIT, then move to BLOCK once exceptions are known.

3. Block executable content from email and webmail

Rule ID: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550

This blocks users launching:

EXEs
Scripts
Payloads straight from email or web download locations

✅ Enforces basic hygiene
✅ Aligns well with user expectations
✅ Rarely breaks legitimate workflows

4. Use Advanced Protection Against Ransomware Abuse

Rules that help here include:

Blocking untrusted executable content
Blocking abuse of vulnerable signed drivers

These pair extremely well with:

Defender Tamper Protection
Controlled Folder Access (selectively)

How to Deploy ASR Rules Properly with Intune

Step 1: Create an ASR Policy in Audit Mode

In Intune:

Endpoint Security
Attack Surface Reduction
Create policy
Start with Audit

Audit mode tells you:

What would have been blocked
Which apps or scripts need exclusions

This is not optional.

Step 2: Review Events in Advanced Hunting

Use this table in Defender:

DeviceEvents

| where ActionType contains “Asr”

Focus on:

Repeat offenders
Automation tools
Known admin workflows

If something fires once, ignore it.
If it fires 300 times a day, investigate.

Step 3: Use Targeted Exclusions — Sparingly

ASR exclusions should be:

File path–specific
App–specific
As narrow as possible

Avoid:

Wildcards
Folder-wide exclusions unless absolutely required

Bad exclusions undo the entire point of ASR.

Step 4: Move High‑Confidence Rules to Block

Once audit noise stabilises:

Move specific rules, not the whole policy
Prioritise credential theft and Office abuse

Yes, this causes friction.
So does getting owned.

Common ASR Mistakes (That I Still See in 2026)

Treating ASR as “optional”
Letting developers demand blanket exclusions
Ignoring audit logs
Enabling rules without Defender onboarding complete
Forgetting ASR only protects Defender-managed devices

ASR is not a set-and-forget tool.
It’s an operational security control.

ASR + Conditional Access = Real Endpoint Trust

Here’s the key point many miss:

ASR strengthens the integrity of “Compliant Device” signals.

If a device:

Meets Intune compliance
Runs Defender
Enforces ASR rules
Has tamper protection enabled

You can trust Conditional Access decisions far more.

Compliance without hard endpoint controls is mostly paperwork.

Final Thought

Attack Surface Reduction is one of those Microsoft security features that:

Looks scary
Sounds complex
Delivers massive value when done properly

If your ASR rules are all disabled, set to audit forever, or barely touched — you’re leaving one of the best cost‑to‑benefit controls on the table.

Just like Conditional Access… ASR only works when you actually enforce it.