Deploy the new Attack Surface Reduction rules

Microsoft recently released two (2) new Attack Surface Reduction rules. These are still in preview but can already be deployed using Intune. Be careful deploying these to your production environment! In this blog I’ll show you how it’s done and how it impacts your endpoints.

Block rebooting machine in Safe Mode

For troubleshooting purposes administrators (or users) might reboot a Windows device in Safe Mode. If issues in normal mode are not reproduceable within Safe Mode it could mean that issues are related to third party software, drivers, settings. Because Safe Mode only loads a subset (basic) configuration of the complete OS, this might result in a less secure system, not protected or monitored by your security solutions.

By deploying this Attack Surface Reduction rule the endpoint would be blocked from booting into Safe Mode.

Create the following policy:

  1. Navigate to https://intune.microsoft.com
  2. Go to Endpoint Security -> Attack surface reduction
  3. Click Create policy
  4. Platform: Windows 10, Windows 11 and Windows Server -> Profile type: Attack Surface Reduction Rules -> Click Create
  5. Fill in a common name. For example: Windows – ASR – Block rebooting machine in Safe Mode
  6. Click Next -> Click Scroll down to the policy “Block rebooting machine in Safe Mode
  7. From the dropdown menu click Block
  8. Click Next
  9. Scope tags are optional
  10. Assignment: Pick All Devices or a specific device group. Make sure to test this first with a small amount of devices.
  11. Finally, Create the policy.

Lets figure out what happens if we try to reboot a device into Safe Mode. Open a command prompt and run the following command: bcdedit /set {current} safeboot minimal. You will see that Windows Defender automatically detects the execution and blocks it.

The policy does NOT protect rebooting into safe mode via System -> Recovery -> Advanced Startup -> Startup Settings. This is something that could be in development during the preview period.

Block use of copied or impersonated system tools

Impersonated system tools are copies or modified system executables which are part of System Tools / Windows Tools. These can be found in the Control Panel. These tools might be used by Administrators or people who have local admin permissions on a device. When possible attackers might replace these tools with a vulnerable one this might lead to security issues. All these tools are located in C:\Windows\System32 or any subfolders. This might ring a bell..

Read more about Windows tools here: Windows Tools/Administrative Tools – Windows Client Management | Microsoft Learn

Create the following policy:

  1. Navigate to https://intune.microsoft.com
  2. Go to Endpoint Security -> Attack surface reduction
  3. Click Create policy
  4. Platform: Windows 10, Windows 11 and Windows Server -> Profile type: Attack Surface Reduction Rules -> Click Create
  5. Fill in a common name. For example: Windows – ASR – Block use of copied or impersonated system tools
  6. Click Next -> Click Scroll down to the policy “Block use of copied or impersonated system tools
  7. From the dropdown menu click Block
  8. Click Next
  9. Scope tags are optional
  10. Assignment: Pick All Devices or a specific device group. Make sure to test this first with a small amount of devices.
  11. Finally, Create the policy.

Keep in mind that both policies are in preview! It’s not recommended to deploy these policies into your production environment (yet).

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

19 + 4 =