This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 56.00000000000001%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Company has two (2) VMs hosted in Azure. These VMs use Windows Defender as their Antivirus solution and recently (2-3 months ago), Company's Secure Score has been negatively affected for Windows Defender metrics; applicable to the two VMs. Secure Score has dropped from 7x% to 5x%.
The remediation steps have suggested – 1. Ensure Windows Defender is enabled along with real-time protection, cloud delivery etc. 2. Create and apply ASR rules
Remediation step 1 above has been actioned manually on the VMs but the issue now lies with applying the ASR rules.
Steps taken thus far:
I require assistance in determining why the policy status is “Not Applicable” and measures that can be taken to rectify the issue.
how are you trying to enable ASR rules? Normally this is one via powershell if it's for servers.
@SMB Thanks for posting in our Q&A.
If we want to use ASR policy, it is needed to meet some requirements. Please refer to the following article to do some check:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#requirements
If there is anything update, feel free to let us know.
I am trying to enable it from Microsoft Endpoint Manager Admin Center > Endpoint Security > Attack Surface Reduction.
Hello,
The Azure VMs are Server 2019 with Microsoft Defender Antivirus (with real time protection enabled) and cloud delivery protection on as well. All licenses within my tenant are M365 E5.
I used the same approach in creating an A
V Policy which applied successfully.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 10%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQS%3C/text%3E%3C/svg%3E)
Hi SMB
Did you find a resolution to the ASR rules you tried to apply to servers? am getting same error you had.
I have applied a ASR rule from Endpoint Security and getting "Not Applicable"
when i setup a antivirus policy it works.
Can you assist please
Quintin
Yep, I'm getting exactly the same issue myself as well... AV policy on servers is working perfectly. ASR policy is getting 'Not Applicable' for the ASR rules, but the 'Enable Controlled Folder Access' option in the same policy does show 'success'...
Servers are a mix of 2016, 2019 and 2022.
We know that Intune can apply ASR policy onto Servers nowadays, but now we can use Defender to create and apply policy 'direct'...
I've since deleted the Intune ASR policy, and created the ASR policy directly within the Defender Portal, which showed no change. I've since deleted that and re-created the policy minus the 'Enable Controlled Folder Access' setting (left to 'not configured'). This time, rather than showing 'Success' for the policy being pushed out, it's now showing 'Not Applicable' (presumably because the 'whole' policy is now not applicable, rather than the 'Enable Controlled Folder Access' succeeding, and the ASR polices being 'Not Applicable')...
Whichever way, I've got no idea why this is happening!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 42%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA9%3C/text%3E%3C/svg%3E)
Ok works now. That's what I did
find in policy Block Webshell creation for Servers and set it to ‘Not Configured’
need to investigate that, but in general without that setting works fine.
Please confirm from your side.
Regards
Adam
Hi Adam, can you please explain step by step what you did yo get it to work. so we can try doing the same thing. Thanx Quintin
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 3%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
This also worked for me
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 47%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECG%3C/text%3E%3C/svg%3E)
This comment saved me hours, testing an audit only policy that would not apply due to accidently marking ASR rule Block Webshell creation for Servers as Audit**.** As soon as I marked it not configured MDE was able to apply the remaining ASR policy.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 73%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
Hello, I am having the same issue but on MDE-only Windows 10 workstations that are Hybrid AAD-joined (but not enrolled in Intune). I did everything that was needed, they look good in Intune as MDE, they're receiving the AV policy but not the ASR that shows as Not applicable. I have a small doubt about the cloud-delivered protection: there are two settings inside the policy settings in Intune\Endpoint Security\Antivirus: Allow Cloud Protection and Cloud Protection Level. They look the same as the ones that can be found under the Security baseline (called exactly cloud-delivered protection) ... however, when asking that to Copilot/Bing chat it said no, they're different level of protection :D. This is damn confusing and if so, I couldn't find cloud-delivered protection setting in the AV policy. This feature needs to be active for some, if not for all, ASR rules. Is anyone experiencing the same issue on simple Windows 10 workstations that are MDE-managed? Thank you!
Ok works now. That's what I did find in policy Block Webshell creation for Servers and set it to ‘Not Configured’ need to investigate that, but in general without that setting works fine. Please confirm from your side. Regards Adam
Hello, I am linking my previous comment to this one because the solution proposed by you also worked for me on Windows 10 machines that are MDE-managed only and not enrolled in Intune. Very odd, it should only concern Windows Server, hence no clue why Windows 10 behave in the same way. Anyhow, The "Attack Surface Reduction rules" profile is now showing as succeeded (and no longer as Not Applicable) and configured ASR rules are applied on workstation. Now a legitimate question arise: What is the risk to leave Block Webshell creation for servers not configured?
Hi I agree it works for windows 10 device, but not for servers? any help with that please?
I agree with Adam and Gianluca here... When utilising Intune to manage Defender policies for endpoints (Win 10/11), the setting of the ASR rule 'Block Webshell creation for Servers' doesn't matter. However, when using Defender to manage policy on non-intune enrolled endpoints, I've finally managed to get this to work only by changing the ASR rule 'Block Webshell creation for Servers' to 'Not Configured'. For endpoints, there's no issue in leaving this setting to Not configured, as the rule is only supported for Servers in the 'Exchange Role'. As per here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rules-supported-operating-systems So by that, in theory, you only need to configure this rule for Exchange Servers if your still running them 'on-prem'...
I'm still to get a definite to find out if this works for servers, or not... But I have come across the same issue with servers - of ASR rules showing as 'Not Applicable'. In the end, we used GPOs for the policy config roll-out - works every time!! Although we do plan to try MDE policy for servers again in the future at some point...
@SMB Thanks for your update.
Based on my understanding, intune can manage windows client and can't manage windows server. In the following intune article, the ASR policy is applied to windows 10 or windows 11.
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-profile-settings
The server you can see in intune portal is synced from Windows Defender. However, it is still not managed by intune. So, this ASR policy shows "Not Applicable".
Hope my answer clear something.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello,
The link you provided surely makes reference to only Windows10 & 11. However, the link provided by LimitlessTechnology (which I have perused many times) shows that ASR rules are applicable to Server2019 to the top under Requirements.
@SMB I know ASR is applied to Server2019. We can enable ASR by many methods, such as:
Microsoft Intune
Mobile Device Management (MDM)
Microsoft Endpoint Configuration Manager
Group Policy
PowerShell
Other methods may be applied to server devices. However, for intune, it doesn't support server devices.
We use intune to deploy this policy, intune has its own limitations for device OS. We will also need to follow these limitations.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers#microsoft
Hello,
I think you guys are definitely correct here. I tried again to create another ASR policy using Intune and in the section Applicability Rules, I selected OS version and, in the drop down, only Windows 10 & 11 options were available. I guess this is the reason for "Not Applicable" when applied to servers.
I have resorted to using powershell as previously suggested.
Thanks.
@SMB You're welcome. I'm glad to discuss with you.
If possible, please accept my answer. It will make someone else who has the similar issue focus on this point that are easy to overlook.
Thanks for your kindness in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello there,
Can you see any ASR keys in the below location HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Can you run this Powershell command get-mppreference and see any ASR listed here?
I have also found this article, There is a known issue with the applicability of Attack Surface Reduction on Server OS versions which is marked as compliant without any actual enforcement. Currently, there is no ETA for when this will be fixed.
-------------------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer--
Hello LimitlessTechnology,
There are no ASR keys in the registry. And the powershell command yields no values for ASR rules.
I find this all very strange as the article you linked shows multiple ways for creating and applying ASR policies. To the top, it also shows that Server2019 is supported under Requirements.
The known issue you mentioned, I believe is only when using Endpoint Configuration Manager for which no ETA has been provided.
When I try the first method, "Intune" and create a device configuration policy, the status just remains as "Pending Assignment". Only when I create the policy under Endpoint Security > Attack Surface Reduction do Iget the status of "Not Applicable".
If Server2019 is not supported, then how do I action the metrics under Secure Score for Defender (for the 2 VMs) to improve the overall score. This is ultimately what I am trying to achieve.
