Managing and enforcing security policies for devices and apps to protect organizational data through Intune
The two ASR rules

- Block use of copied or impersonated system tools
- Block rebooting machine in Safe Mode

are fully supported in Intune, but there are some caveats that explain why they might not be editable in the Intune UI and how to manage them instead.
Key points from the documented behavior:

- Rule support in Intune
  - Both rules are listed as supported for Intune:
    - Block rebooting machine in Safe Mode → Intune: Y
    - Block use of copied or impersonated system tools → Intune: Y
  - However, there is a known backend issue for at least one ASR rule where it “might not be available in the Intune ASR policy configuration,” even though the rule itself is available through other configuration methods or in existing Intune ASR policies created before the issue.
- Why an existing rule may be “not editable” in Intune
  - If the rule was added when it was still exposed in the Intune ASR policy UI, and the backend issue later removed or hid it from the catalog, the existing policy can continue to apply the rule, but the setting may no longer be surfaced for editing in the current Intune UI.
  - In that case, the rule is still enforced on devices, but the specific toggle for that rule may not appear, or may be locked, in the Intune portal.
- How to manage these rules when the Intune UI does not allow editing

When the Intune ASR policy UI cannot be used to edit these rules, the documented alternatives are:

A. Use PowerShell on devices

- Configure ASR rules locally with PowerShell using the rule GUIDs:
  - Block rebooting machine in Safe Mode GUID: 33ddedf1-c6e0-47cb-833e-de6133960387
  - Block use of copied or impersonated system tools GUID: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb
- Command pattern (run elevated):

```powershell
Add-MpPreference -AttackSurfaceReductionRules_Ids <RuleGuid> -AttackSurfaceReductionRules_Actions <Mode>
```

  where <Mode> is one of:
  - 0 or Disabled
  - 1 or Enabled (Block)
  - 2 or AuditMode
  - 5 or NotConfigured
  - 6 or Warn
- Note: If Intune is managing ASR rules, its settings will overwrite conflicting local PowerShell settings on startup.
B. Use MDM CSP / custom OMA-URI in Intune

- These rules are exposed via the Defender Policy CSP and the Intune settings catalog:
  - BlockRebootingMachineInSafeMode
  - BlockUseOfCopiedOrImpersonatedSystemTools
- Allowed values: off, block, audit, warn.
- If the built-in ASR policy blade does not show the rules, create a custom profile using the Defender CSP OMA-URIs (for example, via ./Device/Vendor/MSFT/Policy/Config/Defender/...) or use the settings catalog entries BlockRebootingMachineInSafeMode and BlockUseOfCopiedOrImpersonatedSystemTools to set them.
C. Use Group Policy (for on-prem / hybrid)
- All ASR rules are supported when configured locally via Group Policy.
- If Intune is also managing ASR rules, Intune settings take precedence and can overwrite Group Policy or PowerShell settings.
- Verifying what is actually applied on devices
  - On an affected device, run:

```powershell
$p = Get-MpPreference
0..([math]::Min($p.AttackSurfaceReductionRules_Ids.Count, $p.AttackSurfaceReductionRules_Actions.Count) - 1) |
    ForEach-Object { [pscustomobject]@{ Id = $p.AttackSurfaceReductionRules_Ids[$_]; Action = $p.AttackSurfaceReductionRules_Actions[$_] } } |
    Format-Table -AutoSize
```

  - Confirm that the GUIDs for the two rules are present and check their Action values to see whether they are in Block, Audit, etc.
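A worked check for the two rules discussed above, added here as an example (it is not from the original answer or from Microsoft): it resolves each rule's GUID to its current action code on the local device and flags anything that is not Block. The function name Get-AsrRuleState and the table layout are this example's own choices; the GUIDs and action codes are the ones given above.

```powershell
# Added example: report the effective state of the two ASR rules on this device.
# Requires the Defender PowerShell module (Get-MpPreference); run elevated.

# Rule GUIDs from the answer above, keyed to their display names
$AsrRules = @{
    '33ddedf1-c6e0-47cb-833e-de6133960387' = 'Block rebooting machine in Safe Mode'
    'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb' = 'Block use of copied or impersonated system tools'
}

# Action codes used by AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([hashtable]$Rules = $AsrRules)

    $p = Get-MpPreference
    # Ids and Actions are parallel arrays; drop nulls so an empty config is handled
    $ids     = @($p.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $actions = @($p.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    $pairs   = [Math]::Min($ids.Count, $actions.Count)

    foreach ($guid in $Rules.Keys) {
        $state = 'Missing (not configured on this device)'
        for ($i = 0; $i -lt $pairs; $i++) {
            if ($ids[$i] -eq $guid) {            # -eq on strings is case-insensitive
                $code  = [int]$actions[$i]
                $state = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown ($code)" }
                break
            }
        }
        [pscustomobject]@{
            Rule            = $Rules[$guid]
            Guid            = $guid
            State           = $state
            AttentionNeeded = ($state -ne 'Block')   # anything other than Block is worth reviewing
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize

# To set one rule to Audit mode locally (only effective where Intune is NOT already
# managing ASR rules, since Intune overwrites local settings on startup):
# Add-MpPreference -AttackSurfaceReductionRules_Ids '33ddedf1-c6e0-47cb-833e-de6133960387' `
#                  -AttackSurfaceReductionRules_Actions 2
```

Run it before and after assigning a replacement Intune profile to confirm the new policy has actually taken effect on the device.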
- Practical workaround pattern
  - If the existing Intune ASR policy will not let these rules be edited:
    - Create a new ASR configuration using either:
      - Intune settings catalog entries for BlockRebootingMachineInSafeMode and BlockUseOfCopiedOrImpersonatedSystemTools, or
      - A custom profile using the Defender Policy CSP.
    - Assign the new profile to the same device/user scope.
    - Once confirmed applied (via Get-MpPreference), retire or unassign the old ASR policy that contains the uneditable rules.
This approach keeps management centralized in Intune while working around the backend limitation that prevents direct editing of those specific rules in the original ASR policy UI.