How to Block JavaScript and VBScript from Launching Downloaded Executables in Intune

Configure Microsoft Intune Attack Surface Reduction rules to prevent JavaScript and VBScript from automatically executing downloaded executable files, enhancing endpoint security across your organization.

Emanuel DE ALMEIDA

3/16/2026 15 min 0

hardintune 10 steps 15 min

Why Block JavaScript and VBScript from Launching Downloaded Executables?

JavaScript and VBScript execution of downloaded executables represents one of the most common attack vectors in modern cybersecurity threats. Malicious actors frequently use these scripting languages to automatically execute downloaded malware, ransomware, and other harmful payloads without user interaction. When users download files from email attachments, web browsers, or file sharing services, embedded scripts can immediately launch executable content, bypassing traditional security controls.

Microsoft Intune's Attack Surface Reduction (ASR) rules provide a powerful defense mechanism against these automated execution attacks. The specific rule for blocking JavaScript and VBScript from launching downloaded executable content targets the behavior where scripts automatically execute .exe files, .msi installers, and other executable formats immediately after download. This creates a critical security barrier that prevents many common malware delivery methods.

How Do Attack Surface Reduction Rules Work in Microsoft Intune?

Attack Surface Reduction rules operate at the Windows Defender level, monitoring system behavior in real-time to detect and prevent suspicious activities. When configured through Microsoft Intune, these rules deploy consistently across your entire device fleet, providing centralized management and reporting. The rules use behavioral analysis rather than signature-based detection, making them effective against zero-day threats and polymorphic malware that traditional antivirus might miss.

The ASR rule system supports multiple enforcement modes: Audit mode for monitoring and impact assessment, Block mode for active protection, and Warn mode for user education with override capabilities. This flexibility allows organizations to implement a phased deployment approach, starting with monitoring to understand the impact on legitimate business applications before moving to full enforcement. The centralized management through Intune ensures consistent policy application and provides detailed reporting on rule effectiveness and any blocked activities across your organization.

Implementation Guide

Full Procedure

Access the Microsoft Intune Admin Center

Start by navigating to the Microsoft Intune admin center where you'll configure the Attack Surface Reduction policy.

Open your web browser and navigate to https://intune.microsoft.com. Sign in with your administrative credentials that have Intune Administrator or Global Administrator permissions.

Once logged in, you'll see the main Intune dashboard. The interface has been updated in recent years, so ensure you're using the current navigation structure.

Pro tip: Bookmark the Intune admin center URL and consider using a dedicated browser profile for administrative tasks to avoid session conflicts.

Verification: Confirm you can see the main Intune dashboard with options like "Devices," "Apps," and "Endpoint security" in the left navigation pane.

Navigate to Attack Surface Reduction Policies

Access the endpoint security section where Attack Surface Reduction rules are managed in the current Intune interface.

In the left navigation pane, click on Endpoint security. This will expand to show several security-related options. Click on Attack surface reduction from the submenu.

You'll now see the Attack Surface Reduction policies page, which displays any existing ASR policies and provides options to create new ones. This is the preferred method for configuring ASR rules as of 2026, replacing the older device configuration profiles approach.

Warning: Avoid using the legacy "Device configuration > Profiles" method for ASR rules, as Microsoft has moved these settings to the Endpoint security section for better organization and functionality.

Verification: You should see a page titled "Attack surface reduction" with options to "Create policy" and any existing ASR policies listed below.

Create a New Attack Surface Reduction Policy

Create a new policy specifically for blocking JavaScript and VBScript from launching downloaded executables.

Click the Create policy button at the top of the Attack surface reduction page. This will open the policy creation wizard.

Configure the basic policy settings:

Platform: Select "Windows 10, Windows 11, and Windows Server"
Profile: Choose "Attack surface reduction rules"
Name: Enter a descriptive name like "Block JS/VBS Downloaded Executables"
Description: Add a clear description such as "Prevents JavaScript and VBScript from automatically launching downloaded executable content"

Click Create to proceed to the configuration settings.

Pro tip: Use consistent naming conventions for your policies. Include the rule type and target behavior in the name to make policy management easier as your organization grows.

Verification: The wizard should advance to the "Configuration settings" page where you can configure specific ASR rules.

Configure the JavaScript/VBScript Blocking Rule

Configure the specific Attack Surface Reduction rule that blocks JavaScript and VBScript from launching downloaded executable content.

In the Configuration settings page, locate the rule "Block JavaScript or VBScript from launching downloaded executable content". This rule has the GUID 56a863a9-875e-4185-98a7-b882c64b5ce5 in the backend.

Set the rule action based on your deployment strategy:

Audit: Recommended for initial testing (30+ days) - logs events without blocking
Block: Actively prevents the behavior - use after audit period
Warn: Shows user warning but allows override (Windows 10 1809+ required)
Not configured: Disables the rule

For initial deployment, select Audit to monitor impact before enforcement:

Block JavaScript or VBScript from launching downloaded executable content: Audit

Warning: Never deploy ASR rules in Block mode without first running them in Audit mode for at least 30 days. This prevents unexpected business disruptions from legitimate applications being blocked.

Verification: Confirm the rule is set to your chosen action (Audit for initial deployment) and shows as configured in the policy settings.

Configure Exclusions and Advanced Settings

Set up exclusions for legitimate applications that might be affected by the ASR rule.

In the same configuration page, look for "Attack Surface Reduction Only Exclusions" section. Here you can add exclusions for:

File paths: Specific directories where scripts should be allowed
File names: Specific executable names to exclude
Process names: Applications that should be exempt

Common exclusions you might need:

File path exclusions:
C:\Program Files\YourApp\Scripts\
C:\Scripts\Approved\

File name exclusions:
legitimate-installer.exe
automation-script.js

Process exclusions:
trusted-application.exe

Only add exclusions for applications you've verified as legitimate and necessary for business operations. Each exclusion reduces the security benefit of the rule.

Pro tip: Document all exclusions with business justification and review them quarterly. Use the most specific exclusion possible (file name > file path > process name) to minimize security gaps.

Verification: Review your exclusions list to ensure only necessary and documented exceptions are included.

Assign the Policy to Target Groups

Configure which devices or users will receive this Attack Surface Reduction policy.

Click Next to proceed to the Assignments page. Here you'll define the scope of your policy deployment.

Configure the assignments:

Included groups: Select device groups or user groups that should receive this policy
Excluded groups: Optionally exclude specific groups (e.g., test devices, executive devices)

For a phased deployment approach:

Phase 1: IT Test Devices (50-100 devices)
Phase 2: Pilot Department (500-1000 devices)
Phase 3: All Corporate Devices

Exclusions: Executive Devices, Critical Servers

Start with a small test group when deploying in Audit mode, then expand to larger groups as you gain confidence in the rule's impact.

Warning: Avoid assigning conflicting ASR policies to the same devices. If multiple policies configure the same rule with different actions (e.g., one sets Block, another sets Audit), the rule will be skipped entirely on those devices.

Verification: Confirm your target groups are selected and any necessary exclusions are configured before proceeding.

Configure Applicability Rules (Optional)

Set up conditional deployment based on device characteristics like OS version or device properties.

Click Next to reach the Applicability rules page. This optional step allows you to create conditions that must be met for the policy to apply.

Common applicability rules for ASR policies:

OS version: Windows 10 version 1809 or later (required for Warn mode)
Device ownership: Corporate devices only
Device compliance: Only compliant devices

Example applicability rule configuration:

Rule: Device.OSVersion
Operator: Greater than or equal to
Value: 10.0.17763 (Windows 10 1809)

Rule: Device.DeviceOwnership
Operator: Equals
Value: Corporate

If you don't need conditional deployment, you can skip this step by clicking Next without adding any rules.

Pro tip: Use applicability rules to ensure ASR policies only apply to supported OS versions and device types. This prevents policy failures on incompatible systems like older Windows Server versions.

Verification: Review any applicability rules you've configured, or confirm you're proceeding without conditions if none are needed.

Review and Deploy the Policy

Complete the policy creation and deploy it to your target devices.

Click Next to reach the Review + create page. Carefully review all your policy settings:

Policy name and description
Rule configuration (should be set to Audit initially)
Exclusions (if any)
Target assignments
Applicability rules (if configured)

Once you've verified all settings are correct, click Create to deploy the policy.

The policy will begin applying to target devices within minutes. Intune policies typically sync every 8 hours by default, but you can force a sync for immediate testing.

To force a policy sync on a test device:

# Run on target Windows device as administrator
Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

# Or use Intune remote action:
# Devices > All devices > Select device > Sync

Pro tip: After deploying in Audit mode, wait at least 30 days before switching to Block mode. Use this time to analyze the audit logs and identify any legitimate applications that need exclusions.

Verification: Check the policy status in Intune shows as "Deployed" and verify it appears in the Attack surface reduction policies list.

Monitor Policy Deployment and Effectiveness

Track the policy deployment status and monitor ASR rule events to ensure proper functionality.

Monitor deployment status in Intune:

Navigate to Endpoint security > Attack surface reduction
Click on your newly created policy
Review the Device status and User status tabs

Check for deployment issues:

Success: Policy applied successfully
Error: Policy failed to apply (check device logs)
Conflict: Multiple conflicting policies detected
Not applicable: Device doesn't meet applicability rules

Monitor ASR events using Microsoft Defender for Endpoint or Windows Event Logs:

# PowerShell command to check ASR events locally
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=1121,1122,5007} | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# Check current ASR rule status
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

In Microsoft Defender for Endpoint portal, navigate to Reports > Attack surface reduction to view detailed analytics and blocked events.

Warning: If you see numerous legitimate applications being blocked during audit mode, review and add appropriate exclusions before switching to Block mode. Document all exclusions with business justification.

Verification: Confirm devices show "Success" status in Intune and ASR events are being logged in Defender for Endpoint or local event logs.

Transition from Audit to Block Mode

After monitoring the audit phase, update the policy to actively block malicious JavaScript and VBScript execution.

After running in Audit mode for at least 30 days and analyzing the results:

Return to Endpoint security > Attack surface reduction
Click on your policy name to edit it
Navigate to Configuration settings
Change the rule setting from Audit to Block

Before making this change, ensure you've:

Reviewed all audit events and added necessary exclusions
Tested the impact on critical business applications
Communicated the change to relevant stakeholders
Prepared incident response procedures for false positives

Save the policy changes:

Block JavaScript or VBScript from launching downloaded executable content: Block

The updated policy will deploy to devices within the next sync cycle. Monitor closely for the first 48 hours after switching to Block mode.

Pro tip: Consider using Warn mode as an intermediate step between Audit and Block. This allows users to override blocks when necessary while still providing protection and user education.

Verification: Confirm the policy shows "Block" mode in the configuration and monitor for any unexpected application blocks or user complaints in the first few days after deployment.

Frequently Asked Questions

What is the GUID for the JavaScript VBScript ASR rule in Microsoft Intune?+

The GUID for blocking JavaScript or VBScript from launching downloaded executable content is 56a863a9-875e-4185-98a7-b882c64b5ce5. This unique identifier is used internally by Windows Defender and can be referenced in PowerShell commands or custom OMA-URI configurations. You don't need to manually enter this GUID when using the Intune admin center interface, as it's automatically applied when you select the rule from the policy configuration options.

How long should I run ASR rules in Audit mode before switching to Block mode?+

Microsoft recommends running ASR rules in Audit mode for at least 30 days before switching to Block mode. This period allows you to collect sufficient data about legitimate applications that might be affected by the rule. During this time, monitor the audit logs through Microsoft Defender for Endpoint or Windows Event Logs to identify any business-critical applications that need exclusions. Some organizations extend this period to 60-90 days for complex environments with many custom applications.

What happens if multiple Intune policies configure the same ASR rule differently?+

When multiple Intune policies configure the same ASR rule with conflicting settings (for example, one policy sets it to Block and another sets it to Audit), the rule will be skipped entirely on affected devices. Unlike other policy types, ASR rules don't have a priority system - conflicts result in the rule not being applied at all. To avoid this, ensure only one policy per ASR rule is assigned to each device group, or use a single comprehensive ASR policy for your organization.

Can I use PowerShell to test ASR rules locally before deploying through Intune?+

Yes, you can test ASR rules locally using PowerShell before Intune deployment. Use the Add-MpPreference cmdlet with the rule GUID: Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled. Use 'Enabled' for Block mode, 'AuditMode' for Audit mode. Remember that Add-MpPreference appends to existing rules while Set-MpPreference overwrites all rules. Always test on non-production devices first and remove test configurations before deploying Intune policies.

Which Windows versions support the JavaScript VBScript blocking ASR rule?+

The JavaScript VBScript blocking ASR rule supports Windows 10 version 1709 and later, Windows 11 all versions, and Windows Server 2016 and later. However, avoid deploying ASR rules to Windows Server 2012 R2 and Windows Server 2016 when using modern Intune management, as some rules may fail to apply properly. For Warn mode functionality, you need Windows 10 version 1809 or later. Always verify OS compatibility in your environment and use Intune applicability rules to target only supported versions.

Written by

Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Further Intelligence

Deepen your knowledge with related resources

tutorial

Cybersecurity