How to Block JavaScript and VBScript from Launching Downloaded Executables in Intune

Start by navigating to the Microsoft Intune admin center where you'll configure the Attack Surface Reduction policy.

Open your web browser and navigate to https://intune.microsoft.com. Sign in with your administrative credentials that have Intune Administrator or Global Administrator permissions.

Once logged in, you'll see the main Intune dashboard. The interface has been updated in recent years, so ensure you're using the current navigation structure.

Access the endpoint security section where Attack Surface Reduction rules are managed in the current Intune interface.

In the left navigation pane, click on Endpoint security. This will expand to show several security-related options. Click on Attack surface reduction from the submenu.

You'll now see the Attack Surface Reduction policies page, which displays any existing ASR policies and provides options to create new ones. This is the preferred method for configuring ASR rules as of 2026, replacing the older device configuration profiles approach.

Create a new policy specifically for blocking JavaScript and VBScript from launching downloaded executables.

Click the Create policy button at the top of the Attack surface reduction page. This will open the policy creation wizard.

Configure the basic policy settings:

• Platform: Select "Windows 10, Windows 11, and Windows Server"
• Profile: Choose "Attack surface reduction rules"
• Name: Enter a descriptive name like "Block JS/VBS Downloaded Executables"
• Description: Add a clear description such as "Prevents JavaScript and VBScript from automatically launching downloaded executable content"

Click Create to proceed to the configuration settings.

Configure the specific Attack Surface Reduction rule that blocks JavaScript and VBScript from launching downloaded executable content.

In the Configuration settings page, locate the rule "Block JavaScript or VBScript from launching downloaded executable content". This rule has the GUID 56a863a9-875e-4185-98a7-b882c64b5ce5 in the backend.

Set the rule action based on your deployment strategy:

• Audit: Recommended for initial testing (30+ days) - logs events without blocking
• Block: Actively prevents the behavior - use after audit period
• Warn: Shows user warning but allows override (Windows 10 1809+ required)
• Not configured: Disables the rule

For initial deployment, select Audit to monitor impact before enforcement:

Block JavaScript or VBScript from launching downloaded executable content: Audit

Set up exclusions for legitimate applications that might be affected by the ASR rule.

In the same configuration page, look for "Attack Surface Reduction Only Exclusions" section. Here you can add exclusions for:

• File paths: Specific directories where scripts should be allowed
• File names: Specific executable names to exclude
• Process names: Applications that should be exempt

Common exclusions you might need:

File path exclusions:
C:\Program Files\YourApp\Scripts\
C:\Scripts\Approved\

File name exclusions:
legitimate-installer.exe
automation-script.js

Process exclusions:
trusted-application.exe

Only add exclusions for applications you've verified as legitimate and necessary for business operations. Each exclusion reduces the security benefit of the rule.

Configure which devices or users will receive this Attack Surface Reduction policy.

Click Next to proceed to the Assignments page. Here you'll define the scope of your policy deployment.

Configure the assignments:

• Included groups: Select device groups or user groups that should receive this policy
• Excluded groups: Optionally exclude specific groups (e.g., test devices, executive devices)

For a phased deployment approach:

Phase 1: IT Test Devices (50-100 devices)
Phase 2: Pilot Department (500-1000 devices)
Phase 3: All Corporate Devices

Exclusions: Executive Devices, Critical Servers

Start with a small test group when deploying in Audit mode, then expand to larger groups as you gain confidence in the rule's impact.

Set up conditional deployment based on device characteristics like OS version or device properties.

Click Next to reach the Applicability rules page. This optional step allows you to create conditions that must be met for the policy to apply.

Common applicability rules for ASR policies:

• OS version: Windows 10 version 1809 or later (required for Warn mode)
• Device ownership: Corporate devices only
• Device compliance: Only compliant devices

Example applicability rule configuration:

Rule: Device.OSVersion
Operator: Greater than or equal to
Value: 10.0.17763 (Windows 10 1809)

Rule: Device.DeviceOwnership
Operator: Equals
Value: Corporate

If you don't need conditional deployment, you can skip this step by clicking Next without adding any rules.

Complete the policy creation and deploy it to your target devices.

Click Next to reach the Review + create page. Carefully review all your policy settings:

• Policy name and description
• Rule configuration (should be set to Audit initially)
• Exclusions (if any)
• Target assignments
• Applicability rules (if configured)

Once you've verified all settings are correct, click Create to deploy the policy.

The policy will begin applying to target devices within minutes. Intune policies typically sync every 8 hours by default, but you can force a sync for immediate testing.

To force a policy sync on a test device:

# Run on target Windows device as administrator
Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

# Or use Intune remote action:
# Devices > All devices > Select device > Sync

Track the policy deployment status and monitor ASR rule events to ensure proper functionality.

Monitor deployment status in Intune:

1. Navigate to Endpoint security > Attack surface reduction
2. Click on your newly created policy
3. Review the Device status and User status tabs

Check for deployment issues:

Success: Policy applied successfully
Error: Policy failed to apply (check device logs)
Conflict: Multiple conflicting policies detected
Not applicable: Device doesn't meet applicability rules

Monitor ASR events using Microsoft Defender for Endpoint or Windows Event Logs:

# PowerShell command to check ASR events locally
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=1121,1122,5007} | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# Check current ASR rule status
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

In Microsoft Defender for Endpoint portal, navigate to Reports > Attack surface reduction to view detailed analytics and blocked events.

After monitoring the audit phase, update the policy to actively block malicious JavaScript and VBScript execution.

After running in Audit mode for at least 30 days and analyzing the results:

1. Return to Endpoint security > Attack surface reduction
2. Click on your policy name to edit it
3. Navigate to Configuration settings
4. Change the rule setting from Audit to Block

Before making this change, ensure you've:

• Reviewed all audit events and added necessary exclusions
• Tested the impact on critical business applications
• Communicated the change to relevant stakeholders
• Prepared incident response procedures for false positives

Save the policy changes:

Block JavaScript or VBScript from launching downloaded executable content: Block

The updated policy will deploy to devices within the next sync cycle. Monitor closely for the first 48 hours after switching to Block mode.