🚀 Introducing ASR Rule Inspector V2

Introduction

After some incredibly valuable feedback and a few feature requests, I’m excited to share the next iteration of my ASR reporting script: ASR Rule Inspector V2.

This version brings new functionality, improved visibility, and more actionable insights to help you stay on top of Attack Surface Reduction (ASR) rules and Controlled Folder Access (CFA) configurations.

Whether you’re an Intune admin, a security enthusiast, or just someone who’s had one too many late nights troubleshooting inconsistent ASR behavior, this tool is designed with you in mind.

What’s New in V2?

All the enhancements are based on real-world use and community feedback (thank you!). Here’s a rundown of the new features and why they matter.

Intune vs Local Comparison – No More Policy Guesswork

This feature retrieves actual ASR-related configurations directly from Intune using SettingDefinitionIDs. It allows you to easily search across both Endpoint Security Policies and Configuration Profiles. It gives you a clear view of whether what you’ve assigned is truly what’s applied on the device.

NOTE: OMA URI is not included as this is slowly being phased out anyway.

Detecting Duplicate and Conflicting Rules

One of the more common sources of frustration: overlapping or conflicting rules that undermine your intended configuration. V2 now flags:

  • Duplicate ASR rules
  • Conflicting exclusions (global and ASR per rule)

This helps prevent scenarios where one rule quietly cancels out another, leading to unexpected behavior and potential security gaps.
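
An added example, not taken from ASR Rule Inspector itself: one way to flag duplicate and conflicting ASR rule entries in PowerShell. It assumes a "duplicate" is the same rule GUID listed more than once with the same action and a "conflict" is the same GUID with different actions; the function names and policy names are hypothetical and the sample entries are constructed.

```powershell
# Added example, not code from ASR Rule Inspector; function names are hypothetical.
# Assumption: same rule GUID + same action = Duplicate; same GUID + different actions = Conflict.
function Find-AsrRuleOverlap {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Entries)
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }   # ASR action values
    $Entries |
        # Normalize GUID casing and whitespace so the same rule always groups together.
        Group-Object -Property { $_.RuleId.ToString().Trim().ToUpperInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $actions = @($_.Group | ForEach-Object { [int]$_.Action } | Sort-Object -Unique)
            $labels  = $actions | ForEach-Object {
                if ($names.ContainsKey($_)) { $names[$_] } else { "Unknown ($_)" }
            }
            [pscustomobject]@{
                RuleId  = $_.Name
                Finding = if ($actions.Count -gt 1) { 'Conflict' } else { 'Duplicate' }
                Actions = $labels -join ', '
                Sources = ($_.Group.Source | Sort-Object -Unique) -join '; '
            }
        }
}

function Get-LocalAsrEntry {
    # Defender reports local rules as two parallel arrays (rule GUIDs and actions).
    $mp = Get-MpPreference
    if (-not $mp.AttackSurfaceReductionRules_Ids) { return }
    $ids     = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{ Source = 'Local device'; RuleId = $ids[$i]; Action = [int]$actions[$i] }
    }
}

# Constructed sample input; the policy names are hypothetical.
$sample = @(
    # Block executable content from email client and webmail: Block in A, Audit in B
    [pscustomobject]@{ Source = 'Policy A'; RuleId = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'; Action = 1 }
    [pscustomobject]@{ Source = 'Policy B'; RuleId = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'; Action = 2 }
    # Block all Office applications from creating child processes: Block in both
    [pscustomobject]@{ Source = 'Policy A'; RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'; Action = 1 }
    [pscustomobject]@{ Source = 'Policy B'; RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'; Action = 1 }
    # Block Office applications from creating executable content: listed once, not reported
    [pscustomobject]@{ Source = 'Policy A'; RuleId = '3B576869-A4EC-4529-8536-B80A7769E899'; Action = 2 }
)
Find-AsrRuleOverlap -Entries $sample | Format-Table -AutoSize
# To check the list the device itself reports:
# Find-AsrRuleOverlap -Entries @(Get-LocalAsrEntry) | Format-Table -AutoSize
```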

See What’s Really in Those Exclusion Folders

This update now recursively reports all underlying folders and files within exclusion directories. No more guessing. No more blind spots. Just full visibility.

HTML report

The script now generates an HTML report with all details. It includes:

  • Intune vs Local ASR rule comparisons
  • Duplicate/conflicting rules
  • ASR exclusions and their compliance status
  • CFA settings with a breakdown of protected folders and allowed apps

The report opens automatically in your default browser.

Use Cases

Verify Policy Assignments

Confirm whether Intune policies are reaching the intended device. This is especially useful with group-based or filter-based assignments.

Analyze ASR Rules

Compare Intune vs local settings to spot inconsistencies, duplications, or missing configurations.

Audit ASR Exclusions

Retrieve and evaluate exclusion paths from both Intune and the device. Ensure they match expectations.

CFA Compliance Checks

Review Controlled Folder Access settings and verify that the intended folders are protected and the intended apps are allowed, as per policy.

Intune Debug Toolkit

Last but not least, I am proud to announce that this script will also be made available in the Intune Debug Toolkit.

Conclusion

ASR Rule Inspector V2 aims to make your life just a little bit easier (and your compliance checks a lot more accurate). Whether you’re troubleshooting, auditing, or just trying to get a better handle on your ASR and CFA setup, this tool gives you a solid starting point.

Feedback is always welcome! If something doesn’t work the way you expect, or if you’ve got an idea for a future enhancement, feel free to reach out.