Forum Discussion
Intune - ASR Rules - exclusion
Hello, please can anybody give me an advice about Intune exception? We are using N-Able client for computer management and Intune ASR is blocking it. I tried to add exception in rule setting but it has not helped so far.
I am getting defender popup with info that
risky action blocked
Your admin blocker this action.
Blocked app or process - winagent.exe
Blocked by - surface attack reduction
Rule - Block using of copied or personified system tools.
There is my exception but it did not helped.
Thank you.
1 Reply
Hi Jendislav
This behaviour is usually related to how the “Block use of copied or impersonated system tools” ASR rule works, rather than an Intune misconfiguration. The N-able agent (winagent.exe) runs under the SYSTEM context and can show behaviour similar to Windows system tools, which can trigger this ASR rule.
When adding exclusions:
- Make sure you are using ASR per-rule exclusions inside the ASR policy
- The exclusion should target the actual third-party executable (for example, winagent.exe), not Windows system files like svchost.exe
In some environments, even per-rule exclusions may not fully resolve the issue with certain RMM or monitoring agents. If the problem continues, a good approach is to temporarily set this ASR rule to Audit mode and review the Defender logs to confirm exactly what is being blocked. This helps determine whether the rule can stay enabled or needs a different approach for these devices.
Hope this helps.
