
How to Configure Windows Attack Surface Reduction Exclusions for Senturo

Ensure Senturo Runs Without Interruption on Windows Devices with Strict Security Policies

Overview

Some Windows security configurations, specifically Attack Surface Reduction (ASR) rules, may block Senturo executables from running even when properly code-signed. This occurs because certain ASR rules require executables to meet prevalence, age, or trusted list criteria before they're allowed to run.

This guide explains how to configure ASR exclusions for Senturo across your organization using three deployment methods:

  1. Microsoft Intune (for cloud-managed and hybrid environments)
  2. Active Directory Group Policy (for traditional on-premises deployments)
  3. PowerShell (for individual devices or small deployments)

Choose the method that matches your IT infrastructure.


Understanding the Issue

What is Attack Surface Reduction (ASR)?

Attack Surface Reduction is a Windows security feature that prevents executables from running unless they meet specific security criteria. Even with valid code signing certificates, new or recently updated executables may be blocked until they establish sufficient reputation with Microsoft's cloud security services.

Which ASR Rule Blocks Senturo?

The specific rule that commonly affects Senturo is:

  • "Block executable files from running unless they meet a prevalence, age, or trusted list criteria"

Why Does This Happen?

  • New binary hashes (from updates) need time to build reputation
  • Microsoft's telemetry requires download data from multiple sources
  • ASR rules prioritize security over convenience by default

What Gets Blocked?

The following Senturo executables may be affected:

  • Senturo.exe (main application)
  • SenturoBroadcast.exe (broadcast utility)
  • SenturoLock.exe (lockscreen utility)
  • SenturoScreenshot.exe (screenshot utility)

Choose Your Deployment Method

Select the option that matches your organization's IT infrastructure:


Method 1: Configure ASR Exclusions via Microsoft Intune

Steps to Configure via Intune Settings Catalog

Step 1: Create a New Configuration Profile

  1. Sign in to Microsoft Intune admin center (intune.microsoft.com).
  2. Navigate to Devices > Configuration.
  3. Click + Create > New Policy.
  4. Choose:
    • Platform: Windows 10 and later
    • Profile type: Settings catalog
  5. Click Create.

Step 2: Name the Profile

  1. Enter a Name, for example: Senturo – ASR Exclusions.
  2. Optionally enter a Description, e.g.: Allows Senturo executables to run on devices with Attack Surface Reduction rules enabled.
  3. Click Next.

Step 3: Add Settings

  1. In Configuration settings, click + Add settings.
  2. In the search box, type: Attack Surface Reduction Only Exclusions
  3. Select: Defender > Attack Surface Reduction Only Exclusions
  4. In the value field, enter: C:\Program Files (x86)\Senturo Ltd\Senturo\*
  5. Click Next.

 

Step 4: Assign the Profile

  1. (Optional) Add any Scope tags if required by your environment, then click Next.
  2. Under Assignments, choose:
    • Included groups: Select the device groups or user groups where Senturo is deployed.
    • Excluded groups: Any devices where ASR exclusions should not apply.
  3. Click Next.

Step 5: Review and Create

  • Review your configuration settings.
  • Click Create to deploy the policy.

Verify the Policy on a Device

  1. On a Windows device, allow time for the policy to apply (typically 5-20 minutes).
  2. Open PowerShell as Administrator.
  3. Run the following command:
    Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionOnlyExclusions
  4. Verify that C:\Program Files (x86)\Senturo Ltd\Senturo\* appears in the output.

Method 2: Configure ASR Exclusions via Group Policy

Steps to Configure via Group Policy

Step 1: Open Group Policy Management Console

  1. On your domain controller or management workstation, open Group Policy Management Console (GPMC).
  2. Create a new Group Policy Object (GPO) or edit an existing one linked to the appropriate Organizational Units (OUs) containing your Windows devices.

Step 2: Navigate to ASR Settings

  1. In the Group Policy Management Editor, navigate to:
    Computer Configuration → Policies → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Microsoft Defender Exploit Guard → Attack Surface Reduction

 

Step 3: Configure the Exclusion

  1. Locate and double-click: "Exclude files and paths from Attack surface reduction Rules"
  2. Select Enabled.
  3. Click Show next to the options field.
  4. In the Value column, enter: C:\Program Files (x86)\Senturo Ltd\Senturo\*
  5. Click OK to close all windows.

 

Step 4: Link and Apply the GPO

  1. Link the GPO to the appropriate OUs containing Windows devices running Senturo.
  2. On a test device, open Command Prompt as Administrator.
  3. Run: gpupdate /force to immediately apply the policy.

Verify the Policy on a Device

  1. Open PowerShell as Administrator on a domain-joined device.
  2. Run:
    Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionOnlyExclusions
  3. Verify that C:\Program Files (x86)\Senturo Ltd\Senturo\* appears in the output.

Note: Group Policy may take up to 90 minutes to apply automatically. Use gpupdate /force for immediate testing.


Method 3: Configure ASR Exclusions via PowerShell

Steps to Configure via PowerShell

Step 1: Open PowerShell as Administrator

  1. Click Start and search for PowerShell.
  2. Right-click Windows PowerShell and select Run as administrator.
  3. Click Yes to allow the app to make changes.

Step 2: Add the ASR Exclusion

Copy and paste the following command into PowerShell, then press Enter:

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files (x86)\Senturo Ltd\Senturo\*"

 

Step 3: Verify the Exclusion

Run the following command to confirm the exclusion was added:

Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionOnlyExclusions

You should see C:\Program Files (x86)\Senturo Ltd\Senturo\* in the output.


Advanced Configuration Options

Exclude Specific Executables (More Restrictive)

Instead of excluding the entire Senturo folder, you can exclude only specific executables:

For Intune Settings Catalog:

  • Add multiple entries in the Attack Surface Reduction Only Exclusions setting:
    • C:\Program Files (x86)\Senturo Ltd\Senturo\Senturo.exe
    • C:\Program Files (x86)\Senturo Ltd\Senturo\SenturoBroadcast.exe
    • C:\Program Files (x86)\Senturo Ltd\Senturo\SenturoLock.exe
    • C:\Program Files (x86)\Senturo Ltd\Senturo\SenturoScreenshot.exe 

For Group Policy:

  • Add these paths as separate values in the Exclude files and paths setting.

For PowerShell:

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files (x86)\Senturo Ltd\Senturo\Senturo.exe"
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files (x86)\Senturo Ltd\Senturo\SenturoBroadcast.exe"
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files (x86)\Senturo Ltd\Senturo\SenturoLock.exe"
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files (x86)\Senturo Ltd\Senturo\SenturoScreenshot.exe"

Certificate-Based Trust (Enterprise Environments)

For organizations with Microsoft Defender for Endpoint, you can configure certificate-based trust instead of path-based exclusions:

  1. Navigate to Microsoft 365 Defender Portal > Settings > Endpoints > Indicators.
  2. Add indicator → Certificate.
  3. Enter certificate thumbprint: 68357EB8BE064850D62837F5B72516B10213ADA7
  4. Action: Allow
  5. Title: Senturo Ltd EV Code Signing Certificate

This approach trusts all executables signed with Senturo's certificate, regardless of file location.
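Whichever trust model you choose, it is worth confirming on a device that the excluded folder contains only binaries signed with this certificate and that non-administrators cannot write to it. The script below is an added example, not Senturo's own tooling; it uses the folder and thumbprint from this article and assumes the thumbprint is that of the leaf signing certificate. Run it in an elevated PowerShell session.

```powershell
# Added example: audit the folder covered by the Senturo ASR exclusion.
# Folder and thumbprint are the values given in this article.
$Folder     = 'C:\Program Files (x86)\Senturo Ltd\Senturo'
$Thumbprint = '68357EB8BE064850D62837F5B72516B10213ADA7'

# 1. Is an exclusion covering the folder present on this device?
$exclusions = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
$covering   = @($exclusions | Where-Object { $_ -like "$Folder*" })

# 2. Every .exe under the excluded path should carry a valid signature from
#    the expected certificate (assumed here to be the leaf signing cert).
$unexpected = @(Get-ChildItem -LiteralPath $Folder -Recurse -File -Filter *.exe |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Thumbprint = $sig.SignerCertificate.Thumbprint
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Thumbprint -ne $Thumbprint })

# 3. Only these principals should hold write access to the folder.
#    SIDs are used so the check also works on localized Windows builds.
$trusted = @(
    'S-1-5-18'      # SYSTEM
    'S-1-5-32-544'  # BUILTIN\Administrators
    'S-1-3-0'       # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Write-type rights, plus the raw GENERIC_WRITE and GENERIC_ALL bits.
$mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

$writable = @((Get-Acl -LiteralPath $Folder).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $trusted -and
        ([int]$_.FileSystemRights -band $mask) -ne 0
    })

# Summary: the last two properties should be empty on a healthy device.
[pscustomobject]@{
    ExclusionPresent   = $covering.Count -gt 0
    UnexpectedBinaries = $unexpected.File
    NonAdminWriters    = $writable.IdentityReference.Value
} | Format-List
```

Any entry under UnexpectedBinaries or NonAdminWriters means the path exclusion covers something other than Senturo's signed executables and should be investigated before the exclusion is kept.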


Troubleshooting

Exclusion Not Applying

Symptoms:

  • Senturo continues to be blocked by ASR rules
  • Windows Security shows repeated "Action blocked" notifications

Solutions:

  1. Verify policy assignment:

    • Intune: Check that the device group is correctly assigned to the configuration profile
    • Group Policy: Ensure the GPO is linked to the correct OU and not blocked by inheritance
  2. Check for conflicting policies:

    • Multiple Intune profiles or GPOs may conflict
    • Verify no other policy is setting ASR rules that override the exclusion
  3. Force policy refresh:

    • Intune: Devices check in every 8 hours by default. Go to Devices > select device > Sync to force immediate check-in
    • Group Policy: Run gpupdate /force on the device
  4. Restart the device:

    • Some ASR configurations require a reboot to take full effect

PowerShell Command Fails

Error: "Access is denied"

Solution: Ensure PowerShell is running as Administrator. Right-click PowerShell and select Run as administrator.

Error: "The term 'Add-MpPreference' is not recognized"

Solution: This indicates that Windows Defender is not present or is disabled. Verify that Windows Defender is enabled on the device.

Exclusion Exists But Senturo Still Blocked

Cause: The exclusion path may be incorrect or not matching the actual installation location.

Solution:

  1. Verify Senturo's installation path:

    Get-ChildItem "C:\Program Files (x86)\Senturo Ltd" -Recurse -Filter "Senturo.exe"
  2. If Senturo is installed in a different location, update the exclusion path accordingly.
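To see which path Defender actually blocked and compare it with the configured exclusion, you can read the ASR events from the Defender operational log. The script below is an added example, not part of Senturo's documentation; the rule GUID is Microsoft's documented ID for the prevalence, age, or trusted list rule (it does not appear in this article), and the `ID:` / `Path:` patterns assume the usual layout of the event message text.

```powershell
# Added example: show the state of the prevalence/age/trusted-list rule and
# its recent events that mention Senturo. Run in an elevated PowerShell.
# Rule GUID is Microsoft's documented ID for this rule (not from this article).
$RuleId      = '01443614-cd74-433a-b99e-2ecdc07bfc25'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Rule IDs and their actions are stored as two parallel arrays.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$state   = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $RuleId) { $state = $ActionNames[[int]$actions[$i]] }
}
"Rule $RuleId state: $state"
"Exclusions: $(@($pref.AttackSurfaceReductionOnlyExclusions) -join '; ')"

# Event 1121 = a rule blocked an action; 1122 = it would have blocked (audit mode).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Senturo' }

$events | ForEach-Object {
    # Pull the rule ID and the blocked path out of the event text
    # (message layout is an assumption; adjust the patterns if it differs).
    $rule = if ($_.Message -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1] }
    $path = if ($_.Message -match 'Path:\s*(.+)') { $Matches[1].Trim() }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        RuleId  = $rule
        Path    = $path
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

If the Path column shows a location outside the excluded folder, or the RuleId differs from the one above, the existing exclusion is not the cause of the block.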

Windows Security Shows "At Risk" After Adding Exclusion

Cause: Windows Security may flag exclusions as reducing protection.

Solution: This is expected behavior. The exclusion is working correctly. You can dismiss the notification or disable the warning in Windows Security settings.


Conclusion

By configuring ASR exclusions for Senturo using one of the three methods above, you ensure that Senturo can operate without interruption while maintaining a strong security posture on your Windows devices. The exclusion allows Senturo to function properly while still benefiting from Windows Defender's other protection layers.

For organizations with centralized management, Intune or Group Policy provide scalable, enterprise-grade deployment. For smaller environments or individual devices, PowerShell offers a quick and effective solution.


FAQs

Q: Do I need to reapply the exclusion after updating Senturo?
A: No. The exclusion applies to the installation directory, not specific file hashes. Updates to Senturo will automatically be covered by the existing exclusion.

Q: Will this exclusion affect other security software on my devices?
A: No. ASR exclusions only affect Microsoft Defender's Attack Surface Reduction rules. Third-party antivirus or security software operates independently.

Q: Can users remove this exclusion?
A: No. When deployed via Intune or Group Policy, exclusions are enforced by policy and cannot be removed by standard users. PowerShell-based exclusions can be removed by local administrators.

Q: Does this work on Windows 10 and Windows 11?
A: Yes. All methods work on Windows 10 version 1709 and later, including all versions of Windows 11.

Q: What if I use a different antivirus instead of Windows Defender?
A: ASR rules are specific to Microsoft Defender. If you use third-party antivirus software, this configuration is not needed. However, you may need to configure exclusions in your third-party antivirus software instead.

Q: Is there a risk in excluding the entire Senturo folder with the wildcard (*)?
A: The risk is minimal. The folder requires administrator privileges to modify, and all legitimate Senturo executables are code-signed. For maximum security, you can exclude only the specific executables (Senturo.exe, SenturoBroadcast.exe, SenturoLock.exe, SenturoScreenshot.exe) instead of using the wildcard.

Q: Why doesn't Senturo just request allowlisting from Microsoft?
A: Even with EV code signing and cloud reputation, new binary hashes (from each update) can trigger ASR rules temporarily until they establish sufficient prevalence. The exclusion ensures uninterrupted operation regardless of update frequency.