Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint block common attack techniques used by malware and exploits. By preventing suspicious behaviors like Office macros spawning child processes or scripts downloading executables, ASR rules significantly reduce your exposure to threats. This guide covers configuring, testing, and managing ASR rules effectively.
Prerequisites
Before configuring ASR rules, ensure:
- Microsoft Defender Antivirus is running in active mode (not passive)
- Windows 10 version 1709+ or Windows 11 (some rules require newer versions)
- Appropriate licenses: Microsoft 365 E5, E5 Security, or Defender for Endpoint P1/P2
- Administrative access to Intune, Group Policy, or devices
- Device onboarding to Defender for Endpoint (for portal visibility)
Understanding ASR Rules
Available Rules
| Rule | GUID | Purpose |
|---|---|---|
| Block executable content from email | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Prevents email attachments from running executables |
| Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Stops Office spawning cmd, PowerShell, etc. |
| Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Prevents Office from writing executable files |
| Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Stops process injection from Office |
| Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Prevents scripts from running downloaded executables |
| Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Blocks heavily obfuscated scripts |
| Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Prevents macros from calling Windows APIs |
| Block credential stealing from LSASS | 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 | Protects against credential dumping |
| Block process creations from PSExec and WMI | D1E49AAC-8F56-4280-B9BA-993A6D77406C | Stops remote execution tools |
| Block untrusted and unsigned processes from USB | B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 | Prevents USB-based attacks |
| Block Office communication apps from creating child processes | 26190899-1602-49E8-8B27-EB1D0A1CE869 | Protects Outlook, Teams, etc. |
| Block Adobe Reader from creating child processes | 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C | Prevents PDF-based attacks |
| Block persistence through WMI event subscription | E6DB77E5-3DF2-4CF1-B95A-636979351E5B | Blocks WMI-based persistence |
| Block abuse of exploited vulnerable signed drivers | 56A863A9-875E-4185-98A7-B882C64B5CE5 | Prevents BYOVD attacks |
| Use advanced protection against ransomware | C1DB55AB-C21A-4637-BB3F-A12568109D35 | Enhanced ransomware protection |
Rule Modes
| Mode | Value | Behavior |
|---|---|---|
| Disabled | 0 | Rule is off |
| Block | 1 | Rule actively blocks actions |
| Audit | 2 | Logs events but doesn't block |
| Warn | 6 | Shows warning to user, allows bypass |
Step 1: Assess Current State
Before enabling rules, check current configuration:
Using PowerShell
```powershell
# Check current ASR rule states
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

# Get detailed status: the two properties are parallel arrays, so index them together
$rules = Get-MpPreference
for ($i = 0; $i -lt $rules.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $rules.AttackSurfaceReductionRules_Ids[$i]
    $action = $rules.AttackSurfaceReductionRules_Actions[$i]
    $actionName = switch ($action) { 0 {"Disabled"} 1 {"Block"} 2 {"Audit"} 6 {"Warn"} }
    Write-Host "$id : $actionName"
}
```
View in Defender Portal
- Go to Reports > Security report > Devices
- Select Attack surface reduction rules card
- Review rule status and detections across devices
Step 2: Deploy Rules in Audit Mode
Always start with Audit mode to assess impact.
Using Microsoft Intune
- Sign in to Microsoft Intune admin center
- Go to Endpoint security > Attack surface reduction
- Click Create Policy
- Select:
  - Platform: Windows 10, Windows 11, and Windows Server
  - Profile: Attack Surface Reduction Rules
- Configure rules:
Recommended Initial Audit Settings:
| Rule | Setting |
|---|---|
| Block executable content from email client and webmail | Audit |
| Block all Office applications from creating child processes | Audit |
| Block Office applications from creating executable content | Audit |
| Block JavaScript or VBScript from launching downloads | Audit |
| Block execution of potentially obfuscated scripts | Audit |
| Block credential stealing from LSASS | Audit |
| Use advanced protection against ransomware | Audit |
- Click Next
- Assign to a test device group first
- Click Create
Using Group Policy
- Open Group Policy Management Editor
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
- Open Configure Attack Surface Reduction rules
- Set to Enabled
- Click Show to add rules
- Enter each rule GUID as the value name and its mode as the value (2 for Audit):

```text
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 2
D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 2
3B576869-A4EC-4529-8536-B80A7769E899 = 2
```
Using PowerShell (Local Testing)
```powershell
# Enable rules in Audit mode
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions 2
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions 2
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions 2

# Verify configuration
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```
Step 3: Monitor Audit Events
Run in Audit mode for 1-2 weeks before enabling Block mode.
Review Events in Defender Portal
- Go to Hunting > Advanced hunting
- Run query to find ASR audit events:
```kusto
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| summarize EventCount = count() by ActionType, FileName, FolderPath
| order by EventCount desc
```
Review Local Event Logs
- Open Event Viewer
- Navigate to: Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
- Filter for Event IDs:
  - 1121: Rule blocked action (Block mode)
  - 1122: Rule audited action (Audit mode)
  - 1125: Rule triggered in Warn mode
Analyze False Positives
Identify legitimate applications triggering rules:
```kusto
DeviceEvents
| where Timestamp > ago(14d)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsAudited"
| summarize Count = count() by FileName, FolderPath, DeviceName
| where Count > 5
| order by Count desc
```
Common false positive patterns:
- Line-of-business applications using Office automation
- IT admin scripts running from Office
- Third-party Office add-ins with legitimate API calls
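To run the same triage on a pilot device without portal access, the following added script (not from the original guide) summarizes local Event IDs 1121, 1122 and 1125 by rule and process. It assumes the EventData field names Defender writes for these events (ID, Process Name, Path) and shortens the rule names from the table above.

```powershell
# Added example: summarize local ASR events for false-positive triage on a pilot device.
# EventData field names ("ID", "Process Name", "Path") are assumed to match what Defender writes.
$AsrRuleNames = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Executable content from email'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBS launching downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Credential stealing from LSASS'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Advanced ransomware protection'
}
$ModeByEventId = @{ 1121 = 'Blocked'; 1122 = 'Audited'; 1125 = 'Warned' }

function Get-AsrEventSummary {
    param([int]$Days = 14, [int]$MinCount = 1)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1125
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Pull the named EventData fields of each event into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId = ("$($data['ID'])" -replace '[{}]', '').ToUpper()
        $ruleName = if ($AsrRuleNames.ContainsKey($ruleId)) { $AsrRuleNames[$ruleId] } else { $ruleId }
        [pscustomobject]@{
            Mode    = $ModeByEventId[$e.Id]
            Rule    = $ruleName
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
    # Group by mode, rule and process; repeat offenders are the exclusion candidates.
    $rows | Group-Object Mode, Rule, Process | ForEach-Object {
        [pscustomobject]@{
            Count   = $_.Count
            Mode    = $_.Group[0].Mode
            Rule    = $_.Group[0].Rule
            Process = $_.Group[0].Process
            Example = $_.Group[0].Target
        }
    } | Where-Object Count -ge $MinCount | Sort-Object Count -Descending
}

# Mirror the KQL above: 14 days, more than 5 hits per process.
Get-AsrEventSummary -Days 14 -MinCount 6 | Format-Table -AutoSize
```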
Step 4: Configure Exclusions
Add exclusions for legitimate false positives before enabling Block mode.
Add Exclusions via Intune
- Edit your ASR policy in Intune
- Under Attack Surface Reduction Rules, find exclusion settings
- Add exclusions by:
  - File path: C:\Program Files\LegitApp\app.exe
  - Folder path: C:\Program Files\LegitApp\
- Save and sync
Add Exclusions via PowerShell
```powershell
# Add folder exclusion
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files\LegitApp"

# Add file exclusion
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Scripts\approved-script.ps1"

# View current exclusions
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionOnlyExclusions
```
Exclusion Best Practices
- Be specific: Exclude specific files, not entire folders
- Avoid user-writable paths: Never exclude Downloads, Temp, Desktop
- Document exclusions: Track why each exclusion was added
- Review periodically: Remove exclusions for decommissioned apps
- Use signed app exceptions: Where possible, use certificate-based trust
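The following added wrapper (example code, not from the original guide) turns the first four practices into checks that run before Add-MpPreference: it refuses paths under user-writable roots, requires an explicit opt-in for folders, and records owner and reason in a CSV. The root list and the CSV location are assumptions.

```powershell
# Added example: wrapper around Add-MpPreference that enforces the practices above before
# adding an ASR-only exclusion. Root list and log location are assumptions for this example.
$UserWritableRoots = @("$env:SystemDrive\Users", "$env:windir\Temp")   # Downloads, Desktop, Temp live here
$ExclusionLog = 'C:\ProgramData\AsrExclusions\exclusions.csv'           # assumed record location

function Add-DocumentedAsrExclusion {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Reason,   # why the exclusion exists (ticket, app owner)
        [Parameter(Mandatory)][string]$Owner,    # who to ask at the periodic review
        [switch]$AllowFolder                     # folders need an explicit opt-in
    )
    $full = [System.IO.Path]::GetFullPath($Path)
    foreach ($root in $UserWritableRoots) {
        # Trailing separators so "C:\Users" does not also match "C:\UsersData".
        if (($full + '\').StartsWith($root.TrimEnd('\') + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
            throw "Refusing exclusion under user-writable root '$root': $full"
        }
    }
    if (-not (Test-Path -LiteralPath $full)) {
        throw "'$full' does not exist on this device; not excluding a path that may be created later"
    }
    if ((Test-Path -LiteralPath $full -PathType Container) -and -not $AllowFolder) {
        throw "'$full' is a folder; exclude the specific file, or pass -AllowFolder deliberately"
    }
    if ((Get-MpPreference).AttackSurfaceReductionOnlyExclusions -contains $full) {
        Write-Warning "Already excluded: $full"
        return
    }
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $full
    # Record the exclusion so the periodic review knows why it exists and who owns it.
    New-Item -ItemType Directory -Path (Split-Path $ExclusionLog) -Force | Out-Null
    [pscustomobject]@{
        Added  = (Get-Date).ToString('s')
        Device = $env:COMPUTERNAME
        Path   = $full
        Reason = $Reason
        Owner  = $Owner
    } | Export-Csv -LiteralPath $ExclusionLog -Append -NoTypeInformation
}

# Usage: the file exclusion from the Intune step above, documented at creation time.
Add-DocumentedAsrExclusion -Path 'C:\Program Files\LegitApp\app.exe' `
    -Reason 'LOB add-in triggers the Win32 API rule in audit' -Owner 'endpoint-team'
```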
Step 5: Enable Block Mode
After confirming no critical false positives, switch to Block mode.
Phased Rollout Strategy
- Week 1-2: Audit mode on pilot devices
- Week 3: Block mode on pilot devices
- Week 4-5: Audit mode on broader population
- Week 6+: Block mode org-wide
Enable Block Mode in Intune
- Edit your ASR policy
- Change rules from Audit to Block
- Deploy to broader device groups
- Monitor for impact
Enable Block Mode via PowerShell
```powershell
# Set rules to Block mode (1). Use Add-MpPreference here as well: it updates the action of a
# rule that is already configured, whereas Set-MpPreference replaces the whole rule list, so
# calling it once per rule would leave only the last rule configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions 1
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions 1
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions 1
```
Step 6: Monitor and Maintain
Create Alert Rules
Set up alerts for blocked actions:
```kusto
DeviceEvents
| where ActionType startswith "AsrOffice" and ActionType endswith "Blocked"
| summarize BlockCount = count() by DeviceName, ActionType, bin(Timestamp, 1h)
| where BlockCount > 10
```
Regular Review Cadence
| Frequency | Action |
|---|---|
| Daily | Review high-volume blocks for false positives |
| Weekly | Check ASR dashboard for trends |
| Monthly | Review exclusions, remove unnecessary ones |
| Quarterly | Evaluate enabling additional rules |
Report on ASR Effectiveness
```kusto
// ASR rule effectiveness over 30 days
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| extend RuleId = extract("Asr([A-Za-z]+)(Blocked|Audited)", 1, ActionType)
| extend Mode = extract("Asr([A-Za-z]+)(Blocked|Audited)", 2, ActionType)
| summarize
    Blocked = countif(Mode == "Blocked"),
    Audited = countif(Mode == "Audited")
    by RuleId
| order by Blocked desc
```
Recommended Rule Configuration
High-Confidence Rules (Enable Block Immediately)
These rules have low false positive rates:
| Rule | Recommendation |
|---|---|
| Block executable content from email | Block |
| Block Office from creating executable content | Block |
| Block JavaScript/VBScript launching downloads | Block |
| Block credential stealing from LSASS | Block |
| Advanced ransomware protection | Block |
Medium-Confidence Rules (Audit First)
These rules may affect legitimate applications:
| Rule | Recommendation |
|---|---|
| Block Office from creating child processes | Audit 2 weeks, then Block |
| Block obfuscated scripts | Audit 2 weeks, then Block |
| Block Win32 API calls from macros | Audit 2 weeks, then Block |
| Block process creations from PSExec/WMI | Audit 2 weeks, then Block |
Use-Case Dependent Rules
| Rule | When to Enable |
|---|---|
| Block untrusted processes from USB | If USB threats are a concern |
| Block Adobe Reader child processes | If PDFs are a threat vector |
| Block Office communication app child processes | For high-security environments |
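As an added example (not from the original guide), this script encodes the high- and medium-confidence recommendations above as a baseline and reports where a device's live configuration is weaker; the Add-MpPreference remediation is limited to weaker rules, so a device already in Block where Audit is recommended is left alone.

```powershell
# Added example: compare a device's live ASR state against the recommended baseline above and
# report drift. High-confidence rules are expected in Block (1), medium-confidence in Audit (2);
# use-case dependent rules are left out on purpose.
$AsrBaseline = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 1   # executable content from email
    '3B576869-A4EC-4529-8536-B80A7769E899' = 1   # Office creating executable content
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 1   # JS/VBS launching downloads
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 1   # credential stealing from LSASS
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 1   # advanced ransomware protection
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 2   # Office child processes
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 2   # obfuscated scripts
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 2   # Win32 API calls from macros
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 2   # process creations from PSExec/WMI
}
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
# Relative strictness, so Block where Audit is expected counts as stricter, not as drift.
$Strength  = @{ 0 = 0; 2 = 1; 6 = 2; 1 = 3 }

function Get-AsrBaselineDrift {
    param([hashtable]$Baseline = $AsrBaseline)
    $pref = Get-MpPreference
    # Get-MpPreference returns two parallel arrays; zip them into GUID -> action.
    $current = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $current[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($id in $Baseline.Keys) {
        $actual = if ($current.ContainsKey($id)) { $current[$id] } else { 0 }   # unset = Disabled
        [pscustomobject]@{
            RuleId   = $id
            Expected = $ModeNames[$Baseline[$id]]
            Actual   = $ModeNames[$actual]
            Weaker   = $Strength[$actual] -lt $Strength[$Baseline[$id]]
        }
    }
}

# Re-apply the baseline action only where the device is weaker than expected.
function Repair-AsrBaselineDrift {
    Get-AsrBaselineDrift | Where-Object Weaker | ForEach-Object {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $_.RuleId -AttackSurfaceReductionRules_Actions $AsrBaseline[$_.RuleId]
    }
}

Get-AsrBaselineDrift | Format-Table -AutoSize
```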
Troubleshooting
Rule Not Blocking
Symptoms: Rule is set to Block but actions aren't prevented.
Solutions:
- Verify Defender AV is in active mode (not passive)
- Check that the policy is applied: run `Get-MpPreference`
- Verify the device is receiving policy from Intune/GPO
- Check for broad exclusions overriding the rule
- Ensure Windows version supports the rule
Excessive Blocking
Symptoms: Legitimate applications are being blocked.
Solutions:
- Set rule to Audit mode temporarily
- Identify the specific application triggering blocks
- Add targeted exclusion for the legitimate application
- Verify exclusion is scoped appropriately
- Re-enable Block mode after exclusion
Policy Conflicts
Symptoms: Different rule states on same device.
Solutions:
- Check for multiple policies (Intune, GPO, local)
- GPO settings may override Intune
- Use `gpresult /h report.html` to see applied policies
- Consolidate ASR configuration to a single policy source
Next Steps
After configuring ASR rules:
- Investigate security incidents blocked by ASR
- Enable Controlled Folder Access for ransomware protection
- Configure Network Protection to block malicious connections
- Implement Exploit Protection for additional hardening
Need help hardening your endpoints? Inventive HQ provides comprehensive endpoint security services including ASR configuration, policy management, and ongoing optimization. Contact us for expert guidance.