Tenant attach: Create and deploy Attack surface reduction policies from the admin center (preview)

Applies to: Configuration Manager (current branch)


This information relates to a preview feature which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Create Attack surface reduction policies in the Microsoft Endpoint Manager console and deploy them to Configuration Manager collections.


Assign Attack surface reduction policy to a collection

  1. In a browser, go to the Microsoft Endpoint Manager admin center.

  2. Select Endpoint security > Attack surface reduction then Create Policy.

  3. Create a profile with the following settings:

    • Platform: Windows 10 and later (ConfigMgr)
    • Profile: Choose one of the following profiles:
      • Attack Surface Reduction Rules (ConfigMgr) (preview)
      • Exploit Protection (ConfigMgr) (preview)
      • Web Protection (ConfigMgr) (preview)


The Microsoft Edge installer, Attack Surface Reduction rules engine for tenant attach, and CMPivot are currently signed with the Microsoft Code Signing PCA 2011 certificate. If you set PowerShell execution policy to AllSigned, then you need to make sure that devices trust this signing certificate. You can export the certificate from a computer where you've installed the Configuration Manager console. View the certificate on "C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\CMPivot.exe", and then export the code signing certificate from the certification path. Then import it to the machine's Trusted Publishers store on managed devices. You can use the process in the following blog, but make sure to export the code signing certificate from the certification path: Adding a Certificate to Trusted Publishers using Intune

  1. Assign a Name and optionally a Description on the Basics page.
  2. On the Configuration settings page, configure the settings you want to manage with this profile. When your done configuring settings, select Next. For more information about available settings for both profiles, see Attack surface reduction policy settings for tenant attached devices.
  3. Assign the policy to a Configuration Manager collection on the Assignments page.

Device Status (preview)

You can review the status of endpoint security policies for tenant attached devices. The Device Status page can be accessed for all endpoint security policy types for tenant-attached clients. To display the Device Status page:

  1. Select a policy that's targeted to ConfigMgr devices to display the Overview page for the policy.
  2. Select Device Status to display a list of devices targeted by the policy.
  3. The Device Name, Compliance State, and SMS ID are displayed for each of the devices on the Device Status page.

Next steps