Attack surface reduction policy for endpoint security in Intune

When Defender antivirus is in use on your Windows 10 devices, you can use Intune endpoint security policies for Attack surface reduction to manage those settings for your devices.

Attack surface reduction policies help reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. For more information, see Overview of attack surface reduction in the Windows Threat protection documentation.

Find the endpoint security policies for attack surface reduction under Manage in the Endpoint security node of the Microsoft Endpoint Manager admin center. Each attack surface reduction profile manages settings for a specific area of a Windows 10 device.

View settings for Attack surface reduction profiles.

Prerequisites for Attack surface reduction profiles

  • Windows 10 or later
  • Defender antivirus must be the primary antivirus on the device

Attack surface reduction profiles

Windows 10 profiles:

  • App and browser isolation – Manage settings for Windows Defender Application Guard (Application Guard), as part of Defender ATP. Application Guard helps to prevent old and newly emerging attacks and can isolate enterprise-defined sites as untrusted while defining what sites, cloud resources, and internal networks are trusted.

    To learn more, see Application Guard in the Microsoft Defender ATP documentation.

  • Web protection – Settings you can manage for Web protection in Microsoft Defender ATP configure network protection to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web protection stops web threats without a web proxy and can protect machines while they're away or on-premises. Web protection stops access to:

    • Phishing sites
    • Malware vectors
    • Exploit sites
    • Untrusted or low-reputation sites
    • Sites that you've blocked in your custom indicator list.

    To learn more, see Web protection in the Microsoft Defender ATP documentation.

  • Application control – Application control settings can help mitigate security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). Manage settings that can block unsigned scripts and MSIs, and restrict Windows PowerShell to run in Constrained Language Mode.

    To learn more, see Application Control in the Microsoft Defender ATP documentation.

  • Attack surface reduction rules – Configure settings for attack surface reduction rules that target behaviors that malware and malicious apps typically use to infect computers, including:

    • Executable files and scripts used in Office apps or web mail that attempt to download or run files
    • Obfuscated or otherwise suspicious scripts
    • Behaviors that apps don't usually start during normal day-to-day work

    Reducing your attack surface means offering attackers fewer ways to perform attacks.

    To learn more, see Attack surface reduction rules in the Microsoft Defender ATP documentation.
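    The following PowerShell is an added example and is not part of the Intune documentation or Microsoft's own tooling. It shows how to verify, on a single Windows 10 test device, which attack surface reduction rules are in force and in what mode, which also covers the network protection state behind the Web protection profile above. The three rule IDs in the lookup table are the published IDs for the behaviours listed in this section; the Add-MpPreference call is an assumption about how you would stage one rule in audit mode before enforcing it. On an Intune-managed device the profile settings are delivered as policy and may override or revert a local change, so treat the local cmdlets as a verification aid, not as the management path.

```powershell
# Added example (not from the Intune documentation): report the ASR rules
# configured on this device and their mode. Needs Defender antivirus as the
# primary AV and an elevated PowerShell session.

# Published rule IDs matching the behaviours described in this section.
# Any other ID returned by the device is shown as "(unlisted rule)".
$RuleNames = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

# Action codes as stored by Set-MpPreference / Add-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleReport {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    # Ids and Actions are parallel arrays: element i of one describes element i of the other.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = ([string]$ids[$i]).ToUpperInvariant()
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = if ($RuleNames.ContainsKey($id)) { $RuleNames[$id] } else { '(unlisted rule)' }
            Mode   = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { $code }
        }
    }
}

# Current rule state, then the network protection state used by Web protection
# (0 = Disabled, 1 = Enabled, 2 = Audit).
Get-AsrRuleReport | Format-Table -AutoSize
"Network protection: $((Get-MpPreference).EnableNetworkProtection)"

# Stage a rule in audit mode first. Audit hits are logged as event 1122 and
# block hits as event 1121 in Microsoft-Windows-Windows Defender/Operational,
# so you can check for business impact before switching the rule to Enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions AuditMode
```

    Because `AttackSurfaceReductionRules_Ids` and `AttackSurfaceReductionRules_Actions` are parallel arrays, the report walks them by index rather than assuming any ordering; a rule the device reports but the table does not know is still listed rather than dropped.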

  • Device control – With settings for device control, you can configure devices for a layered approach to secure removable media. Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices.

    To learn more, see How to control USB devices and other removable media using Microsoft Defender ATP in the Microsoft Defender ATP documentation.

  • Exploit protection – Exploit protection settings can help protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps.

    To learn more, see Enable exploit protection in the Microsoft Defender ATP documentation.
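    As an added example, not taken from the Intune documentation, the following PowerShell shows the two scopes the paragraph above describes: system-wide mitigations and per-app mitigations, inspected and set with the built-in ProcessMitigations cmdlets on a test device. The application name `LobApp.exe` is an assumption, as is the choice of mitigations to enable for it; the export at the end produces the XML form that an Exploit protection profile can be built from.

```powershell
# Added example (not from the Intune documentation): inspect and set exploit
# protection mitigations on a Windows 10 test device from an elevated prompt.

# System-wide defaults; these apply to every process unless a per-app entry overrides them.
Get-ProcessMitigation -System

# Per-app mitigations for a hypothetical line-of-business binary (name is an assumption).
$App = 'LobApp.exe'

# Enable mitigations that are generally safe for modern, ASLR-aware binaries:
# DEP, SEHOP, bottom-up and high-entropy ASLR, and Control Flow Guard.
Set-ProcessMitigation -Name $App -Enable DEP,SEHOP,BottomUp,HighEntropy,CFG

# Confirm what is now recorded for that process name.
Get-ProcessMitigation -Name $App

# Export the full configuration as XML for review or for building the
# Exploit protection profile that Intune pushes to managed devices.
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\ExploitProtectionSettings.xml"
```

    Setting mitigations per app rather than system-wide keeps the blast radius of a compatibility problem to that one binary; test each app with its mitigations before folding the exported XML into a profile that is assigned broadly.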

Next steps

Configure Endpoint security policies