Configure attack surface reduction capabilities


Defender for Endpoint includes several attack surface reduction capabilities. To learn more, see Overview of attack surface reduction capabilities. To configure attack surface reduction in your environment, follow these steps:

  1. Enable hardware-based isolation for Microsoft Edge.
  2. Enable application control.
    1. Review base policies in Windows. See Example Base Policies.
    2. See the Windows Defender Application Control design guide.
    3. Refer to Deploying Windows Defender Application Control (WDAC) policies.
  3. Enable controlled folder access.
  4. Turn on network protection.
  5. Enable exploit protection.
  6. Configure attack surface reduction rules.
  7. Set up your network firewall.
    1. Get an overview of Windows Defender Firewall with Advanced Security.
    2. Use the Windows Defender Firewall design guide to decide how you want to design your firewall policies.
    3. Use the Windows Defender Firewall deployment guide to set up your organization's firewall with Advanced Security.

In most cases, you can configure attack surface reduction capabilities through any of several methods:

  • Microsoft Endpoint Manager (which now includes Microsoft Intune and Microsoft Endpoint Configuration Manager)
  • Group Policy
  • PowerShell cmdlets
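As an added example (not from this page), the PowerShell route for steps 3 to 6 above: the script stages network protection, controlled folder access, one ASR rule and a few exploit-protection mitigations, starting in audit mode where the cmdlets allow it so that false positives can be collected before enforcement, then reads back the resulting state. It assumes an elevated session on a device with the Defender and ProcessMitigations modules, and the rule ID shown is the documented one for "Block all Office applications from creating child processes" (verify it against Microsoft's published rule list).

```powershell
# Added example, not Microsoft's own code. Run in an elevated session.
# Assumption: Defender and ProcessMitigations PowerShell modules are present.
#Requires -RunAsAdministrator

# ASR rule "Block all Office applications from creating child processes".
# Assumption: confirm this ID against the published ASR rule reference.
$officeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Enable-AsrBaseline {
    # Network protection: block outbound connections to known-bad domains/IPs.
    Set-MpPreference -EnableNetworkProtection Enabled

    # Controlled folder access: audit first so denied writes are only logged,
    # which surfaces legitimate apps that need an allow entry before blocking.
    Set-MpPreference -EnableControlledFolderAccess AuditMode

    # ASR rule in AuditMode; switch to Enabled once audit events look clean.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $officeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions AuditMode

    # Exploit protection: system-wide memory mitigations.
    Set-ProcessMitigation -System -Enable DEP,SEHOP,BottomUp
}

function Get-AsrState {
    $pref = Get-MpPreference
    # Pair each configured rule ID with its action (0 = Off, 1 = Block, 2 = Audit).
    $rules = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $rules[$pref.AttackSurfaceReductionRules_Ids[$i]] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
    [pscustomobject]@{
        NetworkProtection      = $pref.EnableNetworkProtection      # 0 Off, 1 Block, 2 Audit
        ControlledFolderAccess = $pref.EnableControlledFolderAccess # 0 Off, 1 Block, 2 Audit
        AsrRules               = $rules
    }
}

Enable-AsrBaseline
Get-AsrState | Format-List
```

Audit results land in the Windows Defender operational event log, so review those events before flipping the controlled folder access and ASR rule actions to Enabled.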