Enable attack surface reduction rules
Attack surface reduction rules (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows:
- Windows 10 Pro, version 1709 or later
- Windows 10 Enterprise, version 1709 or later
- Windows Server, version 1803 (Semi-Annual Channel) or later
- Windows Server 2019
Each ASR rule can be set to one of three states:
- Not configured: Disable the ASR rule
- Block: Enable the ASR rule
- Audit: Evaluate how the ASR rule would impact your organization if enabled
To use ASR rules, you must have a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
You can enable attack surface reduction rules by using any of these methods:
- Microsoft Intune
- Mobile Device Management (MDM)
- Microsoft Endpoint Configuration Manager
- Group Policy
- PowerShell
Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
Exclude files and folders from ASR rules
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
You can also prevent ASR rules from triggering on specific files by allowing them through Microsoft Defender ATP file-hash and certificate indicators. (See Manage indicators.)
Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. If ASR rules are detecting files that you believe shouldn't be detected, you should use audit mode first to test the rule.
You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
ASR rules support environment variables and wildcards. For information about using wildcards, see Use wildcards in the file name and folder path or extension exclusion lists.
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
Intune
In Microsoft Intune, select Device configuration > Profiles. Choose an existing endpoint protection profile or create a new one. To create a new one, select Create profile and enter information for this profile. For Profile type, select Endpoint protection. If you've chosen an existing profile, select Properties and then select Settings.
In the Endpoint protection pane, select Windows Defender Exploit Guard, then select Attack Surface Reduction. Select the desired setting for each ASR rule.
Under Attack Surface Reduction exceptions, you can enter individual files and folders, or you can select Import to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
Select OK on the three configuration panes and then select Create if you're creating a new endpoint protection profile or Save if you're editing an existing one.
MDM
Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules configuration service provider (CSP) to individually enable and set the mode for each rule.
The following is a sample for reference, using GUID values for ASR rules.
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
The values to enable, disable, or enable in audit mode are:
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions configuration service provider (CSP) to add exclusions.
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
Be sure to enter OMA-URI values without spaces.
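The following is an added example, not code from the original page or from Microsoft: it builds the value strings for the two CSP nodes above from a table of rule GUIDs and states, and rejects anything that would produce an invalid value. It assumes the Defender CSP's value format, which this page does not spell out: AttackSurfaceReductionRules takes rule GUID=state pairs and AttackSurfaceReductionOnlyExclusions takes paths, each list joined with "|". The state codes are the page's 0/1/2. The rule GUIDs are taken from Microsoft's published ASR rule list rather than from this page, and the paths are constructed samples; verify both against current documentation before deploying.

```powershell
# Added example: build OMA-URI values for the Defender CSP ASR nodes.
# Format assumption (from the Defender CSP documentation, not this page):
#   AttackSurfaceReductionRules          = "<GUID>=<state>|<GUID>=<state>..."
#   AttackSurfaceReductionOnlyExclusions = "<path>|<path>..."

# Rule GUIDs from Microsoft's published ASR rule list; verify before use.
$Rules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 1  # Block all Office apps from creating child processes: block
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 1  # Block credential stealing from LSASS: block
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 2  # Block execution of potentially obfuscated scripts: audit
}

# Constructed sample exclusions. Environment variables and wildcards are
# expanded by Defender, so they are passed through literally.
$Exclusions = @(
    'C:\ProgramData\Contoso\Updater\updater.exe',
    '%ProgramData%\Contoso\Scripts\*.ps1'
)

function New-AsrRulesOmaValue {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$RuleStates)
    $pairs = foreach ($entry in $RuleStates.GetEnumerator()) {
        $id = ([string]$entry.Key).Trim()
        $parsed = [guid]::Empty
        # Only well-formed GUIDs and the three states the page lists are accepted.
        if (-not [guid]::TryParse($id, [ref]$parsed)) { throw "Not a rule GUID: $id" }
        if ($entry.Value -notin 0, 1, 2)               { throw "State for $id must be 0 (disable), 1 (block) or 2 (audit)" }
        '{0}={1}' -f $id.ToUpper(), [int]$entry.Value
    }
    $value = $pairs -join '|'
    # The page warns that OMA-URI values must contain no spaces.
    if ($value -match '\s') { throw "Rules value must not contain whitespace: $value" }
    $value
}

function New-AsrExclusionsOmaValue {
    param([Parameter(Mandatory)][string[]]$Paths)
    $clean = foreach ($p in $Paths) {
        $t = $p.Trim()
        # "|" is the list separator, so a path containing it cannot be expressed here.
        if ($t.Contains('|')) { throw "Path cannot contain '|': $t" }
        $t
    }
    $clean -join '|'
}

# Emit the two OMA-URI settings ready to paste into the MDM profile.
"OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules"
"Value:   $(New-AsrRulesOmaValue -RuleStates $Rules)"
"OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions"
"Value:   $(New-AsrExclusionsOmaValue -Paths $Exclusions)"
```

Keeping the rule table in one place and generating the string from it avoids the two mistakes that silently break a CSP deployment: a stray space around "=" or "|", and a state value outside 0, 1, 2.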
Microsoft Endpoint Configuration Manager
In Microsoft Endpoint Configuration Manager, click Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard.
Click Home > Create Exploit Guard Policy.
Enter a name and a description, click Attack Surface Reduction, and click Next.
Choose which rules will block or audit actions and click Next.
Review the settings and click Next to create the policy.
After the policy is created, click Close.
Group Policy
If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction.
Select Configure Attack surface reduction rules and select Enabled. You can then set the individual state for each rule in the options section.
Click Show... and enter the rule ID in the Value name column and your desired state in the Value column as follows:
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
To exclude files and folders from ASR rules, select the Exclude files and paths from Attack surface reduction rules setting and set the option to Enabled. Click Show and enter each file or folder in the Value name column. Enter 0 in the Value column for each item.
Do not use quotes as they are not supported for either the Value name column or the Value column.
PowerShell
If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator.
Enter the following cmdlet:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
To enable ASR rules in audit mode, use the following cmdlet:
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
To turn off ASR rules, use the following cmdlet:
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled
You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list.
In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
You can also use the Add-MpPreference PowerShell verb to add new rules to the existing list. Set-MpPreference will always overwrite the existing set of rules. If you want to add to the existing set, you should use Add-MpPreference instead. You can obtain a list of rules and their current state by using Get-MpPreference.
To exclude files and folders from ASR rules, use the following cmdlet:
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
Continue to use Add-MpPreference -AttackSurfaceReductionOnlyExclusions to add more files and folders to the list. Use Add-MpPreference to append to the list; using the Set-MpPreference cmdlet will overwrite the existing list.
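The following is an added example that ties the PowerShell steps above together; it is not code from the original page or from Microsoft. It rolls a set of rules out in audit mode with Add-MpPreference (so rules that are already configured survive, which Set-MpPreference would not guarantee), records the before and after state from Get-MpPreference, adds exclusions, and pulls the resulting audit events so an E3 customer can do their own reporting. It assumes an elevated prompt on a device running Microsoft Defender Antivirus. The rule GUIDs are taken from Microsoft's published ASR rule list, and the event IDs (1121 block, 1122 audit, in the Microsoft-Windows-Windows Defender/Operational log) from Defender's event documentation; neither appears on this page, so verify them before relying on them. The paths are constructed samples.

```powershell
# Added example: audit-mode rollout of ASR rules with before/after reporting.
# Assumptions not stated on this page: rule GUIDs from Microsoft's ASR rule
# list; event IDs 1121 (block) and 1122 (audit) in the Defender Operational log.
#Requires -RunAsAdministrator

# Numeric codes returned by Get-MpPreference in AttackSurfaceReductionRules_Actions.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Get-AsrState {
    # Returns a hashtable of rule GUID (upper case) -> action name for this device.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })  # 0 is a valid code
    $state = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        $name = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
        $state[([string]$ids[$i]).ToUpper()] = $name
    }
    $state
}

function Set-AsrAuditBaseline {
    param(
        [Parameter(Mandatory)][string[]]$RuleIds,
        [string[]]$Exclusions = @(),
        [switch]$DryRun
    )
    $before = Get-AsrState
    foreach ($id in $RuleIds) {
        $id = $id.Trim().ToUpper()
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$parsed)) { throw "Not a rule GUID: $id" }
        if ($before[$id] -eq 'Enabled') {
            # Never downgrade a rule that is already blocking to audit.
            Write-Host "Skipping $id (already in block mode)"
            continue
        }
        if ($DryRun) { Write-Host "Would set $id to AuditMode"; continue }
        # Add-MpPreference adds or updates only this rule; Set-MpPreference
        # would replace the whole AttackSurfaceReductionRules_Ids list.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
    foreach ($path in $Exclusions) {
        if ($DryRun) { Write-Host "Would exclude $path"; continue }
        # Pass %VAR% paths single-quoted so Defender, not PowerShell, expands them.
        # The exclusion only takes effect the next time the excluded process starts.
        Add-MpPreference -AttackSurfaceReductionOnlyExclusions $path
    }
    $after = Get-AsrState
    # One object per rule whose state changed, for logging or change review.
    foreach ($id in (@($before.Keys) + @($after.Keys) | Sort-Object -Unique)) {
        if ($before[$id] -ne $after[$id]) {
            [pscustomobject]@{ RuleId = $id; Before = $before[$id]; After = $after[$id] }
        }
    }
}

function Get-AsrEvents {
    # Pulls block (1121) and audit (1122) events from the last N hours.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $mode = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        # The rule ID and target path are in the message text; the whole message
        # is kept so the field layout can be mapped per Defender build.
        [pscustomobject]@{ Time = $_.TimeCreated; Mode = $mode; Detail = $_.Message }
    }
}

# Usage with a constructed rule set and exclusion; drop -DryRun to apply.
$rules = @(
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',  # Block all Office applications from creating child processes
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'   # Block execution of potentially obfuscated scripts
)
Set-AsrAuditBaseline -RuleIds $rules -Exclusions @('%ProgramData%\Contoso\Updater\updater.exe') -DryRun
Get-AsrEvents -Hours 24 | Format-Table -AutoSize
```

Run it with -DryRun first on a representative device, then without, and leave the rules in audit mode long enough for Get-AsrEvents to show which legitimate processes would have been blocked before switching any rule to block.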