Attack Surface Reduction (ASR) in 10 Minutes: Practical Rollout for Windows

Summary: ASR rules in Microsoft Defender block high‑risk behaviors (e.g., Office spawning child processes). Start in Audit, review impact, then move to Block with narrow exclusions where truly necessary. Below are step‑by‑step navigation paths and clean command blocks.

What ASR does

ASR stops behaviors that malware relies on (Office → cmd.exe / powershell.exe, macros calling Win32 APIs, executables launched from mail). Because it targets behavior rather than specific files, it helps against new and obfuscated threats.

Choose your management path

Pick the approach that fits your environment. You can mix: PowerShell for quick pilots, Intune or GPO for policy.

1) Local PowerShell (works on any device running Microsoft Defender Antivirus; best for pilots and single machines)

  • Open Windows PowerShell as Administrator.

  • Use Get-MpPreference to inspect, and Add‑/Set‑/Remove‑MpPreference to change rules.

  • Prefer AttackSurfaceReductionOnlyExclusions for narrow ASR‑only exceptions.

Commands — see current state

Get-MpPreference |
  Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
                AttackSurfaceReductionOnlyExclusions

Commands — enable pilot in Audit

$ids = @(
  'd4f940ab-401b-4efc-aadc-ad5f3c50688a', # Office child processes
  '3b576869-a4ec-4529-8536-b80a7769e899', # Office creates executables
  '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b', # Macro Win32 API calls
  'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550', # Executables from email/webmail
  'd1e49aac-8f56-4280-b9ba-993a6d77406c'  # PSExec/WMI originations
)
$acts = @('AuditMode','AuditMode','AuditMode','AuditMode','AuditMode')
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $acts
# Tip: Add‑MpPreference appends; Set‑MpPreference overwrites the full list.

Commands — add ASR‑only exclusions (example folder and file paths)

# Exclusions are file or folder paths (bare process names do not match). The paths below
# are placeholders. An ASR-only exclusion applies to every ASR rule on the device, not to
# one rule, but it does not exempt the file from Defender AV scanning. Keep it narrow.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions @(
  'C:\Program Files\ContosoApp\',
  'C:\Program Files\ContosoTool\contosotool.exe'
)

Commands — promote pilot to Block

# Set-MpPreference replaces the whole rule list, so $ids must contain every rule you want
# configured after this runs. To flip rules one at a time without touching the rest, use
# Add-MpPreference with the same parameters instead.
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions @(
  'Enabled','Enabled','Enabled','Enabled','Enabled'
)

Commands — rollback / disable

# Set one rule to Disabled (example: Office child processes). Use Add-MpPreference here: with an
# ID that is already configured it updates that rule's action in place, whereas Set-MpPreference
# would replace the entire rule list with this single entry.
Add-MpPreference -AttackSurfaceReductionRules_Ids 'd4f940ab-401b-4efc-aadc-ad5f3c50688a' -AttackSurfaceReductionRules_Actions Disabled

# Remove a rule from the configured list entirely (it goes back to not configured)
Remove-MpPreference -AttackSurfaceReductionRules_Ids 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
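The "see current state" and "promote pilot to Block" steps above are easier to get right with a small helper, since Get-MpPreference returns rule IDs and actions as two parallel arrays and Set-MpPreference overwrites the whole list. The following is an added example, not code from the original page or from Microsoft: the function names and the friendly-name map are this example's own, the GUIDs are the page's five starter rules, and it assumes an elevated Windows PowerShell session on a device where Microsoft Defender Antivirus is active.

```powershell
# Added example (not from the original page): show ASR rule state as one table and
# promote pilot rules from Audit to Block one rule at a time. Function names and the
# name map below are this example's own; the GUIDs are the page's starter rules.

$AsrRuleNames = @{
  'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Office apps creating child processes'
  '3b576869-a4ec-4529-8536-b80a7769e899' = 'Office apps creating executable content'
  '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Win32 API calls from Office macros'
  'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Executable content from email/webmail'
  'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Process creations from PSExec/WMI'
}
# Action codes as Get-MpPreference reports them (the same numbers GPO uses).
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
  # Get-MpPreference returns two parallel arrays; pair them up by index.
  $pref = Get-MpPreference
  $ids  = @($pref.AttackSurfaceReductionRules_Ids)
  $acts = @($pref.AttackSurfaceReductionRules_Actions)
  for ($i = 0; $i -lt $ids.Count; $i++) {
    $id   = ([string]$ids[$i]).ToLower()
    $code = [int]$acts[$i]
    $name = '(rule not in starter set)'
    if ($AsrRuleNames.ContainsKey($id)) { $name = $AsrRuleNames[$id] }
    $action = "Unknown($code)"
    if ($AsrActionNames.ContainsKey($code)) { $action = $AsrActionNames[$code] }
    [pscustomobject]@{ RuleId = $id; Name = $name; Code = $code; Action = $action }
  }
}

function Invoke-AsrPilotPromotion {
  param(
    [Parameter(Mandatory = $true)][string[]]$RuleIds,
    [switch]$DryRun
  )
  # Promote only rules that are currently in Audit. Add-MpPreference with an ID that is
  # already configured updates that rule's action in place and leaves every other rule
  # as it is, whereas Set-MpPreference replaces the whole list.
  $state = Get-AsrRuleState
  foreach ($id in $RuleIds) {
    $wanted = $id.ToLower()
    $row = $state | Where-Object { $_.RuleId -eq $wanted }
    if (-not $row) { Write-Warning "$wanted is not configured on this device; skipping."; continue }
    if ($row.Action -ne 'Audit') { Write-Host "$($row.Name): already $($row.Action); skipping."; continue }
    if ($DryRun) { Write-Host "Would set '$($row.Name)' to Block."; continue }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $wanted -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "$($row.Name): Audit -> Block"
  }
  # Re-read so the caller sees the state Defender actually applied.
  Get-AsrRuleState | Where-Object { $RuleIds -contains $_.RuleId } | Format-Table -AutoSize
}

# Usage
Get-AsrRuleState | Format-Table -AutoSize
Invoke-AsrPilotPromotion -RuleIds @($AsrRuleNames.Keys) -DryRun   # dry run first
# Invoke-AsrPilotPromotion -RuleIds @($AsrRuleNames.Keys)        # then for real
```

Run the dry run first and check the table: a rule that is already Block or Disabled is left alone, and a rule that is not configured on the device is reported rather than silently added.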

2) Group Policy (on‑prem GPO or local gpedit)

  • Open gpmc.msc (domain) or gpedit.msc (local).

  • Navigate: Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Microsoft Defender Exploit Guard → Attack surface reduction.

  • Open Configure Attack surface reduction rules → set Enabled → Show… → enter each rule GUID as the value name and the action as the value data (0 Off, 1 Block, 2 Audit, 6 Warn where the rule supports it).

  • Exclusions: Exclude files and paths from Attack surface reduction Rules (same folder) → set Enabled → Show… → each file or folder path as the value name with value data 0. This is the same list PowerShell exposes as AttackSurfaceReductionOnlyExclusions; keep entries as specific as possible.

3) Microsoft Intune (cloud‑managed)

  • Intune admin center → Endpoint security → Attack surface reduction.

  • Create policy → Platform: Windows 10 and later → Profile: Attack surface reduction rules.

  • Set rule states to Audit (pilot) or Block (after review). Assign to a pilot group first.

  • Exclusions: in the same Attack surface reduction rules profile, set Attack Surface Reduction Only Exclusions (file or folder paths). Antivirus exclusions (Endpoint security → Antivirus → Create policy → Microsoft Defender Antivirus exclusions: paths, processes, extensions) are broader and also exempt files from AV scanning, so do not use them just to quiet an ASR rule. Use targeted paths; avoid broad folders.

4) Microsoft Defender portal (visibility)

  • security.microsoft.com → Reports → Attack surface reduction rules shows detections, per-device configuration and exclusions; Settings → Endpoints → Attack surface reduction → Rules shows current state.

  • Use Advanced hunting and Alerts to validate effect. Policy itself should come from Intune or GPO.

Starter set (begin in Audit)

  • Office applications creating child processes — d4f940ab-401b-4efc-aadc-ad5f3c50688a

  • Office applications creating executable content — 3b576869-a4ec-4529-8536-b80a7769e899

  • Win32 API calls from Office macros — 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

  • Executable content from email client and webmail — be9ba2d9-53ea-4cdc-84e5-9b1eeee46550

  • Process creations originating from PSExec and WMI — d1e49aac-8f56-4280-b9ba-993a6d77406c

Where to read events and confirm impact

Local Event Viewer

  • Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational.

  • Event 1122 = would‑block (Audit). Event 1121 = blocked.

  • Open an event to see the rule GUID (the ID field), the target file (Path) and the initiating process (Process Name); the rule GUID is what you match against the starter set above.
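Reading events one at a time in Event Viewer does not scale to a pilot group, so the following added example (not code from the original page or from Microsoft) pulls 1121 and 1122 events out of the local Defender Operational log and summarises them by rule and initiating process. It assumes the EventData field names "ID", "Path", "Process Name" and "User" as they appear in Defender Operational events; the function name and the five-entry name map are this example's own.

```powershell
# Added example (not from the original page): summarise ASR audit (1122) and block (1121)
# events from the local Defender Operational log by rule and initiating process.
# Assumed EventData field names: "ID", "Path", "Process Name", "User".

$AsrRuleNames = @{
  'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Office child processes'
  '3b576869-a4ec-4529-8536-b80a7769e899' = 'Office creates executables'
  '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Macro Win32 API calls'
  'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Executables from email/webmail'
  'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'PSExec/WMI originations'
}

function Get-AsrEventSummary {
  param(
    [int]$Days = 7,
    [ValidateSet('Audit', 'Block', 'Both')][string]$Mode = 'Both'
  )
  $eventIds = switch ($Mode) { 'Audit' { 1122 } 'Block' { 1121 } default { 1121, 1122 } }
  $filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $eventIds
    StartTime = (Get-Date).AddDays(-$Days)
  }
  # Get-WinEvent errors when nothing matches; treat that as an empty result.
  $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
  if ($events.Count -eq 0) { Write-Host "No ASR events in the last $Days day(s)."; return }

  $rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
      if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    $ruleId = "$($data['ID'])".ToLower()
    $name = $ruleId
    if ($AsrRuleNames.ContainsKey($ruleId)) { $name = $AsrRuleNames[$ruleId] }
    $modeLabel = 'Audit'
    if ($e.Id -eq 1121) { $modeLabel = 'Block' }
    [pscustomobject]@{
      Time    = $e.TimeCreated
      Mode    = $modeLabel
      Rule    = $name
      Process = $data['Process Name']   # initiating process (e.g. WINWORD.EXE)
      Target  = $data['Path']           # what it tried to launch or write
      User    = $data['User']
    }
  }

  # One row per rule/mode/process with a count and the most recent target seen.
  $rows |
    Group-Object Rule, Mode, Process |
    ForEach-Object {
      $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
      [pscustomobject]@{
        Rule     = $latest.Rule
        Mode     = $latest.Mode
        Process  = $latest.Process
        Count    = $_.Count
        LastSeen = $latest.Time
        Example  = $latest.Target
      }
    } |
    Sort-Object Count -Descending
}

# Usage: the review step between Audit and Block.
Get-AsrEventSummary -Days 14 -Mode Audit | Format-Table -AutoSize
# Get-AsrEventSummary -Days 14 | Export-Csv .\asr-events.csv -NoTypeInformation
```

A process that shows up repeatedly with a Target you recognise as a line-of-business tool is an exclusion candidate; an Office process spawning cmd.exe or powershell.exe with an unfamiliar target is the rule doing its job and should stay blocked.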

Defender portal — Advanced hunting (quick starts)

Overview

DeviceEvents
| where ActionType startswith "Asr"
| summarize count() by ActionType
| order by count_ desc

Focus on Office child‑process attempts

DeviceEvents
| where ActionType in~ ("AsrOfficeChildProcessAudited","AsrOfficeChildProcessBlocked")
| summarize Attempts = count() by DeviceName, ActionType
| order by Attempts desc

Moving from Audit to Block (with navigation)

Group Policy

  • Same GPO path → Configure Attack surface reduction rules → change Action values from 2 (Audit) to 1 (Block) for pilot rules.

  • Refresh policy (gpupdate /force) on pilot machines. Confirm Event 1121 during testing.

Intune

  • Endpoint security → Attack surface reduction → open your policy → flip rules from Audit to Block → Save.

  • Wait for device check‑in (or Sync). Validate via Advanced hunting and Event Viewer.

When to use Warn

Some rules support Warn. In Intune, set the rule to Warn; in GPO, use Action 6. The user sees a toast and can choose to unblock the content, after which it is allowed to run for 24 hours before the block resumes. Use sparingly, and keep reviewing the events: Warn is a pressure valve for a rollout, not a long‑term state.

Operational tips

Keep Microsoft Defender Antivirus in Active mode (ASR rules do not apply when Defender is in passive mode behind another AV). Keep the Defender platform and engine updates current. Prefer specific file‑path exclusions, or per‑rule exclusions where the rule supports them, over broad folder exclusions. Review exclusions quarterly and retire unused ones.
