Configure attack surface reduction in Microsoft Defender using Group Policy or PowerShell
Common entry points for attackers include email attachments that carry malicious code, whether scripts, executables, or Office documents with macros. Web browsers are another prominent point of attack, as are widely used programs such as Adobe Reader, in which vulnerabilities surface regularly.
Complement to app-specific measures
On top of the measures admins can take by configuring the applications themselves, Defender provides an additional layer of protection. Office macros, for example, can be tamed to a large extent with group policies, and the rules for reducing the attack surface (Attack Surface Reduction, or ASR) lock them down further.
For example, Office can be prevented from generating executable content, injecting code into other processes, or creating child processes. The latter can also be enforced for Adobe Reader. And Defender can block executable content if it enters the computer via a mail client.
The rule "Use advanced protection against ransomware" is also interesting. It uses client and cloud heuristics to decide whether a suspicious file resembles ransomware, and it leaves alone files that the Microsoft cloud has already found harmless, that are prevalent enough not to be considered ransomware, or that are validly signed. The rule therefore requires cloud-delivered protection to be active.

Advanced ransomware protection requires data from the Microsoft cloud
Limited management options
Attack surface reduction is not only included in paid products such as Defender for Endpoint; it is also part of Windows 10/11 and Windows Server, although some rules are not supported on older versions. One prerequisite applies everywhere: the rules are enforced by Microsoft Defender Antivirus, so it must be the active antivirus with real-time protection turned on. If a third-party antivirus has put Defender into passive mode, the ASR rules do nothing.
The major drawback of the free version is its limited options for management and reporting. There is no GUI for ASR in the Windows Security app at all; rule administration is handled via group policies or PowerShell, and both are limited to enabling, auditing, or disabling individual rules, plus an optional list of files and directories to exclude.
Evaluation using audit mode
None of the ASR rules is enabled by default. Before turning any on, admins should review the list and decide which rules suit their environment.
There is no need to switch a rule to blocking mode right away: run it in audit mode first and observe, via the event log, what it would have blocked.
Manage ASR via PowerShell
If you need the current status of the ASR rules, PowerShell handles this task:

```powershell
Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

This command shows which rules have been configured and what their status is. However, you do not get their names, only GUIDs. The table at the end of this post can be used to resolve them.
The values 0, 1, 2, and 6 encode the status ("Actions"): 0 stands for disabled, 1 for enabled (block), 2 for audit mode (the rule only logs when it would have fired), and 6 for warn mode, where users receive a notification about the possible danger but can bypass the block.

Query status of ASR empty by default and add a new rule for Adobe Reader
If you want to configure rules, the Set-MpPreference cmdlet accepts the constants Disabled, Enabled, AuditMode, and Warn for the parameter AttackSurfaceReductionRules_Actions instead of these numeric values. Additionally, you pass the GUID of the rule to AttackSurfaceReductionRules_Ids. Note that Set-MpPreference replaces the entire rule list with what you pass in; to add a single rule without touching the others, use Add-MpPreference with the same two parameters, and use Remove-MpPreference to drop one.
For example, to prevent Adobe Reader from starting child processes, use PowerShell as follows:

```powershell
Set-MpPreference `
    -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c `
    -AttackSurfaceReductionRules_Actions Enabled
```

To define exclusions for directories and files, invoke Set-MpPreference as follows (the path is purely illustrative; an exclusion this broad would exempt everything under the Windows directory, including writable locations such as Temp, so keep real exclusions as narrow as possible):

```powershell
Set-MpPreference -AttackSurfaceReductionOnlyExclusions "c:\windows"
```

You can then query the status of this property using the following command:

```powershell
Get-MpPreference | select AttackSurfaceReductionOnlyExclusions
```
Manage exclusions for ASR rules with PowerShell
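The following script is an added example, not code from the article: it stages a handful of rules in audit mode with Add-MpPreference (so existing rules survive, unlike with Set-MpPreference) and then pairs the two parallel arrays that Get-MpPreference returns into one readable object per rule, with names taken from the matrix at the end of this post. The function names and the subset of rules chosen are my own.

```powershell
# Added example (not from the article): stage a set of ASR rules in audit mode with
# Add-MpPreference, then list the effective state with rule names instead of bare GUIDs.
# Run in an elevated PowerShell session on a machine where Microsoft Defender Antivirus
# is the active antivirus.

# GUID -> name, copied from the matrix at the end of this post (extend as needed)
$AsrRuleNames = @{
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Numeric action codes as returned by Get-MpPreference
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Get-MpPreference returns two parallel arrays (IDs and actions); pair them up
    # into one object per rule so the output is readable.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = $ids[$i].ToString().ToLower()
        $code = [int]$actions[$i]
        [pscustomobject]@{
            Name   = if ($AsrRuleNames.ContainsKey($id)) { $AsrRuleNames[$id] } else { '(not in local name map)' }
            Action = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown ($code)" }
            RuleId = $id
        }
    }
}

function Enable-AsrRulesInAuditMode {
    param([Parameter(Mandatory)][string[]]$RuleIds)
    # Add-MpPreference appends to (or updates) the configured rule list. Set-MpPreference with
    # -AttackSurfaceReductionRules_Ids would replace the whole list with what you pass in.
    foreach ($id in $RuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}

# Stage the Office- and mail-related rules for evaluation, then show what Defender reports.
Enable-AsrRulesInAuditMode -RuleIds @(
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
    '3b576869-a4ec-4529-8536-b80a7769e899',
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84',
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b',
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
)
Get-AsrRuleState | Sort-Object Name | Format-Table Name, Action, RuleId -AutoSize
```

Once the audit phase is over, the same function can be re-run with `Enabled` in place of `AuditMode` for the rules that produced no unwanted hits; rules that are not listed by Get-AsrRuleState at all are simply not configured, which is equivalent to disabled.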
Configure ASR rules using group policies
Two settings are available in the group policies for the central management of ASR: one for enabling/disabling rules and the other for defining exclusions.
Both are located under Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction.
Instead of enabling a separate option for each rule, you use one common setting for all of them ("Configure Attack Surface Reduction rules"). There, you enter the GUID of each rule (see the matrix at the end of this post) as the value name and the numeric action as the value.

Enter the GUID for an ASR rule and the numeric action (Disable 0, Block 1, Audit 2, Warn 6) in the GPO setting
To set up exclusions for directories and files, configure the other setting in this folder ("Exclude files and paths from Attack Surface Reduction Rules"). Here, too, you fill in a table: each path goes in as a value name, and the value in the right-hand column is always 0.

Define ASR exclusions via group policies
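Because the GPO editor accepts any text in the GUID table, a typo silently produces a rule that never applies. The following script is an added example, not part of the article: it reads the values the two GPO settings write to the client's policy registry and flags unknown GUIDs, action values outside 0/1/2/6, and exclusions that are broad enough to undermine the rules (the article's illustrative "c:\windows" exclusion would be flagged). The registry paths are my assumption from the ADMX templates; confirm them with gpresult on your build.

```powershell
# Added example (not from the article): lint the ASR policy a GPO has delivered to a client.
# It reads the registry values the two GPO settings write (paths are an assumption based on
# the ADMX; confirm with "gpresult /h report.html" on your build) and flags typos in the GUID
# table, action values outside 0/1/2/6, and exclusions broad enough to neuter the rules.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'

# All rule GUIDs from the matrix at the end of this post
$KnownRules = @(
    '56a863a9-875e-4185-98a7-b882c64b5ce5', '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a', '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550', '01443614-cd74-433a-b99e-2ecdc07bfc25',
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc', 'd3e037e1-3eb8-44c8-a917-57927947596d',
    '3b576869-a4ec-4529-8536-b80a7769e899', '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84',
    '26190899-1602-49e8-8b27-eb1d0a1ce869', 'e6db77e5-3df2-4cf1-b95a-636979351e5b',
    'd1e49aac-8f56-4280-b9ba-993a6d77406c', 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b', 'c1db55ab-c21a-4637-bb3f-a12568109d35'
)
$ValidActions = 0, 1, 2, 6

# Exclusions at these scopes exempt far more than one misbehaving application
$BroadExclusionPatterns = @(
    '^[a-z]:\\?$',            # a whole drive
    '^[a-z]:\\windows\\?$',   # all of %SystemRoot%, including writable Temp and Tasks
    '^[a-z]:\\users\\?$',     # every user profile
    '^[a-z]:\\programdata\\?$',
    '\\temp\\?$'              # any Temp folder, the classic malware staging area
)

function New-Finding([string]$Severity, [string]$Item, [string]$Text) {
    [pscustomobject]@{ Severity = $Severity; Item = $Item; Finding = $Text }
}

function Test-AsrPolicy {
    $rulesKey = Join-Path $PolicyRoot 'Rules'
    $exclKey  = Join-Path $PolicyRoot 'ASROnlyExclusions'

    if (-not (Test-Path $rulesKey)) {
        New-Finding 'Error' $rulesKey 'No ASR rules delivered by policy (check gpupdate /force and gpresult)'
        return
    }
    $rules = Get-Item $rulesKey
    foreach ($guid in $rules.GetValueNames()) {
        $raw = [string]$rules.GetValue($guid)
        if ($KnownRules -notcontains $guid.ToLower()) {
            New-Finding 'Warning' $guid 'GUID is not a known ASR rule (typo in the GPO table?)'
        }
        $code = 0
        if (-not [int]::TryParse($raw, [ref]$code) -or $ValidActions -notcontains $code) {
            New-Finding 'Error' $guid "Action value '$raw' is not one of 0 (disable), 1 (block), 2 (audit), 6 (warn)"
        }
    }
    if (Test-Path $exclKey) {
        foreach ($path in (Get-Item $exclKey).GetValueNames()) {
            foreach ($pattern in $BroadExclusionPatterns) {
                if ($path -match $pattern) {
                    New-Finding 'Warning' $path 'Exclusion is broad enough to bypass ASR for anything dropped there'
                    break
                }
            }
        }
    }
}

$findings = @(Test-AsrPolicy)
if ($findings.Count -eq 0) { 'ASR policy looks consistent.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Run it on a client after gpupdate. Comparing its output with Get-MpPreference on the same machine also tells you whether the policy has actually been picked up by Defender, since policy values in the registry and the effective configuration can differ while a refresh is pending.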
Monitor ASR in the event log
Since the built-in tools provide no reporting for ASR, you are left with evaluating the logs. Defender writes them to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational.
The following IDs are of interest here:
| Event ID | Description |
|---|---|
| 5007 | Event when settings are changed |
| 1121 | Event when rule fires in block mode |
| 1122 | Event when rule fires in audit mode |
To monitor these events, you can create a custom view in the Event Viewer.

Event log for Windows Defender
Alternatively, you can query the log entries with PowerShell:
```powershell
# Filter by event ID on the log provider side rather than pulling every record and
# filtering afterwards; the IDs are 5007 (settings changed), 1121 (block), 1122 (audit).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007, 1121, 1122
}
```

Conclusion
Reducing the attack surface can make an important contribution to the security of the most exposed applications. The feature is included with all current Windows versions but is not enabled by default.
If you don't want to use a paid service such as Defender for Endpoint, a management tool such as ConfigMgr, or a third-party product, you are limited to managing ASR with group policies and PowerShell. Notably, reasonable reporting capabilities are lacking.
If you introduce ASR in the company, start with audit mode and use the event log to study the effects the rules would have in practice. Only when no major impairment of users is to be expected should you switch them to block mode.
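The audit-phase review recommended above, as an added example that is not part of the article: the script turns the 1121/1122 events into a per-rule impact report (event count, number of affected users, the most frequent paths), which is what you need to decide whether a rule can go to block mode or first needs an exclusion. The EventData field names it reads ("ID", "Path", "Process Name", "User") are my assumption from how these events render in Event Viewer; a field that is absent simply comes back empty. Function names and the small GUID-to-name map are mine.

```powershell
# Added example (not from the article): turn the audit-phase event log into a per-rule
# impact report so you can decide which rules are safe to switch to block mode.
# The EventData field names used below ("ID", "Path", "Process Name", "User") are an
# assumption taken from how events 1121/1122 render in Event Viewer; unknown fields
# simply come back empty rather than breaking the report.

# A few GUID -> name entries; extend from the matrix at the end of this post
$AsrRuleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
}

function ConvertFrom-AsrEvent {
    # Flattens one 1121/1122 event record into an object with the fields we care about.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = [string]$d.'#text' }
        }
        $ruleId = ([string]$data['ID'] -replace '[{}]', '').ToLower()
        [pscustomobject]@{
            Time    = $Record.TimeCreated
            Mode    = if ($Record.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $ruleId
            Rule    = if ($AsrRuleNames.ContainsKey($ruleId)) { $AsrRuleNames[$ruleId] } else { $ruleId }
            Process = $data['Process Name']
            Path    = $data['Path']
            User    = $data['User']
        }
    }
}

function Get-AsrImpactReport {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # FilterHashtable pushes the ID/time filter into the event log API instead of
    # reading every record and filtering in PowerShell.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ConvertFrom-AsrEvent |
        Group-Object Rule, Mode |
        ForEach-Object {
            $top = $_.Group | Group-Object Path | Sort-Object Count -Descending | Select-Object -First 3
            [pscustomobject]@{
                Rule     = $_.Group[0].Rule
                Mode     = $_.Group[0].Mode
                Events   = $_.Count
                Users    = @($_.Group | ForEach-Object User | Sort-Object -Unique).Count
                TopPaths = ($top | ForEach-Object { "$($_.Name) ($($_.Count))" }) -join '; '
            }
        } |
        Sort-Object Events -Descending
}

# A rule with many audit hits spread over many users needs exclusions or a rethink before
# going to block mode; a rule with zero audit hits in a week is a safe candidate to enforce.
Get-AsrImpactReport | Format-Table -AutoSize -Wrap
```

Treat the TopPaths column as the exclusion candidate list, but review each path: a line-of-business add-in spawning cmd.exe from Excel on one machine is a different conversation from a macro doing the same thing across the whole sales department.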
ASR rule to GUID matrix
| Rule name | Rule GUID |
|---|---|
| Block abuse of exploited vulnerable signed drivers | 56a863a9-875e-4185-98a7-b882c64b5ce5 |
| Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c |
| Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a |
| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 |
| Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 |
| Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 |
| Block execution of potentially obfuscated scripts | 5beb7efe-fd9a-4556-801d-275e5ffc04cc |
| Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d |
| Block Office applications from creating executable content | 3b576869-a4ec-4529-8536-b80a7769e899 |
| Block Office applications from injecting code into other processes | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 |
| Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 |
| Block persistence through WMI event subscription (file and folder exclusions not supported) | e6db77e5-3df2-4cf1-b95a-636979351e5b |
| Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c |
| Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 |
| Block Win32 API calls from Office macros | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b |
| Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 |