HOW-TO GUIDE | ENDPOINT SECURITY
Updated 12 min read

How to Configure Microsoft Defender for Endpoint Attack Surface Reduction Rules

Audit mode
ASR audit mode logs rule matches as Event ID 1121/1122 without blocking: the required first step before enabling block mode; run audit for 2-4 weeks to identify legitimate applications that would be blocked before enforcing
Block mode
ASR block mode actively prevents the matched behavior and generates Event ID 1121: only enable after completing audit mode review and configuring necessary exclusions for legitimate business applications
16 ASR rules
Microsoft Defender for Endpoint includes 16 distinct ASR rules covering Office macro behavior, script execution, credential protection, ransomware-specific patterns, and network-based attack prevention
LSASS guard
ASR rule 'Block credential stealing from LSASS' (9e6c4e1f) directly prevents Mimikatz-style credential dumping by blocking unauthorized access to LSASS process memory: one of the highest-value individual rules

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Attack Surface Reduction rules are behavior-based endpoint controls built into Microsoft Defender for Endpoint that block specific techniques used in ransomware, fileless malware, and credential theft attacks. Unlike signature-based detection, ASR rules block behaviors: Office spawning PowerShell, scripts running from temp directories, processes accessing LSASS memory: regardless of whether the specific malware sample is known. The 2021 Conti ransomware group specifically documented which ASR rules they worked around, confirming they meaningfully blocked attack progress. This guide covers the deployment mechanics from audit mode through production enforcement.

Understand the Rule Identifier System

Each ASR rule has a GUID identifier, a friendly name, and three operating modes: Off, Audit, and Block. The GUIDs are used in Group Policy and PowerShell configuration. Key high-value rules and their GUIDs: Block Office applications from creating child processes: D4F940AB-401B-4EFC-AADC-AD5F3C50688A; Block credential stealing from LSASS: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B0; Block Office from injecting code into other processes: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84; Block execution of potentially obfuscated scripts: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC; Block JavaScript or VBScript from launching downloaded executable content: D3E037E1-3EB8-44C8-A917-57927947596D; Use advanced protection against ransomware: C1DB55AB-C21A-4637-BB3F-A12568109D35. Run Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions to see current configuration. Each element in _Ids corresponds positionally to _Actions (0=Off, 1=Block, 2=Audit, 6=Warn).

Enable Audit Mode via Intune

In Microsoft Intune: Endpoint Security > Attack Surface Reduction > Create Policy. Select Platform: Windows 10 and later, Profile: Attack Surface Reduction Rules. Configure each rule to 'Audit Mode' initially. Assign to a pilot group (250-500 endpoints across diverse job functions: cover finance, legal, IT, and executive users to capture application diversity). Sync takes up to 8 hours for Intune policy application. Verify receipt on a test endpoint: Get-MpPreference | Select AttackSurfaceReductionRules_Actions should show all 2s (Audit) for the rules you configured. For Group Policy deployment: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction. Enable 'Configure Attack Surface Reduction rules' and add each rule GUID with value 2 (Audit). Verify: auditpol /get /subcategory:"Audit Policy Change" and check Event ID 1122 in Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Review Audit Events and Identify Exclusions

ASR audit events appear in Event Viewer at Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational. Event ID 1122 = Audit (rule would have blocked), Event ID 1121 = Block (rule blocked). In Microsoft 365 Defender portal: Reports > Microsoft Defender Antivirus > Attack Surface Reduction Rules. Filter by rule and review the 'File' and 'Process' columns: these identify what would be blocked. Common legitimate applications that trigger ASR rules: Adobe Acrobat spawning JavaScript (Office child process rules), backup agents accessing LSASS, RMM tools running from temp directories, vulnerability scanners with obfuscated scripts. Use KQL in Microsoft 365 Defender Advanced Hunting:

DeviceEvents
| where ActionType startswith "AsrBlock"
| summarize Count=count() by FolderPath, FileName, InitiatingProcessFileName, bin(Timestamp, 1d)
| order by Count desc

Group by FolderPath to identify exclusion patterns: if a specific application directory consistently triggers a rule, that directory is the exclusion scope.

Configure Exclusions Correctly

ASR exclusions are path-based only: you cannot exclude by process name or hash for most rules. Exclusions apply to all ASR rules when a file in the excluded path is involved. Configure in Intune under the same ASR policy: 'Attack Surface Reduction Only Exclusions' field. Use the most specific path possible: C:\Program Files\VendorName\Application\specific-binary.exe rather than C:\Program Files\VendorName\. Never exclude entire directories like C:\Windows\Temp or C:\Users: this negates the protection. For Group Policy: Computer Configuration > Admin Templates > Windows Defender > Exploit Guard > ASR > Exclude files and paths. Warning: the LSASS protection rule (9E6C4E1F) handles exclusions differently: it uses a separate process exclusion list configured under AttackSurfaceReductionOnlyExclusions. Test exclusions in audit mode by verifying Event ID 1122 stops appearing for the excluded path before promoting to block mode.

Prioritize These Rules for Block Mode First

Not all ASR rules carry equal risk of business disruption. Promote these to Block mode first after audit review because they have low legitimate-use false positive rates and high attacker impact: (1) Block credential stealing from LSASS (9E6C4E1F): few legitimate applications access LSASS; (2) Block JavaScript/VBScript from launching downloaded executables (D3E037E1): no legitimate business process requires JS/VBS to download and run executables; (3) Block executable content from email client and webmail (BE9BA2D9): legitimate attachments are documents, not executables; (4) Block execution of files unless they meet a prevalence, age, or trusted list criterion (01443614): Smart Screen-style prevalence check. Enable after proven stable in audit: Block Office applications from spawning child processes (D4F940AB), Block Office macro code from Win32 API calls (92E97FA1), Block persistence through WMI event subscription (E6DB77E5). Handle with extra care because they generate more false positives: Block obfuscated scripts (5BEB7EFE): PowerShell-heavy environments have legitimate obfuscation; Block untrusted USB processes (B2B3F03D): depends on removable media policy.

Monitor ASR Enforcement in Production

After enabling block mode, create hunting rules for blocked legitimate business activity to catch over-blocking early. Sentinel KQL for ASR blocks affecting business applications:

DeviceEvents
| where ActionType startswith "AsrBlock"
| where FolderPath has_any ("C:\\Program Files", "C:\\Windows\\System32")
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powershell.exe", "wscript.exe")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName
| order by Timestamp desc

Set up a Teams or email alert when ASR blocks hit more than 10 unique users in a day: that threshold indicates a legitimate business application is affected. Review blocked events in the Microsoft 365 Defender portal daily for the first two weeks after enabling block mode. Create a runbook for the help desk: when a user reports an application stopped working after a security policy change, they should run Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 50 and provide Event IDs 1120/1121 to the security team for exclusion evaluation.

The bottom line

Deploy ASR rules in audit mode (value 2) first, run for 2-4 weeks covering diverse endpoint profiles, then analyze Event ID 1122 patterns in Microsoft 365 Defender Advanced Hunting to identify legitimate application exclusions. Promote to block mode starting with the four lowest-false-positive rules: LSASS credential protection, JS/VBS download blocking, email executable content blocking, and file prevalence check. Block the Office-spawning rules after verifying your macro-dependent business applications are excluded.

Frequently asked questions

How do I enable ASR rules without breaking legitimate applications?

Deploy all ASR rules in audit mode first (value 2 in Intune or Group Policy) and run for 2-4 weeks. Review Event ID 1122 in Windows Defender Operational logs or Microsoft 365 Defender Advanced Hunting to identify which legitimate applications trigger each rule. Configure path-based exclusions for those applications before switching to block mode (value 1). Start with block mode on the lowest-disruption rules first: LSASS credential stealing protection and JS/VBS download blocking typically generate very few false positives.

Which ASR rules are most effective against ransomware?

The ASR rules with the highest ransomware-prevention impact are: 'Use advanced protection against ransomware' (C1DB55AB) which blocks ransomware-specific file modification patterns, 'Block credential stealing from LSASS' (9E6C4E1F) which prevents the credential dumping that enables ransomware lateral movement, 'Block Office applications from creating child processes' (D4F940AB) which stops macro-based ransomware delivery, and 'Block persistence through WMI event subscription' (E6DB77E5) which prevents ransomware from surviving reboots via WMI.

How do I deploy ASR rules via Microsoft Intune?

Deploy ASR rules via Intune at: Endpoint Security > Attack Surface Reduction > Create Policy > Windows 10 and Later > Attack Surface Reduction Rules. Each rule is configured individually with values: 0 (Off), 1 (Block), 2 (Audit), 6 (Warn — shows a user notification before blocking). Best practice: set all rules to Audit (2) for 2-4 weeks while reviewing alerts in the MDE portal under Reports > Attack Surface Reduction, then switch to Block (1) rule by rule starting with the lowest-disruption ones. Exclusions are configured in the same Intune policy: add file paths or process names that legitimate software triggers. Intune pushes the configuration as device policies — confirm deployment in Intune's Device Status view before switching rules to Block mode.

What is the difference between ASR rules and Windows Defender Exploit Guard?

Attack Surface Reduction (ASR) rules and Exploit Guard are both part of the Windows Defender security stack but address different threat vectors. ASR rules block specific high-risk behaviors across the entire system: macro launching child processes, credential dumping, WMI persistence. Exploit Guard provides per-process exploit mitigations: DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), Control Flow Guard, and heap spray protection configured for specific applications. ASR is the broader behavioral control; Exploit Guard is targeted process-level hardening. Enable both: ASR for system-wide behavioral controls and Exploit Guard for high-risk applications like Office, browsers, and PDF readers that are common initial access targets.

How does Microsoft Defender for Endpoint ASR reporting work?

ASR events are visible in three places in the Microsoft 365 Defender portal: (1) Reports > Attack Surface Reduction: a summary dashboard showing block and audit event counts per rule over the selected time period, with the ability to filter by rule, machine, or time range. (2) Advanced Hunting: query ASR events in the DeviceEvents table using ActionType like 'AsrOfficeChildProcess%' or 'AsrLsassCredentialTheft%' — this allows correlating ASR events with other telemetry. (3) Alerts queue: ASR blocks in Block mode generate alerts that appear in the incident management queue. For tuning, Advanced Hunting is most powerful: query for AsrRuleAudited events and identify the InitiatingProcessFileName values that are triggering the rule — these are the legitimate applications needing exclusions.

How do I handle ASR rule conflicts with endpoint management tools like SCCM or RMM agents?

Management and monitoring tools are the most common source of ASR false positives because they frequently perform actions that match high-risk behavioral rules: spawning child processes, running scripts from temp directories, and accessing sensitive process memory. Before enabling block mode, query Advanced Hunting for AsrAudited events where InitiatingProcessFileName matches your RMM or SCCM executables. Create path-based exclusions scoped to the specific binary rather than the entire vendor directory -- for example, exclude 'C:\Program Files\SolarWinds\Agent\SWAgentSvc.exe' rather than 'C:\Program Files\SolarWinds\'. Test exclusions in audit mode by confirming Event ID 1122 stops appearing for that path before promoting to block. For cloud-managed endpoints using Intune, add exclusions in the same ASR policy under 'Attack Surface Reduction Only Exclusions' and verify the exclusion applies using Get-MpPreference on a test device within 8 hours of policy sync. Document every exclusion with the associated tool, version, and the specific ASR rule it conflicts with -- revisit exclusions when the tool is updated because new versions sometimes resolve the conflict.

Sources & references

  1. Microsoft ASR Rules Reference Documentation
  2. Microsoft ASR Rules Deployment Guide
  3. CISA Known Exploited Vulnerabilities Catalog

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.