PRACTITIONER GUIDE | ENDPOINT SECURITY
Practitioner GuideUpdated 13 min read

Microsoft Defender ASR Rules: Which Attack Surface Reduction Rules to Enable and Which Will Break Things

Audit first
is Microsoft's mandatory recommendation before enabling any ASR rule in Block mode. Audit mode logs what the rule would have blocked without disrupting users, revealing application compatibility issues before they cause an incident
GUID-based
each ASR rule is identified by a GUID, not a friendly name, in Group Policy and registry configuration. The friendly names appear only in the Intune UI and the Microsoft 365 Defender portal -- always use GUIDs for scripted deployment
Event 1121 = blocked
Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log indicates an ASR rule blocked an action. Event ID 1122 indicates audit mode detection. Monitoring these events in your SIEM provides visibility into both blocked attacks and potential false positives
Exclusions by path or process
are available for all ASR rules to resolve false positives for legitimate applications. Exclusions should be scoped to the minimum required path or process -- wildcard exclusions of entire drives or user profile directories negate the rule's protection entirely

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

ASR rules address specific attack techniques -- not generic 'malicious behavior' -- which is why their coverage maps directly to MITRE ATT&CK techniques like T1055 (Process Injection), T1003 (Credential Dumping), and T1059 (Command and Scripting Interpreter). Enabling them in Block mode without testing first breaks things like legitimate Office macros in finance, PDFCreator applications that spawn child processes, and IT automation tools that use LSASS reads. The correct deployment path is: audit for two weeks, review events, create targeted exclusions, then switch to block.

Safe to Enable Immediately in Block Mode

These rules have very low breakage rates in typical enterprise environments and high attack prevention value. Enable them in Block mode as your first deployment wave:

Block abuse of exploited vulnerable signed drivers GUID: 56a863a9-875e-4185-98a7-b882c64b5ce5 Blocks untrusted drivers from loading. Low false positive rate.

Block executable files from running unless they meet a prevalence, age, or trusted list criteria GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 Blocks unknown executables. Can affect first-run of new software -- test before enabling in environments with frequent new software deployment.

Block credential stealing from the Windows local security authority subsystem (lsass.exe) GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0 Blocks Mimikatz-class LSASS credential dumping. May break older backup agents that read LSASS. Test in audit mode first if you run third-party backup software.

Block untrusted and unsigned processes that run from USB GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Blocks autorun-style attacks from removable media. Very low false positive rate if you do not autorun executables from USB.

Block Office communication application from creating child processes GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 Blocks Outlook and Teams from spawning child processes (classic phishing payload delivery). Low breakage if users do not intentionally open scripts from email attachments.

Block JavaScript or VBScript from launching downloaded executable content GUID: d3e037e1-3eb8-44c8-a917-57927947596d Blocks scripts that download and run payloads. Very low breakage rate for enterprise environments.

Require Audit Testing Before Enabling in Block Mode

These rules have higher breakage rates and should run in audit mode for 14 days minimum before switching to Block:

Block all Office applications from creating child processes GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a Breaks: PDF printers that spawn from Word/Excel, older Office add-ins, some third-party document processing tools. High attack prevention value -- test carefully.

Block Office applications from injecting code into other processes GUID: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 Breaks: Some legitimate DLL injection-based Office add-ins. Rare but real.

Block Win32 API calls from Office macros GUID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b Breaks: Legitimate macros that use Win32 API calls directly. Finance teams using complex Excel macros are the most common affected population.

Use advanced protection against ransomware GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 Monitors file modification rates to detect ransomware-like behavior. Can trigger on backup agents, file migration tools, and batch document processing. Test in environments with heavy file I/O.

Block process creations originating from PSExec and WMI commands GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c Breaks: Any legitimate use of PSExec or WMI process creation in your environment. Common in IT automation. Conduct a thorough audit before enabling.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Deploy via Intune (MEM)

Intune Endpoint Security profile (recommended for cloud-managed devices):

Intune > Endpoint Security > Attack Surface Reduction > Create Policy > Windows 10 and later > Attack Surface Reduction Rules

Each rule has a dropdown: Not configured / Block / Audit / Warn / Off

For scripted deployment across many rules, use a Custom OMA-URI profile:

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Data type: String
Value: <GUID>=<state>|<GUID>=<state>|...
# State: 0=Off, 1=Block, 2=Audit, 6=Warn
# Example (Block LSASS rule, Audit Office child process rule):
# 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0=1|d4f940ab-401b-4efc-aadc-ad5f3c50688a=2

Deploy via Group Policy

For on-premises or hybrid domain-joined devices:

GPO path: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Setting: Configure Attack Surface Reduction rules

  • Enabled
  • Click Show to add rules: Value name = GUID, Value = 0 (Off), 1 (Block), or 2 (Audit)

Via PowerShell (useful for testing or staged rollout):

# Set a specific rule to audit mode
Add-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0' `
                 -AttackSurfaceReductionRules_Actions AuditMode
# Switch to Block
Add-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0' `
                 -AttackSurfaceReductionRules_Actions Enabled
# Check current state
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

Monitor ASR Events and Manage Exclusions

Audit and block events:

  • Event ID 1121: ASR rule fired in Block mode (action was prevented)
  • Event ID 1122: ASR rule fired in Audit mode (action was logged only)
  • Event ID 1129: User override of a rule in Warn mode

Event channel: Microsoft-Windows-Windows Defender/Operational

Query audit events to identify false positives:

Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' |
  Where-Object Id -in 1121,1122 |
  Select-Object TimeCreated, Message |
  Format-List

In Defender portal: Microsoft 365 Defender > Reports > Security report > Attack surface reduction rules This view shows the top triggering processes and files, which identifies false positive candidates.

Create exclusions for false positives:

# Exclude a specific process from all ASR rules
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\BackupAgent\agent.exe'
# Or via Intune: Endpoint Security > ASR > Edit policy > Add ASR Only Exclusions

Exclusions apply to all ASR rules -- you cannot exclude a process from one rule while keeping it protected by another. Keep the exclusion list minimal and document the business justification for each entry.

The bottom line

ASR rule deployment in three phases: Phase 1 -- enable low-breakage rules in block mode immediately (LSASS protection, USB block, Office communication child processes, scripted download execution). Phase 2 -- run high-breakage rules in audit mode for 14 days, review Event 1122 for false positives, create targeted exclusions, then switch to block. Phase 3 -- review the ASR rules report in Defender portal monthly to identify new triggering patterns and tighten exclusions. The six safe-to-block rules in Phase 1 alone address credential dumping, USB autorun, and several common phishing payload delivery techniques.

Frequently asked questions

Do ASR rules require Microsoft Defender for Endpoint Plan 1 or Plan 2?

ASR rules require either Microsoft Defender for Endpoint Plan 1, Plan 2, or a Microsoft 365 Business Premium license. They are not available with Windows Security alone on unmanaged devices. However, the Defender Antivirus component that enforces ASR rules is built into Windows -- the licensing requirement is for management and reporting via the Microsoft 365 Defender portal. You can enable ASR rules via Group Policy or PowerShell on any Windows 10 version 1709 or later device running Defender Antivirus without a Defender for Endpoint license, but you will not get centralized reporting or the advanced ASR rules report.

Will ASR rules conflict with third-party antivirus software?

ASR rules are a component of Microsoft Defender Antivirus. If a third-party AV product is installed and active as the primary antivirus, Defender Antivirus runs in Passive mode and ASR rules are not enforced. ASR rules require Defender Antivirus to be in Active mode. If you are running a third-party EDR alongside Defender, check whether Defender is in Active or Passive mode: Get-MpComputerStatus | Select-Object AMRunningMode. Organizations running CrowdStrike, SentinelOne, or similar alongside Defender in passive mode will need to implement equivalent controls in the third-party platform.

Which ASR rule most often breaks enterprise applications?

Block all Office applications from creating child processes (GUID d4f940ab) is the most common breakage cause. Finance teams using Excel macros that spawn external processes, PDF printer integrations, and legacy Office add-ins all trigger this rule. Block Win32 API calls from Office macros (GUID 92e97fa1) is the second most common breakage source for organizations with complex Excel-based automation. Always run these two rules in audit mode for at least two weeks and review the events before switching to block.

How do I check which ASR rules are currently active on a machine?

Run Get-MpPreference on the target machine. The AttackSurfaceReductionRules_Ids property lists the rule GUIDs and the AttackSurfaceReductionRules_Actions property lists the corresponding states (0=Off, 1=Block, 2=Audit, 6=Warn). In the Microsoft 365 Defender portal, go to Endpoints > Configuration management > Endpoint security policies to view the applied ASR policy. The portal view is easier to read for a large estate; the PowerShell command is useful for verifying a specific endpoint's configuration during an investigation.

Can ASR rules be deployed via Intune for endpoints not managed by Group Policy?

Yes. In Intune, go to Endpoint security > Attack surface reduction > Create policy, select Windows as the platform, and Attack surface reduction rules as the profile type. Each rule can be set to Off, Audit, Block, or Warn per rule GUID. Intune ASR policy works for cloud-native Entra ID joined devices that are not in scope for Group Policy. For co-managed devices (both Intune and GPO), ensure the ASR workload is managed by Intune rather than GPO to avoid conflicts. Verify the applied rules on individual machines using Get-MpPreference after the Intune policy syncs, which typically completes within 8 hours of policy assignment.

Which ASR rules are most likely to block legitimate applications and how do I handle exclusions?

The ASR rules with the highest rate of false positives in enterprise environments: 'Block Office applications from creating child processes' (breaks legacy Office add-ins, PDF plugins, and some developer tools that spawn processes from Excel or Word), 'Block JavaScript or VBScript from launching downloaded executable content' (breaks web-based application launchers and some enterprise software update mechanisms), and 'Block execution of potentially obfuscated scripts' (triggers on legitimate build scripts and automation that uses string manipulation). Exclusion approach: when a rule in Audit mode generates alerts for a legitimate application, identify the exact file path or process being blocked from the alert details in Microsoft Defender portal, and add a per-rule exclusion for that specific file path rather than disabling the entire rule. Exclusions should be as narrow as possible (specific exe path rather than a broad directory) and documented with the business justification. For rules you cannot exclude safely, leave them in Audit mode to maintain visibility without blocking, and revisit when the application is updated or replaced.

Sources & references

  1. Microsoft: Attack surface reduction rules reference
  2. Microsoft: Enable attack surface reduction rules
  3. Microsoft: Attack surface reduction rules deployment overview

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.