Microsoft Defender ASR Rules: Which Attack Surface Reduction Rules to Enable and Which Will Break Things

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
ASR rules address specific attack techniques -- not generic 'malicious behavior' -- which is why their coverage maps directly to MITRE ATT&CK techniques like T1055 (Process Injection), T1003 (Credential Dumping), and T1059 (Command and Scripting Interpreter). Enabling them in Block mode without testing first breaks things like legitimate Office macros in finance, PDFCreator applications that spawn child processes, and IT automation tools that use LSASS reads. The correct deployment path is: audit for two weeks, review events, create targeted exclusions, then switch to block.
Safe to Enable Immediately in Block Mode
These rules have very low breakage rates in typical enterprise environments and high attack prevention value. Enable them in Block mode as your first deployment wave:
Block abuse of exploited vulnerable signed drivers
GUID: 56a863a9-875e-4185-98a7-b882c64b5ce5
Blocks untrusted drivers from loading. Low false positive rate.
Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
Blocks unknown executables. Can affect first-run of new software -- test before enabling in environments with frequent new software deployment.
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0
Blocks Mimikatz-class LSASS credential dumping. May break older backup agents that read LSASS. Test in audit mode first if you run third-party backup software.
Block untrusted and unsigned processes that run from USB
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Blocks autorun-style attacks from removable media. Very low false positive rate if you do not autorun executables from USB.
Block Office communication application from creating child processes
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
Blocks Outlook and Teams from spawning child processes (classic phishing payload delivery). Low breakage if users do not intentionally open scripts from email attachments.
Block JavaScript or VBScript from launching downloaded executable content
GUID: d3e037e1-3eb8-44c8-a917-57927947596d
Blocks scripts that download and run payloads. Very low breakage rate for enterprise environments.
Require Audit Testing Before Enabling in Block Mode
These rules have higher breakage rates and should run in audit mode for 14 days minimum before switching to Block:
Block all Office applications from creating child processes
GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a
Breaks: PDF printers that spawn from Word/Excel, older Office add-ins, some third-party document processing tools. High attack prevention value -- test carefully.
Block Office applications from injecting code into other processes
GUID: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
Breaks: Some legitimate DLL injection-based Office add-ins. Rare but real.
Block Win32 API calls from Office macros
GUID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
Breaks: Legitimate macros that use Win32 API calls directly. Finance teams using complex Excel macros are the most common affected population.
Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
Monitors file modification rates to detect ransomware-like behavior. Can trigger on backup agents, file migration tools, and batch document processing. Test in environments with heavy file I/O.
Block process creations originating from PSExec and WMI commands
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
Breaks: Any legitimate use of PSExec or WMI process creation in your environment. Common in IT automation. Conduct a thorough audit before enabling.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Deploy via Intune (MEM)
Intune Endpoint Security profile (recommended for cloud-managed devices):
Intune > Endpoint Security > Attack Surface Reduction > Create Policy > Windows 10 and later > Attack Surface Reduction Rules
Each rule has a dropdown: Not configured / Block / Audit / Warn / Off
For scripted deployment across many rules, use a Custom OMA-URI profile:
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Data type: String
Value: <GUID>=<state>|<GUID>=<state>|...
# State: 0=Off, 1=Block, 2=Audit, 6=Warn
# Example (Block LSASS rule, Audit Office child process rule):
# 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0=1|d4f940ab-401b-4efc-aadc-ad5f3c50688a=2
Deploy via Group Policy
For on-premises or hybrid domain-joined devices:
GPO path:
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Setting: Configure Attack Surface Reduction rules
- Enabled
- Click Show to add rules: Value name = GUID, Value = 0 (Off), 1 (Block), or 2 (Audit)
Via PowerShell (useful for testing or staged rollout):
# Set a specific rule to audit mode
Add-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0' `
-AttackSurfaceReductionRules_Actions AuditMode
# Switch to Block
Add-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0' `
-AttackSurfaceReductionRules_Actions Enabled
# Check current state
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
Monitor ASR Events and Manage Exclusions
Audit and block events:
- Event ID 1121: ASR rule fired in Block mode (action was prevented)
- Event ID 1122: ASR rule fired in Audit mode (action was logged only)
- Event ID 1129: User override of a rule in Warn mode
Event channel: Microsoft-Windows-Windows Defender/Operational
Query audit events to identify false positives:
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' |
Where-Object Id -in 1121,1122 |
Select-Object TimeCreated, Message |
Format-List
In Defender portal: Microsoft 365 Defender > Reports > Security report > Attack surface reduction rules This view shows the top triggering processes and files, which identifies false positive candidates.
Create exclusions for false positives:
# Exclude a specific process from all ASR rules
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\BackupAgent\agent.exe'
# Or via Intune: Endpoint Security > ASR > Edit policy > Add ASR Only Exclusions
Exclusions apply to all ASR rules -- you cannot exclude a process from one rule while keeping it protected by another. Keep the exclusion list minimal and document the business justification for each entry.
The bottom line
ASR rule deployment in three phases: Phase 1 -- enable low-breakage rules in block mode immediately (LSASS protection, USB block, Office communication child processes, scripted download execution). Phase 2 -- run high-breakage rules in audit mode for 14 days, review Event 1122 for false positives, create targeted exclusions, then switch to block. Phase 3 -- review the ASR rules report in Defender portal monthly to identify new triggering patterns and tighten exclusions. The six safe-to-block rules in Phase 1 alone address credential dumping, USB autorun, and several common phishing payload delivery techniques.
Frequently asked questions
Do ASR rules require Microsoft Defender for Endpoint Plan 1 or Plan 2?
ASR rules require either Microsoft Defender for Endpoint Plan 1, Plan 2, or a Microsoft 365 Business Premium license. They are not available with Windows Security alone on unmanaged devices. However, the Defender Antivirus component that enforces ASR rules is built into Windows -- the licensing requirement is for management and reporting via the Microsoft 365 Defender portal. You can enable ASR rules via Group Policy or PowerShell on any Windows 10 version 1709 or later device running Defender Antivirus without a Defender for Endpoint license, but you will not get centralized reporting or the advanced ASR rules report.
Will ASR rules conflict with third-party antivirus software?
ASR rules are a component of Microsoft Defender Antivirus. If a third-party AV product is installed and active as the primary antivirus, Defender Antivirus runs in Passive mode and ASR rules are not enforced. ASR rules require Defender Antivirus to be in Active mode. If you are running a third-party EDR alongside Defender, check whether Defender is in Active or Passive mode: Get-MpComputerStatus | Select-Object AMRunningMode. Organizations running CrowdStrike, SentinelOne, or similar alongside Defender in passive mode will need to implement equivalent controls in the third-party platform.
Which ASR rule most often breaks enterprise applications?
Block all Office applications from creating child processes (GUID d4f940ab) is the most common breakage cause. Finance teams using Excel macros that spawn external processes, PDF printer integrations, and legacy Office add-ins all trigger this rule. Block Win32 API calls from Office macros (GUID 92e97fa1) is the second most common breakage source for organizations with complex Excel-based automation. Always run these two rules in audit mode for at least two weeks and review the events before switching to block.
How do I check which ASR rules are currently active on a machine?
Run Get-MpPreference on the target machine. The AttackSurfaceReductionRules_Ids property lists the rule GUIDs and the AttackSurfaceReductionRules_Actions property lists the corresponding states (0=Off, 1=Block, 2=Audit, 6=Warn). In the Microsoft 365 Defender portal, go to Endpoints > Configuration management > Endpoint security policies to view the applied ASR policy. The portal view is easier to read for a large estate; the PowerShell command is useful for verifying a specific endpoint's configuration during an investigation.
Can ASR rules be deployed via Intune for endpoints not managed by Group Policy?
Yes. In Intune, go to Endpoint security > Attack surface reduction > Create policy, select Windows as the platform, and Attack surface reduction rules as the profile type. Each rule can be set to Off, Audit, Block, or Warn per rule GUID. Intune ASR policy works for cloud-native Entra ID joined devices that are not in scope for Group Policy. For co-managed devices (both Intune and GPO), ensure the ASR workload is managed by Intune rather than GPO to avoid conflicts. Verify the applied rules on individual machines using Get-MpPreference after the Intune policy syncs, which typically completes within 8 hours of policy assignment.
Which ASR rules are most likely to block legitimate applications and how do I handle exclusions?
The ASR rules with the highest rate of false positives in enterprise environments: 'Block Office applications from creating child processes' (breaks legacy Office add-ins, PDF plugins, and some developer tools that spawn processes from Excel or Word), 'Block JavaScript or VBScript from launching downloaded executable content' (breaks web-based application launchers and some enterprise software update mechanisms), and 'Block execution of potentially obfuscated scripts' (triggers on legitimate build scripts and automation that uses string manipulation). Exclusion approach: when a rule in Audit mode generates alerts for a legitimate application, identify the exact file path or process being blocked from the alert details in Microsoft Defender portal, and add a per-rule exclusion for that specific file path rather than disabling the entire rule. Exclusions should be as narrow as possible (specific exe path rather than a broad directory) and documented with the business justification. For rules you cannot exclude safely, leave them in Audit mode to maintain visibility without blocking, and revisit when the application is updated or replaced.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
