diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 57f3a3eebf..94fd50bf15 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -85,7 +85,7 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr - Disable = 0 - Audit = 2 -![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. @@ -102,14 +102,19 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` -You can enable the feature in audit mode using the following cmdlet: +To enable ASR rules in audit mode, use the following cmdlet: ```PowerShell Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode ``` -Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. ->[!IMPORTANT> +To turn off ASR rules, use the following cmdlet: + +```PowerShell +Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled +``` + +>[!IMPORTANT] >You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. > >In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: @@ -124,7 +129,7 @@ You can also the `Add-MpPreference` PowerShell verb to add new rules to the exis >`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. >You can obtain a list of rules and their current state by using `Get-MpPreference` -3. To exclude files and folders from ASR rules, enter the following cmdlet: +3. To exclude files and folders from ASR rules, use the following cmdlet: ```PowerShell Add-MpPreference -AttackSurfaceReductionOnlyExclusions ""