Merge pull request #9353 from Oludele0315/patch-1

Update enable-attack-surface-reduction.md
This commit is contained in:
Denise Vangel-MSFT
2021-03-22 11:56:16 -07:00
committed by GitHub


@ -32,11 +32,13 @@ ms.technology: mde
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Each ASR rule contains one of three settings: Each ASR rule contains one of four settings:
- Not configured: Disable the ASR rule - Not configured: Disable the ASR rule
- Block: Enable the ASR rule - Block: Enable the ASR rule
- Audit: Evaluate how the ASR rule would impact your organization if enabled - Audit: Evaluate how the ASR rule would impact your organization if enabled
- Warn: Enable the ASR rule but allow the end-user to bypass the block
It's highly recommended you use ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). However, for other licenses like Windows Professional or E3 that don't have access to advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (e.g., Event Forwarding). It's highly recommended you use ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). However, for other licenses like Windows Professional or E3 that don't have access to advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (e.g., Event Forwarding).
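Review bot: the new Warn bullet reads as if every ASR rule accepts all four settings; if Warn mode applies only to a subset of rules or to particular Windows versions, say so beside the bullet rather than leaving admins to discover it when the setting is silently ignored. Minor: "end-user" as a noun is "end user" (the hyphenated form is adjectival), and the same spelling recurs in the later hunks.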
@ -92,11 +94,13 @@ The following is a sample for reference, using [GUID values for ASR rules](attac
`Value: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=2|3B576869-A4EC-4529-8536-B80A7769E899=1|D4F940AB-401B-4EfC-AADC-AD5F3C50688A=2|D3E037E1-3EB8-44C8-A917-57927947596D=1|5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=0|BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1` `Value: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=2|3B576869-A4EC-4529-8536-B80A7769E899=1|D4F940AB-401B-4EfC-AADC-AD5F3C50688A=2|D3E037E1-3EB8-44C8-A917-57927947596D=1|5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=0|BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1`
The values to enable, disable, or enable in audit mode are: The values to enable (Block), disable, warn, or enable in audit mode are:
• 0 : Disable (Disable the ASR rule)
• 1 : Block (Enable the ASR rule)
• 2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)
• 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
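Review bot: the rewritten value list switches from the file's `-` Markdown bullets to literal `•` characters, which will not render as a list; keep `- 0: Disable (...)` style items for consistency with the rest of the page. Also, the lead-in sentence now enumerates "enable (Block), disable, warn, or enable in audit mode" in a different order from the list it introduces (0 Disable, 1 Block, 2 Audit, 6 Warn); reorder the sentence to match, e.g. "The values to disable, block, audit, or warn are:".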
@ -138,9 +142,10 @@ Example:
Select **Show...** and enter the rule ID in the **Value name** column and your chosen state in the **Value** column as follows: Select **Show...** and enter the rule ID in the **Value name** column and your chosen state in the **Value** column as follows:
- Disable = 0 • 0 : Disable (Disable the ASR rule)
- Block (enable ASR rule) = 1 • 1 : Block (Enable the ASR rule)
- Audit = 2 • 2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)
• 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)
![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png)
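Review bot: same `•` versus `-` bullet problem as in the CSP hunk above; the three lines being replaced were proper Markdown list items and the replacements should stay that way so the Value column mapping renders as a list under the Group Policy screenshot.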
@ -158,6 +163,8 @@ Example:
2. Enter the following cmdlet: 2. Enter the following cmdlet:
To enable ASR rules in enable (block) mode, use the following cmdlet:
```PowerShell ```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
``` ```
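Review bot: the inserted lead-in "To enable ASR rules in enable (block) mode" doubles "enable" and sits directly under step "2. Enter the following cmdlet:", so the reader is told twice to use the following cmdlet; reword to "To enable ASR rules in block mode:" or fold it into the step text. More importantly, this block-mode example uses `Set-MpPreference` while the audit and warn examples that follow use `Add-MpPreference`; `Set-` overwrites the configured rule list whereas `Add-` appends to it, and now that the page presents three parallel per-mode examples, that difference should be called out (or the cmdlets made consistent) so an admin does not unintentionally clear previously configured rules when moving one rule to block mode.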
@ -168,6 +175,12 @@ Example:
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
``` ```
To enable ASR rules in warn mode, use the following cmdlet:
```PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Warn
```
To turn off ASR rules, use the following cmdlet: To turn off ASR rules, use the following cmdlet:
```PowerShell ```PowerShell
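Review bot: the new warn-mode paragraph correctly mirrors the audit-mode one (both use `Add-MpPreference` with a single `-AttackSurfaceReductionRules_Actions` value), but the mode is named "warn mode" here, "enable (block) mode" in the previous hunk, and "Warn" in the settings list; pick one naming scheme (e.g. block mode, audit mode, warn mode) and use it for all three cmdlet sections and the settings list so the PowerShell actions map cleanly to the 0/1/2/6 values documented above.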