Update enable-attack-surface-reduction.md

@denisebmsft , please review.
Oludele0315
2021-03-14 22:31:25 -07:00
committed by GitHub
parent 704dff61e6
commit 778e34c1d7

@ -32,11 +32,13 @@ ms.technology: mde
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Each ASR rule contains one of three settings:
Each ASR rule contains one of four settings:
- Not configured: Disable the ASR rule
- Block: Enable the ASR rule
- Audit: Evaluate how the ASR rule would impact your organization if enabled
- Warn: Enable the ASR rule but allow the end-user to bypass the block
It's highly recommended you use ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). However, for other licenses like Windows Professional or E3 that don't have access to advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (e.g., Event Forwarding).
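Review bot: the new Warn bullet does not say whether warn mode is available on every platform in the supported-platform list this hunk sits in (Windows Server version 1803 or later and Windows Server 2019 are the visible entries); if warn mode needs a newer build than the other three settings, state the minimum version next to the bullet so readers on older servers are not surprised. Minor style point: "end-user" as a noun is normally written "end user".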
@ -92,11 +94,13 @@ The following is a sample for reference, using [GUID values for ASR rules](attac
`Value: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=2|3B576869-A4EC-4529-8536-B80A7769E899=1|D4F940AB-401B-4EfC-AADC-AD5F3C50688A=2|D3E037E1-3EB8-44C8-A917-57927947596D=1|5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=0|BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1`
The values to enable, disable, or enable in audit mode are:
The values to enable (Block), disable, warn, or enable in audit mode are:
• 0 : Disable (Disable the ASR rule)
• 1 : Block (Enable the ASR rule)
• 2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)
• 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
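Review bot: the sample `Value:` string at the top of this hunk still uses only the states 0, 1 and 2, so the newly documented value 6 for Warn is never illustrated in CSP syntax; set one of the existing GUIDs in the sample to `=6` (for example change `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=0` to `...=6`) so readers see how warn mode is expressed. The replacement list also switches from the `-` bullets used elsewhere in this file to `•` characters, which Markdown will not render as a list; restore the `-` form, e.g. `- 6 : Warn (Enable the ASR rule but allow the end user to bypass the block)`.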
@ -138,9 +142,10 @@ Example:
Select **Show...** and enter the rule ID in the **Value name** column and your chosen state in the **Value** column as follows:
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
• 0 : Disable (Disable the ASR rule)
• 1 : Block (Enable the ASR rule)
• 2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)
• 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)
![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png)
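Review bot: the replacement list uses `•` instead of the `-` bullets the rest of the file uses, so these four lines will render as one run-on paragraph rather than a list; keep the `-` style (`- 6 : Warn (...)`). The screenshot alt text that follows still describes a value of 1 only, which is fine, but a short sentence saying that 6 is entered in the **Value** column the same way would make the new warn state discoverable from this section.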
@ -158,6 +163,8 @@ Example:
2. Enter the following cmdlet:
To enable ASR rules in enable (block) mode, use the following cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
```
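Review bot: the step text `2. Enter the following cmdlet:` is now immediately followed by `To enable ASR rules in enable (block) mode, use the following cmdlet:`, so the instruction is stated twice; fold the mode into the step (e.g. `2. To enable ASR rules in block mode, enter the following cmdlet:`) or drop one of the two lines. "enable (block) mode" is also awkward beside a cmdlet value of `Enabled`; "block mode" alone is clearer. Note too that this example uses `Set-MpPreference` while the audit and warn examples use `Add-MpPreference`; if the difference (replacing the configured rule list versus appending to it) is deliberate, say so in the text, otherwise use the same cmdlet for all three modes.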
@ -167,6 +174,12 @@ Example:
```PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
```
To enable ASR rules in warn mode, use the following cmdlet:
```PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Warn
```
To turn off ASR rules, use the following cmdlet:
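Review bot: the warn example mirrors the audit example and its `-AttackSurfaceReductionRules_Actions Warn` value lines up with the Warn setting documented earlier in the file, but nothing here tells an administrator how a user's bypass of the warning becomes visible to them. Since warn mode by definition lets the end user override the block, a sentence pointing readers to the endpoint events generated when ASR rules are triggered (mentioned earlier in this file) would help them decide whether warn mode is an acceptable rollout state.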