diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 94fd50bf15..1420c2c6e7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -81,8 +81,8 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr 4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - - Block (enable ASR rule) = 1 - Disable = 0 + - Block (enable ASR rule) = 1 - Audit = 2 ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) 
@@ -102,32 +102,32 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` -To enable ASR rules in audit mode, use the following cmdlet: + To enable ASR rules in audit mode, use the following cmdlet: -```PowerShell -Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode -``` + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode + ``` -To turn off ASR rules, use the following cmdlet: + To turn off ASR rules, use the following cmdlet: -```PowerShell -Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled -``` + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled + ``` ->[!IMPORTANT] ->You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. -> ->In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: -> ->```PowerShell ->Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode ->``` + >[!IMPORTANT] + >You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. + > + >In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: + > + >```PowerShell + >Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode + >``` -You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. 
->[!WARNING] ->`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. ->You can obtain a list of rules and their current state by using `Get-MpPreference` + >[!WARNING] + >`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. + >You can obtain a list of rules and their current state by using `Get-MpPreference` 3. To exclude files and folders from ASR rules, use the following cmdlet: 
@@ -135,17 +135,44 @@ You can also the `Add-MpPreference` PowerShell verb to add new rules to the exis Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" ``` -Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. + Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + >[!IMPORTANT] + >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Enable ASR rules with MDM CSPs Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. +The following is a sample for reference, using the [GUID value for the ASR rule](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). 
The values to enable, disable, or enable in audit mode are: + +- Disable = 0 +- Block (enable ASR rule) = 1 +- Audit = 2 + +```OMA-URI path +./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules +``` + +```OMA-URI value +{75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1 +``` + Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. +Example: + +```OMA-URI path +./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions +``` + +```OMA-URI value +c:\path|e:\path|c:\Whitelisted.exe +``` + +>[!NOTE] +>Be sure to enter OMA-URI values without spaces. + ## Related topics - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
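Review bot: In the `@@ -102,32 +102,32 @@` hunk, the re-indented line "You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list." is still missing a word and misnames the cmdlet as a verb. Since the line is being touched anyway, change it to "You can also use the `Add-MpPreference` cmdlet to add new rules to the existing list." In the same hunk, the last line of the WARNING block ("You can obtain a list of rules and their current state by using `Get-MpPreference`") has no closing period. The unchanged enable example at the top of the hunk uses `Set-MpPreference`, which the WARNING says overwrites the existing set, while the audit and disable examples use `Add-MpPreference`. Consider moving the WARNING up next to that first example so a reader who copies it sees the overwrite behaviour first.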
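Review bot: In the `@@ -135,17 +135,44 @@` hunk, the added OMA-URI value sample lists six rule GUIDs without saying which rule each one is, and one of them is cased inconsistently (`{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}` has a lowercase `f`). Uppercase it to match the others and add a sentence pointing out that each `{GUID}=n` pair uses the 0/1/2 values listed just above. The fence info strings `OMA-URI path` and `OMA-URI value` sit in the language slot of the fence, so they will not render as labels. Put "OMA-URI path:" and "OMA-URI value:" as prose lines above plain fences instead. The NOTE "Be sure to enter OMA-URI values without spaces" applies to the rules value as well as the exclusions value, so it would be better placed after the first sample or repeated there. The new link to the rule GUID list is an absolute `/en-us/` URL, while the Related topics list links the same article relatively as `attack-surface-reduction-exploit-guard.md`; use the relative form for consistency.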