From f679ee5f9755e4914308d04b8ae4f33a32a97abe Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 8 Feb 2021 21:51:57 +0500 Subject: [PATCH 1/4] Update evaluate-attack-surface-reduction.md --- .../evaluate-attack-surface-reduction.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 8687fe08c9..1c05c987b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -22,7 +22,7 @@ ms.technology: mde **Applies to:** -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Set attack surface reduction rules for devices running any of the following editions and versions of Windows: @@ -40,10 +40,18 @@ Learn how to evaluate attack surface reduction rules by enabling audit mode to t Enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how often the rules will fire during normal use. -To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet: +To enable attack surface reduction rule in audit mode, use the following PowerShell cmdlet: ```PowerShell -Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode +Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode +``` + +Where `` is a [GUID value of ASR rule](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#attack-surface-reduction-rules). + +To enable all the added attack surface reduction rules in audit mode, use the following PowerShell cmdlet: + +```PowerShell +(Get-MpPreference).AttackSurfaceReductionRules_Ids | Foreach {Add-MpPreference -AttackSurfaceReductionRules_Ids $_ -AttackSurfaceReductionRules_Actions AuditMode} ``` > [!TIP] From ca9a3f37146e83439a7a89e3af307f888666e520 Mon Sep 17 00:00:00 2001 From: Beth Woodbury <40870842+levinec@users.noreply.github.com> Date: Mon, 8 Feb 2021 11:24:34 -0800 Subject: [PATCH 2/4] Update windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/evaluate-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 1c05c987b4..2cf01a9895 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -40,7 +40,7 @@ Learn how to evaluate attack surface reduction rules by enabling audit mode to t Enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how often the rules will fire during normal use. -To enable attack surface reduction rule in audit mode, use the following PowerShell cmdlet: +To enable an attack surface reduction rule in audit mode, use the following PowerShell cmdlet: ```PowerShell Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode From 8af343c07fbbac270340c8d4be098aafd9681e7e Mon Sep 17 00:00:00 2001 From: Beth Woodbury <40870842+levinec@users.noreply.github.com> Date: Mon, 8 Feb 2021 11:25:07 -0800 Subject: [PATCH 3/4] Update windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/evaluate-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 2cf01a9895..ae0189e01e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -46,7 +46,7 @@ To enable an attack surface reduction rule in audit mode, use the following Powe Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode ``` -Where `` is a [GUID value of ASR rule](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#attack-surface-reduction-rules). +Where `` is a [GUID value of the attack surface reduction rule](attack-surface-reduction.md#attack-surface-reduction-rules). To enable all the added attack surface reduction rules in audit mode, use the following PowerShell cmdlet: From 870793e9842bc06d11a2ea570e3741b5141bc960 Mon Sep 17 00:00:00 2001 From: Beth Woodbury <40870842+levinec@users.noreply.github.com> Date: Mon, 8 Feb 2021 11:26:10 -0800 Subject: [PATCH 4/4] Update evaluate-attack-surface-reduction.md --- .../microsoft-defender-atp/evaluate-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index ae0189e01e..3ae9907010 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -22,7 +22,7 @@ ms.technology: mde **Applies to:** -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Set attack surface reduction rules for devices running any of the following editions and versions of Windows: