In this articele, we wil discuss Attack Surface Reduction Configuration with Microsoft Defender. Microsoft Defender is a free, built-in antivirus for Windows. Until May 10th, 2020, it was known as Windows Defender, and in the most recent versions of Windows 10. Please see How to install and debug logs with the CMTrace Tool, and Insight on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption and Container Encryption.

Windows Defender is also referred to as Windows Security. It contains several security features aimed at protecting devices and the internet from malware such as spyware, adware, ransomware, and other threats. It is an easy-to-use antivirus program for Windows users.

Windows devices have broad appeal due to the pre-installed and free availability of Windows Defender, the antivirus program. In addition to the features mentioned above, other security features are also available with Microsoft Defender. These include lowering the attack surface, which hardens software like Adobe Reader, Office, and browsers.

In this write-up, I show you how to configure Microsoft Defender using PowerShell. The feature is not turned on by default. Malicious code thrives in email attachments—scripts, executables, or tainted Office macros. Web browsers and products like Adobe Reader pose vulnerabilities. Defender enhances security beyond app-specific efforts, adding a layer against attacks.

For instance, group policies can significantly control office macros. Attack Surface Reduction (ASR) rules further enclose them. For instance, you can stop Office from producing executable content, injecting code into other processes, or establishing new processes. For example, you might also need to require the latter for Adobe Reader. Defender can stop executable content from entering the computer through a mail client.

Configure ASR in Microsoft Defender Using PowerShell

It’s also intriguing to observe the configuration of advanced ransomware prevention. The system collects data on suspicious files via Microsoft Cloud, verifying common ransomware or known harmlessness. Enabling cloud-based protection is necessary for the function to work.

Here I show you how to configure Attack Surface Reduction in Microsoft Defender via PowerShell. But before we do that, if you need to ascertain the current status of the ASR rules, use the PowerShell Cmdlet below to do so:

Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

The above command displays the configured rules and their status. The output screen shows that no rules have been configured yet.

Invoke the Set-MpPreference to specify directories and files that are excluded as follows:

*Configure exclusions for ASR rules with PowerShell*

Then use the Get-MpPreference query the status of this property as shown on the above screenshot.

Take a look at the following related articles to learn more: How to enable Exploit Protection on Windows using Windows Security App, Microsoft Endpoint Configuration Manager, and Group Policy Editor, and

Configure ASR rules using group policies

Another method for enabling or configuring ASR rules is through Group Policy. In the Group Policy, two settings are available for the central management of ASR: one for enabling/disabling rules and the other for defining exclusions.

To access the ASR, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction by searching for and opening Group Policy on your PC’s search menu.

In configuring the GUID for Attack Surface Reduction, the values 0, 1, 2, and 6 specify the status (“Actions”). 0 stands for deactivated, 1 for activated, 2 for audit mode and 6 for warning, where users receive a notification about the possible danger but can bypass the blocking. Configure this folder’s other property to create directories and file exclusions.

Configuring Attack Surface Reduction via Group Policy

As shown above, we also enter the Value names in a table in this case, and we always set the field in the right-hand column to 0. Enter the GUID for an ASR rule and the value for the action Disable 0 Block 1 Audit 2 Warn 6 in the GPO setting

Configure Attack Surface Reduction rules

You can utilize a standard configuration for all of the rules rather than just turning on a different option for each one (“C onfigure Attack Surface Reduction rules“). There, you input the action’s numerical value and the aforementioned GUID into a table. For instance, here we want to