Scripts (PowerShell) Security | Vulnerability Scans and Assessment Windows Windows Server

How to Configure Attack Surface Reduction in Microsoft Defender using PowerShell and Group Policy


Microsoft Defender is a free, built-in antivirus for Windows. It was formerly known as Windows Defender until May 10th, 2020, and is now also referred to as Windows Security in the most recent versions of Windows 10. It contains a number of security features aimed at protecting devices and the internet from malware such as spyware, adware, ransomware, and other threats. It is an easy-to-use antivirus program for Windows users. Take a look at the following related articles to learn more: How to enable Exploit Protection on Windows using Windows Security App, Microsoft Endpoint Configuration Manager, and Group Policy Editor, Configuration Manager Tools: How to install and debug logs with the CMTrace Tool, and Insight on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption and Container Encryption.

The fact that Windows Defender is pre-installed and available for free on all Windows devices contributes to the antivirus program’s broad appeal. In addition to the features mentioned above, other security features are also available with Microsoft Defender. These include lowering the attack surface, which hardens software like Adobe Reader, Office, and browsers. Here are some more guides you may want to read: How to turn on Windows 10 Tamper Protection for Microsoft Defender, and how to manage Microsoft Defender Antivirus with Group Policy and Microsoft Malware Protection from the Command Line.

In this write-up, I show you how to configure Microsoft Defender using PowerShell. The feature is not turned on by default. Email attachments containing malicious code, such as scripts, executables, or Office macros laced with malicious code, are a common entry point for attackers. Web browsers in particular, as well as commonly used products like Adobe Reader, which frequently have vulnerabilities, are other points of attack. In addition to app-specific measures, Defender offers an additional degree of security on top of the precautions administrators might take by setting up the programs themselves.

For instance, office macros may be controlled to a significant extent with the aid of group policies, but the Attack Surface Reduction (ASR) rules further enclose them. For instance, Office may be stopped from producing executable content, injecting code into other processes, or establishing new processes. For example, for Adobe Reader, the latter can also be required, and if executable content enters the computer through a mail client, Defender can stop it.

It’s also intriguing to see how advanced ransomware prevention is configured. It retrieves details about a questionable file from the Microsoft Cloud and determines whether it is common enough to not be classified as ransomware or has been shown to be innocuous, for example. The function needs cloud-based protection to be turned on.

Configure ASR in Microsoft Defender Using PowerShell

Here I show you how to configure Attack Surface Reduction in Microsoft Defender via PowerShell. But before we do that, if you need to ascertain the current status of the ASR rules, use the PowerShell Cmdlet below to do so:

Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
Status of ASR Rules

The above command shows which rules have been configured and what their status is. From the output screen, there are no rules configured yet.

Invoke the Set-MpPreference to specify directories and files that are excluded as follows:

Configure exclusions for ASR rules with PowerShell

Then use the Get-MpPreference query the status of this property as shown on the above screenshot.

Configure ASR rules using group policies

Another method for enabling or configuring ASR rules is through Group Policy. In the Group Policy, two settings are available for the central management of ASR: one for enabling/disabling rules and the other for defining exclusions.

To access the ASR, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction by searching for and opening Group Policy on your PC’s search menu.

In configuring the GUID for Attack Surface Reduction, the values 0, 1, 2, and 6 specify the status (“Actions”). 0 stands for deactivated, 1 for activated, 2 for audit mode and 6 for warning, where users receive a notification about the possible danger but can bypass the blocking. Configure this folder’s other property to create directories and file exclusions.

Configuring Attack Surface Reduction via Group Policy

As shown above, the Value names are also entered in a table in this case, and the field in the right-hand column is always set to 0. Enter the GUID for an ASR rule and the value for the action Disable 0 Block 1 Audit 2 Warn 6 in the GPO setting

You can utilize a standard configuration for all of the rules rather than just turning on a different option for each one (“Configure Attack Surface Reduction rules”). There, you input the action’s numerical value and the aforementioned GUID into a table. For instance, here we want to


I hope you found this blog post helpful. Please let me know in the comment session if you have any questions.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x