Deploying Attack Surface Reduction Rules

This course explores the suite of tools available in Microsoft Endpoint Manager for establishing and maintaining security posture in an organization. These include Microsoft Intune, used for enrolling devices and for creating and enforcing device compliance policies, and Microsoft Defender, used for implementing antivirus and malware defenses on devices. The course also reviews the activities involved in reducing the attack surfaces in an organization that bad actors could use to penetrate it and expose sensitive data. That data is protected by implementing attack surface reduction rules, which are deployed after careful auditing and testing to prevent any loss of productivity. The course also touches on the security baselines available to organizations that want a more granular security posture, and on tools like Microsoft Secure Score for evaluating the effectiveness of these efforts against known best practices.

Learning Objectives

  • Create a compliance policy 
  • Monitor enrolled devices
  • Set up attack surface reduction rules
  • Deploy attack surface reduction rules
  • Review security baselines
  • Examine Microsoft secure score

Intended Audience

This course is designed for individuals who are responsible for setting up and monitoring device compliance and security in Microsoft 365 as well as those pursuing Microsoft certifications.


To get the most from this course, you should have some familiarity and experience with the Microsoft 365 security suite of tools including Microsoft Endpoint Manager.  


Let's take a look at some examples of how to configure attack surface reduction rules. For polymorphic threats, we can block executable files from running unless they meet a prevalence, age, or trusted-list criterion. For lateral movement and credential theft, we can block process creations originating from PsExec and WMI commands. For productivity apps, we can block Office apps from creating executable content. For email, we can block executable content from email clients and webmail. For script rules, we can block execution of potentially obfuscated scripts. These represent just some of the catalog of rules that can be applied for attack surface reduction across an organization.

To apply these rules, our organization must have the following infrastructure already in place. We must be using Azure Active Directory and Microsoft Endpoint Manager. In addition, we must have Windows 10 or Windows 11 devices and Microsoft Defender for Endpoint E5 or Windows E5 licenses. We can configure ASR rules using Microsoft Endpoint Manager, PowerShell, Group Policy, or Microsoft System Center Configuration Manager.

Attack surface reduction rules have a few dependencies. Microsoft Defender Antivirus must be enabled, configured as the primary antivirus solution, and running in active mode (not passive mode); ASR rules are not enforced when another antivirus product is primary. The components of these systems must be at current versions. Additionally, cloud protection, known as the Microsoft Advanced Protection Service or MAPS, must be enabled. MAPS enhances standard real-time protection, providing a more robust antivirus defense.

Cloud protection is critical to preventing breaches from malware. As with any new wide-scale implementation that could potentially impact line-of-business operations, it's important to be methodical in planning and implementation. Because ASR rules are powerful at preventing malware, we must plan and deploy them carefully to ensure that they work best for our unique workflow. The recommended steps are: plan, test, implement, and operationalize. In the next section, we'll walk through each of these in more detail.
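As an added example (not part of the course material), the following PowerShell script stages the five rules named above through the test step in audit mode, and can then promote them to block mode once the audit events have been reviewed. It assumes an elevated session on a Windows 10/11 device with the Defender PowerShell module present; the rule GUIDs are taken from Microsoft's public ASR documentation and should be checked against the current list before use.

```powershell
# Added example: audit-first deployment of the ASR rules discussed in the course.
# Run elevated. -Mode Audit (default) logs what would be blocked; -Mode Block enforces.
param([ValidateSet('Audit', 'Block')] [string] $Mode = 'Audit')

# Rule GUID -> description. GUIDs assumed from Microsoft's ASR documentation; verify before use.
$Rules = [ordered]@{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age, or trusted-list criteria'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
}

# Dependency checks: Defender AV must be the active (not passive) engine and MAPS must be on.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
if ($status.AMRunningMode -ne 'Normal') {
    throw "Defender AV is not in active mode (AMRunningMode='$($status.AMRunningMode)'); ASR rules will not apply."
}
if ($pref.MAPSReporting -eq 0) {
    throw 'MAPS cloud protection is disabled; run Set-MpPreference -MAPSReporting Advanced before deploying ASR.'
}

# Apply each rule. Add-MpPreference merges with existing rule settings rather than replacing them.
$action = if ($Mode -eq 'Audit') { 'AuditMode' } else { 'Enabled' }
foreach ($id in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
    Write-Host ("{0,-9} {1}  {2}" -f $action, $id, $Rules[$id])
}

# Report the configuration as Defender now holds it (Actions: 0=Disabled, 1=Block, 2=Audit, 6=Warn).
$after = Get-MpPreference
for ($i = 0; $i -lt $after.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $after.AttackSurfaceReductionRules_Ids[$i]
        Action = $after.AttackSurfaceReductionRules_Actions[$i]
    }
}

# Review recent ASR events before moving from audit to block:
# event 1122 = rule matched in audit mode, 1121 = rule blocked an action.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = @(1122, 1121)
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Run it with the default mode during the test phase, leave the rules in audit long enough to cover a normal business cycle, and only rerun with `-Mode Block` once the 1122 events show no legitimate line-of-business activity would be blocked.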


About the Author

Steve is an experienced Solutions Architect with over 10 years of experience serving customers in the data and data engineering space. He has a proven track record of delivering solutions across a broad range of business areas that increase overall satisfaction and retention. He has worked across many industries, both public and private, and found many ways to drive the use of data and business intelligence tools to achieve business objectives. He is a persuasive communicator, presenter, and quite effective at building productive working relationships across all levels in the organization based on collegiality, transparency, and trust.