Using Attack Surface Reduction Rules

This course explores the suite of tools available in Microsoft Endpoint Manager for establishing and maintaining an organization's security posture. These include Microsoft Intune, used for enrolling devices and for creating and enforcing device compliance policies, and Microsoft Defender, used for antivirus and malware defense on those devices. The course also reviews the activities involved in reducing the attack surface that bad actors could use to penetrate an organization and expose sensitive data. That data is protected through attack surface reduction rules, which are deployed only after careful auditing and testing so that they do not cause a loss of productivity. The course also touches on the security baselines available to organizations that want a more granular security posture, and on Microsoft Secure Score for evaluating the effectiveness of these efforts against known best practices.

Learning Objectives

  • Create a compliance policy
  • Monitor enrolled devices
  • Set up attack surface reduction rules
  • Deploy attack surface reduction rules
  • Review security baselines
  • Examine Microsoft Secure Score

Intended Audience

This course is designed for individuals who are responsible for setting up and monitoring device compliance and security in Microsoft 365 as well as those pursuing Microsoft certifications.


To get the most from this course, you should have some familiarity with the Microsoft 365 security suite of tools, including Microsoft Endpoint Manager.


Use Attack Surface Reduction Rules

Our organization's attack surface includes all the places where an attacker could compromise devices or networks. Reducing that attack surface means protecting those devices and networks, which leaves attackers with fewer ways to carry out attacks. Attack surface reduction rules are configured in Microsoft Defender for Endpoint and target specific software behaviors, such as launching executable files and scripts that attempt to download or run other files, running obfuscated or otherwise suspicious scripts, and performing actions that applications don't usually initiate during day-to-day work. These behaviors are considered risky because attackers commonly abuse them through malware.

Attack surface reduction rules constrain these risky software behaviors and help keep our organization safe. Before deploying a rule, we can assess its impact by opening the security recommendation for that rule in threat and vulnerability management. The recommendation details pane shows the user impact: the percentage of devices that can accept a new policy enabling the rule without adversely affecting productivity. Alternatively, we can use audit mode to evaluate how attack surface reduction rules would affect our organization if they were enabled.

It is recommended to run all rules in audit mode first, so we can understand how they affect line-of-business applications. From the audit results, we can add exclusions for necessary applications, which prevents the rules from impacting productivity. Once enabled, an attack surface reduction rule can be set to either audit mode or block mode.

There is also a newer option: warn mode. Whenever content is blocked by an attack surface reduction rule in warn mode, the user sees a dialog box indicating that the content has been blocked. The dialog box also offers the user the option to unblock the content; the user can then retry the action and the operation completes. When a user unblocks content, it remains unblocked for 24 hours, after which blocking resumes. Whenever an attack surface reduction rule is triggered, a notification is displayed on the device, and we can customize that notification with our company details and contact information. When certain rules are triggered, alerts are also generated. Notifications and any generated alerts can be viewed in the Microsoft 365 Defender portal.
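As a worked example added here (it is not part of the course or of Microsoft's documentation), the following PowerShell stages the procedure described above on a single endpoint: put the rules in audit mode, add an exclusion for a line-of-business application surfaced by the audit, promote the rules to block or warn mode, verify the effective state, and read back the audit and block events that Defender writes (event IDs 1122 and 1121 in the Microsoft-Windows-Windows Defender/Operational log) to see what each rule would have stopped. In production these settings are pushed through Intune endpoint security policy rather than typed on each device. The rule GUIDs are taken from Microsoft's published ASR rule reference and should be verified against it before use; the exclusion path and the regular expressions used to parse event messages are assumptions.

```powershell
# Added example, not course code. Requires an elevated session on a device
# running Microsoft Defender Antivirus. Rule GUIDs: verify against Microsoft's
# ASR rule reference before deploying (assumed correct here).
$Rules = [ordered]@{
    OfficeChildProcess = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # Block all Office applications from creating child processes
    ObfuscatedScripts  = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'  # Block execution of potentially obfuscated scripts
    LsassCredTheft     = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'  # Block credential stealing from LSASS
}

# Step 1: enable every rule in audit mode. Add-MpPreference merges with the
# rules already configured; Set-MpPreference would replace the whole list.
# Actions accept the names Disabled, Enabled (block), AuditMode and Warn.
Add-MpPreference -AttackSurfaceReductionRules_Ids     ([string[]]$Rules.Values) `
                 -AttackSurfaceReductionRules_Actions (@('AuditMode') * $Rules.Count)

# Step 2: exclude a line-of-business application that the audit showed being
# hit. Hypothetical path used for illustration. Exclusions apply to all ASR
# rules, so keep them as narrow as possible.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso\LobApp\LobApp.exe'

# Step 3: after reviewing the audit events, move rules to their final mode.
# Block for the two rules with no legitimate hits; warn for the script rule
# so users can self-unblock for 24 hours while the audit continues.
Add-MpPreference -AttackSurfaceReductionRules_Ids     $Rules.OfficeChildProcess, $Rules.LsassCredTheft `
                 -AttackSurfaceReductionRules_Actions 'Enabled', 'Enabled'
Add-MpPreference -AttackSurfaceReductionRules_Ids     $Rules.ObfuscatedScripts `
                 -AttackSurfaceReductionRules_Actions 'Warn'

# Step 4: read back the effective state. Ids and Actions are parallel arrays;
# actions come back numerically (0 Disabled, 1 Block, 2 Audit, 6 Warn).
function Get-AsrRuleState {
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

# Step 5: pull the rule-hit events. 1122 = rule fired in audit mode,
# 1121 = rule fired in block mode. Assumption: the event message contains
# "ID:", "Path:" and "Process Name:" lines, which the regexes below extract.
function Get-AsrEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
            RuleId  = if ($msg -match 'ID:\s*([0-9A-Fa-f-]{36})')  { $Matches[1] }
            Process = if ($msg -match 'Process Name:\s*(.+)')      { $Matches[1].Trim() }
            Path    = if ($msg -match '(?m)^Path:\s*(.+)')         { $Matches[1].Trim() }
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize

# Which rule/process pairs fire most often: these are the candidates for an
# exclusion (if legitimate) or for promotion to block (if not).
Get-AsrEvents -Days 7 |
    Group-Object RuleId, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The script uses Add-MpPreference throughout because Set-MpPreference -AttackSurfaceReductionRules_Ids overwrites the entire configured rule list, which is an easy way to silently disable rules that another policy had turned on. Note that when the device is managed by Intune, the policy from Intune takes precedence and local changes are overwritten at the next sync, so the local commands are for lab validation of the audit workflow, not for production rollout.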


About the Author

Steve is an experienced Solutions Architect with over 10 years of experience serving customers in the data and data engineering space. He has a proven track record of delivering solutions across a broad range of business areas that increase overall satisfaction and retention. He has worked across many industries, both public and private, and found many ways to drive the use of data and business intelligence tools to achieve business objectives. He is a persuasive communicator, presenter, and quite effective at building productive working relationships across all levels in the organization based on collegiality, transparency, and trust.