Attack Surface Reduction

Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (L2) - v3.7

Name	Value
Basics
Name	Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (L2) - v3.7
Description	DO NOT ASSIGN THIS POLICY WITHOUT VALIDATING VIA AUDIT MODE FIRST! https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize
Profile type	Settings catalog
Category	Attack surface reduction
Policy type	Attack Surface Reduction Rules
Platform supported	Windows 10 and later
Created	Thursday, February 26, 2026 2:33:51 AM
Last modified	Thursday, February 26, 2026 2:33:51 AM
Scope tags	Default

Name	Value
Defender
Attack Surface Reduction Rules
Block Adobe Reader from creating child processes	Block
Block process creations originating from PSExec and WMI commands	Warn
Block execution of potentially obfuscated scripts	Warn
Block persistence through WMI event subscription	Block
Block Win32 API calls from Office macros	Block
Block Office applications from creating executable content	Block
Block credential stealing from the Windows local security authority subsystem	Block
Block use of copied or impersonated system tools	Block
Block executable files from running unless they meet a prevalence, age, or trusted list criterion	Audit
Block JavaScript or VBScript from launching downloaded executable content	Block
Block Office communication application from creating child processes	Warn
Block Office applications from injecting code into other processes	Block
Block all Office applications from creating child processes	Block
Block rebooting machine in Safe Mode	Audit
Block untrusted and unsigned processes that run from USB	Block
Use advanced protection against ransomware	Block
Block executable content from email client and webmail	Block
Block abuse of exploited vulnerable signed drivers (Device)	Block
Enable Controlled Folder Access	Audit Mode

Join the list to see the real-time solutions I'm delivering to my GCC High clients.