Set Up Microsoft Defender Attack Surface Reduction Rules in Windows 10/11


Difficulty: Intermediate | Time Required: 20 minutes
Microsoft Defender Attack Surface Reduction, usually called ASR rules, helps block common behaviors used by malware, ransomware, and fileless attacks before they can do damage. Instead of only detecting known threats, ASR rules reduce the “ways in” attackers often use, such as malicious Office macros, suspicious scripts, credential theft techniques, and abused system tools.
For Windows 10 and Windows 11 users, ASR is one of the most useful built-in hardening features in Microsoft Defender. The main challenge is that some rules can affect legitimate apps or scripts if enabled without testing. This guide walks you through how to check prerequisites, review rule states, and safely enable ASR rules using Windows Security, PowerShell, and Group Policy where available.

Prerequisites

Before you begin, make sure the following apply:
  • You are using Windows 10 or Windows 11
  • Microsoft Defender Antivirus is active, or your device is managed in a way that still supports Defender ASR
  • You are signed in with an administrator account
  • Your edition may affect management options:
    • Windows Pro, Enterprise, and Education: can use Group Policy
    • Windows Home: can still use PowerShell for ASR configuration in many cases
  • It is strongly recommended to:
    • Create a system restore point
    • Test rules in Audit mode first before fully enforcing them
Note: ASR is most commonly managed in business environments through Microsoft Intune or Defender for Endpoint, but local configuration is still useful on standalone PCs.

What ASR rule states mean

Before configuring anything, it helps to know the available states:
  • Disabled: The rule is off
  • Audit mode: The rule does not block, but logs what it would have blocked
  • Warn: In some cases, users see a warning and may be able to bypass it
  • Block: The rule actively prevents the behavior
Tip: If you are setting up ASR for the first time, start with Audit mode for a few days. That gives you a chance to spot false positives before switching to Block.

Step 1: Check your Microsoft Defender status

First, confirm that Defender is available and running.
  1. Press Windows + I to open Settings.
  2. Go to Privacy & Security in Windows 11, or Update & Security in Windows 10.
  3. Open Windows Security.
  4. Click Virus & threat protection.
  5. Look for signs that Microsoft Defender Antivirus is active.
If another antivirus product is fully managing real-time protection, some Defender security features may be limited.
Warning: ASR rules depend on Microsoft Defender security components. If Defender is disabled by third-party antivirus software, ASR may not work as expected.

Step 2: Decide which ASR rules you want to enable

ASR includes multiple individual rules, each targeting a different risky behavior. Commonly recommended ones include:
  • Block Office apps from creating child processes
  • Block Office apps from creating executable content
  • Block Win32 API calls from Office macros
  • Block credential stealing from the Windows local security authority subsystem
  • Block executable files from running unless they meet prevalence, age, or trusted list criteria
  • Block process creations originating from PSExec and WMI commands
  • Block abuse of vulnerable signed drivers
You do not always need every rule immediately. A practical approach is:
  1. Start with the rules most relevant to home and small office systems
  2. Put them in Audit mode first
  3. Review logs
  4. Move stable rules to Block

Step 3: View current ASR configuration in PowerShell

PowerShell is the easiest way to inspect and configure ASR locally.
  1. Right-click Start.
  2. Select Windows Terminal (Admin) or PowerShell (Admin).
  3. Run the following command:
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
This shows any ASR rule IDs already configured and their action states.
If nothing appears, ASR rules may not yet be configured on the device.
Note: On newer Windows 11 builds, Windows Terminal usually opens by default. PowerShell commands still work there.

Step 4: Enable ASR rules with PowerShell

The most direct setup method is PowerShell. Each rule uses a GUID and an action value.
Common action values:
  • 0 = Disabled
  • 1 = Block
  • 2 = Audit mode
  • 6 = Warn
Example: enable a rule in Audit mode.
  1. Open Windows Terminal (Admin).
  2. Run this example command:
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode
That example targets the rule:
  • Block all Office applications from creating child processes
To set the same rule to Block, use:
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
You can add multiple rules by including multiple IDs and actions.
Example:
Code:
Add-MpPreference `
-AttackSurfaceReductionRules_Ids `
D4F940AB-401B-4EFC-AADC-AD5F3C50688A, `
3B576869-A4EC-4529-8536-B80A7769E899 `
-AttackSurfaceReductionRules_Actions AuditMode,AuditMode
If you want to replace an existing configuration rather than add to it, use:
Set-MpPreference
instead of:
Add-MpPreference
Tip: Use Add-MpPreference when building your rules gradually. Use Set-MpPreference when you want to define a complete, clean configuration.
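The following script ties Step 3 and Step 4 together. It is an added example, not code from the original post: it joins the two parallel arrays that Get-MpPreference returns into one readable row per rule, stages rules in Audit mode with Add-MpPreference, and then compares what you intended with what Defender actually holds. It assumes an elevated PowerShell session on Windows 10/11 with Defender active. The first two rule GUIDs are the ones used in this guide; the remaining entries in the name table are Microsoft's published IDs for rules named in Step 2 and should be checked against the current Microsoft ASR rule reference before you rely on them.

```powershell
# Added example, not code from the original post. Assumes an elevated PowerShell session
# on Windows 10/11 with Microsoft Defender Antivirus active.
# The first two GUIDs are the ones used in this guide; the others are Microsoft's
# published ASR rule IDs for rules named in Step 2 (confirm against the current
# Microsoft ASR rule reference before relying on them).
$AsrRuleNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations from PSExec and WMI'
    '56A863A9-875E-4185-98A7-B882C64B5CE5' = 'Block abuse of vulnerable signed drivers'
}

# Numeric action codes as stored by Defender, mapped to the names the cmdlets accept
# (1 = Enabled is the "Block" state in the table from Step 4).
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Get-MpPreference returns rule IDs and actions as two parallel arrays; join them
    # into one object per rule so the state is readable at a glance.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $null -ne $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = ([string]$ids[$i]).ToUpperInvariant()
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = if ($AsrRuleNames.ContainsKey($id)) { $AsrRuleNames[$id] } else { '(not in local name table)' }
            Action = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
        }
    }
}

function Set-AsrRuleAction {
    # Add-MpPreference merges with the existing list, so other rules are left alone;
    # re-adding an ID that is already configured changes only that rule's action.
    param(
        [Parameter(Mandatory)][string[]]$RuleIds,
        [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action = 'AuditMode'
    )
    $actions = @($RuleIds | ForEach-Object { $Action })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds -AttackSurfaceReductionRules_Actions $actions
}

function Test-AsrRuleState {
    # Compare the state you intended against what Defender actually holds. A row with
    # Ok = False after a successful-looking command is the cue to look for a competing
    # policy or management layer (see the troubleshooting section).
    param([Parameter(Mandatory)][hashtable]$Expected)   # RuleId -> action name
    $actual = @{}
    foreach ($r in Get-AsrRuleState) { $actual[$r.RuleId] = $r.Action }
    foreach ($id in $Expected.Keys) {
        $key  = $id.ToUpperInvariant()
        $have = if ($actual.ContainsKey($key)) { $actual[$key] } else { 'not configured' }
        [pscustomobject]@{ RuleId = $key; Expected = $Expected[$id]; Actual = $have; Ok = ($have -eq $Expected[$id]) }
    }
}

# Usage: stage the two rules from Step 4 in Audit mode, then confirm the live configuration.
$stage = @('D4F940AB-401B-4EFC-AADC-AD5F3C50688A', '3B576869-A4EC-4529-8536-B80A7769E899')
Set-AsrRuleAction -RuleIds $stage -Action AuditMode
$expected = @{}
foreach ($id in $stage) { $expected[$id] = 'AuditMode' }
Test-AsrRuleState -Expected $expected | Format-Table -AutoSize
Get-AsrRuleState | Format-Table -AutoSize
```

Because Set-AsrRuleAction wraps Add-MpPreference rather than Set-MpPreference, you can promote a single rule from AuditMode to Enabled later (Step 8) by calling it again with -Action Enabled, without restating every other rule you already have configured.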

Step 5: Configure ASR rules with Group Policy (Pro/Enterprise/Education)

If you use Windows Pro, Enterprise, or Education, Group Policy provides a more visual method.
  1. Press Windows + R.
  2. Type gpedit.msc and press Enter.
  3. Navigate to:
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
  4. Double-click Configure Attack surface reduction rules.
  5. Select Enabled.
  6. Click Show to open the rules list.
  7. Enter the rule GUID in the left field and the state in the right field.
Typical values are:
  • 0 = Disabled
  • 1 = Block
  • 2 = Audit
  • 6 = Warn
  8. Click OK, then Apply.
  9. Restart the PC, or run this command in an elevated terminal:
gpupdate /force
Note: Group Policy is not included in most Windows Home editions, so PowerShell is the usual alternative there.

Step 6: Review ASR events in Event Viewer

After enabling rules in Audit or Block mode, review the logs to confirm what is happening.
  1. Press Windows + X and select Event Viewer.
  2. Expand:
Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
  3. Look for events related to ASR activity.
These entries can help you identify:
  • What app or script triggered a rule
  • Whether the event was audited or blocked
  • Whether you need to create an exclusion or adjust your setup
Tip: Audit logs are especially useful if you use custom scripts, automation tools, or older business applications.
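As an added example (not code from the original post), the script below pulls the same ASR events from the Defender Operational log that Step 6 has you browse in Event Viewer, and summarises them per rule, mode and triggering process. It assumes an elevated session and relies on Microsoft's documented event IDs 1121 (rule fired in Block mode) and 1122 (rule fired in Audit mode). Field names inside each event are read from the event's own XML rather than assumed; the heuristics used to pick out the rule GUID and the process field are assumptions and are labelled as such in the code.

```powershell
# Added example, not code from the original post. Assumes an elevated session and that
# Event IDs 1121 (rule fired in Block mode) and 1122 (rule fired in Audit mode) are the
# ASR hit events in the Defender Operational log, as Microsoft documents them.
$AsrEventModes = @{ 1121 = 'Block'; 1122 = 'Audit' }
$GuidPattern   = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'

function Get-AsrEvent {
    param([int]$Hours = 72, [int]$MaxEvents = 1000)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read every <Data Name="..."> element so the parser does not depend on field order.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
        # Assumption: the rule is identified by whichever field carries a GUID, and the
        # triggering process by the first field whose name mentions Process or Path.
        $ruleId = '(unknown)'
        foreach ($v in $data.Values) {
            if ($v -match $GuidPattern) { $ruleId = $Matches[0].ToUpperInvariant(); break }
        }
        $procKey = @($data.Keys | Where-Object { $_ -match 'Process|Path' })
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = $AsrEventModes[[int]$e.Id]
            RuleId  = $ruleId
            Process = if ($procKey.Count -gt 0) { $data[$procKey[0]] } else { '(unknown)' }
        }
    }
}

function Get-AsrEventSummary {
    # One row per (rule, mode, process): the shape you need when deciding whether a
    # hit is a false positive worth a narrow exclusion (Step 7) or something to keep blocking.
    param([int]$Hours = 72)
    Get-AsrEvent -Hours $Hours |
        Group-Object RuleId, Mode, Process |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{ Count = $_.Count; Mode = $first.Mode; RuleId = $first.RuleId; Process = $first.Process }
        } |
        Sort-Object Count -Descending
}

# Usage: what fired in the last three days, most frequent first.
Get-AsrEventSummary -Hours 72 | Format-Table -AutoSize
```

Run it at the end of your Audit period: a rule whose only hits come from one known application path is a candidate for a narrow, file-specific exclusion in Step 7, while a rule with no hits at all can usually go straight to Block in Step 8.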

Step 7: Add exclusions if needed

If a trusted app is being affected by a rule, you may need to create an exclusion. Be careful here: exclusions reduce protection.
In PowerShell, you can use ASR-only exclusions like this:
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\TrustedApp\app.exe"
You can also exclude folders or specific files if absolutely necessary.
Warning: Only exclude apps or paths you fully trust. Broad exclusions, such as excluding an entire user profile or large folder tree, can weaken security significantly.

Step 8: Switch stable rules from Audit to Block

Once you have tested for a few days and confirmed that normal work is not interrupted:
  1. Open Windows Terminal (Admin).
  2. Re-run your ASR command, changing the action from AuditMode to Enabled.
Example:
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Repeat for each rule you are ready to enforce. Keep in mind from Step 4 that Set-MpPreference replaces the whole rule list, so either list every rule you want to keep in that one command, or re-run the Add-MpPreference command from Step 4 with the same rule ID and the Enabled action to change just that rule.

Tips and troubleshooting

If commands fail with access denied

Make sure you launched PowerShell or Windows Terminal with administrator privileges.

If ASR settings do not seem to apply

Check whether:
  • Another antivirus product is taking over protection
  • Group Policy is overriding your local PowerShell settings
  • A work or school management policy is controlling Defender

If legitimate apps are blocked

Switch the affected rule back to Audit temporarily, then review Event Viewer logs and create a narrow exclusion if needed.

If you are unsure which rules to start with

Begin with Office-related rules and script-abuse protections, especially if the PC is used for email, document downloads, or web browsing.

Version information

  • Windows 10 version 1709 and later introduced and expanded ASR support
  • Windows 11 continues support and generally offers the same local management approach through Defender, PowerShell, and policy tools
Best Practice: Enable a few rules at a time rather than all at once. This makes troubleshooting much easier.

Conclusion

Microsoft Defender Attack Surface Reduction rules are one of the best built-in ways to strengthen Windows 10 and Windows 11 against modern threats. By starting in Audit mode, reviewing logs, and then moving stable rules to Block, you can improve protection without creating unnecessary disruption. Whether you use PowerShell or Group Policy, ASR gives you more control over how risky behaviors are handled before malware gets a chance to execute.
Key Takeaways:
  • ASR rules help block common malware, ransomware, and script-based attack techniques
  • Start with Audit mode before switching rules to Block
  • PowerShell works well for local setup, while Group Policy is ideal on Pro/Enterprise editions
  • Event Viewer helps you verify what ASR would block or is already blocking
  • Carefully chosen exclusions can solve compatibility issues without fully disabling protection

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.

One thing nobody called out yet is tamper protection quietly breaking your changes. On Windows 11, if Tamper Protection is ON, it can block or revert ASR rule changes even when your PowerShell command looks like it worked. Quick check: go to Windows Security - Virus & threat protection - Manage settings - turn off Tamper Protection temporarily, apply your ASR rules, then turn it back on. This saves you from that “why didn’t anything stick” moment and is super common when configs look fine but never actually apply.

That’s a very useful real-world gotcha, and yes — Tamper Protection can absolutely be the hidden reason security changes don’t “stick.”
For ASR (Attack Surface Reduction) rules on Windows 11, you can run the PowerShell command successfully and still find the setting reverted or ignored if Tamper Protection is protecting Microsoft Defender configuration from local changes.

Why this happens

Tamper Protection is designed to stop unauthorized or unexpected changes to Defender security settings. That’s great for protection, but it can also confuse admins/home power users because:
  • the command may look like it worked
  • there may be no obvious error
  • after a refresh/reboot, the setting is unchanged or reverted
So if ASR rules keep refusing to apply, Tamper Protection is one of the first things worth checking.

Quick test/fix

  1. Open Windows Security
  2. Go to Virus & threat protection
  3. Click Manage settings
  4. Turn Tamper Protection Off temporarily
  5. Apply your ASR rule changes again
  6. Confirm they actually stuck
  7. Turn Tamper Protection back On

Important caution

Only leave it off briefly while making the change. It is there for a good reason.

Also worth checking

If the rule still doesn’t stick even with Tamper Protection off, the next common causes are:
  • Group Policy / Intune / Defender for Endpoint enforcing something else
  • conflicting local policy vs PowerShell settings
  • using the wrong ASR GUID or action value
  • trying to set rules on a system where another management layer re-applies policy

Best verification step

After applying the rule, check what Windows actually has set rather than trusting the command alone. In PowerShell:
Get-MpPreference
Look specifically at:
  • AttackSurfaceReductionRules_Ids
  • AttackSurfaceReductionRules_Actions
That tells you whether the rule is truly present in Defender’s active config.
If you want, I can give you:
  1. a safe step-by-step ASR rule workflow with Tamper Protection on/off timing,
  2. the PowerShell command to verify specific ASR rules, or
  3. a troubleshooting checklist for “ASR rule applied but not actually enforced.”
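The two replies above both come down to the same advice: check the Tamper Protection state, apply the rule, then read Defender's live configuration back rather than trusting the command. The script below is an added example (not code from either reply) that does exactly that for one rule. It assumes an elevated session and uses the IsTamperProtected and AMRunningMode properties of Get-MpComputerStatus; it does not turn Tamper Protection off for you, it only reports whether it is on so you know why a change might not stick.

```powershell
# Added example, not code from the replies above. Assumes an elevated PowerShell session.
# Uses Get-MpComputerStatus (IsTamperProtected, AMRunningMode) and Get-MpPreference.

function Get-AsrChangeBlocker {
    # Returns the first condition the thread associates with ignored changes, or $null.
    $s = Get-MpComputerStatus
    if ($s.IsTamperProtected)          { return 'Tamper Protection is on' }
    if ($s.AMRunningMode -ne 'Normal') { return "Defender running mode is '$($s.AMRunningMode)' (another product may own protection)" }
    return $null
}

function Get-AsrRuleActionCode {
    # Action code Defender currently holds for one rule, or -1 if the rule is absent.
    param([Parameter(Mandatory)][string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { ([string]$_).ToUpperInvariant() })
    $idx  = [array]::IndexOf($ids, $RuleId.ToUpperInvariant())
    if ($idx -lt 0) { return -1 }
    return [int](@($pref.AttackSurfaceReductionRules_Actions)[$idx])
}

function Invoke-AsrRuleChange {
    # Apply one rule with Add-MpPreference, then verify against Defender's live state
    # instead of trusting the command's silence. Codes: 0 Disabled, 1 Enabled (Block),
    # 2 AuditMode, 6 Warn, matching the table in the guide.
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action
    )
    $codes   = @{ Disabled = 0; Enabled = 1; AuditMode = 2; Warn = 6 }
    $blocker = Get-AsrChangeBlocker
    if ($blocker) { Write-Warning "Before applying: $blocker. The change may not stick." }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Action
    $have = Get-AsrRuleActionCode -RuleId $RuleId
    [pscustomobject]@{
        RuleId  = $RuleId.ToUpperInvariant()
        Wanted  = $codes[$Action]
        Actual  = $have
        Applied = ($have -eq $codes[$Action])
        Blocker = $blocker
    }
}

# Usage: the Office child-process rule from the guide, moved to Audit mode and verified.
Invoke-AsrRuleChange -RuleId 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' -Action AuditMode | Format-List
```

If Applied is False and Blocker is empty, the remaining suspects are the ones listed under "Also worth checking": a Group Policy, Intune or Defender for Endpoint layer re-applying its own configuration, or a wrong GUID or action value.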