Attack surface reduction (ASR) rules deployment guide

Attack surface reduction (ASR) rules target risky software behavior on Windows devices that attackers commonly exploit through malware (for example, launching scripts that download files, running obfuscated scripts, and injecting code into other processes). For an introduction to ASR rules and their requirements, see Attack surface reduction (ASR) rules overview.

This guide helps you plan, test, implement, and manage your ASR rules deployment to effectively stop advanced threats like human-operated ransomware.

Important

This guide provides images and examples to help you decide how to configure ASR rules. These images and examples might not reflect the best configuration options for your environment.

Diagram of the ASR rules deployment phases: plan, test, enable, and maintain.

Important predeployment caveat

Typically, you can enable the standard protection rules in Block or Warn mode without testing. You should test other ASR rules in Audit mode before you switch them to Block or Warn mode.

Before you begin

Before you start the deployment process, review the following documentation:

Deployment steps

Use the following articles to plan, test, implement, and manage your ASR rules deployment:

  1. Plan ASR rules deployment: Determine infrastructure requirements, select business units and champions, and define team roles.
  2. Test ASR rules: Configure rules in Audit mode, review reports, and add exclusions.
  3. Enable ASR rules: Transition rules from Audit to Block mode, and expand to other deployment rings.
  4. Manage and monitor ASR rules: Monitor ongoing activity, manage false positives, and use advanced hunting.
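As an added example that is not part of the original guide, the following PowerShell walks a single rule through the phases above on one device: set it to Audit, review the audit events the rule generated, add an exclusion for a confirmed false positive, then switch to Block and verify. The rule GUID and the exclusion path are placeholders to replace with a value from the ASR rules reference and with your own test findings; run it in an elevated session.

```powershell
# Added example (not Microsoft's own code): Audit -> review -> exclude -> Block
# for one ASR rule. Replace the placeholders below before running.
$RuleId        = '<ASR-rule-GUID>'            # placeholder: GUID from the ASR rules reference
$ExclusionPath = 'C:\Path\To\TrustedApp.exe'  # placeholder: path confirmed as a false positive

function Get-AsrRuleAction {
    # Returns the configured action name for one rule ID, or 'NotConfigured'.
    param([string]$Id)
    $pref = Get-MpPreference
    if (-not $pref.AttackSurfaceReductionRules_Ids) { return 'NotConfigured' }
    $idx = -1
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $Id) { $idx = $i; break }
    }
    if ($idx -lt 0) { return 'NotConfigured' }
    # Action values stored by Defender: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    switch ($pref.AttackSurfaceReductionRules_Actions[$idx]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'AuditMode' } 6 { 'Warn' } default { "Unknown($_)" }
    }
}

# Phase 2 (Test): configure the rule in Audit mode. Add-MpPreference adds the rule
# or updates its action without overwriting the rules already in the list.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
"Rule $RuleId is now: $(Get-AsrRuleAction $RuleId)"

# Review what the rule would have blocked. Event ID 1122 in the Defender
# operational log is an ASR audit event; 1121 is a block event.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($RuleId) } |
    Select-Object TimeCreated, Message

# Add an exclusion only for a process or file you have confirmed is a false positive;
# this exclusion applies to ASR rules only, not to antivirus scanning.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $ExclusionPath

# Phase 3 (Enable): once the audit period shows no unexpected hits, move to Block.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
"Rule $RuleId is now: $(Get-AsrRuleAction $RuleId)"
```

Use Warn instead of Enabled for rules that support Warn mode; the same Add-MpPreference call applies.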