Plan attack surface reduction (ASR) rules deployment

Before you test or enable Microsoft Defender for Endpoint (MDE) attack surface reduction (ASR) rules, plan how you will roll out the deployment. Careful planning helps you test and enable ASR rules, and it also pays off later when you configure ASR rules exclusions. When you plan to test or enable ASR rules, start with the right business unit: a small group of people in one specific business unit. Within that unit, identify ASR champions who can report the real-world impact of the rules and help you tune your implementation.

(Figure: the ASR rules planning steps, that is, the preparation to do before you test or enable Microsoft Defender for Endpoint (MDE) ASR rules.)

Start your ASR rules deployment with the right business unit

How you select the business unit to roll out your ASR rules deployment will depend on factors such as:

  • Size of business unit
  • Availability of ASR rules champions
  • Distribution and usage of:
    • Software
    • Shared folders
    • Scripts
    • Office macros
    • Other entities affected by ASR rules

Depending on your business needs, you might decide to include multiple business units to get a broad sampling of software, shared folders, scripts, macros, etc. Conversely, you might decide to limit the scope of your first ASR rules rollout to a single business unit, then repeat the entire ASR rules rollout process to your other business units, one-at-a-time.

Identify ASR rules champions

ASR rules champions are members of your organization who help with your initial ASR rules rollout during the preliminary testing and implementation phases. Champions are typically employees who are more technically adept and who are not derailed by intermittent work-flow disruptions. Their involvement continues throughout the broader expansion of ASR rules across your organization, and they are the first to experience each level of the rollout.

Provide a feedback and response channel so that your ASR rules champions can alert you to work disruptions caused by ASR rules and receive communications about the rollout.

Get inventory of line-of-business apps and understand the business unit processes

Understanding which applications each business unit uses, and how that unit's processes depend on them, is critical to a successful ASR rules deployment. Start by getting an inventory of the apps that are approved for use across the organization. Tools such as the Microsoft 365 Apps admin center can help you inventory software applications. See: Overview of inventory in the Microsoft 365 Apps admin center. Note that this inventory covers Microsoft 365 Apps installations and add-ins; for other line-of-business software, scripts, and macro-enabled documents, also use your endpoint management or software asset management tooling, and confirm the results with the business unit itself.
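The following PowerShell script is an added example for this page; it is not Microsoft's own code or part of the Microsoft 365 Apps admin center. It builds a per-device inventory of the four things the planning list above asks about: installed software (read from the Uninstall registry keys), scripts and macro-enabled Office files in the folders a business unit uses, and the device's current ASR rule state from `Get-MpPreference`, so that the plan starts from what is already configured. The scan roots and output folder are assumptions to replace with the business unit's real shared folders; the rule GUIDs it records are resolved to names in the ASR rules reference, and the numeric actions map as 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn. Run it on a champion's device first, then collect the CSV files from the pilot group.

```powershell
# Added example (not Microsoft's code): per-device inventory for ASR rules planning.
# $ScanRoots and $OutDir are assumptions; point them at the business unit's folders.
[CmdletBinding()]
param(
    [string[]]$ScanRoots = @("$env:USERPROFILE\Documents", '\\fileserver\bu-share'),  # constructed example paths
    [string]$OutDir = (Join-Path $env:TEMP 'asr-inventory')
)

$computer = $env:COMPUTERNAME
$null = New-Item -ItemType Directory -Path $OutDir -Force

# 1. Installed applications from the 64-bit, 32-bit and per-user Uninstall keys.
#    Entries without a DisplayName are components or patches, not apps.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object @{ n = 'Computer'; e = { $computer } },
                  DisplayName, DisplayVersion, Publisher, InstallLocation |
    Sort-Object DisplayName, DisplayVersion -Unique
$apps | Export-Csv -Path (Join-Path $OutDir "$computer-apps.csv") -NoTypeInformation

# 2. Scripts and macro-enabled Office documents in the folders the unit actually uses.
#    These are the artifacts most likely to be affected by Office and script ASR rules.
$macroExt  = '.docm', '.dotm', '.xlsm', '.xltm', '.xlam', '.pptm', '.ppam'
$scriptExt = '.ps1', '.vbs', '.js', '.jse', '.wsf', '.hta', '.bat', '.cmd'
$files = foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Skipping missing root: $root"; continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in ($macroExt + $scriptExt) } |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $computer
                Kind      = if ($_.Extension -in $macroExt) { 'OfficeMacro' } else { 'Script' }
                Path      = $_.FullName
                Bytes     = $_.Length
                LastWrite = $_.LastWriteTime
            }
        }
}
$files | Export-Csv -Path (Join-Path $OutDir "$computer-scripts-macros.csv") -NoTypeInformation

# 3. Current ASR rule state. Get-MpPreference returns two parallel arrays:
#    rule GUIDs and their numeric actions (0 Disabled, 1 Block, 2 Audit, 6 Warn).
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
$acts  = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
$rules = for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{
        Computer = $computer
        RuleId   = $ids[$i]
        Action   = $actionName[[int]$acts[$i]]   # cast: hashtable keys are Int32, values come back as Byte
    }
}
$rules | Export-Csv -Path (Join-Path $OutDir "$computer-asr-state.csv") -NoTypeInformation

# Summary line for whoever is collecting inventory across the pilot business unit.
[pscustomobject]@{
    Computer        = $computer
    InstalledApps   = @($apps).Count
    OfficeMacroDocs = @($files | Where-Object Kind -eq 'OfficeMacro').Count
    Scripts         = @($files | Where-Object Kind -eq 'Script').Count
    AsrRulesSet     = @($rules).Count
    OutputFolder    = $OutDir
}
```

The registry-based app list deliberately includes the per-user Uninstall key, because user-installed tools are the ones most often missing from a centrally approved app inventory and most often surprised by a rule. The ASR state export is what lets you compare a device's starting point against the ring's target configuration later, and it is also where you will discover devices that already have rules set by an earlier project.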

Define reporting and response ASR rules team roles and responsibilities

Clearly articulating roles and responsibilities of persons responsible for monitoring and communicating ASR rules status and activity is a core activity of ASR maintenance. Therefore, it is important to determine:

  • The person or team responsible for gathering reports
  • How and with whom reports are shared
  • How escalation is addressed for newly identified threats or unwanted blockages caused by ASR rules

Typical roles and responsibilities include:

  • IT admins: implement ASR rules and manage exclusions; work with the business units on their apps and processes; assemble and share reports with stakeholders.
  • Certified security operations center (CSOC) analyst: investigate high-priority blocked processes to determine whether the threat is valid.
  • Chief information security officer (CISO): responsible for the overall security posture and health of the organization.

ASR rules ring deployment

For large enterprises, Microsoft recommends deploying ASR rules in "rings." Rings are groups of devices, visually represented as concentric circles that radiate outward like non-overlapping tree rings. When the innermost ring has been deployed successfully, you transition the next ring into the testing phase. Thorough assessment of your business units, ASR rules champions, apps, and processes is imperative to defining your rings. In most cases your organization already has deployment rings for phased rollouts of Windows updates; you can reuse that ring design to implement ASR rules. See: Create a deployment plan for Windows

Additional topics in this deployment collection

Attack surface reduction (ASR) rules deployment overview

Test attack surface reduction (ASR) rules

Enable attack surface reduction (ASR) rules

Operationalize attack surface reduction (ASR) rules

Attack surface reduction (ASR) rules reference