Configure Attack Surface Reduction rules

Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016

Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to the following in the Options section: - Block: the rule will be applied - Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied) - Off: the rule will not be applied - Not Configured: the rule is enabled with default values - Warn: the rule will be applied and the end-user will have the option to bypass the block Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules will the value of not configured. Enabled: Specify the state for each ASR rule under the Options section for this setting. Enter each rule on a new line as a name-value pair: - Name column: Enter a valid ASR rule ID - Value column: Enter the status ID that relates to state you want to specify for the associated rule The following status IDs are permitted under the value column: - 1 (Block) - 0 (Off) - 2 (Audit) - 5 (Not Configured) - 6 (Warn) Example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 Disabled: No ASR rules will be configured. Not configured: Same as Disabled. You can exclude folders or files in the ""Exclude files and paths from Attack Surface Reduction Rules"" GP setting.

No explicit registry values are set for enabled or disabled states.

• Computer
  Apply a list of exclusions to specific attack surface reduction (ASR) rules

  At least Windows Server 2016, Windows 10 Version 1709
• Computer
  Exclude files and paths from Attack Surface Reduction Rules

  At least Windows Server 2016, Windows 10 Version 1709