Configure Attack Surface Reduction in Windows 10
Attack Surface Reduction is a new security feature of Windows Defender Exploit Guard on Windows 10 that Microsoft introduced in the Fall Creators Update.
Attack Surface Reduction may prevent common actions of malicious software that is run on Windows 10 devices that have the feature enabled.
The feature is rules based, and designed to target actions and behavior that is typically of malware. You may enable rules that block the execution of obfuscated scripts, executable content in mail clients, or Office from spawning child processes.
Attack Surface Reduction is only available if you enable real-time protection in Windows Defender Antivirus.
Attack Surface Reduction rules
The following rules are available in the Windows 10 Fall Creators Update:
- Block execution of (potentially) obfuscated scripts (5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
) - Block executable content in email clients and web mail (BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550)
- Block Office apps from spawning child processes (D4F940AB-401B-4EFC-AADC-AD5F3C50688A)
- Block Office applications from creating executables (3B576869-A4EC-4529-8536-B80A7769E899)
- Block Office applications from injecting data into other processes (75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84)
- Block Win32 imports from Macro code in Office (92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B)
- Impede JavaScript and VBScript to launch executables (D3E037E1-3EB8-44C8-A917-57927947596D)
Configuring Attack Surface Reduction
The Attack Surface Reduction protection can be configured in three different ways:
- Using Group Policy.
- Using PowerShell.
- Using MDM CSP.
Configuring rules using policies
You need to launch the Group Policy editor to get started. Note that the Group Policy editor is not available on Home editions of Windows 10.
Home users may check out Policy Plus which brings policy editing to the edition of Windows 10.
- Tap on the Windows-key, type gpedit.msc and hit the Enter-key to start the Group Policy editor on Windows 10.
- Navigate to Computer Configuration > Administrative Templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction
- Double-click on the policy "Configure Attack surface reduction rules".
- Set the policy to enabled.
- Setting the policy to enabled activates the "show" button. Click on show to load the "show contents" window.
Show contents is a table that accepts one Attack Surface Reduction rule per row. Value name is the ID that is listed under rules above in the brackets.
Value accepts the following input:
- 0 = disabled. The rule is not active.
- 1 = enabled. The rule is active, and block mode is activated.
- 2 = audit mode. Events will be recorded, but the actual rule is not enforced.
Configuring rules using PowerShell
You may use PowerShell to configure rules.
- Tap on the Windows-key, type PowerShell, hold down the Shift-key and the Ctrl-key, and load the PowerShell entry with a click.
Use the following command to add a blocking mode rule:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
Use the following command to add an audit mode rule:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
Use the following command to set a rule to disabled:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled
You can combine multiple rules in a single command by separating each rule with a comma, and by listing states individually for each rule. Example:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID>, <rule ID 2>, <rule ID 3> -AttackSurfaceReductionRules_Actions Disabled, Enabled, Enabled
Note: you can use Set-MpPreference or Add-MpPreference. The Set command will always overwrite the existing set of rules while the Add command adds to it without overwriting existing rules.
You can display the set of rules using the Get-MpPreference command.
Attack Surface Reduction Events
Log entries are created whenever you change rules, and when events fire rules in audit mode or in block mode.
- Download the Exploit Guard Evaluation Package from Microsoft.
- Extract the content of the archive to the local system so that asr-events.xml is accessible on the system.
- Tap on the Windows-key, type Event Viewer and select the item from the list of suggestions to load the Event Viewer interface.
- Select Action > Import custom view when the interface is open.
- Select the asr-events.xml file that you extracted previously.
- Select ok when the "import custom view file" window opens. You may add a description if you want.
The new view is listed under Custom Views afterwards that shows the following events:
- Event ID 1121 -- blocking mode events
- Event ID 1122 -- audit mode events
- Event ID 5007 -- changing settings events.
Excluding files and folders
You can exclude files or folders so that the excluded items are not evaluated by Attack Surface Reduction rules.
- Group Policy: Go to Computer configuration > Administrative templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction > Exclude files and paths from Attack surface reduction Rules. Set the policy to enabled, click on the show button, and add files or folders (folder path or resource, e.g. c:\Windows in the value name, and 0 in the value field of each column.
- PowerShell: Use the command Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>" to add files or folders to the exclusions list.
Microsoft Resources
Check out the following resources on Microsoft's website for additional information on Attack Surface Reduction:
- Enable Attack surface reduction
- Customize Attack surface reduction
- Reduce attack surfaces with Windows Defender Exploit Guard
- Windows Defender Exploit Guard
- Set-MpPreference documentation
- Add-MpPreference documentation
- Get-MpPreference documentation
What mental age of reader are you targeting with the first sentence? 10?
Why not write an article on how to *avoid* upgrading from W10 to W11. Analogous to those like me who avoided upgrading from 7 to 10 for as long as possible.
If your paymaster Microsoft permits it, of course.
5. Rufus
6. Ventoy
PS. I hate reading these “SEO optimized” articles.
I used Rufus to create an installer for a 6th gen intel i5 that had MBR. It upgraded using Setup. No issues except for Win 11 always prompting me to replace my local account. Still using Win 10 Pro on all my other PCs to avoid the bullying.
bit pointless to upgrade for the sake of upgrading as you never know when you’ll get locked out because ms might suddenly not provide updates to unsupported systems.
ps…. time travelling?
written. Jan 15, 2023
Updated • Jan 13, 2023
This happens when you schedule a post in WordPress and update it before setting the publication date.
Anyone willing to downgrade to this awful OS must like inflicting themselves with harm.
I have become convinced now that anybody who has no qualms with using Windows 11/10 must fit into one of the following brackets:
1) Too young to remember a time before W10 and W11 (doesn’t know better)
2) Wants to play the latest games on their PC above anything else (or deeply needs some software which already dropped W7 support)
3) Doesn’t know too much about how computers work, worried that they’d be absolutely lost and in trouble without the “”latest security””
4) Microsoft apologist that tries to justify that the latest “features” and “changes” are actually a good thing, that improve Windows
5) Uses their computer to do a bare minimum of like 3 different things, browse web, check emails, etc, so really doesn’t fuss
Obviously that doesn’t cover everyone, there’s also the category that:
6) Actually liked W7 more than 10, and held out as long as possible before switching, begrudgingly uses 10 now
Have I missed any group off this list?
You have missed in this group just about any professional user that uses business software like CAD programs or ERP Programs which are 99% of all professional users from this list.
Linux doesn’t help anyone who is not a linux kid and apple is just a fancy facebook machine.
Microsoft has removed KB5029351 update
only from windows update though
KB5029351 is still available from the ms update catalog site
1. This update is labaled as PREVIEW if it causes issues to unintelligent people, then they shouldn’t have allowed Preview updates ot install.
2. I have installed it in a 11 years old computer, and no problems at all.
3. Making a big drama over a bluescreen for an updated labeled as preview is ridiculous.
This is probably another BS internet drama where people ran programs and scripts that modified the registry until they broke Windows, just for removing stuff that they weren’t even using just for the sake of it.
Maybe people should stop playing geeks and actually either use Windows 10 or Windows 11, but don’t try to modify things just for the sake of it.
Sometimes removing or stopping things (like defender is a perfect example) only need intelligence, not scripts or 3rd party programs that might mess with windows.
Windows 11 was a pointless release, it was just created because some of the Windows team wanted to boost sales with some sort of new and improved Windows 10. Instead, Microsoft cannot support one version well let alone two.
Windows 11 is the worst ugly shame by Microsoft ever. They should release with every new W11 version a complete free version of Starallback inside just to make this sh** OS functionally again.
motherboard maker MSI has recently released a statement regarding the “unsupported processor” blue screen error for their boards using Intel 600/700 series chipsets & to avoid the KB5029351 Win11 update:
https://www.msi.com/news/detail/MSI-On–UNSUPPORTED-PROCESSOR–Error-Message-of-Windows-11-Update-KB5029351-Preview-142215
check out the following recent articles:
Neowin – Microsoft puts little blame on its Windows update after UNSUPPORTED PROCESSOR BSOD bug:
https://www.neowin.net/news/microsoft-puts-little-blame-on-its-windows-update-after-unsupported-processor-bsod-bug/
BleepingComputer – Microsoft blames ‘unsupported processor’ blue screens on OEM vendors:
https://www.bleepingcomputer.com/news/microsoft/microsoft-blames-unsupported-processor-blue-screens-on-oem-vendors/
While there may be changes or updates to the Windows 10 Store for Business and Education in the future, it is premature to conclude that it will be discontinued based solely on rumors.
My advice, I left win 15 years ago. Now I’m a happy linux user (linuxmint) but there is Centos, Fedora, Ubuntu depending on your needs.
motherboard maker MSI has recently released new BIOS/firmware updates for their Intel 600 & 700 series motherboards to fix the “UNSUPPORTED_PROCESSOR” problem (Sept. 6):
https://www.msi.com/news/detail/Updated-BIOS-fixes-Error-Message–UNSUPPORTED-PROCESSOR–caused-BSOD-on-MSI-s-Intel-700-and-600-Series-Motherboards-142277
I try to disable the Diagnostics Tracking Service (Connected Devices Platform User Services) but it wont let me disable it, any help will be greatly appreciated.
Tank you for your help