{
	"id": "95605366-cc28-4636-8dde-40515c645210",
	"created_at": "2026-04-06T00:07:14.140769Z",
	"updated_at": "2026-04-10T13:12:49.940828Z",
	"deleted_at": null,
	"sha1_hash": "89c1b810d533d92fb068341ea5e06777b39c5848",
	"title": "Enable attack surface reduction rules - Microsoft Defender for Endpoint",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129941,
	"plain_text": "Enable attack surface reduction rules - Microsoft Defender for\r\nEndpoint\r\nBy limwainstein\r\nArchived: 2026-04-05 23:51:26 UTC\r\nAttack surface reduction rules help prevent actions that malware often abuses to compromise devices and\r\nnetworks. This article describes how to enable and configure attack surface reduction rules via:\r\nMicrosoft Intune\r\nMobile Device Management (MDM)\r\nMicrosoft Configuration Manager\r\nGroup policy (GP)\r\nPowerShell\r\nTo use the entire feature-set of attack surface reduction rules, the following requirements must be met:\r\nMicrosoft Defender Antivirus must be set as the primary antivirus. It must not be running in passive mode\r\nor be disabled.\r\nReal-time protection must be on.\r\nCloud-Delivery Protection must be on (some rules require Cloud Protection).\r\nYou must have Cloud Protection network connectivity\r\nRecommended: Microsoft 365 E5\r\nAlthough attack surface reduction rules don't require a Microsoft 365 E5 license, it is recommended to use\r\nattack surface reduction rules with a Microsoft 365 E5 license (or similar licensing SKU) to take advantage\r\nof advanced management capabilities, including monitoring, analytics, and workflows available in\r\nDefender for Endpoint, as well as reporting and configuration capabilities in the Microsoft Defender XDR\r\nportal. While these advanced capabilities aren't available with an E3 license, with an E3 license you can\r\nstill use Event Viewer to review attack surface reduction rule events.\r\nIf you have another license, such as Windows Professional or Microsoft 365 E3 that doesn't include\r\nadvanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools\r\non top of the events that are generated at each endpoint when attack surface reduction rules are triggered\r\n(for example, Event Forwarding).\r\nTo learn more about Windows licensing, see Windows 10 Licensing and get the Volume Licensing guide\r\nfor Windows 10.\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 1 of 12\n\nYou can set attack surface reduction rules for devices that are running any of the following editions and versions\r\nof Windows:\r\nWindows 11 Pro\r\nWindows 11 Enterprise\r\nWindows 10 Pro, version 1709 or later\r\nWindows 10 Enterprise, version 1709 or later\r\nWindows Server, version 1803 (Semi-Annual Channel) or later\r\nWindows Server 2012 R2\r\nWindows Server 2016\r\nWindows Server 2019\r\nWindows Server 2022\r\nWindows Server 2025\r\nAzure Stack HCI OS, version 23H2 and later\r\nNote\r\nSome attack surface reduction rules are only enforced if Office executables are installed under the system-defined\r\n%ProgramFiles% or %ProgramFiles(x86)% directories (on most systems, %ProgramFiles% points to C:\\Program\r\nFiles). If Office is installed in a custom path outside one of these system-defined directories, these rules won't\r\napply. The affected rules are:\r\nBlock Office communication applications from creating child processes (26190899-1602-49e8-8b27-\r\neb1d0a1ce869)\r\nBlock all Office applications from creating child processes (D4F940AB-401B-4EFC-AADC-AD5F3C50688A)\r\nBlock Office applications from injecting code into other processes (75668C1F-73B5-4CF0-BB93-\r\n3ECF5CB7CC84)\r\nEach attack surface reduction rule contains one of four settings:\r\nNot configured or Disabled: Disable the attack surface reduction rule\r\nBlock: Enable the attack surface reduction rule\r\nAudit: Evaluate how the attack surface reduction rule would impact your organization if enabled\r\nWarn: Enable the attack surface reduction rule but allow the end user to bypass the block\r\nYou can enable attack surface reduction rules by using any of the following methods:\r\nMicrosoft Intune\r\nMobile Device Management (MDM)\r\nMicrosoft Configuration Manager\r\nGroup policy (GP)\r\nPowerShell\r\nEnterprise-level management such as Intune or Microsoft Configuration Manager is recommended. Enterprise-level management overwrites any conflicting group policy or PowerShell settings on startup.\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 2 of 12\n\nYou can exclude files and folders from being evaluated by most attack surface reduction rules. This means that\r\neven if an attack surface reduction rule determines the file or folder contains malicious behavior, it doesn't block\r\nthe file from running.\r\nImportant\r\nExcluding files or folders can severely reduce the protection provided by attack surface reduction rules. Excluded\r\nfiles are allowed to run, and no report or event are recorded. If attack surface reduction rules are detecting files\r\nthat you believe shouldn't be detected, you should use audit mode first to test the rule. An exclusion is applied\r\nonly when the excluded application or service starts. For example, if you add an exclusion for an update service\r\nthat is already running, the update service continues to trigger events until the service is stopped and restarted.\r\nWhen adding exclusions, keep these points in mind:\r\nExclusions are typically based on individual files or folders (using folder paths or the full path of the file to\r\nbe excluded).\r\nExclusion paths can use environment variables and wildcards. See Use wildcards in the file name and\r\nfolder path or extension exclusion lists\r\nWhen deployed through group policy, PowerShell, or Intune, you can configure exclusions for specific\r\nattack surface reduction rules. For Intune instructions, see Configure attack surface reduction rules per-rule\r\nexclusions.\r\nExclusions can be added based on certificate and file hashes, by allowing specified Defender for Endpoint\r\nfile and certificate indicators. See Overview of indicators.\r\nIf a conflicting policy is applied via MDM and GP, the setting applied from Group Policy takes precedence.\r\nAttack surface reduction rules for managed devices support behavior for merging settings from different policies\r\nto create a policy superset for each device. Only the settings that aren't in conflict are merged, whereas policy\r\nconflicts aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting,\r\nboth policies were flagged as being in conflict, and no settings from either profile were deployed.\r\nAttack surface reduction rule merge behavior works as follows:\r\nAttack surface reduction rules from the following profiles are evaluated for each device to which the rules\r\napply:\r\nDevices \u003e Configuration profiles \u003e Endpoint protection profile \u003e Microsoft Defender Exploit\r\nGuard \u003e Attack Surface Reduction. (See Attack Surface Reduction.)\r\nEndpoint security \u003e Attack surface reduction policy \u003e Attack surface reduction rules. (See\r\nAttack surface reduction rules.)\r\nEndpoint security \u003e Security baselines \u003e Microsoft Defender ATP Baseline \u003e Attack Surface\r\nReduction Rules. (See Microsoft Defender for Endpoint security baseline settings reference for\r\nMicrosoft Intune.)\r\nSettings that don't have conflicts are added to a superset of policy for the device.\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 3 of 12\n\nWhen two or more policies have conflicting settings, the conflicting settings aren't added to the combined\r\npolicy, while settings that don't conflict are added to the superset policy that applies to a device.\r\nOnly the configurations for conflicting settings are held back.\r\nThis section provides configuration details for the following configuration methods:\r\nIntune\r\nCustom profile in Intune\r\nMDM\r\nMicrosoft Configuration Manager\r\nGroup policy\r\nPowerShell\r\nThe following procedures for enabling attack surface reduction rules include instructions for how to exclude files\r\nand folders.\r\n1. Select Endpoint Security \u003e Attack surface reduction. Choose an existing attack surface reduction rule or\r\ncreate a new one. To create a new one, select Create Policy and enter information for this profile. For\r\nProfile type, select Attack surface reduction rules. If you've chosen an existing profile, select Properties\r\nand then select Settings.\r\n2. In the Configuration settings pane, select Attack Surface Reduction and then select the desired setting\r\nfor each attack surface reduction rule.\r\n3. Under List of additional folders that need to be protected, List of apps that have access to protected\r\nfolders, and Exclude files and paths from attack surface reduction rules, enter individual files and\r\nfolders.\r\nYou can also select Import to import a CSV file that contains files and folders to exclude from attack\r\nsurface reduction rules. Each line in the CSV file should be formatted as follows:\r\nC:\\folder , %ProgramFiles%\\folder\\file , C:\\path\r\n4. Select Next on the three configuration panes, then select Create if you're creating a new policy or Save if\r\nyou're editing an existing policy.\r\nNote\r\nIn the latest Intune interface, Configuration profiles is located under Devices \u003e Configuration profiles.\r\nEarlier versions of Intune showed this under Device configuration \u003e Profiles.\r\nIf you don't see \"Configuration Profile\" as written in older instructions, look for Configuration profiles under the\r\nDevices menu.\r\n1. Select Device configuration \u003e Profiles. Choose an existing endpoint protection profile or create a new\r\none. To create a new one, select Create profile and enter information for this profile. For Profile type,\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 4 of 12\n\nselect Endpoint protection. If you've chosen an existing profile, select Properties and then select\r\nSettings.\r\n2. In the Endpoint protection pane, select Windows Defender Exploit Guard, and then select Attack\r\nSurface Reduction. Select the desired setting for each attack surface reduction rule.\r\n3. Under Attack Surface Reduction exceptions, enter individual files and folders. You can also select\r\nImport to import a CSV file that contains files and folders to exclude from attack surface reduction rules.\r\nEach line in the CSV file should be formatted as follows:\r\nC:\\folder , %ProgramFiles%\\folder\\file , C:\\path\r\n4. Select OK on the three configuration panes. Then select Create if you're creating a new endpoint\r\nprotection file or Save if you're editing an existing one.\r\nYou can use Microsoft Intune OMA-URI to configure custom attack surface reduction rules. The following\r\nprocedure uses the rule Block abuse of exploited vulnerable signed drivers for the example.\r\n1. In the Microsoft Intune admin center at https://intune.microsoft.com, select Devices \u003e Manage devices \u003e\r\nConfiguration. Or, to go directly to the Devices | Configuration page, use\r\nhttps://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/configuration.\r\n2. On the Policies tab of the Devices | Configuration page, select Create \u003e New policy.\r\nScreenshot of the Policies tab of the Devices - Configuration page in the Microsoft Intune admin center\r\nwith Create selected.\r\n3. In the Create a profile flyout that opens, configure the following settings:\r\nPlatform: Select Windows 10 and later.\r\nProfile type: Select one of the following values:\r\nTemplates\r\nIn the Template name section that appears, select Custom.\r\nor\r\nIf attack surface reduction rules are already set through Endpoint security, select Settings\r\nCatalog.\r\nWhen you're finished on the Create a profile flyout, select Create.\r\nThe rule profile attributes in the Microsoft Intune admin center portal.\r\n4. The Custom template tool opens to step 1 Basics. In 1 Basics, in Name, type a name for your template, and\r\nin Description you can type a description (optional).\r\nThe basic attributes in the Microsoft Intune admin center portal\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 5 of 12\n\n5. Click Next. Step 2 Configuration settings opens. For OMA-URI Settings, click Add. Two options now\r\nappear: Add and Export.\r\nScreenshot showing the configuration settings in the Microsoft Intune admin center portal.\r\n6. Click Add again. The Add Row OMA-URI Settings opens. In Add Row, fill in the following\r\ninformation:\r\n1. In Name, type a name for the rule.\r\n2. In Description, type a brief description.\r\n3. In OMA-URI, type or paste the specific OMA-URI link for the rule that you're adding. Refer to the\r\nMDM section in this article for the OMA-URI to use for this example rule. For attack surface\r\nreduction rule GUIDS, see Per rule descriptions.\r\n4. In Value, type or paste the GUID value, the \\= sign and the State value with no spaces\r\n( GUID=StateValue ):\r\n0 : Disable (Disable the attack surface reduction rule)\r\n1 : Block (Enable the attack surface reduction rule)\r\n2 : Audit (Evaluate how the attack surface reduction rule would impact your organization if\r\nenabled)\r\n6 : Warn (Enable the attack surface reduction rule but allow the end-user to bypass the\r\nblock)\r\nThe OMA URI configuration in the Microsoft Intune admin center portal.\r\n7. Select Save. Add Row closes. In Custom, select Next. In step 3 Scope tags, scope tags are optional. Do\r\none of the following:\r\nSelect Select Scope tags, select the scope tag (optional) and then select Next.\r\nOr select Next\r\n8. In step 4 Assignments, in Included Groups, for the groups that you want this rule to apply, select from the\r\nfollowing options:\r\nAdd groups\r\nAdd all users\r\nAdd all devices\r\nThe assignments in the Microsoft Intune admin center portal\r\n9. In Excluded groups, select any groups that you want to exclude from this rule, and then select Next.\r\n10. In step 5 Applicability Rules for the following settings, do the following:\r\n1. In Rule, select either Assign profile if, or Don't assign profile if.\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 6 of 12\n\n2. In Property, select the property to which you want this rule to apply.\r\n3. In Value, enter the applicable value or value range.\r\nThe applicability rules in the Microsoft Intune admin center portal.\r\n11. Select Next. In step 6 Review + create, review the settings and information you've selected and entered,\r\nand then select Create.\r\nScreenshot showing the Review and create option in the Microsoft Intune admin center portal.\r\nRules are active and live within minutes.\r\nNote\r\nRegarding conflict handling, if you assign a device two different attack surface reduction policies, potential policy\r\nconflicts can occur, depending on whether rules are assigned different states, whether conflict management is in\r\nplace, and whether the result is an error.\r\nNonconflicting rules don't result in an error, and such rules are applied correctly. The first rule is applied, and\r\nsubsequent nonconflicting rules are merged into the policy.\r\nUse the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules configuration service provider\r\n(CSP) to individually enable and set the mode for each rule.\r\nThe following is a sample for reference, using GUID values for Attack surface reduction rules reference.\r\nOMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules\r\nValue: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=2|3b576869-a4ec-4529-8536-b80a7769e899=1|d4f940ab-401b-4efc-aadc-ad5f3c50688a=2|d3e037e1-3eb8-44c8-a917-57927947596d=1|5beb7efe-fd9a-4556-801d-275e5ffc04cc=0|be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=1\r\nThe values to enable (Block), disable, warn, or enable in audit mode are:\r\n0: Disable (Disable the attack surface reduction rule)\r\n1: Block (Enable the attack surface reduction rule)\r\n2: Audit (Evaluate how the attack surface reduction rule would impact your organization if enabled)\r\n6: Warn (Enable the attack surface reduction rule but allow the end-user to bypass the block). Warn mode is\r\navailable for most of the attack surface reduction rules.\r\nUse the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions configuration service\r\nprovider (CSP) to add exclusions.\r\nExample:\r\nOMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions\r\nValue: c:\\path|e:\\path|c:\\Exclusions.exe\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 7 of 12\n\nNote\r\nBe sure to enter OMA-URI values without spaces.\r\n1. In Microsoft Configuration Manager, go to Assets and Compliance \u003e Endpoint Protection \u003e Windows\r\nDefender Exploit Guard.\r\n2. Select Home \u003e Create Exploit Guard Policy.\r\n3. Enter a name and a description, select Attack Surface Reduction, and select Next.\r\n4. Choose which rules will block or audit actions and select Next.\r\n5. Review the settings and select Next to create the policy.\r\n6. After the policy is created, select Close.\r\nWarning\r\nThere's a known issue with the applicability of attack surface reduction on Server OS versions which is marked as\r\ncompliant without any actual enforcement. Currently, there's no defined release date for when this will be fixed.\r\nImportant\r\nIf you're using \"Disable admin merge\" set to true on devices, and you're using any of the following\r\ntools/methods, adding ASR rules per-rule exclusions or local ASR rule exclusions don't apply:\r\nDefender for Endpoint Security Settings Management (Disable Local Admin Merge)\r\nIntune (Disable Local Admin Merge)\r\nThe Defender CSP (DisableLocalAdminMerge)\r\nGroup Policy (Configure local administrator merge behavior for lists) To modify this behavior, you need to\r\nchange \"Disable admin merge\" to false .\r\nWarning\r\nIf you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level\r\nmanagement platform, the management software overwrites any conflicting group policy settings on startup.\r\n1. Open the Group Policy Management Console (GPMC) on your Group Policy management computer.\r\n2. In the GPMC console tree, expand Group Policy Objects in the forest and domain containing the GPO that\r\nyou want to edit.\r\n3. Right-click on the GPO, and then select Edit.\r\n4. In the Group Policy Management Editor, go to Computer configuration \u003e Administrative templates \u003e\r\nWindows components \u003e Microsoft Defender Antivirus \u003e Microsoft Defender Exploit Guard \u003e Attack\r\nSurface Reduction.\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 8 of 12\n\n5. In the details pane of Attack Surface Reduction, the available settings are:\r\nConfigure Attack Surface Reduction rules\r\nExclude files and paths from Attack surface reduction rules\r\nApply a list of exclusions to specific attack surface reduction (ASR) rules\r\nTo open and configure an ASR rule setting, use any of the following methods:\r\nDouble-click on the setting.\r\nRight-click on the setting, and then select Edit\r\nSelect the setting, and then select Action \u003e Edit.\r\nThe available settings are described in the following subsections.\r\nImportant\r\nQuotation marks aren't supported in any of the group policy values.\r\nDon't use leading or trailing spaces in ASR rule IDs.\r\nMicrosoft renamed Windows Defender Antivirus to Microsoft Defender Antivirus beginning with Windows 10\r\nversion 2004 (May 2020). Group Policy paths on earlier versions of Windows might still reference Windows\r\nDefender Antivirus, while newer builds show Microsoft Defender Antivirus. Both names refer to the same policy\r\nlocation.\r\n1. In the details pane of Attack Surface Reduction, open the Configure Attack Surface Reduction rules\r\nsetting.\r\n2. In the setting window that opens, configure the following options:\r\n1. Select Enabled.\r\n2. Set the state for each ASR rule: Select Show....\r\n3. In the Set the state for each ASR rule dialog that opens, configure the following settings:\r\nValue name: Enter the GUID value of the ASR rule.\r\nValue: Enter one of the following values:\r\n0: Off\r\n1: Block\r\n2: Audit\r\n5: Not configured\r\n6: Warn\r\nScreenshot of Configure Attack Surface Reduction rules in Group Policy.\r\nFor more information, see ASR rule modes.\r\nRepeat this step as many times as necessary. When you're finished, select OK.\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 9 of 12\n\n1. In the details pane of Attack Surface Reduction, open the Exclude files and paths from Attack surface\r\nreduction rules setting.\r\n2. In the setting window that opens, configure the following options:\r\n1. Select Enabled.\r\n2. Exclusions from ASR rules: Select Show....\r\n3. In the Exclusions from ASR rules dialog that opens, configure the following settings:\r\nValue name: Enter the GUID value of the ASR rule.\r\nValue: Enter one of the following types of values:\r\nTo exclude all files in a folder, enter the full folder path. For example, C:\\Data\\Test .\r\nTo exclude a specific file in a specify folder (recommended), enter the path and filename.\r\nFor example, C:\\Data\\Test\\test.exe .\r\nRepeat this step as many times as necessary. When you're finished, select OK.\r\nNote\r\nIf the Apply a list of exclusions to specific attack surface reduction (ASR) rules setting isn't available in your\r\nGPMC, you need version 24H2 or later of the Administrative Templates files in your Central Store.\r\n1. In the details pane of Attack Surface Reduction, open the Apply a list of exclusions to specific attack\r\nsurface reduction (ASR) rules setting.\r\n2. In the setting window that opens, configure the following options:\r\n1. Select Enabled.\r\n2. Exclusions for each ASR rule: Select Show....\r\n3. In the Exclusions for each ASR rule dialog that opens, configure the following settings:\r\nValue name: Enter the GUID value of the ASR rule.\r\nValue: Enter one or more exclusions for the ASR rule. Use the syntax\r\nPath1\\ProcessName1\u003ePath2ProcessName2\u003e...PathNProcessNameN . For example,\r\nC:\\Windows\\Notepad.exe\u003ec:\\Windows\\regedit.exe\u003eC:\\SomeFolder\\test.exe .\r\nRepeat this step as many times as necessary. When you're finished, select OK.\r\nWarning\r\nIf you manage your computers and devices with Intune, Configuration Manager, or another enterprise-level\r\nmanagement platform, the management software overwrites any conflicting PowerShell settings on startup.\r\n1. Type powershell in the Start menu, right-click Windows PowerShell and select Run as administrator.\r\n2. Type one of the following cmdlets. For more information, such as rule ID, refer to Attack surface reduction\r\nrules reference.\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 10 of 12\n\nTask PowerShell cmdlet\r\nEnable attack surface\r\nreduction rules\r\nSet-MpPreference -AttackSurfaceReductionRules_Ids \u003crule ID\u003e -\r\nAttackSurfaceReductionRules_Actions Enabled\r\nEnable attack surface\r\nreduction rules in audit mode\r\nAdd-MpPreference -AttackSurfaceReductionRules_Ids \u003crule ID\u003e -\r\nAttackSurfaceReductionRules_Actions AuditMode\r\nEnable attack surface\r\nreduction rules in warn mode\r\nAdd-MpPreference -AttackSurfaceReductionRules_Ids \u003crule ID\u003e -\r\nAttackSurfaceReductionRules_Actions Warn\r\nEnable attack surface\r\nreduction Block abuse of\r\nexploited vulnerable signed\r\ndrivers\r\nAdd-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-\r\n875e-4185-98a7-b882c64b5ce5 -\r\nAttackSurfaceReductionRules_Actions Enabled\r\nTurn off attack surface\r\nreduction rules\r\nAdd-MpPreference -AttackSurfaceReductionRules_Ids \u003crule ID\u003e -\r\nAttackSurfaceReductionRules_Actions Disabled\r\nImportant\r\nYou must specify the state individually for each rule, but you can combine rules and states in a comma-separated list.\r\nIn the following example, the first two rules are enabled, the third rule is disabled, and the fourth rule is\r\nenabled in audit mode: Set-MpPreference -AttackSurfaceReductionRules_Ids \u003crule ID 1\u003e,\u003crule ID\r\n2\u003e,\u003crule ID 3\u003e,\u003crule ID 4\u003e -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled,\r\nAuditMode\r\nYou can also use the Add-MpPreference PowerShell verb to add new rules to the existing list.\r\nWarning\r\nSet-MpPreference overwrites the existing set of rules. If you want to add to the existing set, use Add-MpPreference instead. You can obtain a list of rules and their current state by using Get-MpPreference .\r\n3. To exclude files and folders from attack surface reduction rules, use the following cmdlet:\r\nAdd-MpPreference -AttackSurfaceReductionOnlyExclusions \"\u003cfully qualified path or resource\u003e\"\r\nContinue to use Add-MpPreference -AttackSurfaceReductionOnlyExclusions to add more files and\r\nfolders to the list.\r\nImportant\r\nUse Add-MpPreference to append or add apps to the list. Using the Set-MpPreference cmdlet will\r\noverwrite the existing list.\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 11 of 12\n\nAttack surface reduction rules reference\r\nEvaluate attack surface reduction\r\nAttack surface reduction FAQ\r\nSource: https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nhttps://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction"
	],
	"report_names": [
		"enable-attack-surface-reduction"
	],
	"threat_actors": [],
	"ts_created_at": 1775434034,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89c1b810d533d92fb068341ea5e06777b39c5848.pdf",
		"text": "https://archive.orkl.eu/89c1b810d533d92fb068341ea5e06777b39c5848.txt",
		"img": "https://archive.orkl.eu/89c1b810d533d92fb068341ea5e06777b39c5848.jpg"
	}
}