In this Microsoft Defender for Endpoint and Intune article, we will enable the Attack surface reduction (ACR) rule on Windows devices and monitor them.
Microsoft Defender for Endpoint (MDE) ACR rules allow us to limit the attack surface malicious code and cybersecurity vulnerabilities that impact endpoint devices.
ACR rules protect the areas a malicious code can launch an attack inside an endpoint and limit the capabilities of an attacker from starting an attack. For example, ACR blocks scripts that attempt to download and run executables on an endpoint.
Audit Mode
To minimise the disruption of ASR online 0f business applications that are legitimate when introducing ASR, we highly recommend using it in Audit mode.
Nothing is being blocked in audit mode, and all ASR rules are recorded and can be viewed later in the reporting portal.
To create an ACR rule, Open Microsoft Intune
Click on Endpoint Security
Click on Attack surface reduction
Create a profile for Windows 10, Windows 11 and Windows Server.
In the configuration page, enable all the rules or specific ones and set them to Audit
View Audit Events
To view the audit reports, follow the steps below.
Microsoft 365 Defender portal
Click on Reports
Click on Attack surface reduction rules
Wait a few hours and review the rules and add exclusions as needed.