Create Defender for Endpoint ASR Policy With PowerShell

This Defender for Endpoint article will show how to create an Attack Surface Reduction (ASR) policy with Graph API PowerShell.

In our previous article about ASR, we showed how to create an ASR policy using the Microsoft Intune management portal. Today, we will show how to make the same policy using PowerShell.

To create an ASR policy using the Intune portal, visit the following article.

Enable and Monitor Attack Surface Reduction (ASR) With Intue

Configuration

I’m using the Microsoft Graph PowerShell module, a wrapper for the Graph API SDK for Micorosft and Azure, to create an ASR Policy.

Note: The code below uses the beta version of the Graph API

Import-Module Microsoft.Graph.Beta.DeviceManagement

$params = @{
	"@odata.type" = "#microsoft.graph.windows10EndpointProtectionConfiguration"
	description = "Endpoint protection Graph API Beta version"
	displayName = "ASR Policy - Beta Graph API"
	version = 7
	defenderAdobeReaderLaunchChildProcess = "auditmode"
    efenderPreventCredentialStealingType =  "enable"
    defenderScriptDownloadedPayloadExecution =  "auditmode"
    defenderOfficeCommunicationAppsLaunchChildProcess = "auditmode"
    defenderOfficeAppsLaunchChildProcess =  "auditmode"
    defenderOfficeMacroCodeAllowWin32ImportsType = "auditmode"
    defenderScriptObfuscatedMacroCodeType = "auditmode"
    defenderEmailContentExecution = "auditmode"
    defenderAdvancedRansomewareProtectionType = "auditmode"
    defenderUntrustedUSBProcessType = "auditmode"
}

New-MgBetaDeviceManagementDeviceConfiguration  -BodyParameter $params -Verbose

Connect to Graph API and run the above code to deploy the policy.

Once the policy has been deployed, you can check it by running the following cmdlet.

Get-MgDeviceManagementDeviceConfiguration  | select displayname, Description