Windows 10 Fall Creators Update GPO: Configure Attack Surface Reduction rules

With the Windows 10 Fall Creators Update set for release on October 17, some new Group Policy settings will be introduced. As these are uncovered, we’ll highlight them here on myITforum.

  • ADMX File: WindowsDefender.admx
  • Overview: Configure Attack Surface Reduction rules
  • Class: Machine
  • Location: Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
  • Value: ExploitGuard_ASR_Rules
  • Policy values:  (see details)
  • Details: Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to one of the following in the Options section:
    – Block: the rule will be applied
    – Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
    – Off: the rule will not be applied

    Enabled:
    Specify the state for each ASR rule under the Options section for this setting.
    Enter each rule on a new line as a name-value pair:
    – Name column: Enter a valid ASR rule ID
    – Value column: Enter the status ID that relates to the state you want to specify for the associated rule

    The following status IDs are permitted under the value column:
    – 1 (Block)
    – 0 (Off)
    – 2 (Audit)

    Example:
    xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx            0
    xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx            1
    xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx            2

    Disabled:
    No ASR rules will be configured.

    Not configured:
    Same as Disabled.

    You can exclude folders or files in the “Exclude files and paths from Attack Surface Reduction Rules” GP setting.
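
A rule list in the name-value format described above can be linted before it is entered in the Options section, so that a malformed rule ID, an unsupported status ID or a rule listed twice with different states is caught first. The PowerShell below is an added example, not part of the original post or of Microsoft's tooling; the function name Test-AsrRuleList and the sample rule IDs are made up for illustration, and the permitted status IDs are the three listed above.

```powershell
# Added example: lint an ASR rule list before entering it in the policy's Options section.
# Status IDs are the three the policy text lists: 0 (Off), 1 (Block), 2 (Audit).
$StateNames = @{ '0' = 'Off'; '1' = 'Block'; '2' = 'Audit' }

# Test-AsrRuleList is a hypothetical helper name, not a built-in cmdlet.
function Test-AsrRuleList {
    param([Parameter(Mandatory)][string[]]$Lines)

    $seen = @{}      # rule GUID -> line number where it was first set
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        $text = $line.Trim()
        if ($text -eq '') { continue }

        # Expect exactly two whitespace-separated columns: rule ID, status ID.
        $cols  = $text -split '\s+'
        $issue = $null
        $guid  = [guid]::Empty
        if ($cols.Count -ne 2) {
            $issue = 'expected "<rule ID> <status ID>"'
        } elseif (-not [guid]::TryParseExact($cols[0], 'D', [ref]$guid)) {
            $issue = 'rule ID is not in xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx form'
        } elseif (-not $StateNames.ContainsKey($cols[1])) {
            $issue = 'status ID must be 0, 1 or 2'
        } elseif ($seen.ContainsKey($guid)) {
            $issue = "rule ID already set on line $($seen[$guid])"
        } else {
            $seen[$guid] = $lineNo
        }

        [pscustomobject]@{
            Line  = $lineNo
            Rule  = $cols[0]
            State = if ($issue) { $null } else { $StateNames[$cols[1]] }
            Issue = $issue
        }
    }
}

# Constructed sample input; these GUIDs are placeholders, not real ASR rule IDs.
$sample = @(
    '00000000-0000-0000-0000-000000000001    1'
    '00000000-0000-0000-0000-000000000002    2'
    '00000000-0000-0000-0000-000000000001    0'   # same rule, conflicting state
    '00000000-0000-0000-0000-00000000000Z    1'   # not a valid GUID
    '00000000-0000-0000-0000-000000000003    3'   # status ID not in the permitted set
)
Test-AsrRuleList -Lines $sample | Format-Table -AutoSize
```

Rows with an empty Issue column are safe to enter; rolling a new rule out with status ID 2 (Audit) first records what it would have blocked before it is switched to 1 (Block).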

 

