Merge pull request #3921 from LeonardoMele-MSFT/docs-editor/attack-surface-reduction-rules-1748434311

denisebmsft · web-flow · commit 97e8279a020e · 2025-06-05T15:12:31.000-07:00
Update attack-surface-reduction-rules-deployment-test.md
diff --git a/defender-endpoint/attack-surface-reduction-rules-deployment-test.md b/defender-endpoint/attack-surface-reduction-rules-deployment-test.md
@@ -17,7 +17,7 @@ ms.collection:
  - highpri
  - tier1
  - mde-asr
-ms.date: 03/26/2025
+ms.date: 06/05/2025
 search.appverid: met150
 ---
 
@@ -28,18 +28,18 @@ search.appverid: met150
 - [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 
-Testing Microsoft Defender for Endpoint attack surface reduction rules helps you determine if rules impede line-of-business operations prior to enabling any rule. By starting with a small, controlled group, you can limit potential work disruptions as you expand your deployment across your organization.
+Testing Microsoft Defender for Endpoint attack surface reduction rules helps you determine if rules impede line-of-business operations before you enable rules. By starting with a small, controlled group, you can limit potential work disruptions as you expand your deployment across your organization.
 
-In this section of the attack surface reduction rules deployment guide, you'll learn how to:
+In this section of the attack surface reduction rules deployment guide, you learn how to:
 
-- configure rules using Microsoft Intune
-- use Microsoft Defender for Endpoint attack surface reduction rules reports
-- configure attack surface reduction rules exclusions
-- enable attack surface reduction rules using PowerShell
-- use Event Viewer for attack surface reduction rules events
+- Configure rules using Microsoft Intune
+- Use Microsoft Defender for Endpoint attack surface reduction rules reports
+- Configure attack surface reduction rules exclusions
+- Enable attack surface reduction rules using PowerShell
+- Use Event Viewer for attack surface reduction rules events
 
 > [!NOTE]
-> Before you begin testing attack surface reduction rules, it's recommended that you first disable all rules that you have previously set to either **audit** or **enable** (if applicable). See [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md) for information about using the attack surface reduction rules report disabling attack surface reduction rules.
+> Before you begin testing attack surface reduction rules, it's recommended that you first disable all rules that were previously set to either **audit** or **enable** (if applicable). See [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md) for information about using the attack surface reduction rules report disabling attack surface reduction rules.
 
 Begin your attack surface reduction rules deployment with ring 1.
 
@@ -56,38 +56,44 @@ Begin the testing phase by turning on the attack surface reduction rules with th
 You can use Microsoft Intune Endpoint Security to configure custom attack surface reduction rules.
 
 1. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
 2. Go to **Endpoint Security** > **Attack surface reduction**.
+
 3. Select **Create Policy**.
+
 4. In **Platform**, select **Windows 10, Windows 11, and Windows Server**, and in **Profile**, select **Attack surface reduction rules**.
 
-    > [!div class="mx-imgBorder"]
-    > :::image type="content" source="media/asr-mem-create-profile.png" alt-text="The profile creation page for ASR rules" lightbox="media/asr-mem-create-profile.png":::
+   > [!div class="mx-imgBorder"]
+   > :::image type="content" source="media/asr-mem-create-profile.png" alt-text="The profile creation page for ASR rules" lightbox="media/asr-mem-create-profile.png":::
 
 5. Select **Create**.
+
 6. In the **Basics** tab of the **Create profile** pane, in **Name** add a name for your policy. In **Description** add a description for your attack surface reduction rules policy.
+
 7. In the **Configuration settings** tab, under **Attack Surface Reduction Rules**, set all rules to **Audit mode**.
 
-    > [!div class="mx-imgBorder"]
-    > :::image type="content" source="media/asr-mem-configuration-settings.png" alt-text="The configuration of attack surface reduction rules to Audit mode" lightbox="media/asr-mem-configuration-settings.png":::
+   > [!div class="mx-imgBorder"]
+   > :::image type="content" source="media/asr-mem-configuration-settings.png" alt-text="The configuration of attack surface reduction rules to Audit mode" lightbox="media/asr-mem-configuration-settings.png":::
+
+   > [!NOTE]
+   > There are variations in some attack surface reduction rules mode listings; _Blocked_ and _Enabled_ provide the same functionality.
 
-    > [!NOTE]
-    > There are variations in some attack surface reduction rules mode listings; _Blocked_ and _Enabled_ provide the same functionality.
+8. [Optional] In the **Scope tags** pane, you can add tag information to specific devices. You can also use role-based access control and scope tags to make sure that the right admins have the right access and visibility to the correct Intune objects. Learn more: [Use role-based access control (RBAC) and scope tags for distributed IT in Intune](/mem/intune/fundamentals/scope-tags).
 
-8. [Optional] In the **Scope tags** pane, you can add tag information to specific devices. You can also use role-based access control and scope tags to make sure that the right admins have the right access and visibility to the right Intune objects. Learn more: [Use role-based access control (RBAC) and scope tags for distributed IT in Intune](/mem/intune/fundamentals/scope-tags).
-9. In the **Assignments** pane, you can deploy or "assign" the profile to your user or device groups. Learn more: [Assign device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign#exclude-groups-from-a-profile-assignment)
+9. In the **Assignments** pane, you can deploy or assign the profile to your user or device groups. For more information, see [Assign device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign#exclude-groups-from-a-profile-assignment).
 
-    > [!NOTE]
-    > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
+   > [!NOTE]
+   > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
 
 10. Review your settings in the **Review + create** pane. Select **Create** to apply the rules.
 
-    > [!div class="mx-imgBorder"]
-    > :::image type="content" source="media/asr-mem-review-create.png" alt-text="The Create profile page" lightbox="media/asr-mem-review-create.png":::
+   > [!div class="mx-imgBorder"]
+   > :::image type="content" source="media/asr-mem-review-create.png" alt-text="The Create profile page" lightbox="media/asr-mem-review-create.png":::
 
 Your new attack surface reduction policy for attack surface reduction rules is listed in **Endpoint security | Attack surface reduction**.
 
 > [!div class="mx-imgBorder"]
-   > :::image type="content" source="media/asr-mem-my-asr-rules.png" alt-text=" The Attack surface reduction page" lightbox="media/asr-mem-my-asr-rules.png":::
+> :::image type="content" source="media/asr-mem-my-asr-rules.png" alt-text=" The Attack surface reduction page" lightbox="media/asr-mem-my-asr-rules.png":::
 
 <a name='step-2-understand-the-asr-rules-reporting-page-in-the-microsoft-365-defender-portal'></a>
 
@@ -141,11 +147,11 @@ The **GroupBy** returns results set to the following groups:
 > :::image type="content" source="media/asr-defender365-filter.png" alt-text="The Attack surface reduction rules detections filter on rules" lightbox="media/asr-defender365-filter.png":::
 
 > [!NOTE]
-> If you have a Microsoft 365 Security E5 or A5, Windows E5 or A5 license, the following link opens the Microsoft Defender 365  Reports > [Attack surface reductions](https://security.microsoft.com/asr?viewid=detections) > Detections tab.
+> If you have a license for Microsoft 365 Security E5 or A5, or Windows E5 or A5, the following link opens the Microsoft Defender portal with detections visible: [Attack surface reduction detections](https://security.microsoft.com/asr?viewid=detections).
 
 ### Configuration tab
 
-Lists—on a per-computer basis—the aggregate state of attack surface reduction rules: Off, Audit, Block.
+Lists, on a per-computer basis, the aggregate state of attack surface reduction rules: Off, Audit, Block.
 
 >:::image type="content" source="media/attack-surface-reduction-rules-report-main-configuration-tab.png" alt-text="Screenshot that shows the attack surface reduction rules report main configuration tab." lightbox="media/attack-surface-reduction-rules-report-main-configuration-tab.png":::
 
@@ -182,38 +188,39 @@ This tab provides a method to select detected entities (for example, false posit
 > :::image type="content" source="media/asr-defender365-06d.png" alt-text="The pane for exclusion of the detected file" lightbox="media/asr-defender365-06d.png":::
 
 > [!NOTE]
-> If you have a Microsoft Defender 365 E5 (or Windows E5?) License, this link will open the Microsoft Defender 365  Reports > Attack surface reductions > [Exclusions](https://security.microsoft.com/asr?viewid=exclusions) tab.
+> If you have an appropriate license and permissions, this link opens the Microsoft Defender portal with [Exclusions visible](https://security.microsoft.com/asr?viewid=exclusions).
 
 For more information about using the attack surface reduction rules report, see [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md).
 
 ## Configure attack surface reduction per-rule exclusions
 
 Attack surface reduction rules now provide the capability to configure rule-specific exclusions, known as "Per Rule Exclusions."
 
-To configure specific rule exclusions, you have the choices of using the MDE Security Settings Management, Intune, and Group Policy.
+To configure specific rule exclusions, you have the choices of using the Defender for Endpoint Security Settings Management, Intune, and Group Policy.
 
-#### Via Intune:
+> [!NOTE]
+> When configuring Attack Surface Reduction per-rule exclusions, keep in mind that specifying only the file or application name (for example, `test1.exe`) isn't sufficient. You must provide the full file or application path (for example, `C:\test1.exe`) to ensure the exclusion is applied correctly.
+
+#### Via Intune
 
 1. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and navigate to **Home** > **Endpoint security** > **Attack surface reduction**.
 
 2. If it isn't already configured, set the rule for which you want to configure exclusions to **Audit** or **Block**.
 
-3. In **ASR Only Per Rule Exclusion**, click the toggle to change from **Not configured** to **Configured.**
+3. In **ASR Only Per Rule Exclusion**, select the toggle to change from **Not configured** to **Configured.**
 
 4. Enter the names of the files or application that you want to exclude.
 
-5. At the bottom of the **Create profile** wizard, select **Next** and follow the wizard instructions.
+5. At the bottom of the **Create profile** wizard, select **Next**, and then follow the wizard instructions.
 
 >:::image type="content" source="media/attack-surface-reduction-rules-report-per-rule-exclusion.png" alt-text="Screenshot that shows the configuration settings for adding ASR per-rule exclusions." lightbox="media/attack-surface-reduction-rules-report-per-rule-exclusion.png":::
 
 > [!TIP]
 > Use the checkboxes next to your list of exclusion entries to select items to **Delete**, **Sort**, **Import**, or **Export**.
 
-### Via Group Policy
-
+#### Via Group Policy
 
-
-Use Group Policy to set the per-user ASR rule exclusions
+Use Group Policy to set the per-user ASR rule exclusions.
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
 
@@ -227,22 +234,20 @@ Use Group Policy to set the per-user ASR rule exclusions
 
 1. Double-click **Apply a list of exclusions to specific attack surface reduction (ASR) rules**, and set the option to **Enabled**. 
 
-1. Then click on **Show...**
-
-1. Under "**Value Name**", enter "GUID for the ASR Rule" without the double quotes
+1. Then select **Show...**.
 
-1. Under "**Value**", enter the <drive_letter:\Path\ProcessName>.  In order to add multiple processes, it's separated by a greater than sign (>)
+1. Under **Value Name**, enter GUID for the ASR Rule.
 
-   e.g.,  "C:\Notepad.exe>c:\regedit.exe>C:\SomeFolder\test.exe" without the double quotes
+1. Under **Value**, enter the <drive_letter:\Path\ProcessName>. In order to add multiple processes, it's separated by a greater than sign (>). For example, `C:\Notepad.exe>c:\regedit.exe>C:\SomeFolder\test.exe`.
    
 1. select **OK**. This setting allows the processes that are being blocked by the particular ASR Rule to continue running.
 
 > [!NOTE]
-> "If policies aren't applying, review [Troubleshoot Microsoft Defender Antivirus settings](/defender-endpoint/troubleshoot-settings)
+> If policies aren't applying, review [Troubleshoot Microsoft Defender Antivirus settings](/defender-endpoint/troubleshoot-settings).
 
 ### Use PowerShell as an alternative method to enable attack surface reduction rules
 
-Use PowerShell, as an alternative to Intune, to enable attack surface reduction rules in audit mode. This allows you to view a record of apps that would have been blocked if the feature was fully enabled. You can also see how often the rules fire during normal use.
+Use PowerShell, as an alternative to Intune, to enable attack surface reduction rules in audit mode. This configuration allows you to view a record of apps that would have been blocked if the feature was fully enabled. You can also see how often the rules fire during normal use.
 
 To enable an attack surface reduction rule in audit mode, use the following PowerShell cmdlet:
 
@@ -259,15 +264,15 @@ To enable all the added attack surface reduction rules in audit mode, use the fo
 ```
 
 > [!TIP]
-> If you want to fully audit how attack surface reduction rules work in your organization, you'll need to use a management tool to deploy this setting to devices in your network.
+> If you want to fully audit how attack surface reduction rules work in your organization, you need to use a management tool to deploy this setting to devices in your network.
 
 You can also use Group Policy, Intune, or mobile device management (MDM) configuration service providers (CSPs) to configure and deploy the setting. Learn more in the main [Attack surface reduction rules](attack-surface-reduction.md) article.
 
 <a name='use-windows-event-viewer-review-as-an-alternative-to-the-attack-surface-reduction-rules-reporting-page-in-the-microsoft-365-defender-portal'></a>
 
 ## Use Windows Event Viewer Review as an alternative to the attack surface reduction rules reporting page in the Microsoft Defender portal
 
-To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.
+To review apps that would be blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.
 
 Event ID | Description
 -|-
