Update enable-attack-surface-reduction.md

denisebmsft · denisebmsft · commit d01c60da3eaf · 2025-03-05T09:48:43.000-08:00
diff --git a/defender-endpoint/enable-attack-surface-reduction.md b/defender-endpoint/enable-attack-surface-reduction.md
@@ -103,12 +103,17 @@ When adding exclusions, keep these points in mind:
 1. If a conflicting policy is applied via MDM and GP, the setting applied from GP takes precedence.
 
 1. Attack surface reduction rules for managed devices now support behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that aren't in conflict are merged, while those that are in conflict aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. Attack surface reduction rule merge behavior is as follows:
+
    - Attack surface reduction rules from the following profiles are evaluated for each device to which the rules apply:
-     - Devices > Configuration profiles > Endpoint protection profile > **Microsoft Defender Exploit Guard** > [Attack Surface Reduction](/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules).
-     - Endpoint security > **Attack surface reduction policy** > [Attack surface reduction rules](/mem/intune/protect/endpoint-security-asr-policy#devices-managed-by-intune).
-      - Endpoint security > Security baselines > **Microsoft Defender ATP Baseline** > [Attack Surface Reduction Rules](/mem/intune/protect/security-baseline-settings-defender-atp#attack-surface-reduction-rules).
+
+     - **Devices** > **Configuration profiles** > **Endpoint protection profile** > **Microsoft Defender Exploit Guard** > **Attack Surface Reduction**. (See [Attack Surface Reduction](/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules).)
+     - **Endpoint security** > **Attack surface reduction policy** > **Attack surface reduction rules**. (See [Attack surface reduction rules](/mem/intune/protect/endpoint-security-asr-policy#devices-managed-by-intune).)
+      - **Endpoint security** > **Security baselines** > **Microsoft Defender ATP Baseline** > **Attack Surface Reduction Rules**. (See [Attack Surface Reduction Rules](/mem/intune/protect/security-baseline-settings-defender-atp#attack-surface-reduction-rules).)
+
    - Settings that don't have conflicts are added to a superset of policy for the device.
+
    - When two or more policies have conflicting settings, the conflicting settings aren't added to the combined policy, while settings that don't conflict are added to the superset policy that applies to a device.
+
    - Only the configurations for conflicting settings are held back.
 
 ## Configuration methods
@@ -149,13 +154,13 @@ The following procedures for enabling attack surface reduction rules include ins
 
 1. Select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
 
-1. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each attack surface reduction rule.
+2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each attack surface reduction rule.
 
-1. Under **Attack Surface Reduction exceptions**, enter individual files and folders. You can also select **Import** to import a CSV file that contains files and folders to exclude from attack surface reduction rules. Each line in the CSV file should be formatted as follows:
+3. Under **Attack Surface Reduction exceptions**, enter individual files and folders. You can also select **Import** to import a CSV file that contains files and folders to exclude from attack surface reduction rules. Each line in the CSV file should be formatted as follows:
 
-`C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
+   `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
 
-1. Select **OK** on the three configuration panes. Then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
+4. Select **OK** on the three configuration panes. Then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
 
 #### Custom profile in Intune (Alternative 2)
 
@@ -171,62 +176,67 @@ You can use Microsoft Intune OMA-URI to configure custom attack surface reductio
    - In **Profile type**, select **Templates**
    - If attack surface reduction rules are already set through Endpoint security, in **Profile type**, select **Settings Catalog**.
 
-   Select **Custom**, and then select **Create**.
+3. Select **Custom**, and then select **Create**.
 
    :::image type="content" source="media/mem02-profile-attributes.png" alt-text="The rule profile attributes in the Microsoft Intune admin center portal." lightbox="media/mem02-profile-attributes.png":::
 
-3. The Custom template tool opens to step **1 Basics**. In **1 Basics**, in **Name**, type a name for your template, and in **Description** you can type a description (optional).
+4. The Custom template tool opens to step **1 Basics**. In **1 Basics**, in **Name**, type a name for your template, and in **Description** you can type a description (optional).
 
    :::image type="content" source="media/mem03-1-basics.png" alt-text="The basic attributes in the Microsoft Intune admin center portal" lightbox="media/mem03-1-basics.png":::
 
-4. Click **Next**. Step **2 Configuration settings** opens. For OMA-URI Settings, click **Add**. Two options now appear: **Add** and **Export**.
+5. Click **Next**. Step **2 Configuration settings** opens. For OMA-URI Settings, click **Add**. Two options now appear: **Add** and **Export**.
 
-    :::image type="content" source="media/mem04-2-configuration-settings.png" alt-text="The configuration settings in the Microsoft Intune admin center portal." lightbox="media/mem04-2-configuration-settings.png":::
+   :::image type="content" source="media/mem04-2-configuration-settings.png" alt-text="The configuration settings in the Microsoft Intune admin center portal." lightbox="media/mem04-2-configuration-settings.png":::
 
-1. Click **Add** again. The **Add Row OMA-URI Settings** opens. In **Add Row**, do the following:
+6. Click **Add** again. The **Add Row OMA-URI Settings** opens. In **Add Row**, fill in the following information:
 
-   - In **Name**, type a name for the rule.
-   - In **Description**, type a brief description.
-   - In **OMA-URI**, type or paste the specific OMA-URI link for the rule that you're adding. Refer to the MDM section in this article for the OMA-URI to use for this example rule. For attack surface reduction rule GUIDS, see [Per rule descriptions](attack-surface-reduction-rules-reference.md#per-rule-descriptions) in the article: Attack surface reduction rules.
-   - In **Data type**, select **String**.
-   - In **Value**, type or paste the GUID value, the \= sign and the State value with no spaces (_GUID=StateValue_). Where:
+   1. In **Name**, type a name for the rule.
 
-     - 0: Disable (Disable the attack surface reduction rule)
-     - 1: Block (Enable the attack surface reduction rule)
-     - 2: Audit (Evaluate how the attack surface reduction rule would impact your organization if enabled)
-     - 6: Warn (Enable the attack surface reduction rule but allow the end-user to bypass the block)
+   2. In **Description**, type a brief description.
+
+   3. In **OMA-URI**, type or paste the specific OMA-URI link for the rule that you're adding. Refer to the MDM section in this article for the OMA-URI to use for this example rule. For attack surface reduction rule GUIDS, see [Per rule descriptions](attack-surface-reduction-rules-reference.md#per-rule-descriptions).
+
+   4. In **Data type**, select **String**.
+
+   5. In **Value**, type or paste the GUID value, the `\=` sign and the State value with no spaces (`GUID=StateValue`):
+
+      - `0`: Disable (Disable the attack surface reduction rule)
+      - `1`: Block (Enable the attack surface reduction rule)
+      - `2`: Audit (Evaluate how the attack surface reduction rule would impact your organization if enabled)
+      - `6`: Warn (Enable the attack surface reduction rule but allow the end-user to bypass the block)
 
    :::image type="content" source="media/mem05-add-row-oma-uri.png" alt-text="The OMA URI configuration in the Microsoft Intune admin center portal" lightbox="media/mem05-add-row-oma-uri.png":::
 
-1. Select **Save**. **Add Row** closes. In **Custom**, select **Next**. In step **3 Scope tags**, scope tags are optional. Do one of the following:
+7. Select **Save**. **Add Row** closes. In **Custom**, select **Next**. In step **3 Scope tags**, scope tags are optional. Do one of the following:
 
    - Select **Select Scope tags**, select the scope tag (optional) and then select **Next**.
    - Or select **Next**
       
-1. In step **4 Assignments**, in **Included Groups**, for the groups that you want this rule to apply, select from the following options:
+8. In step **4 Assignments**, in **Included Groups**, for the groups that you want this rule to apply, select from the following options:
 
    - **Add groups**
    - **Add all users**
    - **Add all devices**
 
    :::image type="content" source="media/mem06-4-assignments.png" alt-text="The assignments in the Microsoft Intune admin center portal" lightbox="media/mem06-4-assignments.png":::
 
-1. In **Excluded groups**, select any groups that you want to exclude from this rule, and then select **Next**.
+9. In **Excluded groups**, select any groups that you want to exclude from this rule, and then select **Next**.
+
+10. In step **5 Applicability Rules** for the following settings, do the following:
 
-1. In step **5 Applicability Rules** for the following settings, do the following:
+   1. In **Rule**, select either **Assign profile if**, or **Don't assign profile if**.
 
-   - In **Rule**, select either **Assign profile if**, or **Don't assign profile if**
+   2. In **Property**, select the property to which you want this rule to apply.
 
-   - In **Property**, select the property to which you want this rule to apply
-   - In **Value**, enter the applicable value or value range
+   3. In **Value**, enter the applicable value or value range.
 
    :::image type="content" source="media/mem07-5-applicability-rules.png" alt-text="The applicability rules in the Microsoft Intune admin center portal" lightbox="media/mem07-5-applicability-rules.png":::
 
-10. Select **Next**. In step **6 Review + create**, review the settings and information you've selected and entered, and then select **Create**.
+11. Select **Next**. In step **6 Review + create**, review the settings and information you've selected and entered, and then select **Create**.
 
-    :::image type="content" source="media/mem08-6-review-create.png" alt-text="The Review and create option in the Microsoft Intune admin center portal" lightbox="media/mem08-6-review-create.png":::
+   :::image type="content" source="media/mem08-6-review-create.png" alt-text="The Review and create option in the Microsoft Intune admin center portal" lightbox="media/mem08-6-review-create.png":::
 
-    Rules are active and live within minutes.
+   Rules are active and live within minutes.
 
 > [!NOTE]
 > Conflict handling:
