{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity", "createdDateTime": "2025-03-16T05:44:04.8293157Z", "creationSource": null, "description": "", "lastModifiedDateTime": "2025-03-16T05:44:04.8293157Z", "name": "Win - ES - Attack Surface Reduction - D - ASR Rules (Audit Mode)", "platforms": "windows10", "priorityMetaData": null, "roleScopeTagIds": [ "0" ], "settingCount": 2, "technologies": "mdm,microsoftSense", "id": "9c7639ec-9ffe-4d87-85c2-2ed1a14ae64f", "templateReference": { "templateId": "e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1", "templateFamily": "endpointSecurityAttackSurfaceReduction", "templateDisplayName": "Attack Surface Reduction Rules", "templateDisplayVersion": "Version 1" }, "settings": [ { "id": "0", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules", "settingInstanceTemplateReference": { "settingInstanceTemplateId": "19600663-e264-4c02-8f55-f2983216d6d7" }, "groupSettingCollectionValue": [ { "settingValueTemplateReference": null, "children": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuseofcopiedorimpersonatedsystemtools", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuseofcopiedorimpersonatedsystemtools_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockrebootingmachineinsafemode", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockrebootingmachineinsafemode_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail_audit", "children": [] } } ] } ] } }, { "id": "1", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_enablecontrolledfolderaccess", "settingInstanceTemplateReference": { "settingInstanceTemplateId": "78c83b32-56c0-445a-932a-872d69af6e49" }, "choiceSettingValue": { "value": "device_vendor_msft_policy_config_defender_enablecontrolledfolderaccess_2", "settingValueTemplateReference": { "settingValueTemplateId": "e57db701-c3c6-4264-ab50-7896cb90dfd6", "useTemplateDefault": false }, "children": [] } } } ] }