{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity", "createdDateTime": "2025-03-16T05:44:05.3293364Z", "creationSource": null, "description": "DO NOT ASSIGN THIS POLICY WITHOUT VALIDATING VIA AUDIT MODE FIRST!\nhttps://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize", "lastModifiedDateTime": "2025-03-16T05:44:05.3293364Z", "name": "Win - ES - Attack Surface Reduction - D - ASR Rules (L2)", "platforms": "windows10", "priorityMetaData": null, "roleScopeTagIds": [ "0" ], "settingCount": 2, "technologies": "mdm,microsoftSense", "id": "30a895ab-f29c-4b92-a40c-2759a9fd493b", "templateReference": { "templateId": "e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1", "templateFamily": "endpointSecurityAttackSurfaceReduction", "templateDisplayName": "Attack Surface Reduction Rules", "templateDisplayVersion": "Version 1" }, "settings": [ { "id": "0", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules", "settingInstanceTemplateReference": { "settingInstanceTemplateId": "19600663-e264-4c02-8f55-f2983216d6d7" }, "groupSettingCollectionValue": [ { "settingValueTemplateReference": null, "children": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_warn", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_block", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses_warn", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_block", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_block", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb_block", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription_block", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuseofcopiedorimpersonatedsystemtools", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuseofcopiedorimpersonatedsystemtools_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers_block", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands_warn", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent_block", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses_warn", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockrebootingmachineinsafemode", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockrebootingmachineinsafemode_audit", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware_block", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail", "settingInstanceTemplateReference": null, "choiceSettingValue": { "settingValueTemplateReference": null, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail_block", "children": [] } } ] } ] } }, { "id": "1", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_enablecontrolledfolderaccess", "settingInstanceTemplateReference": { "settingInstanceTemplateId": "78c83b32-56c0-445a-932a-872d69af6e49" }, "choiceSettingValue": { "value": "device_vendor_msft_policy_config_defender_enablecontrolledfolderaccess_2", "settingValueTemplateReference": { "settingValueTemplateId": "e57db701-c3c6-4264-ab50-7896cb90dfd6", "useTemplateDefault": false }, "children": [] } } } ] }