IntunePolicies/policies/settingscatalog/Win - ES - Attack Surface Reduction - D - ASR Rules (Audit Mode).json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
  "createdDateTime": "2025-03-16T05:44:04.8293157Z",
  "creationSource": null,
  "description": "",
  "lastModifiedDateTime": "2025-03-16T05:44:04.8293157Z",
  "name": "Win - ES - Attack Surface Reduction - D - ASR Rules (Audit Mode)",
  "platforms": "windows10",
  "priorityMetaData": null,
  "roleScopeTagIds": [
    "0"
  ],
  "settingCount": 2,
  "technologies": "mdm,microsoftSense",
  "id": "9c7639ec-9ffe-4d87-85c2-2ed1a14ae64f",
  "templateReference": {
    "templateId": "e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1",
    "templateFamily": "endpointSecurityAttackSurfaceReduction",
    "templateDisplayName": "Attack Surface Reduction Rules",
    "templateDisplayVersion": "Version 1"
  },
  "settings": [
    {
      "id": "0",
      "settingInstance": {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance",
        "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules",
        "settingInstanceTemplateReference": {
          "settingInstanceTemplateId": "19600663-e264-4c02-8f55-f2983216d6d7"
        },
        "groupSettingCollectionValue": [
          {
            "settingValueTemplateReference": null,
            "children": [
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuseofcopiedorimpersonatedsystemtools",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuseofcopiedorimpersonatedsystemtools_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockrebootingmachineinsafemode",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockrebootingmachineinsafemode_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware_audit",
                  "children": []
                }
              },
              {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                  "settingValueTemplateReference": null,
                  "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail_audit",
                  "children": []
                }
              }
            ]
          }
        ]
      }
    },
    {
      "id": "1",
      "settingInstance": {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
        "settingDefinitionId": "device_vendor_msft_policy_config_defender_enablecontrolledfolderaccess",
        "settingInstanceTemplateReference": {
          "settingInstanceTemplateId": "78c83b32-56c0-445a-932a-872d69af6e49"
        },
        "choiceSettingValue": {
          "value": "device_vendor_msft_policy_config_defender_enablecontrolledfolderaccess_2",
          "settingValueTemplateReference": {
            "settingValueTemplateId": "e57db701-c3c6-4264-ab50-7896cb90dfd6",
            "useTemplateDefault": false
          },
          "children": []
        }
      }
    }
  ]
}