Microsoft Defender ASR rules — the 16 you actually need, ranked for AU mid-market (2026)

Attack Surface Reduction rules in Microsoft Defender for Endpoint stop the dominant attacker techniques in Australian breaches. Sixteen rules, ranked by impact, with the audit-vs-enforce posture Frontrow recommends and the exception patterns that actually surface in production.

Daniel Brown · Last reviewed 14 May 2026 · 9 min read

Attack Surface Reduction rules are the most leveraged setting in Microsoft Defender for Endpoint and the one Australian mid-market tenants most consistently leave unconfigured. Sixteen named rules ship in 2026. Each blocks a specific technique that maps to the dominant initial-access, execution and persistence patterns in Australian breach reports. Configured correctly, ASR removes most of the day-one foothold methods attackers rely on before any human responder is involved.

The problem is operational. ASR rules in 'block' mode without proper exception handling break legitimate business processes — the macro the finance team has used for ten years, the LOB app that spawns Office processes, the deployment tool that injects DLLs. The right approach is rank, audit, tune, enforce. Below is the Frontrow ranking and rollout sequence used across Australian mid-market tenants.

Tier 1 — turn these on tomorrow (Block mode, no debate)

These five rules block techniques with virtually no legitimate business use case. They produce minimal false positives across Australian tenants we run and should be enforced from day one.

  1. Block credential stealing from the Windows local security authority subsystem (LSASS) — GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2. Stops Mimikatz-class credential theft. No legitimate business reason for any user process to read LSASS memory.
  2. Block execution of potentially obfuscated scripts — GUID 5beb7efe-fd9a-4556-801d-275e5ffc04cc. Catches the obfuscated PowerShell and VBScript that initial-access brokers favour.
  3. Block Win32 API calls from Office macros — GUID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B. Office macros do not need Win32 API access; this blocks the macro-to-shellcode pivot.
  4. Block Office applications from creating executable content — GUID 3B576869-A4EC-4529-8536-B80A7769E899. The macro-to-dropper pivot.
  5. Block all Office applications from creating child processes — GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A. Tightens the macro-to-cmd/PowerShell pivot. Has rare exceptions in line-of-business Excel apps; profile in audit first.

Tier 2 — audit for 30 days, then enforce

These six rules are high-value but produce false positives that need tuning before block mode. Run them in audit mode, review the Defender events for two weeks, build the exception list, then enforce.

  1. Block executable content from email client and webmail — GUID BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550. False positives: signed installers shared internally, some HR onboarding flows.
  2. Block Office communication application from creating child processes — GUID 26190899-1602-49E8-8B27-EB1D0A1CE869. Outlook spawning child processes. False positives: meeting plug-ins, some integrated CRM add-ins.
  3. Block JavaScript or VBScript from launching downloaded executable content — GUID D3E037E1-3EB8-44C8-A917-57927947596D. Catches the drive-by-download to exec pivot.
  4. Block untrusted and unsigned processes that run from USB — GUID B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4. Critical in environments with USB allowed. Trivial false positives on legitimate signed tools.
  5. Block persistence through WMI event subscription — GUID E6DB77E5-3DF2-4CF1-B95A-636979351E5B. Catches a persistence technique used by APT and ransomware operators.
  6. Block Adobe Reader from creating child processes — GUID 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C. PDF-to-execution pivot. Some legacy workflows print PDFs via Reader; audit for those.

Tier 3 — enforce only after broader environment hardening

These five rules are valuable but interact with operating patterns that may not be in place yet. Enforce after Tier 1 and 2 are stable and after Intune-deployed configuration baselines lock down the relevant surfaces.

  1. Block process creations originating from PSExec and WMI commands — GUID D1E49AAC-8F56-4280-B9BA-993A6D77406C. Critical for ransomware containment but can break legitimate systems management. Enforce after standardising on Intune for remote management.
  2. Block use of copied or impersonated system tools (preview) — newer rule blocking LOLBin abuse where attackers copy legitimate binaries to non-system paths.
  3. Block Webshell creation for Servers — GUID a8f5898e-1dc8-49a9-9878-85004b8a61e6. Server-targeted; enforce on web-server-role machines specifically.
  4. Block rebooting machine in Safe Mode (preview) — blocks the Safe Mode boot ransomware operators use to evade endpoint protection.
  5. Block abuse of exploited vulnerable signed drivers — GUID 56a863a9-875e-4185-98a7-b882c64b5ce5. Stops BYOVD (bring-your-own-vulnerable-driver) attacks. Enforce after validating no legitimate driver in use is on the block list.
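As an added example (not Frontrow's code), the three tiers applied to a single device with Defender's built-in cmdlets: Tier 1 in block mode, Tiers 2 and 3 in audit, followed by a read-back of what actually landed. Intune is the delivery path the guide recommends; this is the per-device equivalent for a lab machine, and it includes only the rules whose GUIDs appear in the lists above.

```powershell
# Added example (not Frontrow's code): the three tiers applied to one device with the
# built-in Defender cmdlets. Only rules whose GUIDs appear on the page are included;
# the two preview rules (copied system tools, Safe Mode reboot) are left out.
# Run from an elevated PowerShell session.

$tier1 = @(   # block mode from day one
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',  # LSASS credential theft
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc',  # obfuscated scripts
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',  # Win32 API calls from macros
    '3B576869-A4EC-4529-8536-B80A7769E899',  # Office creating executable content
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Office child processes
)
$tier2 = @(   # audit first, enforce after tuning
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550',  # executable content from email/webmail
    '26190899-1602-49E8-8B27-EB1D0A1CE869',  # Office communication app child processes
    'D3E037E1-3EB8-44C8-A917-57927947596D',  # JS/VBScript launching downloaded content
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4',  # untrusted/unsigned processes from USB
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B',  # WMI event subscription persistence
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'   # Adobe Reader child processes
)
$tier3 = @(   # audit until the prerequisite hardening is in place
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C',  # PSExec/WMI process creation
    'a8f5898e-1dc8-49a9-9878-85004b8a61e6',  # webshell creation (servers)
    '56a863a9-875e-4185-98a7-b882c64b5ce5'   # vulnerable signed drivers
)

# Add-MpPreference takes parallel arrays: rule N gets action N.
# Actions: Enabled = block, AuditMode = log only, Warn, Disabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids $tier1 `
    -AttackSurfaceReductionRules_Actions (@('Enabled') * $tier1.Count)
$audit = $tier2 + $tier3
Add-MpPreference -AttackSurfaceReductionRules_Ids $audit `
    -AttackSurfaceReductionRules_Actions (@('AuditMode') * $audit.Count)

# Read back what actually took effect. Get-MpPreference reports actions as
# numbers: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id  = $pref.AttackSurfaceReductionRules_Ids[$i]
    $act = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    '{0}  {1}' -f $id, $(if ($actionName.ContainsKey($act)) { $actionName[$act] } else { $act })
}
```

On an Intune- or Group Policy-managed device the policy value takes precedence over a local Add-MpPreference, so use the whole script on an unmanaged test machine and only the read-back loop on managed ones to confirm what the policy applied.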

The exception pattern that actually works

ASR rule exceptions live in the Intune Endpoint Security profile or in Defender Group Policy. The trap most AU tenants fall into is per-path exceptions — adding 'C:\Program Files\TheirApp\bin\app.exe' as an exception. Per-path exceptions are a known bypass: attackers drop their payload to the excluded path. The right pattern is per-signature exception — use the Defender event details to identify the publisher of the legitimate signed binary, then exception by certificate thumbprint or publisher name. This is more work to set up; it doesn't get bypassed by file-path-aware malware.

How to roll this out without breaking the business

  1. Week 1: Enable all 16 rules in audit mode tenant-wide via the Intune Endpoint Security ASR profile.
  2. Week 2: Pull the Defender ASR audit events into Sentinel (or the Defender for Endpoint console). Categorise by rule, by GUID, by process, by frequency. Identify the top five noisy rules for your environment.
  3. Week 3: Build per-signature exceptions for legitimate processes triggering the noisy rules. Document each exception with the business reason.
  4. Week 4: Move Tier 1 rules (the five non-negotiables) to block mode. Communicate to helpdesk and IT operations.
  5. Week 5–6: Continue auditing Tier 2 rules. Tune exceptions. Move to block mode at end of week 6.
  6. Week 7+: Plan Tier 3 enforcement against broader environment-hardening milestones (Intune coverage, Conditional Access maturity, server role classification).
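The Week 2 triage and the Week 3 signer lookup from the exception section, as an added example (not Frontrow's code) run on a single device against the local Defender operational log rather than Sentinel. It groups audit and block events by rule and process, then resolves the Authenticode signer of each process that fired so the exception list can key on publisher or thumbprint instead of path. The EventData field names ('ID' for the rule GUID, 'Process Name') are assumed from the log schema; confirm them against one event with (Get-WinEvent ... -MaxEvents 1).ToXml() before trusting the output.

```powershell
# Added example (not Frontrow's code): Week 2 triage plus Week 3 signer lookup on one
# device. Event 1122 = ASR rule audited, 1121 = ASR rule blocked. The EventData
# field names ('ID' = rule GUID, 'Process Name') are assumed from the log schema.
$ruleName = @{   # GUID -> short name, from the ranking above (preview rules lack GUIDs)
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'LSASS credential theft'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Obfuscated scripts'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Win32 API from macros'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Office creating executables'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Office child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Executable from email/webmail'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Office comms child processes'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'JS/VBScript downloaded exec'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Unsigned from USB'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'WMI event subscription'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Adobe Reader child processes'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'PSExec/WMI process creation'
    'a8f5898e-1dc8-49a9-9878-85004b8a61e6' = 'Webshell creation'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Vulnerable signed drivers'
}
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id = 1121, 1122; StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $d = @{}   # flatten <Data Name="...">value</Data> pairs into a lookup
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $guid = ($d['ID'] -replace '[{}]', '')
    [pscustomobject]@{
        Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        Rule    = if ($ruleName[$guid]) { $ruleName[$guid] } else { $guid }
        Process = $d['Process Name']
    }
}

# 1. Noisiest rules first, then which processes drive each one (the 'top five' triage).
$rows | Group-Object Mode, Rule | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$rows | Group-Object Rule, Process | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# 2. Signer of each distinct process path: publisher/thumbprint is what an exception
#    should key on; an unsigned or invalid signer should not get one.
$rows.Process | Sort-Object -Unique | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_
    [pscustomobject]@{ Path = $_; Status = $sig.Status
                       Publisher = $sig.SignerCertificate.Subject
                       Thumbprint = $sig.SignerCertificate.Thumbprint }
} | Format-Table -AutoSize
```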

Where ASR sits in Essential Eight and APRA

ASR contributes directly to three Essential Eight strategies: Application Control (some rules block process execution patterns), Configure Office Macros (rules 4 and 5 above), and User Application Hardening (multiple rules harden the runtime). It also evidences APRA CPS 234 'reasonable measures' for endpoint security and aligns with ASD ISM controls on endpoint hardening.

The surrounding Essential Eight posture

ASR rules are most effective inside a wider Essential Eight maturity. For reference, the eight strategies and what each one targets:

  1. Application control: only approved applications can execute on workstations and servers.
  2. Patch applications: internet-facing apps, browsers, Office, PDF readers patched promptly.
  3. Microsoft Office macros: macros disabled unless from trusted locations and signed by a trusted publisher.
  4. User application hardening: web browsers and productivity apps hardened against the most common attacks.
  5. Restrict administrative privileges: admin accounts limited, separated and reviewed — the crown jewels of the tenant.
  6. Patch operating systems: operating system patches applied on a schedule that matches the risk.
  7. Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
  8. Regular backups: backups of important data, configuration and software — and restores you have actually tested.
