How to deploy Attack Surface Reduction rules to Azure VMs using Azure Guest Configurations

Disclaimer: Under normal circumstances ASR rules should only be deployed using the following methods mentioned in this document:

In rare cases where VMs are server OSs, non-domain joined, and not managed by SCCM or third-party management solutions, Azure State Configuration or the new version of Azure DSC, using the guest configuration feature of Azure Policy, can be used as an alternative solution to centrally deploy ASR rules. Learn more about Azure Guest configuration.

Example Scenario:

Let's assume there is a requirement to enable and deploy the ASR rule: Block execution of potentially obfuscated (GUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc) Follow the steps below to accomplish this task.

Step 1: Create the MOF configuration file

The following is a sample state configuration script using the DSC Script resource.

$test= $asr_rules.Contains("5beb7efe-fd9a-4556-801d-275e5ffc04cc")

 Configuration ASRDSC
    Import-DscResource -ModuleName 'PSDscResources'
    Node localhost
        Script ASRTest
          SetScript = { 
                 Add-MpPreference -AttackSurfaceReductionRules_Ids "5beb7efe-fd9a-4556-801d-275e5ffc04cc" -AttackSurfaceReductionRules_Actions AuditMode

          TestScript ={ 

          GetScript = { @{ Result = “String" } }

Once the state configuration checks whether or not the ASR rule ID 5beb7efe-fd9a-4556-801d-275e5ffc04cc exists, it will run the Add-MpPreference command, setting the rule into an audit state on the local VM. ASR rules can also be set into enabled state using the same, Add-MpPreference, command.

This script can be compiled using the dot sourcing method. 


. C:Scriptsasrtest.ps1

Once resolved, a file called localhost.mof should be created and found under the C:ScriptsASRTEST folder.

Step 2: Create the artifacts package

Now that we have the MOF file, we can create the package.  instructions can be found here. 

# Create a package 
New-GuestConfigurationPackage `
  -Name 'MyConfig' `
  -Configuration './ASRTEST/localhost.mof' `
  -path 'C:scripts' `
  -Type Audit `

Step 3: Publish the package

Now that the package is ready, we can publish (upload) the package to an Azure account where it is ready to be consumed by Azure Policy.  instructions can be found here.

Step 4: Create a policy definition

To start deploying this package to target VMs in a resource group, for example, a new Azure policy definition needs to be created. We want to create this policy definition by using the “guest configuration” category. Creating this new policy requires using the New-GuestConfigurationPolicy and New-AzPolicyDefinition commands to publish the policy to the Azure Policy portal. instructions can be found here.

Now we can deploy ASR rules centrally and have a compliance view right from Azure Policy.

Please note: This method for deploying ASR should only be used as a last resort due to the complex nature and knowledge necessary for using DSC powershell scripting and its limitation.

We hope that you found this article and the additional step-by-step resources helpful.


This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.