Microsoft Defender ASR via PowerShell: Audit → Warn/Block (SAFE Method)

Last updated: 2026-01-02

This guide shows a safe way to configure Microsoft Defender Attack Surface Reduction (ASR) rules with PowerShell while preserving your existing rule set. Microsoft explicitly warns that Set-MpPreference overwrites the existing set of rules, so every change below rebuilds and re-applies the full set instead of passing a single rule. (Source: Microsoft Learn)

0) What you need

  • Run PowerShell as Administrator

  • Microsoft Defender Antivirus active (real-time protection in Active mode if you want Warn mode to work)

  • For Warn mode, your OS and Defender platform must support it (Microsoft lists the OS requirements and the minimum Defender platform/engine versions). (Source: Microsoft Learn)
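A pre-flight check that covers the three points above in one go, added here as an example and not part of the original post. It only reads status; the property names come from Get-MpComputerStatus. The assumption that AMRunningMode reads 'Normal' when Defender is in Active mode is this example's own, and the minimum platform/engine versions for Warn mode are not hard-coded because they come from Microsoft's documentation, so compare the printed versions against that page yourself.

```powershell
# Added example (not from the original post): read-only pre-flight check before touching ASR.
function Test-AsrPrerequisites {
    # Administrator check: Set-MpPreference needs an elevated session
    $isAdmin = ([Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()
    ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $status = Get-MpComputerStatus

    # Assumption: 'Normal' is the AMRunningMode value reported in Active mode
    $activeMode = ($status.AMRunningMode -eq 'Normal')

    [pscustomobject]@{
        IsAdministrator      = $isAdmin
        AntivirusEnabled     = $status.AMServiceEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        RunningMode          = $status.AMRunningMode
        PlatformVersion      = $status.AMProductVersion   # compare with Microsoft's minimum for Warn mode
        EngineVersion        = $status.AMEngineVersion    # compare with Microsoft's minimum for Warn mode
        ReadyForAuditOrBlock = $isAdmin -and $status.AMServiceEnabled
        ReadyForWarn         = $isAdmin -and $status.RealTimeProtectionEnabled -and $activeMode
    }
}

Test-AsrPrerequisites | Format-List
```

If ReadyForAuditOrBlock is false, stop here: Set-MpPreference will fail or silently apply nothing useful. If only ReadyForWarn is false, you can still run the Audit → Enabled path and skip the optional Warn stage.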


1) Choose a rule (GUID) and a target mode

Pick a rule GUID from Microsoft's ASR rules reference. The example GUID used throughout this guide is the one Microsoft uses in its own docs:
56a863a9-875e-4185-98a7-b882c64b5ce5 (Source: Microsoft Learn)

Modes you can use in PowerShell (per Microsoft docs): Disabled, Enabled (block), AuditMode, and Warn.

SAFE rollout: AuditMode → (optional) Warn → Enabled, on a pilot group first. Microsoft recommends evaluating a rule in audit mode before switching it to block. (Source: Microsoft Learn)


2) Baseline: export your current ASR configuration (backup)

$pref = Get-MpPreference
$backup = [pscustomobject]@{
    Time        = (Get-Date).ToString("s")
    RuleIds     = $pref.AttackSurfaceReductionRules_Ids      # GUIDs of the rules currently configured
    RuleActions = $pref.AttackSurfaceReductionRules_Actions  # matching actions, in the same order (numeric codes as returned by Defender)
}
# Written as JSON so it can be read back later for a full restore
$backup | ConvertTo-Json -Depth 5 | Out-File "$env:PUBLIC\ASR-backup.json" -Encoding UTF8

3) SAFE method: update one rule without losing existing rules

This avoids the common mistake: calling Set-MpPreference with just one GUID/action and accidentally wiping every other rule. Microsoft warns that Set-MpPreference overwrites the whole set of rules, so the script below reads the current set, changes one entry, and writes the complete set back. (Source: Microsoft Learn)

3.1 Edit these two lines

$RuleId = "56a863a9-875e-4185-98a7-b882c64b5ce5"
$TargetAction = "AuditMode" # AuditMode | Warn | Enabled | Disabled

3.2 Apply safely (preserve everything else)

$pref = Get-MpPreference

# Build a map of existing rules -> actions (hashtable literals compare string keys case-insensitively,
# so the GUID case returned by Defender does not matter)
$map = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $map[$pref.AttackSurfaceReductionRules_Ids[$i].ToString()] = $pref.AttackSurfaceReductionRules_Actions[$i].ToString()
}

# Save old action for rollback ($null if the rule was not configured before)
$OldAction = $map[$RuleId]

# Set or add the rule action
$map[$RuleId] = $TargetAction

# Rebuild parallel arrays in a stable order (ids[i] must line up with actions[i])
$ids = New-Object System.Collections.Generic.List[string]
$actions = New-Object System.Collections.Generic.List[string]
foreach ($k in ($map.Keys | Sort-Object)) {
    $ids.Add($k) | Out-Null
    $actions.Add($map[$k]) | Out-Null
}

# Apply the full set (SAFE): nothing that was configured before is dropped
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

"OldAction for $RuleId was: $OldAction"
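The same read-modify-write idea as a reusable function, added as an example that is not part of the original post. It goes a little beyond step 3.2: it validates the GUID and action before touching anything, accepts several rules in one call (useful for a pilot group getting a few rules in AuditMode), supports -WhatIf, and returns a before/after table you can keep as the rollback record. The function name, parameter name and the code-to-name table are this example's own; the cmdlets and property names are Microsoft's.

```powershell
# Added example (not from the original post): step 3.2 wrapped in a validated, multi-rule function.
function Set-AsrRuleActionSafe {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hashtable of rule GUID -> action, e.g. @{ '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'AuditMode' }
        [Parameter(Mandatory)] [hashtable] $Rules
    )

    $validActions = 'Disabled', 'Enabled', 'AuditMode', 'Warn'
    $guidPattern  = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'   # -match is case-insensitive
    # Numeric codes Get-MpPreference reports in AttackSurfaceReductionRules_Actions, mapped to the
    # names Set-MpPreference accepts (as documented by Microsoft for ASR actions)
    $codeToName = @{ '0' = 'Disabled'; '1' = 'Enabled'; '2' = 'AuditMode'; '6' = 'Warn' }

    # Fail early on bad input so a typo cannot become a half-applied rule set
    foreach ($entry in $Rules.GetEnumerator()) {
        if ($entry.Key -notmatch $guidPattern)       { throw "Not a rule GUID: $($entry.Key)" }
        if ($validActions -notcontains $entry.Value) { throw "Unknown action '$($entry.Value)' for $($entry.Key)" }
    }

    # Snapshot the existing set, keyed by GUID (string keys in @{} compare case-insensitively)
    $pref = Get-MpPreference
    $map  = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code = $pref.AttackSurfaceReductionRules_Actions[$i].ToString()
        $name = if ($codeToName.ContainsKey($code)) { $codeToName[$code] } else { $code }
        $map[$pref.AttackSurfaceReductionRules_Ids[$i].ToString()] = $name
    }
    $before = $map.Clone()

    foreach ($entry in $Rules.GetEnumerator()) { $map[$entry.Key] = $entry.Value }

    # Rebuild parallel arrays in a stable order and push the whole set in one call
    $ids     = [string[]]($map.Keys | Sort-Object)
    $actions = [string[]]($ids | ForEach-Object { $map[$_] })

    if ($PSCmdlet.ShouldProcess("ASR rule set ($($ids.Count) rules)", 'Set-MpPreference')) {
        Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
    }

    # Report every rule with its previous and new action; keep this output for rollback
    foreach ($id in $ids) {
        [pscustomobject]@{
            RuleId  = $id
            Before  = if ($before.ContainsKey($id)) { $before[$id] } else { '(not configured)' }
            After   = $map[$id]
            Changed = (-not $before.ContainsKey($id)) -or ($before[$id] -ne $map[$id])
        }
    }
}

# Usage: preview the rebuilt set first, then apply and keep the table
Set-AsrRuleActionSafe -Rules @{ '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'AuditMode' } -WhatIf
Set-AsrRuleActionSafe -Rules @{ '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'AuditMode' } | Format-Table -AutoSize
```

Microsoft's own cmdlet for adding or updating a single rule without clearing the rest is Add-MpPreference with the same -AttackSurfaceReductionRules_Ids and -AttackSurfaceReductionRules_Actions parameters; the rebuild approach above is still worth having when you want the full before/after state recorded in one place.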


4) Verify (must-do)

4.1 Check that the rule is present and the action is applied

Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

Microsoft recommends Get-MpPreference for checking which rules are active and with which action. The two lists are parallel: the n-th action belongs to the n-th GUID. (Source: Microsoft Learn)

4.2 Event Viewer verification (official event IDs)

Open Event Viewer and go to:
Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

Filter by:

  • 1121 = rule fired in Block (Enabled) mode

  • 1122 = rule fired in Audit mode (what would have been blocked)

  • 5007 = Defender settings changed (use this to confirm your Set-MpPreference call landed) (Source: Microsoft Learn)
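The same check from PowerShell, added as an example and not part of the original post: it pulls the 1121/1122 events above with Get-WinEvent and summarizes hits per rule GUID, which is the number you want to look at before moving a rule from AuditMode to Enabled. The function name and parameters are this example's own. The rule GUID is extracted from the event message with a regex because the message layout is Microsoft's and may differ between Defender versions.

```powershell
# Added example (not from the original post): per-rule summary of ASR audit/block events.
function Get-AsrEventSummary {
    param(
        [int]   $Days    = 7,
        [int[]] $EventId = @(1121, 1122)   # 1121 = Block, 1122 = Audit (event IDs from the section above)
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $guidPattern = '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'

    # Get-WinEvent throws when nothing matches; treat that as "no hits" rather than an error
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = [regex]::Match($_.Message, $guidPattern)
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
                RuleId = if ($m.Success) { $m.Value.ToLower() } else { '(no GUID in message)' }
            }
        } |
        Group-Object RuleId, Mode |
        ForEach-Object {
            [pscustomobject]@{
                RuleId = $_.Group[0].RuleId
                Mode   = $_.Group[0].Mode
                Hits   = $_.Count
                Last   = ($_.Group | Sort-Object Time -Descending)[0].Time
            }
        } |
        Sort-Object Hits -Descending
}

# Usage: look at two weeks of audit data for the pilot group before flipping a rule to Enabled
Get-AsrEventSummary -Days 14 | Format-Table -AutoSize

# Settings-change events (5007) confirm that a Set-MpPreference call actually took effect
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -MaxEvents 5 |
    Select-Object TimeCreated, Message | Format-List
```

Zero Audit rows for a rule after a representative test period on the pilot group is the signal to move it to Enabled; many rows means you need to review the paths and processes in those events (exclusions, or a Warn stage first) before blocking.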


5) Rollback (clean)

Use the $OldAction value saved in step 3.2. It exists only in the PowerShell session that ran step 3.2; if that session is gone, use the step-2 backup file instead. Example:

$RuleId = "56a863a9-875e-4185-98a7-b882c64b5ce5"
$TargetAction = $OldAction   # rollback to the previous state captured in step 3.2

$pref = Get-MpPreference
$map = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $map[$pref.AttackSurfaceReductionRules_Ids[$i].ToString()] = $pref.AttackSurfaceReductionRules_Actions[$i].ToString()
}

if ($null -eq $TargetAction) {
    # The rule was not configured before step 3: drop it instead of writing a null action
    $map.Remove($RuleId)
} else {
    $map[$RuleId] = $TargetAction
}

$ids = New-Object System.Collections.Generic.List[string]
$actions = New-Object System.Collections.Generic.List[string]
foreach ($k in ($map.Keys | Sort-Object)) {
    $ids.Add($k) | Out-Null
    $actions.Add($map[$k]) | Out-Null
}

# Apply the full set again, exactly as in step 3.2
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
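For the case where $OldAction is no longer available (new session, different admin, several rules changed), here is a restore of the complete rule set from the JSON file written in step 2. This is an added example, not part of the original post; the function name and parameter are its own, and it assumes the backup has the Time/RuleIds/RuleActions shape produced by step 2.

```powershell
# Added example (not from the original post): restore the whole ASR set from the step-2 backup.
function Restore-AsrFromBackup {
    param([string] $Path = "$env:PUBLIC\ASR-backup.json")

    $backup = Get-Content -Path $Path -Raw | ConvertFrom-Json

    # ConvertTo-Json flattens a one-element array to a scalar and an empty set to $null,
    # so coerce both lists back to proper arrays before comparing them
    $ids     = [string[]]@($backup.RuleIds     | Where-Object { $_ })
    $actions = [string[]]@($backup.RuleActions | Where-Object { $null -ne $_ })

    if ($ids.Count -ne $actions.Count) {
        throw "Backup is inconsistent: $($ids.Count) ids vs $($actions.Count) actions"
    }

    if ($ids.Count -eq 0) {
        # Nothing was configured when the backup was taken: remove whatever is configured now
        $current = @((Get-MpPreference).AttackSurfaceReductionRules_Ids | Where-Object { $_ })
        if ($current.Count -gt 0) {
            Remove-MpPreference -AttackSurfaceReductionRules_Ids $current
        }
    } else {
        # Numeric action codes from the backup are accepted by Set-MpPreference as-is
        Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
    }

    "Restored $($ids.Count) rule(s) from backup taken at $($backup.Time)"
}

Restore-AsrFromBackup
# Then re-run the step-4 checks (Get-MpPreference and event ID 5007) to confirm the restore landed
```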


6) Notes about Warn mode (important)

Warn mode shows the user a prompt and lets them temporarily bypass the block; because the prompt depends on the client, Microsoft documents OS requirements and minimum Defender platform/engine versions for Warn mode, and a rule set to Warn on a client that does not meet them will not warn as expected. (Source: Microsoft Learn)

