Managing Defender Exploit Guard Attack Surface Reduction

• Windows 10 Defender Exploit Guard Attack Surface Reduction can help protect devices from malware.
• The best Attack Surface Reduction management options may require Windows Enterprise E5 licenses.
• Attack Surface Reduction requires significant ongoing monitoring because it may block useful applications.

Windows Defender Exploit Guard (Exploit Guard) is part of the Windows 10 Defender suite of security-related components built into Windows 10 Enterprise and Education editions. Prior to Windows 10 version 1709, Exploit Guard was named Device Guard. (For an overview of where Exploit Guard fits in the Windows 10 Defender software suite, see “Understanding Defender Device, Exploit, and Credential Guard and Application Control”.)

Attack Surface Reduction (ASR) is a main component of Exploit Guard. ASR reduces both the number of attack vectors (places where malware targets the software running on devices) and blocks the common methods that malware uses to compromise the OS or applications. Since application developers often exploit these same methods to deliver application functionality, managing ASR requires substantial ongoing monitoring and configuration tuning.