Boost Endpoint Security in Small Business: Set Up Defender for Business Automated Investigations & Attack Surface Reduction Rules
When small and medium-sized businesses think about cybersecurity, the picture is often one of overcomplicated tools and enterprise-grade firewalls. Microsoft Defender for Business, included with Microsoft 365 Business Premium, changes that.
With the right setup, you get automated response actions and attack surface controls that punch well above their weight, without needing a SOC team. In this blog, we’ll cover:
- What automated investigations are
- How to enable and configure them
- What Attack Surface Reduction (ASR) rules do
- Which ASR rules we recommend enabling right away
Let’s get right to it.
What Is Automated Investigation and Response (AIR) in Defender for Business?
Automated Investigation and Response (AIR) runs a cloud-side investigation playbook whenever an alert fires on a device, using Microsoft’s threat intelligence and analytics to reach a verdict (malicious, suspicious, or no threats found) and to act on it without human input.
For example, if Defender detects malware or tampering, it can:
- Collect evidence
- Analyze the chain of events
- Quarantine files
- Kill malicious processes
- Recommend or even take remediation actions automatically
For small IT teams, this is a massive time-saver and a key layer of always-on defense.
How to Turn on Automated Investigation in Defender for Business
- Go to the Microsoft Defender portal, formerly the Microsoft 365 Defender portal (https://security.microsoft.com)
- Navigate to Settings > Endpoints > Advanced features and confirm Automated Investigation is On (Defender for Business turns it on by default)
- The remediation level is set per device group: go to Settings > Endpoints > Device groups, open the group, and choose the automation level:
- Full – remediate threats automatically, with no approval needed (the Defender for Business default)
- Semi – Defender investigates and queues remediation actions for manual approval (the Semi options differ only in which folders still need approval)
- Pending and completed actions show up under Actions & submissions > Action center, where you can approve, reject, or undo them
💡 Tip: Full automation means files are quarantined and processes are stopped without waiting for anyone to click Approve. That is the right default for a team with no SOC, but check the Action center regularly so a false positive can be undone quickly.
Attack Surface Reduction (ASR) Rules: Lock the Front Door
ASR rules are designed to block or reduce the attack vectors that malware and threat actors commonly use. They work at the device level, hardening Windows against exploitation attempts.
Think of these like putting locks on your digital windows and doors — cheap insurance against ransomware, fileless malware, and phishing-based attacks.
Common Threats ASR Blocks:
- Malicious Office macros, including macros that call Win32 APIs
- Credential theft from LSASS (the technique used by tools like Mimikatz)
- Office apps launching child processes (e.g., Word launching PowerShell)
- Executable content arriving by email or webmail, and untrusted or unsigned processes launched from USB
- Script-based attacks, such as JavaScript or VBScript launching downloaded executables and obfuscated scripts
How to Enable ASR Rules in Defender for Business
You can set ASR rules with Intune, with Group Policy, or locally with the Defender PowerShell cmdlets (Add-MpPreference / Set-MpPreference). Here’s how to do it in Intune, which is the preferred method for Business Premium tenants because the license already includes it:
- Go to the Intune admin center (https://intune.microsoft.com)
- Navigate to Endpoint security > Attack surface reduction
- Click + Create Policy
- Choose Platform: Windows 10 and later and Profile: Attack surface reduction rules
- Configure each rule individually: choose Block, Audit, or (for rules that support it) Warn, depending on your rollout plan
- Assign the policy to security groups or to all users/devices
Note that ASR rules only take effect when Microsoft Defender Antivirus is the primary antivirus on the device with real-time protection on; if a third-party AV is active, Defender runs in passive mode and the rules do nothing.
Recommended ASR Rules for Small Business
Here’s a practical starting set for small businesses:
| ASR Rule | Rule ID | Recommendation |
|---|---|---|
| Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Enable (Block) |
| Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Enable (Block) |
| Use advanced protection against ransomware | C1DB55AB-C21A-4637-BB3F-A12568109D35 | Enable (Block) |
| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 | Enable (Block) |
| Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Enable (Block) |
| Block Office communication application (Outlook) from creating child processes | 26190899-1602-49E8-8B27-EB1D0A1CE869 | Enable (Block) |
| Block Adobe Reader from creating child processes | 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C | Audit (unless required by LOB apps) |
Use Audit mode first if you’re not sure how these rules might affect users. Audit mode logs what would have been blocked (Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log, and the attack surface reduction report in the Defender portal) without stopping anything; flip a rule to Block (Event ID 1121) once a test period shows no legitimate business process tripping it.
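The same audit-then-block rollout, done locally with the Defender PowerShell cmdlets rather than through the Intune policy above. This is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell session on a Windows 10/11 lab or pilot device where Microsoft Defender Antivirus is the active AV. On Intune- or Group Policy-managed devices the policy wins over these local settings, so use it there only for the verification and event-review parts. The rule GUIDs are Microsoft’s published identifiers; the function names are this example’s own.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the recommended ASR rule set in Audit mode, review what
# Audit would have blocked, then switch the core rules to Block.

# Published Microsoft rule IDs for the rules recommended above.
$RecommendedRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

function Set-AsrRuleMode {
    # Hypothetical helper: sets one action for a list of rule IDs.
    # Add-MpPreference adds a rule or updates the action of one already set.
    param(
        [Parameter(Mandatory)][string[]]$RuleIds,
        [Parameter(Mandatory)][ValidateSet('AuditMode','Enabled','Warn','Disabled')][string]$Mode
    )
    foreach ($id in $RuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Get-MpPreference returns parallel arrays of rule IDs and numeric actions:
    # 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn.
    $pref = Get-MpPreference
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        [pscustomobject]@{
            RuleId = $id
            Name   = if ($RecommendedRules.Contains($id)) { $RecommendedRules[$id] } else { '(other rule)' }
            Action = $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Get-AsrEvents {
    # Event 1121 = a rule fired in Block mode; 1122 = a rule fired in Audit mode.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The rule GUID is embedded in the event message; map it back to a name.
        $ruleId = if ($_.Message -match '([0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})') { $Matches[1].ToUpper() } else { $null }
        $detail = $_.Message -split "`r?`n" |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -match '^(Path|Process Name|Target Commandline|User):' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Rule   = if ($ruleId -and $RecommendedRules.Contains($ruleId)) { $RecommendedRules[$ruleId] } else { $ruleId }
            Detail = $detail -join '; '
        }
    }
}

# Step 1: roll every recommended rule out in Audit mode and confirm the state.
Set-AsrRuleMode -RuleIds $RecommendedRules.Keys -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# Step 2 (after the test period): see what Audit mode would have blocked, grouped by rule.
Get-AsrEvents -Days 7 | Sort-Object Rule, Time | Format-Table -AutoSize

# Step 3: switch the six core rules to Block; keep Adobe Reader in Audit until LOB apps are confirmed clean.
$blockNow = $RecommendedRules.Keys | Where-Object { $_ -ne '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' }
Set-AsrRuleMode -RuleIds $blockNow -Mode Enabled
Get-AsrRuleState | Format-Table -AutoSize
```

If Step 2 shows a legitimate line-of-business process hitting a rule, add an exclusion for that path (Add-MpPreference -AttackSurfaceReductionOnlyExclusions, or the exclusion list in the Intune policy) before moving that rule to Block, rather than leaving the whole rule in Audit.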
Why This Matters for Small Business
Most small companies aren’t going to have a full-time SOC analyst watching alerts 24/7. Defender for Business, combined with AIR and a tested ASR rule set, can automatically:
- Stop threats in real time
- Investigate suspicious behavior and remediate it without waiting for approval
- Provide detailed investigation reporting in the Action center
- Reduce your attack surface with little user disruption, provided the rules are piloted in Audit mode first
That’s enterprise-grade security, without the enterprise-grade price tag.
Final Thoughts
If you’re running Microsoft 365 Business Premium, you already own Defender for Business. But if you’re not configuring features like Automated Investigations and ASR rules, you’re leaving serious security benefits on the table.
Set it up. Test it. And sleep better at night knowing your endpoints are protected — even when your team’s off the clock.