You have a Microsoft 365 tenant with Defender for Endpoint. Intune is set up and installed on your Windows 10 devices.
You open the Microsoft Endpoint Manager admin center and create an attack surface reduction policy. The policy is shown in the image below.
Check the box next to each statement that's true.