High Risk Disruption: (Audit or Disable)
Block executable files from running unless they meet prevalence...
Use advanced protection against ransomware
Block process creations originating from PSExec and WMI commands
Block Office communication applications from creating child processes
Potentially Disruptive:(Enable, Audit or Disable if causing issue)
Block Office applications from injecting code into other processes
Block Win32 API Calls from Office macros
Block all Office applications from creating child processes
Block execution of potentially obfuscated scripts