Hahaha. Lost hours to deploy Defender ASR rules + Network protection to Win servers via SCCM. Turns out there's a bug and it won't work. No ETA for a fix. Great.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#microsoft-endpoint-configuration-manager
Enable attack surface reduction rules

Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.

@ll this is on my roadmap for next There's some significant business impact with some of the ASR rules and a mountain of logs to go through to tune properly.
@richardfitzenwell It honestly wasn't too hard deploying to thousands of Windows 10, so I figured it would fly on a few servers.
@richardfitzenwell @ll deploy them via GPO. Also, you are correct in taking a cautious approach
@deepthoughts10 @ll We're probably going to go through MEM/Intune for client devices. Biggest hurdle is all the Office-related rules that our business partners rely heavily on.
@ll was this under a specific rule or ASR rules in general
@goblinlucy ASR in general. Looks like it's the whole "Exploit guard" policy that never applies.
Works well if you deploy via intune, no luck with SCCM/Endpoint Mgr. More details in this reddit
https://www.reddit.com/r/SCCM/comments/s691ob/attack_surface_reduction_rules_not_applicable/
Attack Surface Reduction Rules - Not Applicable??

Pushing ASR rules through SCCM, and we're testing it on 15 boxes. All 15 of our boxes say "Compliant - not applicable" when I look at these rules...
@ll at least they’re admitting these days when their security products just aren’t working…
@ll Thanks, that’s useful. I had that route in mind for any ASR-on-server compliance requests. Perhaps Microsoft will allow servers to enroll into Intune for ASR policies 😂😂😂
@zenliberator @ll Been there. You can successfully deploy ASR rules via GPO. I can confirm that works correctly.
@deepthoughts10 @zenliberator Thanks. GPO is our last resort route. It's much easier to manage ASR server policies/profiles and exclusions via SCCM. GPOs can be messy if you need granularity.

@ll @deepthoughts10 @zenliberator The problem with ConfigMgr is that it doesn't support all of the rules.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rules-supported-configuration-management-systems

You could use CIs/Baselines with Set-MpPreference if you really wanted to set them all from ConfigMgr

Otherwise, GPO with security group filtering is your best bet (unless you're running MDE for Servers and they're hybrid).

Attack surface reduction rules reference

Lists details about Microsoft Defender for Endpoint (MDE) attack surface reduction (ASR) rules on a per-rule basis.

@ll @deepthoughts10 @zenliberator Oh, almost forgot. Whatever you do, do not enable the "Block process creations originating from PSExec and WMI commands" rule ;)
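Added example, not posted by anyone in the thread: a PowerShell discovery/remediation pair for a ConfigMgr Configuration Item, the Set-MpPreference route suggested above, which sidesteps the Exploit Guard policy that reports "not applicable" and lets you set rules ConfigMgr's own policy does not expose. The rule GUIDs are taken from Microsoft's ASR rules reference linked above (verify them against that page before use); the desired-state table, function names and the choice to keep the PsExec/WMI rule in audit mode rather than block, following the warning in the last reply, are this example's assumptions.

```powershell
# Added example (not from the thread). Intended to be split into a ConfigMgr CI
# discovery script (outputs Compliant/Non-Compliant) and a remediation script.
# Rule GUIDs per Microsoft's ASR rules reference; check them against that page.
# Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.

$DesiredRules = @{
    # Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 1
    # Block all Office applications from creating child processes
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 1
    # Block executable content from email client and webmail
    'be9ba2d9-53ea-4cdb-84e5-9b1eeee46550' = 1
    # Block process creations originating from PSExec and WMI commands.
    # Assumption for this example: left in Audit (2), not Block, because the
    # ConfigMgr client itself relies on WMI and blocking would break management.
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 2
}

function Get-AsrState {
    # Current rule id -> action as Defender reports it (ids lower-cased for comparison).
    $pref  = Get-MpPreference
    $state = @{}
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $state[([string]$ids[$i]).ToLower()] = [int]$acts[$i]
    }
    return $state
}

function Test-AsrCompliance {
    param([hashtable]$Desired)
    $current = Get-AsrState
    foreach ($id in $Desired.Keys) {
        if (-not $current.ContainsKey($id) -or $current[$id] -ne $Desired[$id]) {
            return $false
        }
    }
    return $true
}

function Set-AsrRules {
    param([hashtable]$Desired)
    # Set-MpPreference replaces the whole rule list, so merge the desired rules
    # into whatever is already configured instead of wiping rules set elsewhere.
    $merged = Get-AsrState
    foreach ($id in $Desired.Keys) { $merged[$id] = $Desired[$id] }
    $ids  = @($merged.Keys)
    $acts = @($ids | ForEach-Object { $merged[$_] })
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $acts
}

# --- Discovery script body: the CI compares this output against "Compliant" ---
if (Test-AsrCompliance -Desired $DesiredRules) { 'Compliant' } else { 'Non-Compliant' }

# --- Remediation script body ---
# Set-AsrRules -Desired $DesiredRules
```

Two caveats worth keeping in mind when you run this through a baseline: the local preference set this way is not "policy", so a GPO or MDM setting for the same rules will take precedence over it, and you should confirm the result on the box with `Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions` rather than trusting the CI evaluation alone.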