ll  Nov 11, 2022
Hahaha. Lost hours to deploy Defender ASR rules + Network protection to Win servers via SCCM. Turns out there's a bug and it won't work. No ETA for a fix. Great.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#microsoft-endpoint-configuration-manager
Enable attack surface reduction rules

Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.

Show threadPaul BiggsNov 11, 2022
@ll Thanks, thatโ€™s useful. I had that route in mind for any ASR-on-server compliance requests. Perhaps Microsoft will allow servers to enroll into Intune for ASR policies ๐Ÿ˜‚๐Ÿ˜‚๐Ÿ˜‚
Show threadBrian Clark
@zenliberator @ll Been there. You can successfully deploy ASR rules via GPO. I can confirm that workโ€™s correctly
Nov 11, 2022 at 2:17pmWeb
Show threadll  Nov 11, 2022
@deepthoughts10 @zenliberator Thanks. GPO is our last resort route. It's much easier to manage ASR server policies/profiles and exclusions via SCCM. GPOs can be messy if you need granularity.
Show threadNathan McNultyNov 12, 2022

@ll @deepthoughts10 @zenliberator The problem with ConfigMgr is that it doesn't support all of the rules..

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rules-supported-configuration-management-systems

You could use CIs/Baselines with Set-MpPreference if you really wanted to set them all from ConfigMgr

Otherwise, GPO with security group filtering is your best bet (unless you're running MDE for Servers and they're hybrid).

Attack surface reduction rules reference

Lists details about Microsoft Defender for Endpoint (MDE) attack surface reduction (ASR) rules on a per-rule basis.

Show threadNathan McNultyNov 12, 2022
@ll @deepthoughts10 @zenliberator Oh, almost forgot. Whatever you do, do not enable the "Block process creations originating from PSExec and WMI commands" rule ;)