
ASR + SCCM

Hi,

I’m currently working at one of my customers, helping them transition from an on-prem domain to Azure AD. This also involves migrating from an old endpoint protection product to Windows Defender.

All devices have been enrolled in Defender, and the Microsoft Security Portal is filling up with recommendations to improve the security of the client environment. This platform gives an incredible amount of useful information.

Some of the recommendations concern “Attack Surface Reduction” (ASR). These are a set of rules that can be used to reduce the attack surface (what’s in a name) of all clients in the environment. More info about those rules can be found here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide

We’ve enabled all rules, starting on some pilot devices, and quickly saw issues when deploying software through SCCM (migration to Intune is also on the roadmap). Looking at the events in Event Viewer, I stumbled upon this post: https://www.imab.dk/flipping-the-switch-part-2-1-exploit-guard-asr-challenges-co-management-with-intune-mdm-and-configmgr/

What we can conclude here is that the ASR rule “Block process creations originating from PSExec and WMI commands” causes the SCCM client to malfunction. Some more evidence can be found here: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/asr-quot-block-process-creations-originating-from-psexec-and-wmi/m-p/3709563

Before deploying these rules to production, be sure to test them properly on a few pilot devices first.
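As an added example (not part of the original post), the script below shows how I would run that pilot: put the PSExec/WMI rule in Audit mode instead of Block, then read the ASR events from the Defender operational log and group them by the process that triggered the rule, so a blocked or audited SCCM client shows up before production rollout. It assumes a Windows 10/11 device with the Defender PowerShell module, run elevated; the rule GUID is the documented one for this rule, and the event field names ('ID', 'Process Name', 'Path') are taken from the Defender event schema as I know it.

```powershell
# Added example, not from the original post. Run elevated on a pilot device.
# GUID of the ASR rule "Block process creations originating from PSExec and WMI commands".
$PsExecWmiRule = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

# 1. Audit mode on pilot devices: matches are logged (event ID 1122) but nothing is
#    prevented, so the SCCM client keeps working while you collect evidence.
Add-MpPreference -AttackSurfaceReductionRules_Ids $PsExecWmiRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Show the configured action for every ASR rule on this device
#    (0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 3. Pull ASR events from the Defender operational log: 1121 = blocked, 1122 = audited.
#    Each event's EventData fields are flattened into a hashtable keyed by field name;
#    the names 'ID', 'Process Name' and 'Path' are assumed from the Defender event schema.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ID'] -eq $PsExecWmiRule) {      # -eq is case-insensitive, GUID case varies
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
            Process = $data['Process Name']    # process that triggered the rule
            Target  = $data['Path']            # file or process the rule acted on
        }
    }
}

# 4. Group by triggering process. The SCCM client (ccmexec.exe) appearing here is
#    exactly the symptom described above, and tells you which rule to scope before Block.
$hits | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Once the pilot is clean, the same Add-MpPreference call with `-AttackSurfaceReductionRules_Actions Enabled` switches the rule to Block.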

Hope this helps,

Bert

