berket2020 asked:

Exclude Powershell from ASR rule

Hi

In Endpoint security we have an attack surface reduction policy setup.

We noticed that this policy was preventing our PowerShell scripts from running from SCCM.

We made an exclusion here:

[screenshot: image.png, the ASR exclusion as configured]

This allowed SCCM to execute scripts once the exception was made.

The issue however is, this will allow the end user to execute PowerShell scripts as well since there is an exclusion.

Is there any way to let SCCM be excluded but still prevent users from running PowerShell scripts?

Thanks


Jason-MSFT answered:

What setting exactly in your ASR policy do you have configured that you believe is blocking PowerShell script execution (as there are no built-in rules that do this)?


Hi @Jason-MSFT

Here is a screenshot of the configuration: [screenshot: policiesendpoint1.jpg, the ASR rules in the policy]

I am not sure which one would block SCCM scripts. However, when I exclude the PowerShell path, the SCCM script works fine.

I have tried to exclude the exact path to the script with no luck.


Ultimately, ASR rules cannot be filtered by user. My guess here is that the obfuscation rule is blocking their execution though. Can you test flipping that?


Hi @Jason-MSFT

You are correct, the obfuscation rule is the one blocking SCCM scripts.

With that confirmation, can we exempt SCCM but have other scripts blocked?

JarvisSun-MSFT answered:
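To confirm which ASR rule is firing (and on which path and user) rather than guessing, the following PowerShell diagnostic is an added example, not from this thread or from Microsoft; it assumes Microsoft Defender Antivirus with its PowerShell module, an elevated session, and the documented rule GUID for "Block execution of potentially obfuscated scripts". It also lists the ASR-only exclusions, which are device-wide, so an excluded path is exempt for SCCM and for interactive users alike, which is exactly the limitation discussed above.

```powershell
# Added diagnostic (not from the thread): enforced ASR rules, device-wide ASR exclusions,
# and recent ASR block/audit events with the rule ID and path that triggered them.
$ObfuscatedScriptsRule = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)   # parallel array to Ids
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            RuleId              = $ids[$i]
            Action              = $ActionNames[[int]$actions[$i]]
            IsObfuscatedScripts = ($ids[$i] -ieq $ObfuscatedScriptsRule)
        }
    }
}
function Get-AsrExclusions {
    # These apply to every ASR rule and every user on the device; no per-user scoping.
    @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
}
function Get-AsrEvents {
    param([int]$Hours = 24)
    # Event 1121 = rule enforced (block); 1122 = rule hit while in audit mode.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData field names ('ID', 'User', 'Path', 'Process Name') are assumed from
        # the event schema; adjust if your Defender build names them differently.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = @{ 1121 = 'Block'; 1122 = 'Audit' }[[int]$_.Id]
            RuleId  = $data['ID']
            User    = $data['User']
            Process = $data['Process Name']
            Path    = $data['Path']
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize
Get-AsrExclusions
Get-AsrEvents | Format-Table -AutoSize
```

Run it on an endpoint where the SCCM script just failed: an event with RuleId equal to the obfuscated-scripts GUID and the script's path confirms the rule, and the User field shows which account (SYSTEM for the SCCM client, or the interactive user) was hit.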

@berket2020 Thanks for posting in our Q&A.
We can use role-based access control and scope tags to make sure that the right admins have the right access and visibility to the right Intune objects. On the Scope Groups page, select the groups containing the users that you want to prevent from running PowerShell scripts.
Please refer to: https://docs.microsoft.com/en-us/mem/intune/fundamentals/scope-tags



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



@JarvisSun-MSFT

I have a group to which this policy is assigned. It works fine and blocks PowerShell.

The issue is, because it's blocked, SCCM cannot execute PowerShell scripts when we need to push something out to the endpoints.


How can we create an exception for SCCM but still have it blocked for the end user?

Can we exclude the service account SCCM uses?

[screenshot: groups.jpg, the policy's assigned groups]

@berket2020 I think we can try your proposal, exclude the service account SCCM uses, and see if it works.


ConfigMgr doesn't have or use any service accounts and that's not how policies work in Intune.
