How to prevent Azure Arc ESU (Extended software updates) causing WithSecure EPP and EDR to give false positives?

Tomi Aaltonen 20 Reputation points
2023-10-19T05:40:20.6866667+00:00

Hi All.

We set up WithSecure EPP (Endpoint Protection) and EDR (Endpoint Detection and Response) a few weeks ago, and a week before that we had onboarded all of our servers to Azure Arc for scheduled patching etc.

Everything was fine until I enabled ESU on our three Windows 2012 R2 servers. Almost immediately after enabling ESU on these three servers we started to get alerts from EDR and EPP about these three servers.

It would be great if you could confirm that GC_Service.exe is doing what it is supposed to do, and is there anything else I could do besides excluding GC_Service.exe from EPP/EDR?

Alerts are triggered because of Base64 decoding and GC_Service.exe using PowerShell.

Here is the detection tree:

[Five screenshots of the EDR detection tree, not reproduced here.]


Accepted answer
Monalla-MSFT 13,071 Reputation points Moderator
2023-10-25T16:58:09.0366667+00:00

@Tomi Aaltonen - Welcome to Microsoft Q&A and thanks for reaching out to us.

It's doing what's expected for Guest Config and can be excluded from Endpoint Detection and Response.

Hope this helps, and please feel free to reach out if you have any further questions.

If the above response was helpful, please feel free to "Accept as Answer" and click "Yes" so it can be beneficial to the community.

1 person found this answer helpful.
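A defender-side triage check for the behaviour described in this thread, added here as an example; it is not code from the post, from WithSecure or from Microsoft. It lists PowerShell processes spawned by GC_Service.exe (the process name given in the question), decodes any Base64 -EncodedCommand argument so the "Base64 decoding" alert can be reviewed in clear text, and reports the parent binary's Authenticode signature, which is the evidence worth capturing before granting an EPP/EDR exclusion. Only the process name comes from the question; the install path is read at runtime rather than assumed.

```powershell
# Added triage example (not from the original post). Assumes a Windows host
# onboarded to Azure Arc where the Guest Configuration service runs as
# GC_Service.exe, as described in the question above. Run in an elevated
# PowerShell session so process command lines and paths are readable.

function Get-GuestConfigPowerShellActivity {
    $parents = Get-CimInstance Win32_Process -Filter "Name = 'GC_Service.exe'"
    if (-not $parents) { Write-Host "No GC_Service.exe process found."; return }

    foreach ($parent in $parents) {
        Write-Host "Parent PID $($parent.ProcessId): $($parent.ExecutablePath)"

        # Signature status of the parent binary: a valid Microsoft signature
        # supports treating the child PowerShell activity as expected.
        if ($parent.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $parent.ExecutablePath
            Write-Host "  Signature: $($sig.Status) / $($sig.SignerCertificate.Subject)"
        } else {
            Write-Host "  Signature: executable path not readable (run elevated)"
        }

        # Child PowerShell processes of this GC_Service.exe instance
        $children = Get-CimInstance Win32_Process -Filter "ParentProcessId = $($parent.ProcessId)" |
            Where-Object { $_.Name -match '^(powershell|pwsh)\.exe$' }

        foreach ($child in $children) {
            Write-Host "  Child PID $($child.ProcessId): $($child.CommandLine)"

            # -EncodedCommand (also -enc / -ec / -e) carries Base64 of UTF-16LE text;
            # decoding it shows what the alert flagged as "Base64 decoding".
            if ($child.CommandLine -match '-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)') {
                $bytes   = [Convert]::FromBase64String($Matches[1])
                $decoded = [Text.Encoding]::Unicode.GetString($bytes)
                Write-Host "  Decoded command:`n$decoded"
            }
        }
    }
}

Get-GuestConfigPowerShellActivity
```

Keep the decoded command text and signature output with the exclusion request, so the EPP/EDR exclusion is scoped to the signed GC_Service.exe parent rather than to all PowerShell use on the server.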
