Exclude Powershell from ASR rule

berketjune2012 371 Reputation points
2021-08-10T15:08:38.3+00:00

Hi

In Endpoint security we have an attack surface reduction policy setup.

We noticed that this policy was preventing our PowerShell scripts from running from SCCM.

We made an exclusion here:

122033-image.png

This allowed SCCM to execute scripts one the exception was made.

The issue however is, this will allow the end user to execute PowerShell scripts as well since their is an exclusion.

Is there anyway to let SCCM be excluded but still prevent users from running PowerShell scripts?

Thanks

Microsoft Intune Configuration
Microsoft Intune Configuration
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Configuration: The process of arranging or setting up computer systems, hardware, or software.
1,747 questions
0 comments No comments
{count} votes

Accepted answer
  1. Jason Sandys 31,176 Reputation points Microsoft Employee
    2021-08-11T15:36:59.39+00:00

    What setting exactly in your ASR policy do you have configured that you believe is blocking PowerShell script execution (as there are no built-in rules that do this)?


1 additional answer

Sort by: Most helpful
  1. Jarvis Sun-MSFT 10,096 Reputation points Microsoft Vendor
    2021-08-11T08:15:15.187+00:00

    @berketjune2012 Thanks for posting in our Q&A.
    we can use role-based access control and scope tags to make sure that the right admins have the right access and visibility to the right Intune objects. On the Scope Groups page, select the groups containing the users that you want to prevent running PowerShell scripts.
    Please refer to: https://learn.microsoft.com/en-us/mem/intune/fundamentals/scope-tags


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.