Hey everyone, happy Friday! I'm looking to switch my on-premises servers over to Microsoft Defender for Business because I've bought the server licenses and set everything up with Azure Arc. However, I'm confused about how to enable the ASR (Attack Surface Reduction) rules on these servers. I currently manage ASR rules through Intune, but since these servers aren't showing up there, I'm wondering if I made the wrong choice in licensing. Should I have gone for Defender for Cloud instead? Thanks for any help!
2 Answers
For managing ASR rules, I typically use on-premises Group Policy Objects (GPOs) instead of Intune for servers. It might not offer the same granular controls like per-rule exclusions, but the audits and block logs show up in Defender like they should, which is great.
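Whichever way the rules are delivered (GPO, Intune, or a local setting on a server that only reports to MDE), what actually runs on the box is Microsoft Defender Antivirus, and its ASR state can be set and verified from PowerShell. The script below is an added example, not code from the original thread or from Microsoft: it pushes a few ASR rules to an on-premises server in audit mode, reads back the effective configuration, and pulls the audit/block events from the Defender operational log. The three rule GUIDs are Microsoft's published ASR rule IDs; the choice of rules, the mode, and the exclusion path are assumptions for illustration.

```powershell
# Added example for the thread above (not original post content). Run in an elevated
# PowerShell session on a server with Microsoft Defender Antivirus installed.
# Assumptions: the three rules below are the ones you care about, audit mode is the
# starting point, and 'C:\Tools\LegacyAgent\' is a hypothetical path to exclude.

#Requires -RunAsAdministrator

# Microsoft's published ASR rule IDs for the rules used here (selection is an assumption).
$AsrRules = [ordered]@{
    'Block all Office applications from creating child processes'      = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block credential stealing from LSASS'                              = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block process creations originating from PSExec and WMI commands' = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
}

# Numeric action codes as reported by Get-MpPreference: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrRuleMode {
    # Applies one mode to the given rule IDs. Add-MpPreference merges with rules that are
    # already configured; Set-MpPreference would replace the whole list, which is rarely wanted.
    param(
        [Parameter(Mandatory)][string[]]$RuleId,
        [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Mode = 'AuditMode'
    )
    $actions = @($RuleId | ForEach-Object { $Mode })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    # Returns one object per configured rule with the action Defender currently reports.
    # This reflects the effective setting, so it also shows what a GPO or MDE policy pushed.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
        $name = ($AsrRules.GetEnumerator() | Where-Object { $_.Value -ieq $id }).Key
        [pscustomobject]@{
            RuleId = $id
            Name   = if ($name) { $name } else { '(not in this script''s table)' }
            Action = $ActionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Get-AsrEvent {
    # Event 1122 = a rule matched in audit mode, 1121 = a rule blocked something.
    # These are the same events MDE surfaces in the portal for onboarded servers.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Mode'; e = { if ($_.Id -eq 1122) { 'Audit' } else { 'Block' } } },
        Message
}

# 1. Start in audit mode so nothing breaks while you collect data.
Set-AsrRuleMode -RuleId ([string[]]$AsrRules.Values) -Mode AuditMode

# 2. Global ASR-only exclusion (hypothetical path); this is not a per-rule exclusion.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Tools\LegacyAgent\'

# 3. Verify what is actually in effect, then review what the rules would have blocked.
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvent -Hours 24 | Format-Table -AutoSize -Wrap
```

Two caveats worth knowing before relying on this. First, if a GPO (or, once the server is onboarded and the connector is on, an MDE endpoint security policy) already configures ASR rules, that policy is authoritative and the local `Add-MpPreference` values are overridden; `Get-AsrRuleState` is still useful in that case because it shows the policy-delivered state, which is the quickest way to confirm a GPO actually landed. Second, the PSExec/WMI rule is documented by Microsoft as incompatible with Configuration Manager client management, so check that before switching it from audit to block on a ConfigMgr-managed server.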
There's actually an Intune connector for Microsoft Defender that can help onboard your servers to Intune. They’re not fully enrolled yet, but just onboarded to MDE. However, Microsoft recommends using Defender for Servers (the cloud version) through Azure Arc for better management.
That’s right! Just ensure that the connector is enabled. I handle server policies through the endpoint security section in Intune, and it works pretty well.