Maybe it was unclear in my first post: all endpoints are onboarded to Intune, and all ASR exceptions are set through Intune, using the provided CSV or manually with wildcards...
Endpoints are hybrid AD joined and co-managed with the workload in Intune; no Exploit Guard setting in MECM in the past.
Using the PowerShell command Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids & AttackSurfaceReductionRules_Actions we can see which rules are configured and set to block mode.
Get-MpPreference | select AttackSurfaceReductionOnlyExclusions never shows any exclusions, in audit or in block mode, on the endpoint... this is the issue.
Using Set-MpPreference -AttackSurfaceReductionOnlyExclusions will work partially... it will show in the previous command, but the excluded item still shows up in the Intune report... so not excluded, from my point of view.
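
A read-only check for the situation described in the post above, added here as an example and not part of the original post: it pairs each configured ASR rule ID with its action, then lists ASR-only exclusions side by side from Get-MpPreference and from the policy registry. The registry key and the ASROnlyExclusions value name (pipe-delimited) are assumptions about where MDM-delivered Defender policy lands on the endpoint; adjust them if your build differs.

```powershell
# Added example: read-only, run in an elevated PowerShell session on the endpoint.
$pref = Get-MpPreference

# Action values used by AttackSurfaceReductionRules_Actions.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# The two properties are parallel arrays: index N of _Ids matches index N of _Actions.
$ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$rules = for ($i = 0; $i -lt $ids.Count; $i++) {
    $a = [int]$actions[$i]
    [pscustomobject]@{
        RuleId = $ids[$i]
        Action = if ($actionName.ContainsKey($a)) { $actionName[$a] } else { "Unknown ($a)" }
    }
}
$rules | Format-Table -AutoSize

# Exclusions as reported by the Defender cmdlet.
$cmdletExclusions = @($pref.AttackSurfaceReductionOnlyExclusions | Where-Object { $_ })

# Assumption: policy-delivered exclusions are stored here as one pipe-delimited string.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
$raw = (Get-ItemProperty -Path $key -Name 'ASROnlyExclusions' -ErrorAction SilentlyContinue).ASROnlyExclusions
$policyExclusions = @(if ($raw) { $raw -split '\|' | Where-Object { $_ } })

# One row per path, showing which of the two sources reports it.
$all = @($cmdletExclusions + $policyExclusions | Sort-Object -Unique)
if ($all.Count -eq 0) {
    Write-Output 'No ASR-only exclusions found in either source.'
} else {
    $all | ForEach-Object {
        [pscustomobject]@{
            Path               = $_
            InGetMpPreference  = $cmdletExclusions -contains $_
            InPolicyManagerKey = $policyExclusions -contains $_
        }
    } | Format-Table -AutoSize
}
```

A path that appears in only one column shows which source (local Set-MpPreference or delivered policy) the endpoint is actually reporting, which helps separate a policy delivery gap from a reporting gap.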