We have ASR configurations in Intune that MDE is enforcing... sort of. We have some ASR rules deployed in the Microsoft Defender for Endpoint Baseline (which doesn't contain an exceptions option). There are additional ASR rules in the Attack Surface Reduction blade of Intune, which does allow for exceptions. Both of these sections contain some ASR rules that are exactly the same, so the question is: which ASR rule set does MDE actually enforce? The ones in the baseline or the ones in the ASR blade? Here are the ASR rules from each section for reference so you can understand what I'm talking about (the orange ones denote the same rule in both places):
Microsoft Defender for Endpoint Baseline
- Block Office communication apps from creating child processes
- Block Adobe Reader from creating child processes
- Block Office applications from injecting code into other processes
- Block Office applications from creating executable content
- Block JavaScript or VBScript from launching downloaded executable content
- Enable network protection
- Block untrusted and unsigned processes that run from USB
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block executable content download from email and webmail clients
- Block all Office applications from creating child processes
- Block execution of potentially obfuscated scripts (js/vbs/ps)
- Block Win32 API calls from Office macro
Attack Surface Reduction section
- Block Adobe Reader from creating child processes
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macros
- Block credential stealing from the Windows local security authority subsystem
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block JavaScript or VBScript from launching downloaded executable content
- Block Office communication application from creating child processes
- Block all Office applications from creating child processes
- Block untrusted and unsigned processes that run from USB
- Block persistence through WMI event subscription
- Block abuse of exploited vulnerable signed drivers (Device)
- Block process creations originating from PSExec and WMI commands
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Use advanced protection against ransomware
- Block executable content from email client and webmail
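Whichever profile wins the conflict, the state that matters is what Defender reports on the device itself. The following PowerShell is an added example (not from the post or from Microsoft) that reads the effective ASR rules, their actions and the ASR-only exclusions via Get-MpPreference, and flags any of the rules that appear in both lists above that are not in Block mode. The GUID-to-name table is reproduced from memory of Microsoft's public ASR rule reference and should be verified against the current docs before relying on it.

```powershell
# Rule GUID -> name for the rules that appear in both the baseline and the ASR blade.
# Assumption: GUIDs written from memory; confirm against Microsoft's ASR rule reference.
$overlapRules = @{
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication apps from creating child processes'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
}
# Action codes as reported by Get-MpPreference.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-EffectiveAsrState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $rows = for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = ([string]$ids[$i]).ToLower()
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $id
            Rule   = if ($overlapRules.ContainsKey($id)) { $overlapRules[$id] } else { '(rule not in overlap table)' }
            Action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
        }
    }
    # Overlap rules that are missing from the device, or present but not blocking.
    $notBlocking = $overlapRules.Keys | Where-Object {
        $row = $rows | Where-Object RuleId -eq $_
        -not $row -or $row.Action -ne 'Block'
    } | ForEach-Object { $overlapRules[$_] }
    [pscustomobject]@{
        Rules             = $rows
        Exclusions        = @($pref.AttackSurfaceReductionOnlyExclusions)
        NetworkProtection = $pref.EnableNetworkProtection   # network protection is a separate setting, not an ASR rule
        OverlapNotBlocking = @($notBlocking)
    }
}

$state = Get-EffectiveAsrState
$state.Rules | Sort-Object Rule | Format-Table Rule, Action, RuleId -AutoSize
"ASR-only exclusions in force: $($state.Exclusions -join ', ')"
"Network protection (0=Off, 1=Block, 2=Audit): $($state.NetworkProtection)"
"Overlap rules not in Block mode: $($state.OverlapNotBlocking -join '; ')"
```

Run it in an elevated session on a device that has received both profiles; if a rule you set to Block in one profile shows Audit or Disabled here, the other profile is the one being applied, and the exclusions line tells you whether the ASR blade's exceptions survived.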