We've been struggling trying to get Patch manager operational for us. We use windows firewall on the client side to block incoming SMB. It's really the best way to protect from a lot of trojans out there today - everything from Wannacry to EMOTET, and we started recently doing this as a recommendation from one of our high regarded security groups.
This obviously causes issues with things like patch manager and other central deployment software. I figured, we can let some servers through, but keep the client to client stuff still blocked as well as servers that don't need to talk SMB to the clients.
I've tried a few different approaches in solving this, the first being to just put an allow rule in from specific IP addresses over the typical SMB ports (445, 135, 139). This doesn't work because the block rule takes precedence.
In reading a few primers on this, I decided to bring out a test GPO and do the following methods:
Put Allow rules in for File and Print services, then modify the two SMB rules to only allow from secure connections, and add the patch manager computer to the allow list. This did not work - it allows SMB from everything.
The other method I tried (and failed) was to enable "Windows Defender Firewall: Allow inbound file and print sharing exception" - and then adding the IP address of our patch manager server. This had the same result as above, SMB was allowed from everywhere.
This was performed on a clean OU that blocked GPO inheritance - so I'm not getting some conflict elsewhere.
I also looked at the agent as a possible solution, but it seems that would also need SMB access to get installed.
Does anyone have any recommendations/suggestions for next step with this? We do block SMB between our LAN segments, but this does not protect computers on the same LAN from each other - so this is a protection we want to keep in place.