Thank you for your patience. After cross-team discussion within product engineers, they confirmed that deploying ASR rules via MDE attach to server 2016 is not a supported scenario.

They will update the document to clarify this supportability. Apologize for the inconvenience caused.

Please feel free to let me know if you have any further questions or concerns.

Manually Fix

Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled

Block Adobe Reader from creating child processes7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block execution of potentially obfuscated scripts 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macros 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block JavaScript or VBScript from launching downloaded executable content D3E037E1-3EB8-44C8-A917-57927947596D
Block all Office applications from creating child processes D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block process creations originating from PSExec and WMI commands D1E49AAC-8F56-4280-B9BA-993A6D77406C
Block Office applications from creating executable content 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Use advanced protection against ransomware C1DB55AB-C21A-4637-BB3F-A12568109D35
Block executable content from email client and webmail BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550

GPO