The Microsoft Defender Security Center Threat & Vulnerability Management security recommendations refer to "Block persistence through WMI event subscription" as an action to be taken to reduce the attack surface.
Creating an Attack Surface Reduction profile via the Microsoft Endpoint Manager admin center does not show "Block persistence through WMI event subscription" as a configuration option.
The only WMI-related option is "Block process creations originating from PSExec and WMI commands"?
Same here....
And here
Dear @SteffanH ,
the option "block persistence through wmi event subscription" is not available (or not available yet) in Intune. I created a PR to fix this in the article.
You can enable this rule using PowerShell or GPO.
Thank you
@MaratMussabekov , where can I find documentation on how to enable this via PowerShell?
Hello @SteffanH ,
please see this article.
Thank you
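The PowerShell route mentioned above, as an added example that is not part of any comment in this thread or of the linked article: it reads the rule's current state with `Get-MpPreference`, switches it to Block with `Add-MpPreference` if needed, and verifies the result. The helper name `Get-AsrRuleState` is hypothetical; the GUID is the one quoted in this thread, and an elevated session on a machine running Microsoft Defender Antivirus is assumed.

```powershell
# Added example (not from the thread): check and enable
# "Block persistence through WMI event subscription" locally.
$RuleId = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'   # GUID quoted in this thread

# Numeric action values as reported by Get-MpPreference
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Id)

    $pref    = Get-MpPreference
    # Ids and Actions are parallel arrays: Actions[i] belongs to Ids[i]
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {     # GUID comparison, case-insensitive
            return [int]$actions[$i]
        }
    }
    return $null                     # rule is not configured at all
}

$before = Get-AsrRuleState -Id $RuleId
if ($null -eq $before) {
    Write-Host "Rule $RuleId is not configured."
} else {
    Write-Host "Rule $RuleId is currently: $($ActionNames[$before]) ($before)"
}

if ($before -ne 1) {
    # Add-MpPreference appends to the existing rule set;
    # Set-MpPreference would replace the whole set with this one rule.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Verify instead of assuming the change was applied.
$after = Get-AsrRuleState -Id $RuleId
if ($after -ne 1) {
    throw "Rule $RuleId is not in Block mode after the change (state: $after)."
}
Write-Host "Rule $RuleId is in Block mode."
```

To observe the rule's effect before enforcing it, replace `Enabled` with `AuditMode` and expect state 2 in the verification step.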
Not sure why this was assigned to me? It's not an area I know anything about and isn't my article.
@jaimeo Apologies for the mistake from my end. The issue should in fact be closed as it has been answered by Marat. Thank you.
You can simply use a custom Configuration Profile in Intune with the CSP GUID for the ASR rule.
OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Data type: String
Value: {e6db77e5-3df2-4cf1-b95a-636979351e5b}=1
This shouldn't be closed.
The policy is still not available via Endpoint Manager.
And I personally don't want to write up an entire ASR Rule into a String to use for a Policy CSP.
When will this ASR rule be possible to set via Endpoint Manager?
> When will this ASR rule be possible to set via Endpoint Manager?
That looks like a question for the Microsoft developers. To reach them, you should post your question in the Feedback App or Feedback feature within your OS.
Also, if I may add some practical information, just for the sake of keeping you informed:
Wish I could help, but this repository is not intended for regular support issues, support requests or support questions.
You may want to look elsewhere for answers, unless you have suggestions for improving one or more specific pages in the MS Docs repository.
Disclaimer: I am not affiliated with Microsoft or the Microsoft Docs teams here on GitHub.
The intention of this repository is to improve on the existing documentation by providing the users a way to report factual errors, improvement suggestions and request updates for new versions.
The MS Docs team members might not have time to answer your question, both due to the small size of the team and the big workload.
Try the following resources to get in touch with users who may be able to help you: