ASR Rule "Block persistence through WMI event subscription" missing
The ASR Rule "Block persistence through WMI event subscription" cannot be configured via Intune,
neither via "Devices | Configuration profiles" nor via "Endpoint security | Attack surface reduction".
However, this is advertised in Windows Defender ATP, Microsoft Secure Score, and docs.microsoft.com
This has been added to the Intune ASR rules.
I do not consider this closed until we get it as an option in Intune security baselines. It does not merge if added to a custom device configuration profile either. So more work needs to be done here before I'm happy.
Just added to Intune:
Configure Attack surface reduction rules to block malware from gaining persistence through WMI
You can now configure the rule named Block persistence through WMI event subscription as part of an Attack surface reduction rules profile in Endpoint security.
This rule prevents malware from abusing WMI to attain persistence on a device. Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
When configured as a setting for Attack surface reduction policy for Endpoint security, the following options are available:
• Not configured (default) – The setting returns to the Windows default, which is off and persistence is not blocked.
• Block – Persistence through WMI is blocked.
• Audit – Evaluate how this rule affects your organization if it's enabled (set to Block).
• Disable – Turn this rule off. Persistence is not blocked.
This rule doesn’t support the Warn option, and is also available as a Device configuration setting from the Settings catalog.
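For devices the Intune policy has not reached yet, the same rule can be inspected and staged locally with the Defender cmdlets. The following script is an added example, not part of the release note or this thread; it assumes the rule GUID for "Block persistence through WMI event subscription" is supplied as `-RuleId` (the value is published in Microsoft's ASR rule reference and is not reproduced here), and it maps the cmdlet action codes onto the four options listed above.

```powershell
# Added example: report one ASR rule's local state in the release note's wording,
# and stage it Audit -> Block. Assumption: $RuleId is the GUID of the WMI
# persistence rule, taken from Microsoft's ASR rule reference (placeholder here).
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9a-fA-F-]{36}$')]
    [string]$RuleId   # e.g. '<WMI-persistence-rule-GUID>'
)

# Action codes returned by Get-MpPreference, named as in the Intune options above.
# Warn (6) is listed for completeness; this particular rule does not support it.
$ActionNames = @{ 0 = 'Disable'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $i = [Array]::IndexOf($ids, $Id.ToLower())
    # Absent from the list = "Not configured": Windows default, rule off, nothing blocked.
    if ($i -lt 0) { return 'Not configured' }
    $code = [int]$acts[$i]
    if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
    return "Unknown ($code)"
}

function Set-AsrRuleState {
    param(
        [string]$Id,
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')][string]$Action
    )
    # Set-MpPreference merges into the existing rule list; other rules keep their actions.
    Set-MpPreference -AttackSurfaceReductionRules_Ids $Id `
                     -AttackSurfaceReductionRules_Actions $Action
}

Write-Host ("Rule {0} is currently: {1}" -f $RuleId, (Get-AsrRuleState -Id $RuleId))

# Staging as the release note suggests: evaluate in Audit first, then switch to Block
# once the Defender operational log (event 1122 = audited, 1121 = blocked) shows only
# expected hits. Uncomment to apply.
# Set-AsrRuleState -Id $RuleId -Action AuditMode
# Set-AsrRuleState -Id $RuleId -Action Enabled
```

Run it from an elevated PowerShell session; `Get-MpPreference` returns the effective configuration regardless of whether it was pushed by Intune, Group Policy or set locally.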
3 votes - "would be nice to configure this in Endpoint Manager (Exploit guard - ASR Rules)"
Thorir Baldursson commented
You can also do a custom configuration policy with the following settings
Data type: String
Christopher Rhoda commented
If you don't want to wait, you can block this now in Group Policy using https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction#group-policy
by using Value Name:
Also got the 'Microsoft Defender Security Center' security recommendations rating this action as a high impact recommendation (i.e. one that is important to make) and suggesting MDM or Intune as the remediation options (both of which aren't available!)
A UserVoice idea (i.e. product improvement suggestion) should not be the path to resolution.
We're not asking for a new feature, we're asking for a fix for a bug in existing functionality...
The Issue I opened for the document also isn't getting a lot of attention (https://github.com/MicrosoftDocs/windows-itpro-docs/issues/7053)
Good to know others are not seeing this either, thought it was just me!
I don't understand why this feature is not implemented yet. This ASR Rule has existed since Windows 10 1903.