Proactive Remediations - Security Recommendations Defender Endpoint
Thanks for your reply.
You can't disable persistence via WMI via Intune.
This one you can - GUID - d1e49aac-8f56-4280-b9ba-993a6d77406c
This one you can't - GUID - e6db77e5-3df2-4cf1-b95a-636979351e5b
As explained here
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
It requires a PowerShell script to be written and signed, with both the script and the signing certificate published to Windows endpoints. I haven't signed the PowerShell script yet and am figuring out a safe way to store it "publicly" - I have no website, so I am thinking about putting them into a SharePoint site that is available to all. I have run the PowerShell ASR script locally on 3 test machines and am waiting for Defender Endpoint to report back to see if the recommendation closes on these machines (which it should, as this happens when I close recommendations on a test machine (test) and then the entire tenant).
I will get back to you asap (probably a week - my day job isn't info tech) on the Acrobat problem and your recommendation, but for now I might investigate if I can close these via hash blocks in Defender Endpoint (some additional testing is now required on how Acrobat runs Java and Flash).
Thanks.
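As an added example (not code from the thread or from Microsoft), here is what the detection/remediation pair for an Intune Proactive Remediations package can look like for the second GUID above, "Block persistence through WMI event subscription". It assumes the Defender PowerShell module is available on the endpoint and that the script is signed before upload, as described above.

```powershell
# Added example, not from the thread. Enforces the ASR rule quoted above
# (Block persistence through WMI event subscription) via Proactive Remediations.
$RuleId = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'   # GUID from the thread
$Block  = 1   # ASR action values: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn

function Get-AsrRuleAction {
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # Ids and Actions are parallel arrays; the index of the Id gives its action.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$actions[$i] }
    }
    return $null   # rule not configured at all
}

# Detection: $true when the rule is already in Block mode.
function Test-AsrRule {
    return ((Get-AsrRuleAction -Id $RuleId) -eq $Block)
}

# Remediation: set the rule to Block, then re-read it rather than trusting the call.
function Repair-AsrRule {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    return (Test-AsrRule)
}

# Proactive Remediations expects two scripts: upload the block below as the
# detection script (exit 0 = compliant, 1 = remediate) and a copy that calls
# Repair-AsrRule instead of Test-AsrRule as the remediation script.
if (Test-AsrRule) {
    Write-Output "ASR $RuleId is in Block mode"
    exit 0
}
$current = Get-AsrRuleAction -Id $RuleId
Write-Output "ASR $RuleId action is '$current', expected $Block"
exit 1
```

If the remediation reports success but the rule reverts, a GPO or MDM policy for the same setting takes precedence over the local preference, and the change has to be made there instead.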
Btw: this setting is currently in development to be configured through the portal. If I were you I would hold on a little longer and configure it natively. https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development#new-setting-for-attack-surface-reduction-rules-to-block-malware-from-gaining-persistence-through-wmi
- braedachau, Jan 14, 2021, Brass Contributor
I have enabled this via PowerShell, although I found issues with Azure AD and Intune.
I will move this to the native solution when available and keep developing PowerShell scripts to deploy to fix the other shortcomings.
Thanks