vBluePeter01_85
Jan 05, 2023
ASR "Block process creations originating from PSExec and WMI commands" in enterprise context
Hi all,
I would like to set this ASR rule to block in an enterprise environment that is managed by SCCM and/or Intune.
Has anyone done this? And what are the best practices to accomplish this so an admin can still do their job?
Regards,
Peter
NickNieuwenhuis
Hi,
You can use this ASR rule only with Intune, since it is incompatible with management through Configuration Manager: this rule blocks the WMI commands the Configuration Manager client uses to function correctly (see this table for reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rules-supported-configuration-management-systems).
Other than that, I would opt to deploy it in audit mode to all admins that need to use it and evaluate the results through the ASR report in M365 Defender (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report?view=o365-worldwide).
After evaluating (think 7-14 days minimum), you can create exclusions if necessary (though these would affect all ASR rules), deploy it in block mode for all admins, or, if you want to be really sure, deploy it to a couple of admins in the target group to see whether anything happens that was missed during the evaluation period mentioned before.
I hope this helps.

adampra86
As you rightly quoted, this rule should only be used when managing devices with Intune or another MDM solution (but not with Microsoft Endpoint Configuration Manager, SCCM, or whatever the name may be now). Then you state, “Other than that, I would opt to deploy it in audit mode to all admins that need to use it”. Isn’t it the SCCM client where the WMI commands originate from? So are you suggesting not managing admin workstations with SCCM, or co-managing them? Could you please elaborate so that it is clearer? Thank you!
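The audit-then-block rollout described in the first reply, shown as a local PowerShell pilot on a single admin workstation. This is an added example, not code from the thread or from Microsoft; in production the rule would be pushed through an Intune endpoint security policy, and the local commands below are only for staging and verifying the rule on a test device that is not managed by Configuration Manager. The rule GUID used is Microsoft's published identifier for "Block process creations originating from PSExec and WMI commands"; confirm it against the ASR rules reference page linked in the first reply before use. Event IDs 1122 (audited) and 1121 (blocked) are the documented Defender operational log events for ASR rule matches.

```powershell
# Added example, not from the original thread.
# Run in an elevated PowerShell session on a pilot device that is NOT managed by
# Configuration Manager (the rule blocks WMI calls the ConfigMgr client depends on).

# Microsoft's published GUID for "Block process creations originating from PSExec and WMI commands".
$RuleId = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

# --- Step 1: deploy in audit mode. Nothing is blocked; matches are logged as Event ID 1122.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Confirm the effective state. Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $RuleId) {
        "Rule $RuleId action code: $($pref.AttackSurfaceReductionRules_Actions[$i])"
    }
}

# --- Step 2: during the 7-14 day evaluation window, review what the rule would have blocked.
# 1122 = audit-mode match, 1121 = block-mode match. The rule GUID appears in the event message.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match $RuleId } |
  Select-Object TimeCreated, Id, Message |
  Format-List

# --- Step 3: once the audit results show no legitimate admin tooling tripping the rule,
# switch the same rule to block mode (Enabled = Block).
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Step 2 is the local equivalent of the ASR report in M365 Defender mentioned in the reply: on a fleet you would read the same events centrally, but on a pilot box the operational log tells you directly which process launches would have been blocked. Run Step 3 only after that review, and keep in mind the reply's caveat that ASR exclusions are global across all rules rather than scoped to this one.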