Forum Discussion
How to show devices that would be impacted by ASR setting
I have the ASR rule "Block persistence through WMI event subscription" set to audit and it shows that enabling it will be ok for 400 of 410 computers. It also shows which computers are not set as recommended... Is there a way to get a list of computers that it WILL impact? I would like to look at the impacted computers to see what makes them different than the other 400.
The recommendation also shows "open remediation for safe devices" as though there is a way to enable it for only the devices that would not be impacted by the change. Is there a way to enable ASR rules only on devices that the audit shows will not be impacted?
- Jonhed (Steel Contributor)
I would imagine you could check for devices with the query below.
The query will list unique devices, but you can show the specific events by removing the third line.
    DeviceEvents
    | where ActionType == "AsrPersistenceThroughWmiAudited"
    | distinct DeviceName
The action types per rule are listed here:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-persistence-through-wmi-event-subscription
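
For comparing the flagged devices against the rest, the query in the answer above can be extended to summarize what triggered the audit events on each device. This is an added example, not part of the original thread; the 30-day lookback is an assumption, and it assumes the initiating-process columns of `DeviceEvents` are populated for this action type in your tenant.

```kusto
// Added example: per-device summary of audit hits for the WMI persistence rule.
DeviceEvents
| where Timestamp > ago(30d)   // assumed lookback window
| where ActionType == "AsrPersistenceThroughWmiAudited"
| summarize
    AuditHits = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    // Processes and accounts behind the events, capped to keep rows readable
    Processes = make_set(InitiatingProcessFileName, 20),
    SampleCommandLines = make_set(InitiatingProcessCommandLine, 5),
    Accounts = make_set(InitiatingProcessAccountName, 10)
    by DeviceName
| order by AuditHits desc
```

A process name that recurs across the flagged devices (for example a management or monitoring agent) is the usual candidate for an exclusion review before moving the rule from audit to block.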