Microsoft Tech Community

AsrPSexecWmiChildProcess audit trail


Hi!

I'm working on deploying ASR rules and have a question regarding Block process creations originating from PSExec and WMI commands. The documentation states this: 


Only use this rule if you're managing your devices with Intune or another MDM solution. This rule is incompatible with management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.


We have deployed the ASR rules in Audit mode using Intune.

However, these devices are co-managed, so I would expect to see the audit triggers for MECM (and then be able to exclude them). Is that assumption correct?

The recommendation states that the rule should not be used when using MECM. Does that mean that excluding the files seen is not sufficient? What is the recommendation for co-managed devices?


Thanks in advance for any information :)



