How to show devices that would be impacted by ASR setting

I have the ASR rule "Block persistence through WMI event subscription" set to audit and it shows that enabling it will be ok for 400 of 410 computers. It also shows which computers are not set as recommended... Is there a way to get a list of computers that it WILL impact? I would like to look at the impacted computers to see what makes them different than the other 400.

The recommendation also shows "open remediation for safe devices" as though there is a way to enable it for only the devices that would not be impacted by the change. Is there a way to enable ASR rules only on devices that the audit shows will not be impacted?

3 Replies

@stever3901 

I would imagine you could check for devices with the query below.

The query will list unique devices, but you can show the specific events by removing the third line.

DeviceEvents
| where ActionType == "AsrPersistenceThroughWmiAudited"
| distinct DeviceName

The action types per rule are listed here.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-r...
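
Building on the query in the reply above, an added example (not part of the original thread) that groups the audited events by device and collects what triggered them, so the affected machines can be compared with the rest. The 30-day lookback and the choice of columns are assumptions; the columns are standard ones in the DeviceEvents advanced hunting table.

```kusto
// Added example: per-device summary of audit hits for the WMI persistence rule.
// Assumption: a 30-day lookback window.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "AsrPersistenceThroughWmiAudited"
| summarize
    AuditHits = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    // What ran when the rule would have fired (capped at 20 distinct values each)
    InitiatingProcesses = make_set(InitiatingProcessFileName, 20),
    CommandLines = make_set(InitiatingProcessCommandLine, 20),
    Accounts = make_set(InitiatingProcessAccountName, 20)
    by DeviceName
| order by AuditHits desc
```

A device with a handful of hits from one management agent is a different case from one with hits spread across many processes, which is the distinction the per-device process and command-line sets make visible.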

@Jonhed When I try the mentioned query, nothing happens even though I know the rule is applied?

@GD2009985 

That seems odd.

Did you try to widen the time frame for the search to the last 30 days? (the maximum)