Why isnt the remediation improving the exposure score in Microsoft defender?

Cataster 641 Reputation points

I am trying to improve our exposure score on Microsoft Defender and noted that "Block persistence through WMI event subscription" has a remediation which Ive already applied since almost a month now.


  • Ensure that Microsoft Defender Antivirus is turned on as the primary antivirus solution, with Real-Time Protection enabled. (checked and applied given the 0 exposed devices, and 0 impact) defender on


  • Enable this ASR rule in Block mode using Group Policy (done) ASR enabled


However, despite the attack surface reduction rule blocking persistence through WMI event subscriptions as reported on MEM (endpoint manager/intune), it just doesnt seem to be really syncing with the remediation on Microsoft defender. The impact appears to have remained the same, and even my PC, despite the latest updates, appears to still reflect as an exposed device.


Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,805 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,571 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Andrew Blumhardt 9,676 Reputation points Microsoft Employee

    Corrected response. Thinking

    The "Turn on Antivirus" example looks correct. You have 0 exposed so the exposure is 0.

    The WMI ASR rule may not be recognizing the method you are using. The OMA-URI rule. If you look in the Endpoint Security section there is a built-in policy for ASR rule configuration. Way easier than OMA-URI and harder to make mistakes.

  2. Andrew Blumhardt 9,676 Reputation points Microsoft Employee

    I am not clear based on the images shared. Your first image to for antivirus. You should be looking under Secure Score or Recommendations in the M365 Defender portal, specifically for WMI persistence finding. You might also look at the ASR report.