Why isnt the remediation improving the exposure score in Microsoft defender?

Question

I am trying to improve our exposure score on Microsoft Defender and noted that "Block persistence through WMI event subscription" has a remediation which Ive already applied since almost a month now.

Remediation:

• Ensure that Microsoft Defender Antivirus is turned on as the primary antivirus solution, with Real-Time Protection enabled. (checked and applied given the 0 exposed devices, and 0 impact) defender on

• Enable this ASR rule in Block mode using Group Policy (done) ASR enabled

However, despite the attack surface reduction rule blocking persistence through WMI event subscriptions as reported on MEM (endpoint manager/intune), it just doesnt seem to be really syncing with the remediation on Microsoft defender. The impact appears to have remained the same, and even my PC, despite the latest updates, appears to still reflect as an exposed device.

Answer 1

Corrected response. Thinking

The "Turn on Antivirus" example looks correct. You have 0 exposed so the exposure is 0.

The WMI ASR rule may not be recognizing the method you are using. The OMA-URI rule. If you look in the Endpoint Security section there is a built-in policy for ASR rule configuration. Way easier than OMA-URI and harder to make mistakes.

Answer 2

I am not clear based on the images shared. Your first image to for antivirus. You should be looking under Secure Score or Recommendations in the M365 Defender portal, specifically for WMI persistence finding. You might also look at the ASR report.