From d0915eb16254b972109005e180a45c907a8d045c Mon Sep 17 00:00:00 2001
From: Justin Hall <justinha@microsoft.com>
Date: Tue, 7 May 2019 15:54:54 -0700
Subject: [PATCH] added description

---
 .../attack-surface-reduction-exploit-guard.md               | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index bc11df2dc3..8ea88cdbf2 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -82,7 +82,7 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
 Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
-Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Supported
+Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
 
 Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
 
@@ -270,11 +270,11 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
 ### Block persistence through WMI event subscription
 
-Windows Defender Advanced Threat Protection prevented an attempt to establish entity persistence in the WMI repo through a WMI event subscription.
+Fileless threats employ various tactics to stay hidden, to avoid being seen as a regular file in the file system. To gain periodic execution control, some threats could abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository. 
 
 Intune name: Block persistence through WMI event subscription
 
-SCCM name: Not applicable
+SCCM name: Not yet available
 
 GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b