added description

This commit is contained in:
Justin Hall
2019-05-07 15:54:54 -07:00
parent b46da89d10
commit d0915eb162


@ -82,7 +82,7 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Supported
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
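Review bot: The row for "Block persistence through WMI event subscription" flips its third column from "Supported" to "Not supported", which is a status change, not a description, so the commit message "added description" does not match what this hunk does; consider a message that states the actual change. The wording should also agree with the per-rule section, which in the same commit uses "Not yet available" for the SCCM name: pick one term ("Not supported" or "Not yet available") and use it in both places so readers do not infer two different states.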
@ -270,11 +270,11 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
### Block persistence through WMI event subscription
Windows Defender Advanced Threat Protection prevented an attempt to establish entity persistence in the WMI repo through a WMI event subscription.
Fileless threats employ various tactics to stay hidden, to avoid being seen as a regular file in the file system. To gain periodic execution control, some threats could abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.
Intune name: Block persistence through WMI event subscription
SCCM name: Not applicable
SCCM name: Not yet available
GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
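Review bot: "SCCM name: Not applicable" becomes "SCCM name: Not yet available", but the summary table row for the same rule (GUID e6db77e5-3df2-4cf1-b95a-636979351e5b) in the earlier hunk says "Not supported"; these should use identical wording, since "not yet available" implies planned support and "not supported" does not. Separately, the description line "Windows Defender Advanced Threat Protection prevented an attempt to establish entity persistence in the WMI repo through a WMI event subscription." reads like an alert string rather than a rule description ("entity persistence", "WMI repo"); if it is intended as the rule's description, consider rewording it to match the other rule sections, e.g. "This rule prevents persistence through WMI event subscriptions."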