Microsoft confirms WMIC removal in Windows 11 25H2 to boost security and block malware

Late last month, Microsoft released Windows 11 version 25H2, and removed legacy tool like the Windows Management Instrumentation Command-line (WMIC) utility. These changes are part of Microsoft’s ongoing efforts to streamline the operating system and enhance security.

Now, in a recent Microsoft 365 Message Center update spotted by folks at Bleeping Computer, the company has urged admins to transition from using WMIC to more modern tools, confirming its removal.

To be precise, Microsoft recommends using PowerShell and other alternative utilities for tasks previously handled by WMIC. With this move, Microsoft is looking to reduce the attack surface and improve system integrity. You can check the WMIC’s deprecation timeline published by Microsoft below.

Now, you may ask: why is WMIC being removed? Well, WMIC has long been considered a “living-off-the-land binary” (LOLBIN), a Microsoft-signed executable that threat actors exploit for various malicious activities during attacks.

For example, ransomware attakers commonly use the WMIC command to delete Shadow Volume Copies, ensuring that victims can’t use them to recover encrypted data. That’s not all; Malware has also been observed using WMIC to add exclusions to Microsoft Defender, evading detection when launched.

By removing WMIC, Microsoft aims to thwart these attack tactics and bolster overall security. The tool’s removal will make it more challenging for malicious actors to execute certain commands, thereby enhancing the system’s defense mechanisms.