Defender ASR policy block win32api disabled Edge and Chrome

Jan De Smet 156 Reputation points
2023-01-13T12:11:22.14+00:00

Today all users in one of our customer's tenants started reporting their Edge and Chrome being removed from their desktop (shortcuts); Outlook issues were reported as well. When we set the ASR policy "Block Win32 API calls from Office macro" to audit, everything started working again as expected. Office repair also repaired the Office apps. Anyone else noticed this behaviour? Thanks

Tags: Microsoft Edge, Microsoft Defender for Cloud, Microsoft Intune Security

11 answers

  1. Andre Luis de Souza Vieira 5 Reputation points
    2023-01-13T12:44:40.27+00:00

    As a workaround, change the Microsoft Defender for Endpoint ASR rule that blocks Office to "audit".

    1 person found this answer helpful.
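The workaround described in the question and in this answer, as an added example that is not from the thread: switch only the "Block Win32 API calls from Office macro" rule to audit mode on a single device with the built-in Defender cmdlets, and then check the Defender operational log to confirm that block events (1121) for that rule have stopped and audit events (1122) appear instead. The rule GUID is the one Microsoft publishes for this rule in its ASR rule reference; the four-hour look-back window is an arbitrary choice for the example. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the thread. Requires an elevated prompt.
# GUID of "Block Win32 API calls from Office macro" per Microsoft's ASR rule reference.
$ruleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

# 1. Show how the rule is currently configured on this device.
#    Ids and Actions are parallel arrays; 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
$i    = [array]::IndexOf($ids, $ruleId)
if ($i -ge 0) {
    "Current action for $ruleId : $($pref.AttackSurfaceReductionRules_Actions[$i])"
} else {
    "Rule $ruleId is not in the local list (it may be pushed by Intune or GPO instead)."
}

# 2. Set this one rule to audit mode. Add-MpPreference adds or updates a single
#    rule; Set-MpPreference would overwrite the whole rule list.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 3. List recent ASR events for this rule. Event 1121 = blocked, 1122 = audited.
#    After the change, new entries for this rule should be 1122 only.
$since = (Get-Date).AddHours(-4)   # arbitrary look-back window for the example
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ruleId } |
    Select-Object TimeCreated, Id,
        @{ n = 'Mode';   e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
        @{ n = 'Detail'; e = { ($_.Message -split "`n" | Select-String 'Path:|Process Name:') -join '; ' } } |
    Format-Table -AutoSize
```

If the tenant manages ASR rules through Intune or Group Policy, the managed setting takes precedence and the local change will be reverted at the next policy refresh; in that case change the rule's action in the Intune or GPO policy instead and use the event query above only to verify that the device has picked it up.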

  2. James Andrews 5 Reputation points
    2023-01-13T13:22:14.32+00:00

    We've seen this behaviour across the board. The interesting thing is, we've had the "Block Win32 API calls from Office macro" rule enabled for ages without any issue. Suddenly, 90% of our devices are affected. Has there been any official word from Microsoft as to what has suddenly caused this? Or is this the intended behaviour, and it's just that the rule hasn't been working until now?

    1 person found this answer helpful.

  3. Patjar 5 Reputation points
    2023-01-13T13:45:47.48+00:00

    https://www.theregister.com/2023/01/13/happy_friday_13th_microsoft_defender/

    1 person found this answer helpful.

  4. Jordan Nash 0 Reputation points
    2023-01-13T13:13:18.57+00:00

    I am also experiencing this issue. All of my taskbar links are broken, and there are lots of "Risky action blocked" notifications:

    Risky action blocked
    Blocked by: Attack surface reduction

    Rule: Block Win32 API calls from Office macro

    Affected items: C:\Users\USERNAME\OneDrive - COMPANYNAME\Start Menu\Programs\Startup\Send to OneNote.lnk

    Also:

    C:\Users\USERNAME\OneDrive - COMPANYNAME\Start Menu\Programs\Startup\Send to OneNote.lnk

    C:\Users\USERNAME\OneDrive - COMPANYNAME\Start Menu\Programs\Accessories\Internet Explorer.lnk

    C:\Users\USERNAME\OneDrive - COMPANYNAME\Start Menu\Programs\Outlook.lnk

    C:\Users\USERNAME\AppData\Local\Microsoft\OneDrive\logs\Business1\SyncEngine-2023-01-13.1250.14448.4.odl

    C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8299.8354216.0.8354216-99b9f583c41a7a58feea69d80be60d78d2d08277\05632bbd-60c8-43b9-8d7e-e0133bad1c7d.ps1->(UTF-8)


  5. Edwin Gonzalez 0 Reputation points
    2023-01-13T14:48:43.7333333+00:00

    We have the same problem with the ASR rule. For the moment we have disabled the rule, but the change has not taken effect.
