https://twitter.com/MSFT365Status/status/1613871552256155649?s=20
Defender ASR policy block win32api disabled Edge and Chrome
Today all users in one of our customer's tenants started reporting their Edge and Chrome being removed from their desktop (shortcuts); Outlook issues were reported as well. When we set the ASR policy "Block Win32 API calls from Office macro" to audit, everything started working again as expected. Office repair also repaired the Office apps. Anyone else noticed this behaviour? Thanks
11 answers
-
Jan De Smet 156 Reputation points
2023-01-13T15:06:54.5633333+00:00
We recommend that you put the ASR rule to Audit Mode to avoid further impact. This can be done through the following options:
- Using PowerShell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode
- Using Intune: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#mem
- Using Group Policy: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#group-policy
- Note that ASR rule "Block Win32 API calls from Office macros" with ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
You can also set the rule to disabled mode. In that case, please use the following PowerShell command:
Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled
Current status: We reverted the offending ASR rule, however, this change is propagating throughout the environment and could take several hours to complete. We recommend that you take action to place the offending ASR rule into Audit Mode and prevent further impact until the update has completed deployment. Further information on how to perform these steps is listed within the More info section of this communication.
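To confirm which mode the rule is actually in on an endpoint before and after the change described in the answer above, the following is an added example, not part of the thread or of Microsoft's guidance. The numeric action values (0 Disabled, 1 Block, 2 Audit, 6 Warn) and the event IDs 1121 (block) and 1122 (audit) come from Defender's documented behaviour rather than from this page; run it in an elevated session.

```powershell
# Added example: report the mode of the ASR rule named in this thread, move it
# to audit if it is enforcing, then list recent events the rule generated.

$RuleId    = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'  # Block Win32 API calls from Office macros
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

# Ids and Actions are parallel arrays: find the position of our rule.
$index = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) { $index = $i; break }
}

if ($index -lt 0) {
    Write-Output "Rule $RuleId is not configured locally on this device."
} else {
    $mode = [int]$actions[$index]   # cast so the hashtable lookup uses an Int32 key
    Write-Output "Rule $RuleId is currently: $($ModeNames[$mode]) ($mode)"

    if ($mode -eq 1) {
        # Same command as quoted in the answer above.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                         -AttackSurfaceReductionRules_Actions AuditMode
        Write-Output 'Rule switched to AuditMode.'
    }
}

# Recent block (1121) and audit (1122) events for this rule, to gauge impact
# on the machine and to confirm that new events arrive as audit, not block.
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Where Intune or Group Policy manages ASR rules, make the change there instead, since the management platform overwrites conflicting local PowerShell settings.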
-
ShiJieLi-MSFT 10,021 Reputation points Microsoft Vendor
2023-01-16T03:10:29.3933333+00:00
Hi all,
Microsoft has acknowledged the issue and delivered a workaround. You can see the complete doc here.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Best Regards,
Shijie Li
-
Patjar 5 Reputation points
2023-01-16T09:21:30.0566667+00:00
Fix for this ASR issue.
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/ba-p/3716011
-
Pavel yannara Mirochnitchenko 12,601 Reputation points MVP
2023-01-16T18:46:15.9433333+00:00
I ran v1.1 of the script and it recovered only Word icon from Office, other icons are still missing:
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/bc-p/3717330#M2209