Defender ASR policy block win32api disabled Edge and Chrome

Jan De Smet 156 Reputation points
2023-01-13T12:11:22.14+00:00

Today all users in one of our customer's tenants started reporting their Edge and Chrome being removed from their desktop (shortcuts), Outlook issues were reported as well. When we set the asr policy Block Win32 API calls from Office macro to audit, everything started working again as expected. Office repair also repaired the office apps. Any one else noticed this behaviour? Thanks

Microsoft Edge
Microsoft Edge
A Microsoft cross-platform web browser that provides privacy, learning, and accessibility tools.
2,348 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,402 questions
Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
429 questions
0 comments No comments
{count} votes

11 answers

Sort by: Most helpful
  1. Jan De Smet 156 Reputation points
    2023-01-13T14:58:26.63+00:00

    [https://twitter.com/MSFT365Status/status/1613871552256155649?s=20

    0 comments No comments

  2. Jan De Smet 156 Reputation points
    2023-01-13T15:06:54.5633333+00:00

    We recommend that you put the ASR rule to Audit Mode to avoid further impact. This can be done through the following options: - Using Powershell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode - Using Intune: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#mem  - Using Group Policy: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#group-policy  - Note that ASR rule "Block Win32 API calls from Office macros" with ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b   You can also set the rule to disabled mode. In that case, please use the following Powershell command: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled  Current status: We reverted the offending ASR rule, however, this change is propagating throughout the environment and could take several hours to complete. We recommend that you take action to place the offending ASR rule into Audit Mode and prevent further impact until the update has completed deployment. Further information on how to perform these steps are listed within the More info section of this communication.

    0 comments No comments

  3. ShiJieLi-MSFT 10,021 Reputation points Microsoft Vendor
    2023-01-16T03:10:29.3933333+00:00

    Hi all,

    Microsoft has acknowledged the issue and delivered a workaround. You can see the complete doc here.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best Regards,

    Shijie Li

    0 comments No comments

  4. Patjar 5 Reputation points
    2023-01-16T09:21:30.0566667+00:00

    Fix for this ASR issue.
    [https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/ba-p/3716011

    0 comments No comments

  5. Pavel yannara Mirochnitchenko 12,601 Reputation points MVP
    2023-01-16T18:46:15.9433333+00:00

    I ran v1.1 of the script and it recovered only Word icon from Office, other icons are still missing:

    [https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/bc-p/3717330#M2209

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.