Defender ASR policy block win32api disabled Edge and Chrome

Jan De Smet 156 Reputation points
2023-01-13T12:11:22.14+00:00

Today all users in one of our customer's tenants started reporting their Edge and Chrome being removed from their desktop (shortcuts); Outlook issues were reported as well. When we set the ASR policy "Block Win32 API calls from Office macros" to audit, everything started working again as expected. Office repair also repaired the Office apps. Anyone else noticed this behaviour? Thanks

Tags: Microsoft Edge, Microsoft Defender for Cloud, Microsoft Intune Security

11 answers
  1. Jan De Smet 156 Reputation points
    2023-01-13T14:58:26.63+00:00

    https://twitter.com/MSFT365Status/status/1613871552256155649?s=20


  2. Jan De Smet 156 Reputation points
    2023-01-13T15:06:54.5633333+00:00

    We recommend that you put the ASR rule to Audit Mode to avoid further impact. This can be done through the following options:

    - Using PowerShell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode
    - Using Intune: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#mem
    - Using Group Policy: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#group-policy
    - Note that ASR rule "Block Win32 API calls from Office macros" with ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

    You can also set the rule to disabled mode. In that case, please use the following PowerShell command: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled

    Current status: We reverted the offending ASR rule; however, this change is propagating throughout the environment and could take several hours to complete. We recommend that you take action to place the offending ASR rule into Audit Mode and prevent further impact until the update has completed deployment. Further information on how to perform these steps is listed within the More info section of this communication.

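The answer above gives the one-line Add-MpPreference command but not how to confirm what state the rule was in before and after, or how to see what it has actually been blocking on a given machine. The following script is an added example, not part of the thread or of Microsoft's status communication. It assumes an elevated PowerShell session on a device running Microsoft Defender Antivirus; the rule GUID is the one quoted in the answer, the numeric action codes (0 Disabled, 1 Block, 2 Audit, 6 Warn) are those reported by Get-MpPreference, and events 1121 (blocked) and 1122 (audited) in the Microsoft-Windows-Windows Defender/Operational log are the standard ASR event IDs. The helper function name Get-AsrRuleState is my own.

```powershell
# Added example (not from the thread): inspect, switch to Audit, and review
# activity for the "Block Win32 API calls from Office macros" ASR rule.
# Run in an elevated PowerShell session on a Defender-protected device.

$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # rule GUID quoted in the answer above

# Action codes as returned in AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: report the configured action for one rule GUID
function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $acts = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {                       # -eq is case-insensitive in PowerShell
            $code = [int]$acts[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

"Before: $(Get-AsrRuleState -Id $RuleId)"

# Audit keeps the telemetry (event 1122) but stops the rule from blocking or
# deleting anything, which is what the status message recommends during the incident.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode

"After:  $(Get-AsrRuleState -Id $RuleId)"

# Review what this rule has blocked (1121) or would have blocked (1122) in the last day,
# so the scale of shortcut/app impact on this device can be judged before remediation.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id, @{ Name = 'Detail'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If the rule is managed by Intune or Group Policy, the managed setting takes precedence over the local preference, so the "After" line may still show Block until the policy change the answer links to has reached the device; checking the state before and after is what tells you which source is winning.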

  3. ShiJieLi-MSFT 8,416 Reputation points Microsoft Vendor
    2023-01-16T03:10:29.3933333+00:00

    Hi all,

    Microsoft has acknowledged the issue and delivered a workaround. You can see the complete doc here.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best Regards,

    Shijie Li


  4. Patjar 5 Reputation points
    2023-01-16T09:21:30.0566667+00:00

    Fix for this ASR issue.
    https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/ba-p/3716011


  5. Pavel yannara Mirochnitchenko 12,391 Reputation points MVP
    2023-01-16T18:46:15.9433333+00:00

    I ran v1.1 of the script and it recovered only the Word icon from Office; other icons are still missing:

    https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/bc-p/3717330#M2209
