Call4Cloud

Interview with the ASR rules

Protecting your devices with Microsoft Defender ASR rules is best practice but… make sure you’re aware of the caveats. The sun was probably shining when you configured your ASR rules! And after you decided you wanted to use Solarwinds for monitoring your devices, you pushed the agent to your endpoints. Then suddenly the weather changed…

I will divide this blog into multiple parts

  1. Analyzing the problem
  2. Solving the problem

1.Anyalyzing the Problem

If you are using Solarwinds/ N-able as an additional RMM tool, you probably configured a new Win32App with the Win32 App Packaging Tool. So did we!

I guess like everyone, we were using Autopilot pre-provisioning. We configured this Solarwinds app as a required app because we want that app to be installed before the device was shipped to the customer. But sometimes (randomly) we ended up in a Red Screen telling us there was a Time-Out.

So we wiped the device and started monitoring C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Incoming  folder to watch for new installs. And there it was! But after the installation file was downloaded nothing happened. No MSI installer progress, nothing…

2. Troubleshooting the Problem

When you need to start troubleshooting, you will need to take a good look at the Management Extension log and start digging around. Just like I showed you in this blog! It will guide you through each step of the ESP!

After searching the part mentioning the app detection rules, we noticed the app was not installed (false). But we were still missing some information about “the why” it wasn’t detected after installation. Okay so the Intune management log didn’t showed us what happened, I guess we need to look further!

Looking closer at some other event logs and especially the Windows Defender event log, it showed us some warnings.. a lot of them! As shown below, a lot of nice ASR events 1121 within the Windows Defender operational log.

So one of the ASR rules is specifically blocking your installation. But which of the ASR rules did it? Which of you made me look at all the logs?

When googling the ID 01443614-cd74-433a-b99e-2ecdc07bfc25 it showed us it was actually the id for the ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criteria

So we changed the ASR setting in Intune, to make sure that one was disabled. After disabling that ASR rule, Solarwinds was installed with no issue at all.

Another possibility could be to exclude the incoming path in the ASR rules, but for now, I just turned off the Block executable files from running unless they meet a prevalence, age, or trusted list criteria rule. That one did more harm than good!

Conclusion:

Even a small setting like an ASR rule could prevent new Win32 App installations on existing and even on new devices. When deploying new devices this setting could be or could not be a problem because sometimes the Application was already installed successfully before the ASR device configuration could kick in. 

Looking at the Windows defender log is a good thing to remember when troubleshooting Win32 app Installations. Because Windows Defender could be blocking something, you didn’t expect!

Blocked GIFs | Tenor

Personally, I think it’s a little weird Solarwinds their device Agent is blocked by ASR but deploying Chocolatey is no problem at all?

Leave a Reply

Your email address will not be published. Required fields are marked *

4  +  5  =