Interview with the ASR rules

Protecting your devices with Windows Defender ASR rules is best practice, but make sure you’re aware of the caveats. The sun was probably shining when you configured your ASR rules! Then you decided you wanted to use Solarwinds for monitoring your devices, and you pushed the agent to your endpoints. Suddenly the weather changed…

If, like me, you configured the Solarwinds agent as a new Win32 app with the packaging tool, read on.

After you start deploying it to some test devices, you’ll notice a toast notification about a new app, and you open the C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Incoming folder to watch for new installs. And there it is! But after the installation file is downloaded, nothing happens. No MSI installer progress, nothing…

You start troubleshooting and open the Management Extension log. Searching the detection rule output tells you the app is not installed (false). But are there no other logs?

Nope, except one: a nice ASR event 1121 in the Windows Defender operational log.

So one of the ASR rules is specifically blocking your installation.
But which of the ASR rules did it? Which of you made me look at all the logs?

Looking up the rule id 01443614-cd74-433a-b99e-2ecdc07bfc25, it translates to “Block executable files from running unless they meet a prevalence, age, or trusted list criteria”.
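To make that lookup repeatable, here is an added PowerShell example (my own, not from the original post) that reads ASR block (1121) and audit (1122) events from the Defender operational log, pulls the rule GUID and blocked path out of the event text, and translates the GUID to its rule name. The lookup table holds the GUID from this post plus a few other rules from Microsoft’s documented ASR rule list and is not exhaustive; the sample event message is constructed.

```powershell
# Added example: which ASR rule blocked my install? Reads Defender event 1121/1122
# and maps the rule GUID to a readable name. Not part of the original post.

# Partial lookup table. First GUID is the one from the post; the others come from
# Microsoft's documented ASR rule list. Unknown GUIDs are reported as such.
$AsrRuleNames = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criteria'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
}

function ConvertFrom-AsrBlockMessage {
    # Parses the free-text message of an ASR event (1121 = blocked, 1122 = audit only).
    param([Parameter(Mandatory)][string]$Message, [datetime]$TimeCreated = (Get-Date))
    $guid = if ($Message -match 'ID:\s*([0-9a-fA-F-]{36})') { $Matches[1].ToLower() } else { $null }
    $path = if ($Message -match 'Path:\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null }
    $proc = if ($Message -match 'Process Name:\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{
        Time     = $TimeCreated
        RuleId   = $guid
        RuleName = if ($guid -and $AsrRuleNames.ContainsKey($guid)) { $AsrRuleNames[$guid] } else { 'Unknown rule (extend $AsrRuleNames)' }
        Path     = $path
        Process  = $proc
        Mode     = if ($Message -match 'audit') { 'Audit' } else { 'Block' }
    }
}

function Get-AsrBlockEvent {
    # Reads recent ASR events from the Defender operational log (empty result if none).
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AsrBlockMessage -Message $_.Message -TimeCreated $_.TimeCreated }
}

# Constructed sample in the shape of a real 1121 message (values made up) so the
# parser can be tried on a machine that has no ASR events yet.
$sample = @"
Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
	ID: 01443614-CD74-433A-B99E-2ECDC07BFC25
	Detection time: 2021-01-01T10:00:00.000Z
	User: NT AUTHORITY\SYSTEM
	Path: C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Incoming\example\agent.exe
	Process Name: C:\Windows\System32\msiexec.exe
"@
ConvertFrom-AsrBlockMessage -Message $sample | Format-List

# On the device where the install silently failed, list the real events instead:
Get-AsrBlockEvent -Hours 48 | Format-Table Time, Mode, RuleName, Path -AutoSize
```

Run it elevated on the affected device; a 1122 row means the rule is only auditing, while a 1121 row is the actual block you are chasing.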

After changing the ASR setting in Intune, Solarwinds installs with no problem.

Conclusion:

Even a small setting like an ASR rule can prevent new installations on existing devices. When deploying new devices this setting is no problem, because the application is installed before the ASR device configuration kicks in. Looking at the Windows Defender log is a good thing to remember when troubleshooting Win32 app installations.

Personally I think it’s a little weird that the Solarwinds device agent is blocked by ASR, but deploying Chocolatey is no problem at all?
