RyanSteele-CoV
Iron Contributor
Jul 18, 2025
Solved

ASR rule blocking execution of OneDriveSetup.exe

A member of our Service Desk team was working with a user to troubleshoot an issue with the OneDrive sync client on their Windows workstation. As part of their troubleshooting, they uninstalled the client with the intent to re-install it, but when they attempted to run OneDriveSetup.exe, they received an error. It turned out that execution was being blocked by the "Block use of copied or impersonated system tools" Attack Surface Reduction rule.

I was able to work around the issue by creating an exception in our Attack Surface Reduction Rules policy, but this situation consumed most of my morning and seriously impacted the productivity of one of our users, so I would like to ensure that it does not happen again.

Should I report this as a false positive (per https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-asr#report-a-false-positive-or-false-negative ), or is this policy somehow working as designed? If it is the latter, what is the correct approach for reinstalling the OneDrive sync client on a machine with this ASR rule applied to it?

  • Hi Surya_Narayana, and thanks for your detailed reply.

    However, I note that I am no longer seeing the issue where OneDriveSetup.exe is being blocked from running, even when I run it from a location other than the one you shared and the one I set the exclusion on.

    I am left to assume that someone at Microsoft has resolved the issue that was causing the legitimate OneDriveSetup.exe installer to be blocked (perhaps after seeing my post?).

2 Replies

  • Hi RyanSteele-CoV, you're encountering a known issue where Microsoft Defender Attack Surface Reduction (ASR) rules, specifically the rule "Block use of copied or impersonated system tools" (Rule ID: 56a863a9-875e-4185-98a7-b882c64b5ce5), block legitimate executables like OneDriveSetup.exe during reinstallation scenarios.

    Is this a false positive or intended behavior?

    This is intended behavior, not a false positive. The ASR rule is working as designed, but the design can result in overblocking if setup files are copied or not run from expected locations.

    Why does it happen?

    The ASR rule in question blocks copied system utilities or ones that impersonate system tools to prevent attackers from using renamed or copied versions of Windows binaries for malicious purposes.

    OneDriveSetup.exe may be flagged in these cases:

    • It's copied manually (e.g., from another PC or a shared drive).
    • It's run from a non-default location.
    • It's detected as not matching trusted system signatures.

    Recommended Approach

    To prevent recurrence without broadly disabling protection, follow one of these supported methods:

    Option 1: Use the official Microsoft OneDrive installer location

    Instead of manually downloading OneDriveSetup.exe, use the built-in system path that’s trusted by Defender:

    %localappdata%\Microsoft\OneDrive\Update\OneDriveSetup.exe

    This version should not be blocked by the ASR rule because it’s already signed and resides in a known/trusted location.

    Option 2: Use Microsoft’s Deployment Tools (for enterprises)

    If you manage multiple machines, use:

    • Intune
    • Configuration Manager
    • OneDrive Group Policy deployment

    These approaches ensure OneDrive is installed in a trusted, repeatable way.

    Option 3: Add a Specific Exception (as you did)

    If reinstalling from a specific path is required, you can:

    • Create a path-based or hash-based exception for OneDriveSetup.exe in Defender ASR.
    • But this should be limited in scope and monitored regularly.

    Avoid doing this unless necessary:

    • Don't globally disable the ASR rule unless you have a confirmed and persistent conflict.
    • Don’t whitelist too broadly, as that could introduce exposure to real threats.

    Should you report this to Microsoft?

    No, this does not require reporting as a false positive, since Microsoft considers it expected behavior.

    You can provide feedback if you believe there's a usability issue:

    • Submit feedback via the Microsoft Security Center console or the Feedback Hub on Windows.
    • But don't submit it as a "false positive" via the Defender portal unless it clearly matches their criteria.
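The narrowly scoped, monitored exception described in Option 3, as an added example that is not part of the thread or of Microsoft's documentation. It assumes an elevated PowerShell session on a host whose Defender settings are managed locally (under Intune or Configuration Manager the same exclusion belongs in the ASR policy instead), and the installer path `C:\Support\OneDrive\OneDriveSetup.exe` is a constructed placeholder for wherever the Service Desk stages the file.

```powershell
# Added example: scope an ASR exclusion to one verified installer and review what the rule blocks.
$RuleId        = '56a863a9-875e-4185-98a7-b882c64b5ce5'   # "Block use of copied or impersonated system tools" (from the thread)
$InstallerPath = 'C:\Support\OneDrive\OneDriveSetup.exe'  # constructed placeholder path

# 1. Report how this rule is currently configured (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
$idx  = [array]::IndexOf([string[]]$pref.AttackSurfaceReductionRules_Ids, $RuleId)
if ($idx -ge 0) { "Rule $RuleId action: $($pref.AttackSurfaceReductionRules_Actions[$idx])" }
else            { "Rule $RuleId is not configured on this host" }

# 2. Refuse to exclude anything that is not a validly Microsoft-signed binary.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Refusing to exclude ${InstallerPath}: signature status $($sig.Status)"
}

# 3. ASR-only exclusion for this single file: the rule stays enabled and no AV exclusion is created.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $InstallerPath

# 4. List recent ASR events for this rule so the exclusion can be monitored over time.
#    Event ID 1121 = ASR block, 1122 = ASR audit, in the Defender operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match $RuleId } |
  ForEach-Object {
      [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Summary = ($_.Message -split "`n")[0] }
  } | Format-Table -AutoSize
```

If the rule is currently set to Block, switching it to Audit with `Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode` for a few days first shows what else the rule would block without actually disabling it.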