Forum Discussion
ASR rule blocking execution of OneDriveSetup.exe
- Jul 22, 2025
Hi Surya_Narayana, and thanks for your detailed reply.
However, I note that I am no longer seeing the issue where OneDriveSetup.exe is being blocked from running, even when I run it from a location other than the one you shared and the one I set the exclusion on.
I am left to assume that someone at Microsoft has resolved the issue that was causing the legitimate OneDriveSetup.exe installer to be blocked (perhaps after seeing my post?).
Hi RyanSteele-CoV, you're encountering a known issue where Microsoft Defender Attack Surface Reduction (ASR) rules, specifically the rule "Block use of copied or impersonated system tools" (Rule ID: 56a863a9-875e-4185-98a7-b882c64b5ce5), block legitimate executables like OneDriveSetup.exe during reinstallation scenarios.
Is this a false positive or intended behavior?
This is intended behavior, not a false positive. The ASR rule is working as designed, but the design can result in overblocking if setup files are copied or not run from expected locations.
Why does it happen?
The ASR rule in question blocks copied system utilities or ones that impersonate system tools to prevent attackers from using renamed or copied versions of Windows binaries for malicious purposes.
OneDriveSetup.exe may be flagged in these cases:
- It's copied manually (e.g., from another PC or a shared drive).
- It's run from a non-default location.
- It's detected as not matching trusted system signatures.
Recommended Approach
To prevent recurrence without broadly disabling protection, follow one of these supported methods:
Option 1: Use the official Microsoft OneDrive installer location
Instead of manually downloading OneDriveSetup.exe, use the built-in system path that’s trusted by Defender:
%localappdata%\Microsoft\OneDrive\Update\OneDriveSetup.exe
This version should not be blocked by the ASR rule because it’s already signed and resides in a known/trusted location.
Option 2: Use Microsoft’s Deployment Tools (for enterprises)
If you manage multiple machines, use:
- Intune
- Configuration Manager
- OneDrive Group Policy deployment
These approaches ensure OneDrive is installed in a trusted, repeatable way.
Option 3: Add a Specific Exception (as you did)
If reinstalling from a specific path is required, you can:
- Create a path-based or hash-based exception for OneDriveSetup.exe in Defender ASR.
- But this should be limited in scope and monitored regularly.
Avoid doing this unless necessary:
- Don't globally disable the ASR rule unless you have a confirmed and persistent conflict.
- Don’t whitelist too broadly, as that could introduce exposure to real threats.
Should you report this to Microsoft?
No, this does not require reporting as a false positive, since Microsoft considers it expected behavior.
You can provide feedback if you believe there's a usability issue:
- Submit feedback via the Microsoft Security Center console or the Feedback Hub on Windows.
- But don't submit it as a "false positive" via the Defender portal unless it clearly matches their criteria.
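As an added example (not code from either poster), the following PowerShell puts Option 3 into practice the way the answer recommends: it reads the current action for the rule named above, confirms the installer is genuinely Microsoft-signed before excluding it, adds an ASR-only exclusion scoped to that one path, and pulls recent ASR block/audit events for the rule so the exclusion can be monitored. The installer path is assumed to be the Option 1 location; adjust it if you run the setup from elsewhere.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
$RuleId    = '56a863a9-875e-4185-98a7-b882c64b5ce5'   # Block use of copied or impersonated system tools
$Installer = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\Update\OneDriveSetup.exe'  # assumed path

# 1. Current action for this rule: 0 = Off, 1 = Block, 2 = Audit, 5 = Not configured, 6 = Warn.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
$idx  = [array]::IndexOf($ids, $RuleId)
$action = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { 'not configured' }
"Rule $RuleId current action: $action"

# 2. Only exclude a binary that carries a valid Microsoft Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Refusing to exclude '$Installer': signature status is '$($sig.Status)'"
}

# 3. Narrow exclusion: ASR rules only, this exact file. AV scanning and other protections are untouched.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Installer
"ASR-only exclusion added for $Installer"

# 4. Monitoring: ASR events for this rule (1121 = blocked in Block mode, 1122 = logged in Audit mode).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id, @{
        Name       = 'Detail'
        Expression = { ($_.Message -split "`r?`n" |
                        Where-Object { $_ -match '^\s*(Path|Process Name):' }) -join '; ' }
    } |
    Format-Table -AutoSize
```

Re-run step 4 periodically: new 1121 events for the same rule that name a different path mean the exclusion is not masking anything broader than intended, while a steady stream of blocks on legitimate paths is the "confirmed and persistent conflict" the answer says should exist before the rule itself is reconsidered.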