Forum Discussion
Michael Platt
Feb 23, 2022, Brass Contributor
Teams.exe - Was blocked from making system calls to Win32k.sys.
What is the below event log message a result of? Should we be making any type of exclusion? Process '\Device\HarddiskVolume4\Users\*****\AppData\Local\Microsoft\Teams\current\Teams.exe' (PID 2129...
s_sim1290
Feb 28, 2022, Copper Contributor
Hi Michael,
I had similar alerts for OneDrive, Notepad and Teams when I enabled folder protection as part of the attack surface reduction rules. You are unable to specify which programs are trusted, as Microsoft determines that. I ended up putting the rule into Audit mode. You can verify whether it's being blocked by attack surface reduction rules by going to Security Centre and running the query below in Advanced Hunting.
// Controlled Folder Access events: ...Audited = the rule is in audit mode, ...Blocked = the write was actually denied
DeviceEvents
| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
I hope that helps.
Si
Michael Platt
Feb 28, 2022, Brass Contributor
Prefer to have this in block mode. Any other options?
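The following PowerShell is an added example for readers working through this thread; it is not code posted by either participant. It does on the affected client what the Advanced Hunting query above does in the portal: it reads the Controlled Folder Access state and its local allow list, pulls the CFA/ASR events from the Defender operational log, and, because the message quoted in the question is worded the way Exploit Protection's "Disable Win32k system calls" mitigation reports rather than the way a Controlled Folder Access event does, it also checks the Security-Mitigations logs and the per-process mitigation policy for Teams.exe. The commented-out lines at the end are the block-mode options behind the final question. Assumptions: it runs elevated on the client; Teams is a per-user install at $env:LOCALAPPDATA\Microsoft\Teams\current\Teams.exe (the user name in the original path is redacted, so the path is reconstructed from the environment); and the EventData field names 'Process Name' and 'Path' are as emitted by events 1121-1124.

```powershell
# Added example, not part of the thread. Run elevated on the affected client.
# Assumption: Teams is a per-user install matching the path pattern in the post
# (the user name there is redacted, so the path is rebuilt from the environment).
$teamsExe = Join-Path $env:LOCALAPPDATA 'Microsoft\Teams\current\Teams.exe'

# 1. Controlled Folder Access state and its local allow list.
#    Modes: Disabled, Enabled (block), AuditMode, BlockDiskModificationOnly, AuditDiskModificationOnly.
$pref = Get-MpPreference
"CFA mode: $($pref.EnableControlledFolderAccess)"
"CFA allowed applications: $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# 2. Local CFA / ASR evidence from the Defender operational log (last 7 days):
#    1123 = CFA blocked, 1124 = CFA audited, 1121 = ASR rule blocked, 1122 = ASR rule audited.
#    Assumption: EventData field names 'Process Name' and 'Path' as emitted by these events.
$defenderEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Process = $data['Process Name']
        Path    = $data['Path']
    }
} | Where-Object { $_.Process -like '*\Teams.exe' }

"CFA/ASR events for Teams.exe: $(@($defenderEvents).Count)"
$defenderEvents | Sort-Object Time -Descending | Format-Table -AutoSize

# 3. "Blocked from making system calls to Win32k.sys" is the wording of Exploit Protection's
#    'Disable Win32k system calls' mitigation, so check that source as well.
$mitigationEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Security-Mitigations/KernelMode',
                'Microsoft-Windows-Security-Mitigations/UserMode'
    StartTime = (Get-Date).AddDays(-7)
} | Where-Object { $_.Message -match 'Win32k' -and $_.Message -match 'Teams\.exe' }

"Win32k system-call mitigation events for Teams.exe: $(@($mitigationEvents).Count)"
$mitigationEvents | Select-Object TimeCreated, Id, Message | Format-List

# Per-process mitigation policy currently applied to Teams.exe (NOTSET = inherited/default).
(Get-ProcessMitigation -Name Teams.exe).SystemCall

# 4. Options for staying in block mode (uncomment the one that matches the source found above).
#    Local changes are overridden when these settings are managed by Intune or Group Policy;
#    make the same change in the managing policy instead.
# Add-MpPreference -ControlledFolderAccessAllowedApplications $teamsExe   # allow Teams through CFA
# Set-ProcessMitigation -Name Teams.exe -Disable DisableWin32kSystemCalls  # drop the Win32k mitigation for Teams only
```

Whichever log carries the events decides which of the two final lines applies: a CFA hit (1123/1124 naming Teams.exe) is answered by the per-application allow list, which keeps the rule itself in block mode; a Security-Mitigations hit means the Win32k system-call mitigation is applied to Teams.exe and should be relaxed for that process only, not for the device.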