@Tiennes 

Thx for the reply.

the issue is the ASR rule as described in my post. Outlook.exe is the initiating process but per documentation and all the other of my 1760 machines the ASR rule is applying to System Context and as a result does NOT block or take action on %userprofile% variables .

However on 40 of the machines the ASR rule is applying to user context or %userprofile% variable.

controlled folder access is in Audit Mode 

@David Schrag 

Issue persists and microsoft support is reviewing logs/traces.  MS Docs team advised to me that they are not aware of any new behavior changes to ASR so this sounds like a possible bug.  I will let you know if I find anything else out.  I will be uploading more logs but the number of machines in my environment that is effected has grown to around 180 of 1800 so it is spreading but not sure what the root cause is yet.

@brink668 Is it your experience that on unaffected machines, add-in behavior is associated with %appdatalocal%\assembly\dl3, but on affected machines the path is %appdatalocal%\assembly\tmp? That's what it looked like to me comparing ProcMon output from two different computers. My hypothesis is that something causes a switch from the normal dl3 folder to the tmp folder and the ASR rules see the latter but not the former as a threat. I am definitely working at the outer limits of my familiarity with how .NET and Windows applications work, though.

In perusing various documents this article was updated today.

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-m...

• so a platform update is incoming today/tomorrow for “patch Tuesday” .
• There is a comment that there are “improved” ways to exclude… not sure the specifics of what that means
• Another interesting thing is on the same page back in March there was a platform update that fixed Outlook Addins getting blocked in ASR.

This ASR issue is affecting our existing Outlook add-ins, we haven't deployed any new Outlook add-ins @MikePalmer75 

Some of our users are also experiencing the similar problems. It started in last 2-3 days and number is growing it seems like.

For us, the issue occurs when a user creates a new Teams Meeting in Outlook and click on the Meeting Options. The meeting options dialog box opens but shows nothing, then a Defender notifications pop up stating that risky action blocked.

Upon further investigation, it seems that Attach Surface Reduction (ASR) feature is blocking the addin files. When a user clicks on "meeting options", it creates a temporary folder and few .js files in C:\Users\<username>\AppData\Local\Microsoft\Windows\INetCache\IE\UDA76Y7T

The ASR considers that a potential threat and blocks it.

We tried to clear the cache, delete temporary files but that didn't fix the issue. We also tried to use Microsoft Support and Recovery Assistant (MSRA) but that didn't fix the issue either.