ASR Rules block launching Teams meetings from Outlook


After deploying the security baselines which enable the ASR rule 'Block Office communication application from creating child processes' (26190899-1602-49E8-8B27-EB1D0A1CE869) users are no longer able to launch Teams meetings from a calendar entry in Outlook.

The following is logged:

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
 	ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
 	Detection time: 2020-08-11T07:03:51.689Z
 	User: CACT\user
 	Path: C:\ProgramData\user\Microsoft\Teams\current\Teams.exe
 	Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
 	Security intelligence Version: 1.321.1142.0
 	Engine Version: 1.1.17300.4
 	Product Version: 4.18.2007.8

 

Is it possible to create an exception only for the Teams client to launch as it is installed on a per-user basis?

3 Replies

@Tom13984 Which Windows 10 version have you seen this one on? Multiple different versions? Your PCs have W10 E3 as license?

Feels odd, I have this ASR rule in block on multiple computers where this problem has not surfaced. In 124 examples only Excel, PowerPoint and Word have been affected in an example environment and these users/computers have accessed Teams meetings from Outlook.

Thanks for your reply. We're running E5 on these devices. It is occurring on multiple machines. They are all 2004.

@Tom13984 No problems. I haven't encountered this issue. I tested the rule and opened a Teams meeting in Outlook on a Windows 2004 + with E5. Maybe it's related to your Office patch level somehow? Do you run O365 C2R SAC? If I were you I would open a case with Microsoft, this can't be expected behaviour.

Anyway, when you have E5 you can exclude stuff here: https://security.microsoft.com/asr?viewid=exclusions

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/customize...
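
Added example, not part of the thread or of Microsoft's documentation: a PowerShell sketch for checking, before any exclusion is created, which parent and child binaries the rule from the question is actually blocking on a device. It assumes live event messages use the same "Key: value" layout as the log text in the question; the function name ConvertFrom-AsrMessage is made up for this example.

```powershell
$RuleId = '26190899-1602-49E8-8B27-EB1D0A1CE869'   # rule GUID quoted in the question

function ConvertFrom-AsrMessage {                   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Message)
    # Collect the "Key: value" lines of the Exploit Guard event text.
    $f = @{}
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*(ID|Detection time|User|Path|Process Name):\s*(.+?)\s*$') {
            $f[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        RuleId = $f['ID'];   Time   = $f['Detection time']; User = $f['User']
        Target = $f['Path']; Parent = $f['Process Name']
    }
}

# Sample taken from the log in the question, so the parser can be tried offline.
$sample = @'
Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
    ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
    Detection time: 2020-08-11T07:03:51.689Z
    User: CACT\user
    Path: C:\ProgramData\user\Microsoft\Teams\current\Teams.exe
    Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
'@
ConvertFrom-AsrMessage -Message $sample

# Live data: event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object Message |
    ForEach-Object { ConvertFrom-AsrMessage -Message $_.Message } |
    Where-Object RuleId -eq $RuleId |
    Group-Object Parent, Target |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Current state of the rule and the ASR path exclusions configured on this device.
$pref = Get-MpPreference
for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $RuleId) {
        "Rule action: $($pref.AttackSurfaceReductionRules_Actions[$i]) (0=off, 1=block, 2=audit)"
    }
}
$pref.AttackSurfaceReductionOnlyExclusions
```

The grouped output shows whether the blocks are limited to OUTLOOK.EXE starting Teams.exe or include other child processes, which is the information needed to decide how narrow an exclusion can be.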