ASR Rules block launching Teams meetings from Outlook


After deploying the security baselines, which enable the ASR rule 'Block Office communication application from creating child processes' (26190899-1602-49E8-8B27-EB1D0A1CE869), users are no longer able to launch Teams meetings from a calendar entry in Outlook.

 

The following is logged:

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
 	ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
 	Detection time: 2020-08-11T07:03:51.689Z
 	User: CACT\user
 	Path: C:\ProgramData\user\Microsoft\Teams\current\Teams.exe
 	Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
 	Security intelligence Version: 1.321.1142.0
 	Engine Version: 1.1.17300.4
 	Product Version: 4.18.2007.8

 

Is it possible to create an exception only for the Teams client to launch as it is installed on a per-user basis?

6 Replies

@Tom13984 Which Windows 10 version have you seen this on? Multiple different versions? Do your PCs have W10 E3 as license?

 

Feels odd; I have this ASR rule in block mode on multiple computers where this problem has not surfaced. In 124 examples, only Excel, PowerPoint and Word have been affected in an example environment, and these users/computers have accessed Teams meetings from Outlook.

Thanks for your reply. We're running E5 on these devices. It is occurring on multiple machines. They are all 2004.

@Tom13984 No problem. I haven't encountered this issue. I tested the rule and opened a Teams meeting in Outlook on a Windows 2004 + with E5. Maybe it's related to your Office patch level somehow? Do you run O365 C2R SAC? If I were you I would open a case with Microsoft; this can't be expected behaviour.

 

Anyway, when you have E5 you can exclude stuff here: https://security.microsoft.com/asr?viewid=exclusions


https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/customize...

Were you ever able to figure this one out? I'm trying to roll out this ASR rule but I'm seeing the same exact behavior in the audit entries. I'd like to figure it out before I enable the rule and cause problems. Thanks!

@jschwager 

Hi, I'm in the same situation as you. I'm trying to activate this ASR rule, but out of around 2500 employees only 4-5 users have this issue. I can't find why only some users... I don't want to make an exception only for that and create a security breach. Have you found anything since your last posts?
Thank you for your help!

I ended up having the user reinstall Teams and the issue went away.
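
Added example (not part of the thread and not Microsoft's code): a Python sketch that groups Exploit Guard messages in the format quoted in the first post by parent and child process, replacing the account name in per-user paths with `<user>`, so you can see how many users trigger the rule for the same binary before deciding on an exclusion. The sample events, the accounts alice, bob and carol, the viewer.exe path and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

RULE_ID = "26190899-1602-49E8-8B27-EB1D0A1CE869"  # rule GUID quoted in the thread
FIELD_RE = re.compile(r"^[ \t]*(ID|Detection time|User|Path|Process Name):[ \t]*(.+?)[ \t\r]*$", re.M)
OUTLOOK = r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE"

def parse_event(message):
    """Return the labelled fields of one Exploit Guard message as a dict."""
    return dict(FIELD_RE.findall(message))

def normalise_path(path, user):
    """Swap the account name inside a per-user path for <user> and lower-case it."""
    account = user.split("\\")[-1]
    pattern = r"\\" + re.escape(account) + r"\\"
    return re.sub(pattern, lambda m: "\\<user>\\", path, flags=re.I).lower()

def summarise(messages, rule_id=RULE_ID):
    """Map (parent exe, normalised child path) -> set of affected users for one rule."""
    hits = defaultdict(set)
    for msg in messages:
        ev = parse_event(msg)
        if ev.get("ID", "").upper() != rule_id.upper():
            continue  # event belongs to a different ASR rule
        if not {"User", "Path", "Process Name"} <= ev.keys():
            continue  # incomplete message, skip rather than guess
        parent = ev["Process Name"].rsplit("\\", 1)[-1].lower()
        hits[(parent, normalise_path(ev["Path"], ev["User"]))].add(ev["User"])
    return dict(hits)

def sample_event(rule, user, child, parent=OUTLOOK):
    """Build a constructed message laid out like the one in the first post."""
    return ("Microsoft Defender Exploit Guard has blocked an operation that is not allowed.\n"
            f"\tID: {rule}\n\tDetection time: 2020-08-11T07:03:51.689Z\n"
            f"\tUser: {user}\n\tPath: {child}\n\tProcess Name: {parent}\n")

# Constructed sample input: two Teams launches, one unrelated child, one other rule.
SAMPLE_EVENTS = [
    sample_event(RULE_ID, r"CACT\alice", r"C:\ProgramData\alice\Microsoft\Teams\current\Teams.exe"),
    sample_event(RULE_ID, r"CACT\bob", r"C:\ProgramData\bob\Microsoft\Teams\current\Teams.exe"),
    sample_event(RULE_ID, r"CACT\carol", r"C:\Users\carol\AppData\Local\Temp\viewer.exe"),
    sample_event("00000000-0000-0000-0000-000000000000", r"CACT\alice", r"C:\ProgramData\alice\Microsoft\Teams\current\Teams.exe"),
]

if __name__ == "__main__":
    for (parent, child), users in sorted(summarise(SAMPLE_EVENTS).items()):
        print(f"{parent} -> {child}: {len(users)} user(s)")
```

A child path that appears for only a handful of users, as described in the thread, points at something specific to those installations rather than at the rule itself.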