To secure Windows, Microsoft recommends Windows Defender Application Control in enterprise environments. Over the last few days, however, this feature seems to have caused problems because of a definition update. I have received reports that users "suddenly" could neither open files nor run programs. Even accessing network drives or opening web pages was no longer possible. They were told that the app had been blocked by Windows Defender Application Control. It looks like Microsoft Defender Security Intelligence Update version 1.391.1503.0 is the cause.
Report #1 about Windows 11 22H2
This week an IT service provider on Facebook pointed me to a post from June 12, 2023 (i.e., before Patchday) in a closed group that I couldn't really make sense of off the top of my head. At least I was not aware of anything similar from the readership. The service provider described his problem as follows:
Good morning colleagues,
Call from customer this morning – Can't open files, run programs, access network drives, or open web pages.
Message: "Your organization has blocked this app using Windows Defender Application Control."
Windows 11 Pro operating system – 22H2.
Briefly went through by phone. Ran until Friday with no abnormalities. Nothing changed since then – except: install update KB5026372 [security update dated May 9, 2021].
Short research – error seems identical to the following post.
The user then linked to my old German blog post Defender Application Control blockt Programme/Downloads from November 2017, which was about the Windows 10 Fall Creators Update, where the Windows Defender Application Control feature caused issues and showed users the following message when downloading and launching programs.
Your organisation used Windows Defender Application Control to block this app
So this is exactly the error that the customer reported to the IT service provider mentioned above. However, the workarounds described in my article no longer worked (this is now Windows 11 22H2). The IT service provider then added:
Will be at the customer's site this afternoon and try the solution approach from the above article.
Question to you: Do any of you have/had this problem as well?
Can it really be due to the mentioned update (Release: 09.05.2023)?
On the MS site there is no entry in the known issues.
Thanks
There was no feedback from other affected parties, but the IT service provider got back later with the following information:
Short update: Deactivating Secure Boot did not help. In the meantime, a second device with identical equipment and error pattern has also been added.
"Disable driver signature enforcement" provides at least temporary relief (until the next reboot).
Driver updates in the near past – missing.
Unsigned drivers: exactly one – OpenCL.dll
Can anyone make sense of this?
The poster still intended to contact a driver manufacturer; to date I have no feedback on what came of that. Since it looked like an "isolated case", I didn't raise the issue here on the blog until now.
Solution: Clean install of Windows 10
After I posted the bug yesterday on my German blog, I received new feedback from that person, who described the following experience.
Good morning Günter,
quite a lot has happened. This week was very stressful. I'm only now getting around to giving info.
Feedback from Intel was a beta driver. But this did not solve the problem. No further feedback.
Feedback from the vendor Wortmann (manufacturer of the devices) was that there is no solution to date. Recommendation: reinstallation.
I then rolled back to a restore point in the past (t-4 weeks), as a test. Result -> The problem persisted!
Then I tried an Inplace Upgrade (Windows 11). Selected option (Keep personal files only, delete settings and apps). Result -> The problem persisted! So far so bad. Windows 11 [is] not the preferred OS anyway.
So another inplace upgrade (in this case actually a downgrade) to Windows 10 afterwards. This time option "Keep nothing". Result -> The problem persisted!
How exactly the routines work in the background I cannot judge. For me, however, something must have dug pretty deep into the system. Where it came from and why is a mystery to me.
End of the story: A complete, clean reinstallation via USB stick (Windows 10) led to everything running again. Updates pulled, new setup. System runs.
Not very satisfactory for me, since I could not find the cause and thus ultimately cannot prevent this error from reappearing at some point.
I would classify it as a "single case", although it actually affected 2 independent devices and that in a time interval of about 5-6 hours.
So much for the feedback from the IT service provider (to whom I hereby express my thanks). All in all, a very unsatisfactory situation, even if the customer can now work with his systems again.
Report #2 about Windows 11 22H2
Two days ago Jens sent me a rather cryptic direct message (thanks for that), which I couldn't really understand at first. He wrote:
Microsoft distributes malware and then blocks itself correctly?
Happens several times in an enterprise environment
Included was a screenshot (hidden behind a content warning), which I pulled out below. The screenshot shows a rule-based block of an action (by WDAC) – here PowerPoint.exe. This application was blocked by Attack Surface Reduction because a script there was "obfuscated".
I asked Jens for more details and got the following information:
Complaints in the company that various Office programs can no longer be started because of the "Risky action".
Seems to affect so far only people in the Asian region.
I could only find older cases that sound similar (see here). Only the post Defender polices- Blocking Office APP, dated May 11, 2023, seems similar, but that post was published before June 2023. And I remember the post Microsoft Defender update/ASR deletes desktop shortcuts, taskbar broken, Office apps don't start anymore from January 2023 – but that issue doesn't fit exactly.
Resolution: Faulty signature file
However, Jens then contacted me again after a day and reported that a faulty Defender signature file was probably responsible. He wrote in response:
The solution of the case has just been announced: As an update, we worked with the vendor to troubleshoot the issue. Primarily we are seeing a bad definition update from Microsoft that caused the blocks. The bad version number for AV definitions is 1.391.1503.0.
So it was a Security Intelligence Update, as Microsoft calls it, meaning signature file 1.391.1503.0 for Microsoft Defender caused the problems. As of June 17, 2023, version 1.391.1708.0 has already been released, so the bug should be gone. Thanks to the two readers for the tips. Was anyone else from the readership affected?
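For administrators who want to check whether their machines still carry the faulty definition and whether the blocks from the two reports show up in the logs, here is an added PowerShell check (my own example, not part of the reader reports or any Microsoft tooling). It assumes the version numbers from this post and uses the standard Defender cmdlets plus the Defender event IDs for ASR blocks (1121) and Code Integrity/WDAC blocks (3077).

```powershell
# Added example: compare the installed Defender signature version against the
# version identified as faulty in this post (1.391.1503.0) and the fixed one
# (1.391.1708.0), then list recent ASR and WDAC block events from the last week.
# Run in an elevated PowerShell session on the affected Windows 10/11 client.

$badVersion   = [version]'1.391.1503.0'   # faulty definition from the post
$fixedVersion = [version]'1.391.1708.0'   # first fixed version named in the post

$status    = Get-MpComputerStatus
$installed = [version]$status.AntivirusSignatureVersion
Write-Host "Installed AV signature: $installed (updated $($status.AntivirusSignatureLastUpdated))"

if ($installed -eq $badVersion) {
    Write-Warning "Faulty definition $badVersion is installed - requesting a signature update."
    Update-MpSignature -ErrorAction Stop
    $installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Version after update: $installed"
}
elseif ($installed -lt $fixedVersion) {
    Write-Warning "Signature $installed is older than the fixed version $fixedVersion."
}
else {
    Write-Host "Signature version is at or above the fixed version $fixedVersion."
}

$since = (Get-Date).AddDays(-7)

# ASR blocks (report #2: PowerPoint.exe blocked for an 'obfuscated' script).
# Event ID 1121 = an ASR rule blocked an action in block mode.
$asrBlocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121; StartTime = $since
} -ErrorAction SilentlyContinue

# WDAC / Code Integrity blocks (report #1: "blocked this app using WDAC").
# Event ID 3077 = Code Integrity blocked a file in enforced mode.
$ciBlocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077; StartTime = $since
} -ErrorAction SilentlyContinue

Write-Host "ASR block events (1121) in the last 7 days : $(@($asrBlocks).Count)"
Write-Host "WDAC block events (3077) in the last 7 days: $(@($ciBlocks).Count)"

# Show the first message line per event so the blocked binary is visible.
@($asrBlocks) + @($ciBlocks) |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If the block events keep appearing after the signature version is at or above 1.391.1708.0, the cause is something other than the faulty definition discussed here.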