Why is my Windows agent installation failing?

You may come across a message "Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator." Installation fails when Attack Surface Reduction (ASR) rules are in place. Specifically, this occurs with the rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion." The rule blocks the msi from unpacking temporary files to the User Profile's \AppData\Local\Temp\ directory.

To fix this, create an exception using Inclusions and the MSI's public certificate.

  1. Extract the public certificate from the msi file: Right click the MSI -> Properties -> Digital Signatures tab -> Details -> View Certificate -> Details -> Copy to File. 
  2. Then select the DER encoded binary X509 (.cer)).
  3. Navigate to the Indicators page in Defender for Endpoint (Settings > Endpoints > Indicators (under Rules).
  4. Add an Indicator using the extracted .cer file. 

For more information on indicators, see https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-certificates?view=o365-worldwide

Was this article helpful?
3 out of 6 found this helpful
Have more questions?
Submit a request

Comments

0 comments

Article is closed for comments.

Articles in this section