Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Remediating Microsoft Defender ASR Blocking Executables

            Modified on Wed, Sep 17 at 3:42 PM

            Summary

            Some applications, including games such as Dune Awakening, may fail to launch when Microsoft Defender’s Attack Surface Reduction (ASR) rules are enabled.
            A common block notification looks like this:

            Risky action blocked
            App or process blocked: WmiPrvSE.exe
            Blocked by: Attack surface reduction
            Rule: Block process creations originating from PSExec and WMI commands
            Affected items: ...\SteamLibrary\steamapps\common\DuneAwakening\DuneSandbox.exe

            This behavior occurs because the game attempts to start a process through WMI (WmiPrvSE.exe), which ASR interprets as potentially malicious.

            Root Cause

            The ASR rule “Block process creations originating from PSExec and WMI commands” (GUID:
            D1E49AAC-8F56-4280-B9BA-993A6D77406C) prevents process launches initiated through WMI or PSExec.
            This rule is designed to stop malware that abuses WMI for lateral movement, but it can also block legitimate apps.

            Resolution

            Option 1: Add an ASR-Only Exclusion

            Normal Defender folder exclusions do not apply to ASR rules.
            You must configure an ASR-only exclusion for the affected executable.

            Local PowerShell command (run as Administrator):

            Add-MpPreference -AttackSurfaceReductionOnlyExclusions "F:\SteamLibrary\steamapps\common\DuneAwakening\DuneSandbox.exe"

            To exclude the whole Steam directory (less secure):

            Add-MpPreference -AttackSurfaceReductionOnlyExclusions "F:\SteamLibrary\steamapps\common"

            Option 2: Adjust the ASR Rule

            If exclusions aren’t sufficient, you can reconfigure the ASR rule:

            • Audit Mode – Logs but does not block.

            • Disabled – Turns off the rule entirely (not recommended).

            Switch to Audit Mode via PowerShell:

            Add-MpPreference -AttackSurfaceReductionRules_Actions @{ "D1E49AAC-8F56-4280-B9BA-993A6D77406C" = "AuditMode" }

            Option 3: Central Management (Intune or GPO)

            In enterprise environments, configure exclusions and rule settings through Microsoft Intune or Group Policy:

            • Intune: Endpoint Security → Attack Surface Reduction → Configure exclusions or set rule action.

            • GPO: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > ASR Rules.

            Recommendation

            • Use ASR-only exclusions for trusted applications rather than disabling rules.

            • Apply the exclusion to the specific executable (DuneSandbox.exe) instead of the entire directory where possible.

            • Use Audit Mode temporarily if troubleshooting multiple blocks.

            References

            Next Steps:
            YES Helpdesk staff can apply Option 1 locally for individual users, or escalate to YES Solution Architects for Intune/GPO policy changes if the issue is widespread throughout an organization.

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0