Support Forum: Get Support for Patch My PC Products and Services

Microsoft Configuration Manager and Intune (Enterprises/Paid) => Support and General Questions (Enterprises Using ConfigMgr and Intune) => Topic started by: synalis.schoeler on August 10, 2023, 06:59:49 AM

Title: Patch My PC and Attack Surface Reduction Rules
Post by: synalis.schoeler on August 10, 2023, 06:59:49 AM
Hello,

We are using PMPC alongside Intune and the Microsoft Defender stack. Recently we switched on Attack Surface Reduction (ASR) rules in Intune. They are designed to improve the security posture on devices. On reviewing the block events we noticed the "PatchMyPC-ScriptRunner.exe" file was blocked by one rule: "Block credential stealing from the Windows security authority subsystem."
Why is the file blocked for that reason (it needs to try to access the Windows local security subsystem, LSASS)? Has someone else had a similar experience, and did you notice an impact on app distribution?

I appreciate any feedback.
Title: Re: Patch My PC and Attack Surface Reduction Rules
Post by: Wes Mitchell on August 10, 2023, 10:12:17 AM
Hi Synalis
The ScriptRunner.exe will need to be excluded or Patch My PC applications will not work. There are some processes that it has to launch in the user context for notifications, which may be what is triggering the alert.
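A way to ground the exclusion decision in evidence before changing anything, as an added example that is not part of the thread and not Patch My PC's own tooling: the script below reads the Defender ASR block (1121) and audit (1122) events from the local operational log, summarizes which rule fired for which process, and only then shows where a path-scoped exclusion would go. The executable name is taken from the post above; the event data field names ("ID", "Path", "Process Name", "Target Commandline") follow the documented 1121 event layout and should be checked against a sample event on your own devices.

```powershell
# Added example (not from the forum thread or from Patch My PC).
# Summarize Microsoft Defender ASR events so an exclusion is scoped to what actually fired.
# Assumptions: run elevated on a device with Defender Antivirus; event data field names
# match the documented 1121/1122 events (verify against one event with .ToXml()).
$ProcessName = 'PatchMyPC-ScriptRunner.exe'   # from the original post

# 1121 = ASR rule blocked; 1122 = ASR rule in audit mode (would have blocked)
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Flatten each event's EventData into a row we can group and inspect
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Mode      = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId    = $data['ID']                 # ASR rule GUID
        Path      = $data['Path']               # file the rule acted on
        Process   = $data['Process Name']       # process that triggered the rule
        TargetCmd = $data['Target Commandline']
    }
}

# Which rules fired, for which process, how often: this is what justifies an exclusion
$summary = $rows |
    Where-Object { $_.Process -like "*$ProcessName*" -or $_.Path -like "*$ProcessName*" } |
    Group-Object RuleId, Process, Mode |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'RuleId';  e = { $_.Group[0].RuleId } },
                         @{ n = 'Process'; e = { $_.Group[0].Process } },
                         @{ n = 'Mode';    e = { $_.Group[0].Mode } },
                         @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } }
$summary | Format-Table -AutoSize

# Exclude by full path only, and only the path the events show. Per-rule exclusions
# ("ASR Only Per Rule Exclusions" in Intune) keep the LSASS rule intact for every other
# process; -AttackSurfaceReductionOnlyExclusions below is the broader, all-rules variant,
# so it is left disabled here and the Intune per-rule setting is the preferred route.
$ApplyExclusion = $false
$fullPath = ($rows | Where-Object { $_.Process -like "*$ProcessName*" } |
             Select-Object -First 1).Process
if ($ApplyExclusion -and $fullPath) {
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $fullPath
}

# Confirm what is currently excluded from ASR on this device
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions
```

Running it first in audit mode (1122 events) on a pilot group shows whether the rule fires on anything besides the Patch My PC process before the exclusion is deployed more widely.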
Title: Re: Patch My PC and Attack Surface Reduction Rules
Post by: synalis.schoeler on August 10, 2023, 11:39:48 PM
Thank you for the quick reply. That answers the question. :)
Title: Re: Patch My PC and Attack Surface Reduction Rules
Post by: trevorbuley on August 13, 2023, 07:02:56 PM
We use PMPC and ASR/WDAC.
The above works, but you also have to be careful with the ASR option of running PowerShell scripts in constrained language mode. Some scripts (Java install) fail.