Status Page
Monitoring -
Discontinuation of PST Export Service - 8/31

Effective August 31, 2022, AppRiver will no longer provide on-demand PST exports. Customers still have several options for performing this service, either through our products or on their own. One option is to add our CloudAlly service to their account. Customers can also create the exports themselves. We have a number of KnowledgeBase articles on that topic, including the following:


How do I export a PST File From Office 365 using eDiscovery?
How do I export a PST File by Date Range from Outlook 2013/2016?
How do I export PST File from Outlook 2013/2016?
How do I export data to a .pst file in Outlook 2013?



Additionally, Microsoft provides a guide for creating them from O365:

Export or backup email, contacts, and calendar to an Outlook .pst file



And if you are using macOS:

Export items to an archive file in Outlook for Mac



Please contact your account representative with any questions regarding this change and/or the CloudAlly product.


Aug 16, 2022 - 12:21 CDT
Update - Microsoft has announced deprecation, or sunsetting, of legacy authentication protocols (Basic Authentication), beginning October 1, 2022. Basic authentication has been replaced with Modern Authentication, which supports Multi-Factor Authentication for enhanced security.

IMPORTANT

To resolve the Outlook desktop disconnection issue, you will first need to ensure modern authentication is enabled on the local machine. The below article will walk you through how to enable Modern Authentication as well as provide you steps for getting Outlook successfully reconnected:

How to enable modern authentication for Outlook to resolve end of basic authentication issue - How do I enable Modern Authentication?

To resolve the Mobile Device disconnection issue, you will just need to remove the current account from the device and then add it back:

- iPhone Configuration
- Android Configuration

* All versions of Outlook and Office that are still supported today support the use of Modern Authentication.

* All modern mobile devices, including iPhones and other iOS devices, as well as Android devices including Samsung and Motorola devices, support Modern Authentication in their native email client applications (including the Gmail app for all modern Android devices).

* Outlook for iOS and Android supports Modern Authentication and is the recommended email client for mobile devices.

* While IMAP and POP protocols now support modern authentication, this is intended for continued use of third-party applications ONLY. There is no plan for Outlook clients to support OAuth for POP and IMAP, but Outlook can connect using MAPI/HTTP (Windows clients) and EWS (Outlook for Mac). IMAP, POP and SMTP Auth

Check out the latest blog post from Microsoft on this topic.

This WILL NOT affect domains that are on our Hosted Exchange (Hex) platform.


Oct 14, 2022 - 09:44 CDT
Update - We are continuing to monitor for any further issues.
Oct 14, 2022 - 09:26 CDT
Update - Microsoft has announced deprecation, or sunsetting, of legacy authentication protocols (Basic Authentication), beginning October 1, 2022. Basic authentication has been replaced with Modern Authentication, which supports Multi-Factor Authentication for enhanced security.

IMPORTANT:
What does this mean for your organization?

It is very unlikely your organization will be affected by the change as this is a phased rollout that has been occurring over a few years.
* Modern Authentication is already enabled by default for all Office 365 tenants.
* All versions of Outlook and Office that are still supported today support the use of Modern Authentication.
* All modern mobile devices, including iPhones and other iOS devices, as well as Android devices including Samsung and Motorola devices, support Modern Authentication in their native email client applications (including the Gmail app for all modern Android devices).
* Outlook for iOS and Android supports Modern Authentication and is the recommended email client for mobile devices.
* While IMAP and POP protocols now support modern authentication, this is intended for continued use of third-party applications. Microsoft recommends the use of Outlook on the Web (OWA) over POP or IMAP in mail client applications, including Microsoft Outlook desktop applications, for end users' email client access.
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online#pop-imap-and-smtp-auth

* AD Connect supports Modern Authentication for organizations with hybrid identity management.

There are a limited number of scenarios where an organization may have client applications that still use Basic authentication which could be affected. We have provided step by step instructions with links to resources for administrators to identify potentially affected applications and users in the following KB article for your reference:
https://support.zixcorp.com/app/answers/detail/a_id/1781

Microsoft has provided updates on this topic in a series of blog posts over the past few years to help administrators prepare for these changes to enhance security of Office 365 services and applications.
The official documentation including the announcement and resources to ensure your organization is prepared can be found here:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

To check out the latest blog post from Microsoft on this topic please refer to the following:
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-may-2022/ba-p/3301866

How to enable modern authentication for Outlook to resolve end of basic authentication issue - How do I enable Modern Authentication?

This WILL NOT affect domains that are on our Hosted Exchange (Hex) platform.

Sep 27, 2022 - 13:41 CDT
Update - Monitoring - Microsoft has announced deprecation, or sunsetting, of legacy authentication protocols (Basic Authentication), beginning October 1, 2022. Basic authentication has been replaced with Modern Authentication, which supports Multi-Factor Authentication for enhanced security.

IMPORTANT:
What does this mean for your organization?

It is very unlikely your organization will be affected by the change as this is a phased rollout that has been occurring over a few years.
* Modern Authentication is already enabled by default for all Office 365 tenants.
* All versions of Outlook and Office that are still supported today support the use of Modern Authentication.
* All modern mobile devices, including iPhones and other iOS devices, as well as Android devices including Samsung and Motorola devices, support Modern Authentication in their native email client applications (including the Gmail app for all modern Android devices).
* Outlook for iOS and Android supports Modern Authentication and is the recommended email client for mobile devices.
* While IMAP and POP protocols now support modern authentication, this is intended for continued use of third-party applications. Microsoft recommends the use of Outlook on the Web (OWA) over POP or IMAP in mail client applications, including Microsoft Outlook desktop applications, for end users' email client access.
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online#pop-imap-and-smtp-auth

* AD Connect supports Modern Authentication for organizations with hybrid identity management.

There are a limited number of scenarios where an organization may have client applications that still use Basic authentication which could be affected. We have provided step by step instructions with links to resources for administrators to identify potentially affected applications and users in the following KB article for your reference:
https://support.zixcorp.com/app/answers/detail/a_id/1781

Microsoft has provided updates on this topic in a series of blog posts over the past few years to help administrators prepare for these changes to enhance security of Office 365 services and applications.
The official documentation including the announcement and resources to ensure your organization is prepared can be found here:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

To check out the latest blog post from Microsoft on this topic please refer to the following:
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-may-2022/ba-p/3301866

How to enable modern authentication for Outlook to resolve end of basic authentication issue - How do I enable Modern Authentication? (zixcorp.com)

This WILL NOT affect domains that are on our Hosted Exchange (Hex) platform.

Sep 12, 2022 - 11:33 CDT
Update - We are continuing to monitor for any further issues.
Aug 25, 2022 - 14:39 CDT
Monitoring - Microsoft has announced deprecation, or sunsetting, of legacy authentication protocols (Basic Authentication), beginning October 1, 2022. Basic authentication has been replaced with Modern Authentication, which supports Multi-Factor Authentication for enhanced security.

IMPORTANT:
What does this mean for your organization?

It is very unlikely your organization will be affected by the change as this is a phased rollout that has been occurring over a few years.
* Modern Authentication is already enabled by default for all Office 365 tenants.
* All versions of Outlook and Office that are still supported today support the use of Modern Authentication.
* All modern mobile devices, including iPhones and other iOS devices, as well as Android devices including Samsung and Motorola devices, support Modern Authentication in their native email client applications (including the Gmail app for all modern Android devices).
* Outlook for iOS and Android supports Modern Authentication and is the recommended email client for mobile devices.
* While IMAP and POP protocols now support modern authentication, this is intended for continued use of third-party applications. Microsoft recommends the use of Outlook on the Web (OWA) over POP or IMAP in mail client applications, including Microsoft Outlook desktop applications, for end users' email client access.
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online#pop-imap-and-smtp-auth

* AD Connect supports Modern Authentication for organizations with hybrid identity management.

There are a limited number of scenarios where an organization may have client applications that still use Basic authentication which could be affected. We have provided step by step instructions with links to resources for administrators to identify potentially affected applications and users in the following KB article for your reference:
https://support.zixcorp.com/app/answers/detail/a_id/1781

Microsoft has provided updates on this topic in a series of blog posts over the past few years to help administrators prepare for these changes to enhance security of Office 365 services and applications.
The official documentation including the announcement and resources to ensure your organization is prepared can be found here:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

To check out the latest blog post from Microsoft on this topic please refer to the following:
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-may-2022/ba-p/3301866

This will not affect domains that are on our Hosted Exchange (Hex) platform.

Aug 03, 2022 - 10:08 CDT
Identified - Secure Cloud is experiencing intermittent issues ordering and migrating Microsoft products. This is due to several factors including:

1. Microsoft Partner Center API outages and instability due to high order volumes
2. Microsoft's rollout for the ordering changes (discontinuation of Legacy CSP ordering)

Due to the issues, some of the behavior you may experience includes:

1. Inability to access the O365 licensing page
2. Longer than expected completion time for Microsoft orders
3. Issues with management of O365 licensed users

This is our highest priority. We are actively working with Microsoft to mitigate and eliminate these issues as soon as possible.

Mar 10, 2022 - 16:03 CST
Monitoring - Below is the link to our statement about concerns with the conflict in Ukraine.

https://blogs.opentext.com/opentext-corporate-statement-concerning-the-conflict-in-ukraine/

Mar 07, 2022 - 08:12 CST
Monitoring - What change is occurring?
On October 1, 2022, Hosted Exchange will be disabling TLS 1.0 and TLS 1.1 and moving all of our online services to TLS 1.2.

How does this affect me?
As of October 1, 2022, Hosted Exchange will no longer support TLS 1.0 and 1.1. By October 1, 2022, all client and browser combinations should use TLS version 1.2 (or a later version) to ensure connection without issues to our services. This may require updates to certain clients and browser combinations. If you do not update to TLS version 1.2 (or later) by October 1, 2022, you may experience issues when connecting to Hosted Exchange. If you experience an issue related to the use of an old TLS version after October 1, 2022, you will be required to update to TLS 1.2 as part of the resolution.

What do I need to do to prepare for this change?
We recommend you proactively address weak TLS usage by removing TLS 1.0/1.1 dependencies in your environments and disabling TLS 1.0/1.1 at the operating system level where possible. Clients using Outlook 2010 for Windows or Outlook 2011 for Mac will need to be replaced with newer versions. Clients using Outlook 2013 SP1 (or higher) or Outlook 2016 for Mac will need to ensure that they are up to date. Windows 7 users can use TLS 1.2 client applications and browsers if changes are made using the following Microsoft guidance: Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows (microsoft.com).

Jul 14, 2022 - 16:13 CDT
Update - We have updated our plan of roll out to be March 8th at 9 AM CST.
Mar 07, 2022 - 13:01 CST
Monitoring -

As a security update to help combat spoofing and unauthorized email, we are making improvements to our Relay Server (relay.appriver.com) on March 1st, 2022. This server was mainly used for alerting or scan to email systems.


The security update will be an SPF record validation on incoming connections to our relay server. The SPF record check will verify that the sending IP address is listed in the domain's SPF record. We understand this improvement will require many customers to add their sending IP address to their SPF record. The Set Up a SPF Record for AppRiver Hosted Services article provides more information on setting up an SPF record for Zix|Appriver services. An example of a valid SPF record is below.


Example: "v=spf1 include:edgepilot.com ip4:1.2.3.4 ~all"


For O365 customers, you will need to use one of the options described in the How to set up a device or application to send using M365 article, because O365 is not permitted to use the relay server and doing so can lead to being blocked.


Feb 16, 2022 - 13:25 CST
Update - We have reverted the SPF security update for now. We are planning on implementing this in a future security update to our relay server. We recommend anyone using our relay server to update their SPF to include the IP of the application/software to avoid future issues.
Feb 03, 2022 - 11:24 CST
Update - We have scheduled this change to go into effect Feb 1st, 2022 (Tuesday). Please ensure your SPF records correctly list the IPs you will connect from to avoid issues with use of our Relay Server.
Jan 26, 2022 - 11:50 CST
Update - We are updating our security settings for our Relay Server, which is normally used for scan-to-email systems. We are implementing an SPF check on incoming connections to ensure the sender of the email is validly listed in their SPF records. Any customer using relay will need to follow the guide below and update their SPF record to include their sending IP. This will be in the format of "v=spf1 ip4:1.2.3.4 -all" as an example. The below article will go over this as well. If you have any questions, please reach out to support via ticket to support@appriver.com


SPF Update

Jan 24, 2022 - 08:48 CST
Identified - We are updating our security settings for our Relay Server, which is normally used for scan-to-email systems. We are implementing an SPF check on incoming connections to ensure the sender of the email is validly listed in their SPF records. Any customer using relay will need to follow the guide below and update their SPF record to include their sending IP. This will be in the format of "v=spf1 include:edgepilot.com ip4:1.2.3.4 -all" as an example. The below article will go over this as well. If you have any questions, please reach out to support via ticket to support@appriver.com


SPF Update

Jan 24, 2022 - 08:47 CST
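The SPF check described in the relay server notices above can be rehearsed offline before a device is pointed at the relay. The following is an added example, not AppRiver's code: it evaluates the `ip4`, `ip6`, `include` and `all` mechanisms against a constructed in-memory TXT table (all records, ranges and the `*.example` domains are made up), and treating only a `pass` as acceptable is an assumption about relay policy.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "ptr", "exists"}  # valid mechanisms, not resolved in this sketch
MAX_LOOKUPS = 10                          # RFC 7208 limit on DNS-querying terms

# Constructed TXT data standing in for DNS; none of these are real published records.
SAMPLE_DNS = {
    "customer.example": ["v=spf1 include:edgepilot.com ip4:1.2.3.4 ~all"],
    "edgepilot.com": ["v=spf1 ip4:198.51.100.0/24 -all"],   # made-up range
    "strict.example": ["v=spf1 ip4:1.2.3.4 -all"],
    "typo.example": ["v=sp1 ip4:1.2.3.4 -all"],             # wrong version tag
    "pasted.example": ["v=spf1 ip4:1.2.3.4 \u223call"],     # U+223C instead of "~"
}


def parse_record(record):
    """Split an SPF record into (qualifier, mechanism, value) terms.

    Returns None on any syntax error. RFC 7208 maps that to permerror even
    when an earlier term in the record would have matched.
    """
    terms = []
    for token in record.split()[1:]:
        if "=" in token.partition(":")[0]:          # modifier such as exp= or redirect=
            terms.append(("", "modifier", token.lower()))
            continue
        qualifier = "+"
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        name, _, value = token.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                value = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return None
            if value.version != int(name[2]):       # e.g. an IPv6 range under ip4:
                return None
        elif name == "include":
            if not value:
                return None
        elif name == "all":
            if value:
                return None
        elif name.partition("/")[0] in NEEDS_DNS:
            name = name.partition("/")[0]
        else:
            return None                             # unknown mechanism or stray character
        terms.append((qualifier, name, value))
    return terms


def check_spf(ip, domain, dns=SAMPLE_DNS, _lookups=None):
    """Return the SPF result for a connecting IP and a sender domain."""
    lookups = [0] if _lookups is None else _lookups
    addr = ipaddress.ip_address(ip)
    records = [t for t in dns.get(domain.lower(), [])
               if t.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return "none"                               # no SPF record published
    terms = parse_record(records[0]) if len(records) == 1 else None
    if terms is None:
        return "permerror"                          # syntax error or duplicate records
    for qualifier, name, value in terms:
        if name == "modifier":
            if value.startswith("redirect="):
                return "unsupported"                # not followed in this sketch
            continue
        if name in NEEDS_DNS:
            return "unsupported"
        if name == "all":
            matched = True
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"                  # also stops include loops
            inner = check_spf(ip, value, dns, lookups)
            if inner in ("none", "permerror"):
                return "permerror"
            if inner == "unsupported":
                return inner
            matched = inner == "pass"               # include matches only on a pass
        else:                                       # ip4 / ip6
            matched = addr in value
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def relay_accepts(ip, sender_domain, dns=SAMPLE_DNS):
    """Assumed relay policy: accept only when the sending IP is listed (pass)."""
    return check_spf(ip, sender_domain, dns) == "pass"
```

A record with a mistyped version tag evaluates to `none` and one containing a look-alike tilde to `permerror`, so neither authorizes the listed IP even though the address itself is correct.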
Secure Cloud Platform Operational
Customer Portal Operational
Partner Portal Operational
Billing Area Operational
Secure Hosted Exchange Operational
Exchange 2013/2016+ (EXG7) Operational
Office 365 Operational
Email Security Operational
Email Encryption Operational
Email Continuity Operational
Archive Operational
DNS Hosting Plus Operational
Support Infrastructure Operational
AppRiver Phone System Operational
AppRiver Live Chat Operational
Past Incidents
Feb 2, 2023

No incidents reported today.

Feb 1, 2023

No incidents reported.

Jan 31, 2023

No incidents reported.

Jan 30, 2023

No incidents reported.

Jan 29, 2023

No incidents reported.

Jan 28, 2023

No incidents reported.

Jan 27, 2023

No incidents reported.

Jan 26, 2023

No incidents reported.

Jan 25, 2023
Resolved - Users may have been unable to access multiple Microsoft 365 services
ID: MO502273

Status
Service Degradation

Impacted services
Microsoft 365 suite, Exchange Online

Restored services
SharePoint Online, Power BI, Microsoft Intune, OneDrive for Business, Microsoft Teams, Microsoft Defender for Cloud Apps

Details
Title: Users may have been unable to access multiple Microsoft 365 services

User Impact: Users may have been unable to access multiple Microsoft 365 services.

More info: Impact was to the following services, but was not limited to them:

-Microsoft Teams

-Exchange Online

-Outlook

-SharePoint Online

-OneDrive for Business

-Microsoft Graph

-Power BI

-Microsoft 365 admin portal

-Microsoft Intune

-Microsoft Defender for Cloud Apps, Identity and Endpoint.

Users who could access may have experienced degraded feature functionality within the services.

Final status: We've confirmed, after a period of monitoring, that the majority of impacted services have been recovered and remain stable. We're investigating some potential impact to the Exchange Online Service when connecting through Outlook on the web. For further information on the impact to the Exchange Online service please see EX502694 in the Service Health Dashboard.

Scope of impact: Any user serviced by the affected infrastructure may have been unable to access multiple Microsoft 365 services.

Start time: Wednesday, January 25, 2023, at 7:05 AM UTC

End time: Wednesday, January 25, 2023, at 12:43 PM UTC

Preliminary root cause: A wide-area networking (WAN) routing change resulted in users being unable to access multiple Microsoft 365 services.

Jan 25, 10:04 CST
Identified - The majority of services have recovered, and the service is stable. Engineers are continuing to take actions to investigate and mitigate any residual impact caused by this incident.

This quick update is designed to give the latest information on this issue.

Title: Users may be unable to access multiple Microsoft 365 services

User Impact: Users may be unable to access multiple Microsoft 365 services.

More info: Impact is occurring to the following services but is not limited to them:

-Microsoft Teams

-Exchange Online

-Outlook

-SharePoint Online

-OneDrive for Business

-Microsoft Graph

-Power BI

-Microsoft 365 admin portal

-Microsoft Intune

-Microsoft Defender for Cloud Apps, Identity and Endpoint.

Users who can access may experience degraded feature functionality within the services.

Current status: The majority of the services have recovered and remain stable. However we’re investigating limited residual impact within the Exchange Online Service and we're performing targeted mitigations to resolve the issue.

Scope of impact: Any user serviced by the affected infrastructure may be unable to access multiple Microsoft 365 services.

Root cause: A wide-area networking (WAN) routing change is causing impact to the multiple services.

Next update by: Wednesday, January 25, 2023, 8:00 AM (2:00 PM UTC)

Jan 25, 07:09 CST
Update - Microsoft is continuing to investigate this issue.
Jan 25, 03:46 CST
Investigating - Users are currently having issues with the following Microsoft services: -Microsoft Teams -Exchange Online -Outlook -SharePoint Online -OneDrive for Business -Microsoft Graph -Power BI -Microsoft 365 Admin Center. Any user serviced by the affected infrastructure may be unable to access multiple Microsoft 365 services.

Microsoft is currently working on getting the issue resolved and has provided no ETR.

Jan 25, 03:45 CST
Jan 24, 2023

No incidents reported.

Jan 23, 2023
Resolved - We have resolved the delivery issue and have confirmed email delivery has resumed for those affected customers. We apologize for any inconvenience this may have caused.
Jan 23, 12:57 CST
Investigating - We are currently experiencing an issue which is affecting a subset of customers who have O365 as a mail hosting provider. We are working on resolving this issue currently. We apologize for any inconvenience this may be causing.
Jan 23, 11:12 CST
Jan 22, 2023

No incidents reported.

Jan 21, 2023

No incidents reported.

Jan 20, 2023
Resolved - Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
ID: MO497128


Status
Service Restored

Impacted services
Microsoft 365 suite

Details
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users were unable to utilize the Application shortcuts on the Start menu, taskbar, and desktop.

More info: Shortcut icons in the Start menu, taskbar, or desktop may have no longer been visible or may not have worked as intended. Additionally, for some users, they may have received errors when trying to run Executable (.exe) files, if they had dependencies on an affected shortcut file path. Further information remains published here: https://link.edgepilot.com/s/5324b7bf/ZLBpdLzsi0qwXnFzzOxzIA?u=https://github.com/microsoft/MDE-PowerBI-Templates/blob/master/ASR_scripts/ASR_rule_Block_Win32_API_calls_from_Office_Macro_issue_Q%2526A.md

We've completed an update deployment within the security intelligence build(s) 1.381.2164.0 and later, on Friday, January 13, 2023, at 6:03 PM UTC. This fix update did not restore previously removed shortcut files, but it did prevent any additional shortcut files from being removed by the incorrect detection logic.

Customers are encouraged to update Microsoft Defender to build 1.381.2164.0 or later.

- Customers utilizing automatic updates for Microsoft Defender antivirus do not need to take additional action to receive the updated security intelligence build.

- Administrators who manage updates directly can download the latest update and deploy it across their environment(s), more information here: https://link.edgepilot.com/s/96498117/930N4w0NO0KCygFIjgN1Iw?u=https://www.microsoft.com/en-us/wdsi/defenderupdates

Final status: We previously completed an update deployment within the security intelligence build(s) 1.381.2164.0 and later, on Friday, January 13, 2023, at 6:03 PM UTC, which has corrected the behavior. Customers are encouraged to update Microsoft Defender to build 1.381.2164.0 or later. Further updates regarding this issue will be made available through the Microsoft Tech Community post: https://link.edgepilot.com/s/c7dc1941/xlwiSRgsxE_svlGT2P1uEw?u=https://aka.ms/asrfprecovery.

Scope of impact: This issue may have affected users within your organization; it was not specific to Office apps and could have impacted any application's shortcut file. There was no impact for customers who (1) did not have the “Block Win32 API calls from Office macro” rule turned on in block mode or, (2) did not update to an affected security intelligence build(s) 1.381.2134.0, 1.381.2140.0, 1.381.2152, and 1.381.2163.0.

Start time: Friday, January 13, 2023, at 8:51 AM UTC

End time: Thursday, January 19, 2023, at 6:47 AM UTC

Root cause: During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to an affected security intelligence build(s) 1.381.2134.0, 1.381.2140.0, 1.381.2152, and 1.381.2163.0. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were subsequently removed.

Next steps:

- We're improving our testing and deployment procedures to reduce the possibility of broad impact during scenarios related to this.

- We're making improvements to our detection behaviors, to further reduce the time to detection for related scenarios.

- We’re incorporating additional updates to prevent the incorrect removal of files not intended to be within scope for the ASR scan logic.

Jan 20, 14:48 CST
Identified - Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
ID: MO497128


Status
Restoring Service

Impacted services
Microsoft 365 suite

Restored services
Microsoft 365 apps, Microsoft 365 Defender

Details
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users are unable to utilize the Application shortcuts on the Start menu, taskbar, and desktop.

More info: Shortcut icons in the Start menu, taskbar, or desktop may no longer be visible or may not work as intended. Additionally, for some users, they may receive errors when trying to run Executable (.exe) files, if they have dependencies on an affected shortcut file path. More information has been published here: https://link.edgepilot.com/s/5ac402ec/B1Y_ORYnEEOQULQ18x5tpA?u=https://github.com/microsoft/MDE-PowerBI-Templates/blob/master/ASR_scripts/ASR_rule_Block_Win32_API_calls_from_Office_Macro_issue_Q%2526A.md

We've completed an update deployment within the security intelligence build(s) 1.381.2164.0 and later, on Friday, January 13, 2023, at 6:03 PM UTC. This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being removed by the incorrect detection logic.

Customers are encouraged to update Microsoft Defender to build 1.381.2164.0 or later.

- Customers utilizing automatic updates for Microsoft Defender antivirus do not need to take additional action to receive the updated security intelligence build.

- Administrators who manage updates directly can download the latest update and deploy it across their environment(s), more information here: https://link.edgepilot.com/s/66fd2f18/LHJ1noeDckKKKNwX-jqXqg?u=https://www.microsoft.com/en-us/wdsi/defenderupdates

Microsoft has confirmed the effectiveness of steps that administrators and users can take to re-create start menu links for a significant subset of the affected applications that were removed. These steps have been consolidated into the PowerShell script in the following link to help admins take recovery actions within their environment. Users or admins must be a local administrator on the machine that the script will be run on: https://link.edgepilot.com/s/08c13429/JMP0-XLSYU_NU3MeR9HysQ?u=https://aka.ms/asrfprecovery

Current status: An additional update has been made to the Microsoft Tech Community post: https://link.edgepilot.com/s/08c13429/JMP0-XLSYU_NU3MeR9HysQ?u=https://aka.ms/asrfprecovery. The blog continues to include the latest version of the script, provides resources for some admins to identify affected machines or files within their environment, and additional steps intended to further aid customers in recovering affected shortcut files.

Scope of impact: This issue may affect users within your organization; it is not specific to Office apps and can impact any application's shortcut file. There is no impact for customers who (1) did not have the “Block Win32 API calls from Office macro” rule turned on in block mode or, (2) did not update to an affected security intelligence build(s) 1.381.2134.0, 1.381.2140.0, 1.381.2152, and 1.381.2163.0.

Start time: Friday, January 13, 2023, at 8:51 AM UTC

Root cause: During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to an affected security intelligence build(s) 1.381.2134.0, 1.381.2140.0, 1.381.2152, and 1.381.2163.0. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were subsequently removed.

Next update by: Friday, January 20, 2023, at 8:00 PM UTC

Jan 20, 14:40 CST
Update - Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
ID: MO497128


Status
Restoring Service

Impacted services
Microsoft 365 suite, Microsoft 365 apps, Microsoft 365 Defender

Details
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.

More info: The shortcut icons in the taskbar or Start menu may no longer be visible or may not work as intended. Additionally, for some users, they may receive errors when trying to run Executable (.exe) files, if they have dependencies on the shortcut file path.

We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, at 6:03 PM UTC. This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.

Microsoft has confirmed steps that users can take to recreate start menu links for a significant subset of the affected applications that were deleted. These steps have been consolidated into the PowerShell script in the following link. Users must be a local administrator on the machine that the script will be run on: https://link.edgepilot.com/s/49ebf4e9/9CDT6TkuSk2yRN7WoLCSDQ?u=https://aka.ms/asrfprecovery

Current status: We've provided an update to https://link.edgepilot.com/s/49ebf4e9/9CDT6TkuSk2yRN7WoLCSDQ?u=https://aka.ms/asrfprecovery that includes additional details regarding the issue as well as instructions to deploy the script using Microsoft Intune. We're continuing to perform extensive internal tests and are also reviewing customer feedback so we can improve upon the provided workaround details and include additional apps and scenarios. We'll provide updates to https://link.edgepilot.com/s/49ebf4e9/9CDT6TkuSk2yRN7WoLCSDQ?u=https://aka.ms/asrfprecovery as we validate our findings.

Scope of impact: This issue likely affects users within your organization and is not specific to Office apps, and can impact any application's shortcut file. There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update build 1.381.2140.0.

Start time: Friday, January 13, 2023, at 8:51 AM UTC

Root cause: During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence build 1.381.2140.0. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were subsequently removed.

Next update by: Monday, January 16, 2023, at 8:00 PM UTC

Jan 16, 19:44 CST
Update - Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
ID: MO497128

Status
Service Degradation

Impacted services
Microsoft 365 suite, Microsoft 365 apps, Microsoft 365 Defender

Details
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.

More info: The shortcut icons may not appear or may not work. Additionally, some users may receive errors when trying to run executable (.exe) files that depend on the shortcut file path.

While we investigate the underlying issue, users can directly launch Office Apps by using the Office App, or through the Microsoft 365 app launcher. More details on the Microsoft 365 app launcher can be found here: https://link.edgepilot.com/s/0089c8d8/ls0liFZiGEGdjqyMQ68B0w?u=https://support.microsoft.com/en-us/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a

If appropriate, admins can put the Attack Surface Reduction (ASR) rule into Audit Mode to avoid further impact. Please note that you may need to re-enable the rule once the issue has been fully resolved. This can be done through one of the following methods:

- Using PowerShell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode

- Using Intune: https://link.edgepilot.com/s/771f333b/3PjdizBHPkWZud3MgDosxQ?u=https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide%23mem

- Using Group Policy: https://link.edgepilot.com/s/14f6930a/8JY0szeno02Hou9rpBMmYQ?u=https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide%23group-policy

- For clarity, note that ASR rule "Block Win32 API calls from Office macros" with ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b is the offending rule.

If determined appropriate for your environment, you can also set the rule to disabled mode. Please note that you may need to manually re-enable the rule once the issue has been fully resolved. In that case, please use the following PowerShell command:

Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled

Current status: The hotfix has completed its deployment within the build 1.381.2164.0. If you have automatic updates enabled, the tool will fetch the update the next time the service checks for updates. This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed. We're investigating shortcut files that have already been affected by this issue.

Additional guidance on the manual mitigation steps detailed in the “more info” section remains available for customers who have not yet adopted the new build containing the fix.

Scope of impact: This issue likely affects users within your organization and is not specific to Office Apps, and can impact any application's shortcut file. There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update build 1.381.2140.0.
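
The impact conditions above can be checked on a single device with the report-only script below. It is an added example, not part of the original advisory or of Microsoft's recovery script. It reads the rule's configured mode and the installed security intelligence build and changes nothing. Treating every build from 1.381.2140.0 up to, but not including, 1.381.2164.0 as affected is an assumption drawn from the two build numbers in the advisory.

```powershell
# Added example: report-only check of the advisory's impact conditions.
# Run in an elevated PowerShell session on a device using Microsoft Defender Antivirus.
$RuleId      = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'  # rule ID quoted in the advisory
$FaultyBuild = [version]'1.381.2140.0'                 # build that introduced the false positives
$FixedBuild  = [version]'1.381.2164.0'                 # build that contains the hotfix
# Numeric action values as reported by Get-MpPreference
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    param([Parameter(Mandatory)][string]$Id)
    # Rule IDs and actions are stored as two parallel arrays.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) { return [int]$actions[$i] }
    }
    return $null  # rule is not configured on this device
}

$action = Get-AsrRuleAction -Id $RuleId
$build  = [version](Get-MpComputerStatus).AntivirusSignatureVersion

if ($null -eq $action) {
    $mode = 'NotConfigured'
} elseif ($ActionNames.ContainsKey($action)) {
    $mode = $ActionNames[$action]
} else {
    $mode = "Unknown($action)"
}

if ($mode -ne 'Block') {
    $verdict = 'Rule is not in block mode: no impact per the advisory.'
} elseif ($build -lt $FaultyBuild) {
    $verdict = 'Block mode, but the device has not yet taken the faulty build.'
} elseif ($build -ge $FixedBuild) {
    $verdict = 'Hotfix build or later: no further removals; removed shortcuts are not restored.'
} else {
    # Assumption: builds between the faulty build and the hotfix are affected.
    $verdict = 'Block mode on a pre-hotfix build: update security intelligence or use audit mode.'
}

[pscustomobject]@{
    RuleMode                  = $mode
    SecurityIntelligenceBuild = $build
    Verdict                   = $verdict
}
```
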

Start time: Friday, January 13, 2023, at 8:51 AM UTC

Next update by: Friday, January 13, 2023, at 10:00 PM UTC

Jan 13, 15:23 CST
Investigating - Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
ID: MO497128

Status
Service Degradation

Impacted services
Microsoft 365 suite, Microsoft 365 Defender

Details
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.

More info: The shortcut icons may not appear or may not work.

While we investigate the underlying issue, users can directly launch Office Apps by using the Office App, or through the Microsoft 365 app launcher. More details on the Microsoft 365 app launcher can be found here: https://link.edgepilot.com/s/ce8ff825/jqKvGi9W4U6z10hyWcViOw?u=https://support.microsoft.com/en-us/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a

Current status: We've identified that a specific rule was resulting in impact. We've disabled the rule and we're testing to verify that this provides relief.

Scope of impact: Impact is specific to some users who are served through the affected infrastructure.

Next update by: Friday, January 13, 2023, at 3:00 PM UTC

Jan 13, 09:17 CST
Jan 19, 2023

No incidents reported.