• Welcome to Support Forum: Get Support for Patch My PC Products and Services.
 

Has someone else had a similar experience

Started by Thadders, April 02, 2025, 01:00:42 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Thadders

April 02, 2025, 01:00:42 AM
Hello,

We are using PMPC alongside Intune and the Microsoft Defender Stack. Recently we switched on Attack Surface Reduction (ASR) Rules in Intune. They were designed for improving the security Posture on devices. On reviewing the Block Events we noticed the "PatchMyPC-ScriptRunner.exe" file was blocked by one Rule: "Block credential stealing from the Windows security authority subsystem."
Why is the file blocked for that reason (It needs to try to access the Windows local security subsystem LSASS). Has someone else  had a similar experience and did you notice an Impact in App Distribution?

I appreciate any Feedback.

Liviu (Patch My PC)

#1
April 02, 2025, 06:43:57 AM Last Edit: April 02, 2025, 06:46:31 AM by Liviu (Patch My PC)
Hello Thadders,

LSASS is used when displaying the "Conflicting Processes" deferral notification to end users, to allow them to postpone the installation if needed.
Are you using the "Manage conflicting processes" right-click option>
Using that functionality is how the notification is displayed to the logged on user while Intune does the installation of the software in the SYSTEM context.

Please note that Microsoft recommends whitelisting the IMECache folder from AV scans to prevent win32 app installation issues such as this one.
https://patchmypc.com/recommended-antivirus-exclusions
Print
Go Up Pages1
User actions