Event ID 1121 – Exploit Guard – Microsoft Intune

Event ID 1121 – Exploit Guard – Microsoft Intune

Today I was getting Event ID 1121 in Windows Event Viewer while managing Windows Defender through Microsoft Intune. It took me a little bit of time to track down the exact cause as Microsoft have removed the GUIDs from the descriptions in the policy properties. I thought it would be a good idea to give an overview and include some useful references.

Background

Firstly, this blog applies to those running Attack Surface Reduction (ASR) through Microsoft Intune. These settings can be managed through Config Mgr or Group Policy but they are not in the scope of this post.

In this scenario, I have an ASR rule setup to point to a group of devices. The rule that I have setup, prevent Word from performing some legacy functions required in an old .Net 3rd party application. To fix the problem, the ASR rule needed to be changed.

Warning, make sure you have fully considered the consequences of lowering security rules in your organisation and always test before pushing live.

If you want to learn more about ASR rules, you can do some further reading from the Microsoft Docs Attack Surface Reduction Rules – Learn More | Microsoft Docs

The Problem – Event ID 1121

A third party application we use is producing this error in Event Viewer. The user is unable to use the application to retrieve the data they need.

Event Viewer – Event ID 1121

This event information can be found here:

Event Viewer | Applications and Services Logs | Microsoft | Windows | Windows Defender | Operational

The details of the event show some very useful information. As you can see from the image below

Event Viewer- GUID Location

If we unpack the details here, the key part is the ID which I have pointed directly at. This is what is going to tell you which part of the policy is affecting your users.

We can also confirm we have the correct error by checking the affected applications.

We can use this ID to work out the solution.

The Solution – Intune ASR Rules

Head over to Intune. Specifically in the Endpoint Security blade.

Endpoint Security | Attack Surface Reduction | Select your ASR rule for the affected device(s)

Select Properties and click Edit next to the Configuration Settings section

Now we need to use that ID from the event viewer details to determine the cause of the issue.

Unfortunately it looks like Microsoft have removed the GUID from the policy tip that used to appear next to each setting. So I have included a table below which should help navigate the policy easier.

In the GUID column you will find the ID from the Event Viewer entry details and in the Name you will find the name of the policy setting as it appears in Intune

GUIDName
e6db77e5-3df2-4cf1-b95a-636979351e5bBlock persistence through WMI event subscription
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2Block credential stealing from the Windows local security authority subsystem (lsass.exe)
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2cBlock Adobe Reader from creating child processes
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84Block Office applications from injecting code into other processes
3B576869-A4EC-4529-8536-B80A7769E899Block Office applications from creating executable content
D4F940AB-401B-4EFC-AADC-AD5F3C50688ABlock all Office applications from creating child processes
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7BBlock Win32 API calls from Office macro
26190899-1602-49e8-8b27-eb1d0a1ce869Block Office communication apps from creating child processes 
5BEB7EFE-FD9A-4556-801D-275E5FFC04CCBlock execution of potentially obfuscated scripts (js/vbs/ps)
D3E037E1-3EB8-44C8-A917-57927947596DBlock JavaScript or VBScript from launching downloaded executable content 
d1e49aac-8f56-4280-b9ba-993a6d77406cBlock process creations originating from PSExec and WMI commands
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4Block untrusted and unsigned processes that run from USB
01443614-cd74-433a-b99e-2ecdc07bfc25eBlock executable files from running unless they meet a prevalence, age, or trusted list criteria
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550Block executable content download from email and webmail clients
c1db55ab-c21a-4637-bb3f-a12568109d35Use advanced protection against ransomware
Intune GUID to Description Reference Table

To Fix

Once you have located the correct setting in the policy, you need to change it from Block to one of the other optional settings. You can change to

  • Not Configured
  • Block
  • Audit Mode
  • Warn [not available for all settings]

Warn is new and my favoured option here. This pops up a warning to the user that the action they are about to perform is risky. Gives them the chance to allow it. If they allow its, its only for 24 hours and then its automatically blocked again. The cycle will then repeat as many times as required.

After you have changed the setting, make sure you save the policy!

Remember

One thing you need to remember, once you have made a change in Intune, you need to sync your device settings.

You can hurry the process up by going to Settings | Accounts | Access Work or School | Click the connected Domain | Info | Sync

You may experience a delay for your settings to sync, I have seen this take 30 minutes plus, even with hitting the sync button.

Comments are closed.