Phase 1 Security Update – Office Protection ASR
Beginning September 2025, your Windows computer will receive the first set of Microsoft Defender Attack Surface Reduction (ASR) rules.
These five rules focus on Microsoft Office and are designed to stop some of the most common malware techniques—before they do harm.
What exactly is changing?
Rule (plain-English name) | What it stops | Typical attacker goal it breaks |
|---|---|---|
Block all Office apps from creating child processes | Prevents Word, Excel, PowerPoint, etc. from secretly launching other programs (for example | Drop or run ransomware after a user opens a malicious doc. (Microsoft Learn) |
Block Office communication apps (Outlook, Teams, Skype) from creating child processes | Same protection, but scoped to mail/chat clients. | Use a booby-trapped email to run malware. (Microsoft Learn) |
Block Office apps from creating executable content | Stops Office files or macros from saving | Write a hidden malware file to your PC. (Microsoft Learn) |
Block Office apps from injecting code into other processes | Blocks techniques that insert malicious code into trusted programs. | Hide inside a legitimate process to evade antivirus. (Microsoft Learn) |
Block Win32 API calls from Office macros | Prevents advanced macros from calling low-level Windows functions. | Disable security tools or tamper with the OS. (Microsoft Learn) |
How this helps you
Stops “macro-based” malware often delivered via email attachments.
Reduces zero-day risk—these rules look at behavior, not just known virus signatures.
No action needed on your part; the policies come through automatically.
When will I see this?
Date | What you may notice |
|---|---|
Sept 15 - Sept 30 (Audit mode) | The rules run silently. ITS reviews logs but nothing is blocked yet. |
Oct 1 onward (Block mode) | If a macro or add-in tries something disallowed, Windows Security shows a pop-up |
Could this affect my work?
Most people will not notice a change.
However, advanced Excel add-ins, mail-merge scripts, or macros that launch other programs might be blocked. Known examples elsewhere include:
Excel add-ins that spawn msedgewebview2.exe to render web content (Microsoft Learn)
Outlook plug-ins that rely on helper executables (Microsoft Learn)
Macros that call Windows API functions, causing Outlook icons or browser shortcuts to disappear (Microsoft Learn)
If you see the block toast and something you legitimately need stops working, follow the steps below.
What to do if you’re blocked
Take a screenshot of the Windows Security notification (or note the rule name and time).
Try again — sometimes the first launch of an add-in triggers a one-time block.
Contact ITS with the details:
How to reach us | What to include |
|---|---|
Ticket: https://kb.uconn.edu/portal/1?createRequest=true&portalId=1&requestTypeId=83 | |
Phone: 860-486-4357 | Same info as above |
Email: techsupport@uconn.edu | Attach the screenshot if possible |
If the software is business-critical and passes a security check, we can create a per-rule exception so it works without lowering protection for everyone else.
Frequently Asked Questions
Question | Answer |
|---|---|
Will this stop normal Office macros? | Standard macros that automate tasks inside Office usually still run. Only risky behaviors (launching programs, writing executables, calling low-level APIs) are blocked. |
Can I turn the rule off myself? | No, the policy is managed centrally to keep the environment secure. |
I build legitimate macros—how can I test? | During the Audit window (July 15 – Aug 5) nothing is blocked, but events are logged. Run your workflow then; if it appears in the ITS audit reports we’ll contact you proactively. |
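For macro and add-in authors who want to see what the audit phase recorded on their own machine, the following is an added example, not ITS's or Microsoft's code. It assumes your account can read the local Defender operational log (this may need an elevated prompt); the function name `Get-OfficeAsrEvent` is hypothetical, and the rule GUIDs and event IDs come from Microsoft's ASR documentation rather than from this page.

```powershell
# Added example: list audit/block events for the five Office ASR rules.
# GUIDs are Microsoft's published rule IDs; the names are the ones used on this page.
$OfficeAsrRules = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office apps from creating child processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication apps from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from creating executable content'
    '75668c1f-73b5-4cf2-bb93-3ecf5cb7cc84' = 'Block Office apps from injecting code into other processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
}

function Get-OfficeAsrEvent {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122     # 1121 = rule blocked, 1122 = rule audited
        StartTime = $Since
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Collect the named <Data> fields of the event into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only events raised by one of the five Office rules above.
        $ruleId = "$($data['ID'])".ToLower()
        if ($OfficeAsrRules.ContainsKey($ruleId)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
                Rule    = $OfficeAsrRules[$ruleId]
                Process = $data['Process Name']   # the Office app that triggered the rule
                Target  = $data['Path']           # the file or program it tried to touch
            }
        }
    }
}

# Run your macro or add-in workflow first, then review the last 7 days.
Get-OfficeAsrEvent -Since (Get-Date).AddDays(-7) | Sort-Object Time | Format-Table -AutoSize -Wrap
```

An `Audit` row for your workflow means the same action will be stopped once the rule is in Block mode; include the rule name and time from that row when you contact ITS.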