Secure Exchanges encounters an error during the update

Microsoft Office error during Secure Exchanges update (ASR blockage)


1. Context

Microsoft Defender includes an attack surface reduction (ASR) rule called "Block executable content from email client and webmail". This rule blocks all content considered executable when it originates from an email or an email client (Outlook, webmail, etc.).

Info
Secure Exchanges uses ClickOnce to deploy updates to C:\Users\[username]\AppData\Local\Apps\2.0\

ASR rule parameters:

Rule name:    Block executable content from email client and webmail
GUID:         BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Intune name:  Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
Notes:        The blockage occurs during the Secure Exchanges connector update, not during the initial installation.

2. Identify the blockage in Microsoft Defender

2.1 Kusto query (Advanced Hunting)

To confirm that the ASR rule is responsible for the problem, use the following query in Microsoft 365 Defender > Advanced Hunting:


DeviceEvents
| where ActionType == "AsrExecutableEmailContentBlocked"
| where FileName contains "SecureExchanges"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
| order by Timestamp desc

2.2 Typical result

In the results, you will see:
  1. ActionType: AsrExecutableEmailContentBlocked
  2. FileName: SecureExchangesSDK.dll
  3. FolderPath: C:\Users\[username]\AppData\Local\Apps\2.0\...

3. Why is SecureExchangesSDK.dll blocked?

Secure Exchanges uses a software component (DLL) to:
  1. Manage secure communication between Outlook and the server
  2. Confirm actions performed in Outlook (sending encrypted messages)
  3. Process encrypted and decrypted messages
Info
This is not a real threat. It's a common false positive in secure environments.

4. Security principle: targeted exclusions

Alert
Never exclude the entire folder C:\Users\*\AppData\Local\Apps\2.0\
ClickOnce stores ALL applications deployed via ClickOnce in this folder. By excluding this folder, you:
  1. Disable ASR protection for all ClickOnce applications
  2. Create a major security vulnerability
  3. Allow an attacker to deploy malware via ClickOnce undetected

5. Understanding the types of ASR exclusions

Warning
Crucial point: The type of exclusion depends on your management tool. This distinction is essential for security.
Tool            Type of exclusion   Impact
Intune / MDE    Per-rule            Exclusion applied ONLY to the specific rule.
GPO             Global              Exclusion applied to ALL active ASR rules.
MECM / SCCM     Global              Exclusion applied to ALL active ASR rules.
PowerShell      Global              Exclusion applied to ALL active ASR rules.

6. Files to exclude

The following paths must be added to the exclusions:

Secure Exchanges core DLLs
C:\Users\*\AppData\Local\Temp\Deployment\*\*\SecureExchangesSDK.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\OSecureExchange.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\OSecureExchange.resources.dll

C:\Users\*\AppData\Local\Apps\2.0\*\*\SecureExchangesSDK.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\OSecureExchange.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\OSecureExchange.resources.dll
iText DLLs
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.barcodes.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.bouncy-castle-adapter.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.bouncy-castle-connector.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.commons.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.forms.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.io.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.kernel.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.layout.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.pdfa.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.pdfua.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.sign.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.styledxmlparser.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.svg.dll

C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.barcodes.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.bouncy-castle-adapter.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.bouncy-castle-connector.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.commons.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.forms.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.io.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.kernel.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.layout.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.pdfa.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.pdfua.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.sign.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.styledxmlparser.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.svg.dll
Third-party DLLs
C:\Users\*\AppData\Local\Temp\Deployment\*\*\BouncyCastle.Cryptography.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\CsvHelper.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\Newtonsoft.Json.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\PhoneNumbers.dll

C:\Users\*\AppData\Local\Apps\2.0\*\*\BouncyCastle.Cryptography.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\CsvHelper.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\Newtonsoft.Json.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\PhoneNumbers.dll
Info
Multiple wildcards (*\*\) are needed to cover the variable folder structure of ClickOnce.

A. Applying the exclusions via Intune

Info
Intune allows you to configure exclusions per rule (ASR Only Per Rule Exclusions), limiting the impact on overall security.
  1. Go to Endpoint Security → Attack Surface Reduction
  2. Select or create an ASR policy
  3. Locate the rule "Block executable content from email client and webmail"
  4. In ASR Only Per Rule Exclusions, add the paths from section 6
  5. Save and deploy the policy

B. Applying the exclusions via GPO (enterprise deployment)

Info
Exclusions configured via GPO apply to ALL ASR rules, not just the rule in question.
  1. Open gpedit.msc (or GPMC for a domain)
  2. Navigate to: Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Microsoft Defender Exploit Guard → Attack Surface Reduction
  3. Double-click "Exclude files and paths from attack surface reduction rules"
  4. Enable the policy and add the paths from section 6
  5. Apply the policy: gpupdate /force

C. Applying the exclusions via PowerShell

Info
As with GPO, PowerShell exclusions are GLOBAL and apply to all ASR rules.

Add an exclusion:

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\*\AppData\Local\Apps\2.0\*\SecureExchangesSDK.dll"

Check current exclusions:

Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionOnlyExclusions
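The following script is an added example, not code from the Secure Exchanges knowledge base or from Microsoft. It applies the full section 6 list through Add-MpPreference in one pass, skips entries that are already configured, and refuses any path that is broader than a single DLL, so the section 4 principle (never exclude the whole Apps\2.0 folder) is enforced by the script itself. It assumes an elevated PowerShell session on the workstation; the base paths and DLL names are the ones listed in section 6, and Test-TargetedExclusion is a helper name chosen for this example.

```powershell
# Added example (not from the Secure Exchanges knowledge base or from Microsoft).
# Applies the section 6 file-level ASR exclusions and refuses folder-level paths.
# Assumes an elevated PowerShell session; Test-TargetedExclusion is a name chosen here.

# The two ClickOnce locations from section 6; *\*\ covers the variable folder structure.
$basePaths = @(
    'C:\Users\*\AppData\Local\Temp\Deployment\*\*',
    'C:\Users\*\AppData\Local\Apps\2.0\*\*'
)

# DLL names from section 6 (core, iText and third-party).
$dllNames = @(
    'SecureExchangesSDK.dll', 'OSecureExchange.dll', 'OSecureExchange.resources.dll',
    'itext.barcodes.dll', 'itext.bouncy-castle-adapter.dll', 'itext.bouncy-castle-connector.dll',
    'itext.commons.dll', 'itext.forms.dll', 'itext.io.dll', 'itext.kernel.dll',
    'itext.layout.dll', 'itext.pdfa.dll', 'itext.pdfua.dll', 'itext.sign.dll',
    'itext.styledxmlparser.dll', 'itext.svg.dll',
    'BouncyCastle.Cryptography.dll', 'CsvHelper.dll', 'Newtonsoft.Json.dll', 'PhoneNumbers.dll'
)

function Test-TargetedExclusion {
    # Returns $true only when the path names a single DLL. A leaf such as '*' or
    # '2.0' would exclude a whole folder and disable ASR for every ClickOnce app.
    param([Parameter(Mandatory)][string]$Path)
    $leaf = Split-Path -Path $Path -Leaf
    return ($leaf -like '*.dll') -and ($leaf -notmatch '[*?]')
}

$wanted = foreach ($base in $basePaths) {
    foreach ($dll in $dllNames) { "$base\$dll" }
}

$current = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)

# Flag any existing exclusion that is broader than a single file (section 4).
$current | Where-Object { $_ -and -not (Test-TargetedExclusion $_) } |
    ForEach-Object { Write-Warning "Broad ASR exclusion already present: $_" }

# Add only the targeted entries that are not already configured (safe to re-run).
$toAdd = @($wanted | Where-Object { (Test-TargetedExclusion $_) -and ($current -notcontains $_) })
if ($toAdd) {
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $toAdd
    Write-Host "Added $($toAdd.Count) exclusion(s)."
} else {
    Write-Host 'All section 6 exclusions are already configured.'
}

# Read back what Defender now holds, restricted to the files this article concerns.
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionOnlyExclusions |
    Where-Object { $_ -match 'SecureExchange|itext|BouncyCastle|CsvHelper|Newtonsoft|PhoneNumbers' }
```

Because PowerShell exclusions are global (section 5), the warning branch matters: an inherited folder-level exclusion would silently widen the gap for every ASR rule on the device, and this readback is where it becomes visible.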

7. Verify that the exception works

  1. Wait for propagation (up to 90 minutes for GPO/Intune)
  2. Test a Secure Exchanges update on a workstation (this happens automatically when Outlook restarts)
  3. Check in Advanced Hunting to see if any new blocks appear.
  4. If no results are found → The exclusion is working correctly
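The following script is an added example, not code from the Secure Exchanges knowledge base or from Microsoft. It performs the identification check of section 2 and the verification of section 7 locally on one workstation, for cases where Advanced Hunting is not at hand: it reports how the rule from section 1 is configured on the device, whether the SecureExchangesSDK.dll exclusion is present, and whether Defender has logged any ASR block events (event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log) mentioning the files from section 6. It assumes an elevated PowerShell session; the 24-hour window is a value chosen for this example.

```powershell
# Added example (not from the Secure Exchanges knowledge base or from Microsoft).
# Local equivalent of the section 2 hunting query and the section 7 verification.
# Assumes an elevated PowerShell session; the 24-hour lookback is an assumption.

$ruleId = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'   # rule GUID from section 1
$pref   = Get-MpPreference

# 1. How the rule is configured on this device (action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$names   = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$state   = 'not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $ruleId) {
        $code  = [int]$actions[$i]
        $state = if ($names.ContainsKey($code)) { $names[$code] } else { "action code $code" }
    }
}
Write-Host "ASR rule $ruleId : $state"

# 2. Is a file-level exclusion for the SDK present (section 6)?
$excl = @($pref.AttackSurfaceReductionOnlyExclusions) | Where-Object { $_ -like '*\SecureExchangesSDK.dll' }
Write-Host ('Exclusion for SecureExchangesSDK.dll: ' + $(if ($excl) { 'present' } else { 'MISSING' }))

# 3. ASR block events in the last 24 hours that mention the Secure Exchanges files.
#    Event ID 1121 is written when an ASR rule fires in block mode.
$since  = (Get-Date).AddHours(-24)
$blocks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SecureExchange|itext|BouncyCastle|CsvHelper|Newtonsoft|PhoneNumbers' }

if ($blocks) {
    # Still blocked: the exclusion has not propagated yet, or a file is missing from the list
    # (see "If the problem persists"). The message names the blocked path and the rule ID.
    $blocks | Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -Wrap
} else {
    Write-Host "No ASR block events since $since on this device: the exclusion is working."
}
```

Run it after the propagation wait of step 1 and an Outlook restart (step 2); a listed 1121 event whose path is not in section 6 is the signal described under "Troubleshooting actions" that another DLL needs a targeted exclusion.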

If the problem persists

Possible causes:
  1. The exclusion was not applied correctly (check the syntax).
  2. GPO/Intune has not yet been rolled out.
  3. A conflict with another security policy
Troubleshooting actions:
  1. Rerun the Kusto query to identify all blocked files
  2. Check if any new DLLs are being blocked and add them to the exclusions.
  3. Verify the application of the GPOs: gpresult /h C:\temp\rapport_gpo.html
  4. Force an update: gpupdate /force

Microsoft References

  1. Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint | Microsoft Learn
  2. Reference information on attack surface reduction rules - Microsoft Defender for Endpoint | Microsoft Learn


