Secure Exchanges encounters an error during the update

Microsoft Office error during Secure Exchanges update (ASR blockage)


1. Context

Microsoft Defender includes an attack surface reduction (ASR) rule called "Block executable content from email client and webmail". It blocks any content it considers executable when that content originates from an email or an email client (Outlook, webmail, etc.).
Info
Secure Exchanges uses ClickOnce to deploy updates to C:\Users\[username]\AppData\Local\Apps\2.0\
ASR rule parameters:
  Rule name:   Block executable content from email client and webmail
  GUID:        BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
  Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
  Notes:       The blockage occurs during the Secure Exchanges connector update, not during the initial installation.

2. Identify the blockage in Microsoft Defender

2.1 Kusto query (Advanced Hunting)

To confirm that the ASR rule is responsible for the problem, use the following query in Microsoft 365 Defender > Advanced Hunting:


Quote
DeviceEvents
| where ActionType == "AsrExecutableEmailContentBlocked"
| where FileName contains "SecureExchanges"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
| order by Timestamp desc

2.2 Typical result

In the results, you will see:
  1. ActionType: AsrExecutableEmailContentBlocked
  2. FileName: SecureExchangesSDK.dll
  3. FolderPath: C:\Users\[username]\AppData\Local\Apps\2.0\...

3. Why is SecureExchangesSDK.dll blocked?

Secure Exchanges uses a software component (a DLL) to:
  1. Manage secure communication between Outlook and the server
  2. Confirm actions performed in Outlook (such as sending encrypted messages)
  3. Process encrypted and decrypted messages
Info
This is not a real threat. It's a common false positive in secure environments.

4. Security principle: targeted exclusions

Alert
Never exclude the entire folder C:\Users\*\AppData\Local\Apps\2.0\
ClickOnce stores ALL applications deployed via ClickOnce in this folder. By excluding this folder, you:
  1. Disable ASR protection for all ClickOnce applications
  2. Create a major security vulnerability
  3. Allow an attacker to deploy malware via ClickOnce undetected
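The rule above (exclude the specific files, never the ClickOnce folder) can be enforced before any exclusion is written. The helper below is an added example, not code from the Secure Exchanges article: it accepts only a concrete DLL or EXE name under the two ClickOnce locations named in this article and rejects folder or wildcard-leaf patterns. The function name and the four sample paths are this example's own.

```powershell
# Added example (not from the Secure Exchanges article): refuse over-broad ASR
# exclusion paths before they reach Add-MpPreference. Function name and sample
# paths are this example's own choices.

function Test-TargetedAsrExclusion {
    param([Parameter(Mandatory)][string]$Path)

    # Last path element; empty when the path ends with a backslash.
    $leaf = $Path.Split('\')[-1]

    # 1. A bare folder or a wildcard leaf would exclude every file underneath,
    #    including anything a future ClickOnce payload drops there.
    if ($Path.EndsWith('\') -or $leaf -in @('', '*')) {
        return [pscustomobject]@{ Path = $Path; Targeted = $false; Reason = 'folder or wildcard leaf' }
    }
    # 2. Require a concrete file name with a binary extension (no *.dll).
    if ($leaf -notmatch '^[A-Za-z0-9._-]+\.(dll|exe)$') {
        return [pscustomobject]@{ Path = $Path; Targeted = $false; Reason = 'leaf is not a concrete dll/exe name' }
    }
    # 3. Stay inside the per-user ClickOnce folders this article deals with.
    if ($Path -notmatch '^C:\\Users\\\*\\AppData\\Local\\(Apps\\2\.0|Temp\\Deployment)\\') {
        return [pscustomobject]@{ Path = $Path; Targeted = $false; Reason = 'outside the ClickOnce deployment folders' }
    }
    [pscustomobject]@{ Path = $Path; Targeted = $true; Reason = 'ok' }
}

# Constructed sample inputs: the folder this article says never to exclude,
# a wildcard variant of it, one recommended file-level path, and a path
# outside ClickOnce altogether.
$candidates = @(
    'C:\Users\*\AppData\Local\Apps\2.0\',
    'C:\Users\*\AppData\Local\Apps\2.0\*\*\*',
    'C:\Users\*\AppData\Local\Apps\2.0\*\*\SecureExchangesSDK.dll',
    'C:\Windows\System32\*.dll'
)
$candidates | ForEach-Object { Test-TargetedAsrExclusion -Path $_ } | Format-Table -AutoSize
```

Only the third candidate comes back with Targeted = True; the other three are the kinds of entry that would silently widen the exclusion to every ClickOnce application.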

5. Understanding the types of ASR exclusions

Warning
Crucial point: the type of exclusion depends on your management tool. This distinction is essential for security.

  Tool          Type of exclusion   Impact
  Intune / MDE  Per-rule            Exclusion applied ONLY to the specific rule.
  GPO           Global              Exclusion applied to ALL active ASR rules.
  MECM / SCCM   Global              Exclusion applied to ALL active ASR rules.
  PowerShell    Global              Exclusion applied to ALL active ASR rules.

6. Files to exclude

The following paths must be added to the exclusions:

Secure Exchanges core DLLs
C:\Users\*\AppData\Local\Temp\Deployment\*\*\SecureExchangesSDK.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\OSecureExchange.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\OSecureExchange.resources.dll

C:\Users\*\AppData\Local\Apps\2.0\*\*\SecureExchangesSDK.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\OSecureExchange.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\OSecureExchange.resources.dll
iText DLLs
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.barcodes.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.bouncy-castle-adapter.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.bouncy-castle-connector.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.commons.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.forms.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.io.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.kernel.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.layout.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.pdfa.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.pdfua.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.sign.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.styledxmlparser.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\itext.svg.dll

C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.barcodes.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.bouncy-castle-adapter.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.bouncy-castle-connector.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.commons.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.forms.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.io.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.kernel.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.layout.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.pdfa.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.pdfua.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.sign.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.styledxmlparser.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\itext.svg.dll
Third-party DLLs
C:\Users\*\AppData\Local\Temp\Deployment\*\*\BouncyCastle.Cryptography.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\CsvHelper.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\Newtonsoft.Json.dll
C:\Users\*\AppData\Local\Temp\Deployment\*\*\PhoneNumbers.dll

C:\Users\*\AppData\Local\Apps\2.0\*\*\BouncyCastle.Cryptography.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\CsvHelper.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\Newtonsoft.Json.dll
C:\Users\*\AppData\Local\Apps\2.0\*\*\PhoneNumbers.dll
Info
Multiple wildcards (*\*\) are needed to cover the variable folder structure of ClickOnce.

A. Applying the exclusions via Intune

Info
Intune allows you to configure exclusions per rule ("ASR Only Per Rule Exclusions"), which limits the impact on overall security.
  1. Go to Endpoint Security → Attack Surface Reduction
  2. Select or create an ASR policy
  3. Locate the rule "Block executable content from email client and webmail"
  4. In "ASR Only Per Rule Exclusions", add the paths from section 6
  5. Save and deploy the policy

B. Applying the exclusions via GPO (enterprise deployment)

Info
Exclusions configured via GPO apply to ALL ASR rules, not just the rule in question.
  1. Open gpedit.msc (or GPMC for a domain)
  2. Navigate to: Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Microsoft Defender Exploit Guard → Attack Surface Reduction
  3. Double-click "Exclude files and paths from Attack surface reduction Rules"
  4. Enable the policy and add the paths from section 6
  5. Apply the policy: gpupdate /force

C. Applying the exclusions via PowerShell

Info
As with GPO, PowerShell exclusions are GLOBAL and apply to all ASR rules.
Add an exclusion (same wildcard pattern as in section 6):

Quote
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\*\AppData\Local\Apps\2.0\*\*\SecureExchangesSDK.dll"
Check current exclusions:

Quote
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionOnlyExclusions
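Adding the forty paths of section 6 one by one is error-prone, and Add-MpPreference appends blindly. The script below is an added example, not code from the Secure Exchanges article: it builds the section 6 list from the DLL names and the two ClickOnce base folders, first checks that the rule is actually in block mode, adds only the patterns that are not yet configured, and reads the result back. It must run in an elevated PowerShell session; the variable names are this example's own.

```powershell
# Added example (not from the Secure Exchanges article): apply the section 6
# exclusions idempotently with Add-MpPreference. Run elevated. DLL names and
# base folders come from section 6; variable names are this example's own.

$ruleId = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'   # Block executable content from email client and webmail

$dlls = @(
    'SecureExchangesSDK.dll', 'OSecureExchange.dll', 'OSecureExchange.resources.dll',
    'itext.barcodes.dll', 'itext.bouncy-castle-adapter.dll', 'itext.bouncy-castle-connector.dll',
    'itext.commons.dll', 'itext.forms.dll', 'itext.io.dll', 'itext.kernel.dll', 'itext.layout.dll',
    'itext.pdfa.dll', 'itext.pdfua.dll', 'itext.sign.dll', 'itext.styledxmlparser.dll', 'itext.svg.dll',
    'BouncyCastle.Cryptography.dll', 'CsvHelper.dll', 'Newtonsoft.Json.dll', 'PhoneNumbers.dll'
)
$bases = @(
    'C:\Users\*\AppData\Local\Temp\Deployment\*\*',
    'C:\Users\*\AppData\Local\Apps\2.0\*\*'
)

# Cross product: the file-level patterns of section 6 (2 folders x 20 DLLs).
$wanted = foreach ($b in $bases) { foreach ($d in $dlls) { "$b\$d" } }

$pref = Get-MpPreference

# Confirm the rule is enforced (1 = Block). If it is Off or Audit, this rule
# cannot be what breaks the update and the exclusions would change nothing.
$ids   = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
$idx   = [array]::IndexOf($ids, $ruleId)
$state = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { 'not configured' }
Write-Host "Rule $ruleId action: $state (0 = Off, 1 = Block, 2 = Audit, 6 = Warn)"

# Add only what is missing; Add-MpPreference appends, Set-MpPreference would
# replace the whole list and silently drop exclusions set for other software.
$existing = @($pref.AttackSurfaceReductionOnlyExclusions)
$missing  = @($wanted | Where-Object { $existing -notcontains $_ })

if ($missing.Count -gt 0) {
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $missing
    Write-Host "Added $($missing.Count) exclusion(s)."
} else {
    Write-Host 'All section 6 exclusions are already present.'
}

# Read back, showing only the ClickOnce-related entries.
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions |
    Where-Object { $_ -like '*\Apps\2.0\*' -or $_ -like '*\Temp\Deployment\*' }
```

On a device managed by Intune or GPO the policy value takes precedence over what Add-MpPreference writes locally, so this script is for unmanaged workstations or a one-off test before rolling the list out. Because PowerShell exclusions are global (section 5), use Intune per-rule exclusions where that option exists.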

7. Verify that the exception works

  1. Wait for propagation (up to 90 minutes for GPO/Intune)
  2. Test a Secure Exchanges update on a workstation (this happens automatically when Outlook restarts)
  3. Check in Advanced Hunting whether any new blocks appear.
  4. If no results are found → the exclusion is working correctly
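The Advanced Hunting query in section 2 is the fleet-wide check; on a single workstation the same ASR block is written locally to the Defender operational log as event ID 1121 (an ASR rule fired in block mode). The function below is an added example, not code from the Secure Exchanges article: it lists recent 1121 events for this rule that mention Secure Exchanges files and compares each blocked path with the configured exclusions, so that a path still being blocked after propagation can be added to the section 6 list. The function name and the 24-hour window are this example's own choices.

```powershell
# Added example (not from the Secure Exchanges article): local verification of
# the exclusion using Defender's operational log. Event ID 1121 = ASR rule
# fired in block mode. Function name and time window are this example's own.

function Get-SecureExchangesAsrBlocks {
    param([int]$Hours = 24)

    $ruleId = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no blocks".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $ruleId -and $_.Message -match 'SecureExchange' } |
        ForEach-Object {
            # The event message carries the blocked file on a "Path:" line.
            $path = if ($_.Message -match '(?im)^\s*Path:\s*(.+?)\s*$') { $Matches[1] } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; Path = $path }
        }
}

# Compare blocked paths with the configured exclusions. -like is only an
# approximation of Defender's own wildcard matching: a path that -like accepts
# but Defender still blocks needs its pattern adjusted from the exact FolderPath
# shown by the Advanced Hunting query in section 2.
$exclusions = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
$blocks     = @(Get-SecureExchangesAsrBlocks -Hours 24)

if ($blocks.Count -eq 0) {
    Write-Host 'No ASR block on Secure Exchanges files in the last 24 h: the exclusion is working.'
} else {
    foreach ($b in $blocks) {
        $covered = $exclusions | Where-Object { $b.Path -like $_ }
        $status  = if ($covered) { 'pattern present, wait for propagation' } else { 'NOT covered, add to the section 6 list' }
        Write-Host ('{0}  {1}  -> {2}' -f $b.Time, $b.Path, $status)
    }
}
```

Run it after step 2 above (an Outlook restart that triggers the update). An empty result matches the "no results" outcome of step 4; a row marked "NOT covered" is exactly the case handled under "If the problem persists".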

If the problem persists

Possible causes:
  1. The exclusion was not applied correctly (check the syntax).
  2. GPO/Intune has not yet been rolled out.
  3. A conflict with another security policy
Troubleshooting actions:
  1. Rerun the Kusto query to identify all blocked files
  2. Check if any new DLLs are being blocked and add them to the exclusions.
  3. Verify that the GPOs were applied: gpresult /h C:\temp\rapport_gpo.html
  4. Force an update: gpupdate /force

Microsoft References

  1. Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint | Microsoft Learn
  2. Reference information on attack surface reduction rules - Microsoft Defender for Endpoint | Microsoft Learn
