Hello @Phil M!
I will ask you a maybe obvious thing but bear with me!
Did you read this:
https://video2.skills-academy.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks executable files, such as .exe, .dll, or .scr, from launching. Thus, launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.
Important
You must enable cloud-delivered protection to use this rule.
The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria
Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
Advanced hunting action type:
- AsrUntrustedExecutableAudited
- AsrUntrustedExecutableBlocked
Dependencies: Microsoft Defender Antivirus, Cloud Protection
Could you verify the config and if possible send some screenshots or info?
Thank you!
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
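
One way to collect the configuration details requested above, as an added example that is not part of the original answer or of Microsoft's documentation. It assumes it is run in PowerShell on the affected Windows device with the Microsoft Defender Antivirus cmdlets available; the action and MAPS value mappings and the event IDs 1121 (block) and 1122 (audit) are the ones Defender uses for ASR rules.

```powershell
# Added example: read-only check of the ASR rule quoted in the answer.
$RuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # GUID from the quoted documentation

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# ASR rules are stored as two parallel arrays: rule GUIDs and their actions.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ruleState   = 'Not configured'
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $RuleId) {
        $a = [int]$actions[$i]
        $ruleState = if ($actionNames.ContainsKey($a)) { $actionNames[$a] } else { "Unknown ($a)" }
    }
}

# The rule depends on cloud-delivered protection (MAPS); 0 means it is off.
$mapsNames = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$maps      = [int]$pref.MAPSReporting
$mapsState = if ($mapsNames.ContainsKey($maps)) { $mapsNames[$maps] } else { "Unknown ($maps)" }

[pscustomobject]@{
    RuleId              = $RuleId
    RuleState           = $ruleState
    CloudProtection     = $mapsState
    AntivirusEnabled    = $status.AntivirusEnabled
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    RunningMode         = $status.AMRunningMode
    AsrOnlyExclusions   = @($pref.AttackSurfaceReductionOnlyExclusions) -join '; '
} | Format-List

# Recent block (1121) and audit (1122) events that mention this rule.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object -First 10 TimeCreated, Id, Message |
    Format-List
```

A `RuleState` of `Block` together with `CloudProtection` of `Disabled` means the dependency named in the documentation above is not met.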