In February I briefly tweeted about an issue I ran into at a customer that could not launch an HTA during their OSD task sequence using ServiceUI.exe. I looked for some obvious things and, after quickly coming up empty-handed, started looking deeper.
Cause
The customer used Windows Defender Exploit Guard, and it was not only configured via Group Policy: a base policy XML was also imported during the build process. The import happened before the HTA was launched (the HTA was launched post-image in the full Windows OS). Their Exploit Guard configuration included enabling ASLR, which is off by default. Basically, ASLR and ServiceUI.exe don’t mix.
Fix
I created the following ASLR exception for ServiceUI.exe in the Exploit Guard policy XML, which fixed the issue:
<AppConfig Executable="ServiceUI.exe">
  <ASLR Enable="false" ForceRelocateImages="false" OverrideForceRelocateImages="false"></ASLR>
</AppConfig>
-Colin
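A pre-import check for the policy XML, added here as an example and not part of the original post: it confirms the file is well-formed, that the ServiceUI.exe ASLR exception is present, and lists every executable with ASLR relaxed so the exceptions stay reviewable. The sample policy, the `MitigationPolicy`/`SystemConfig` wrapper around the post's `AppConfig` element, and the helper name `Get-AppAslrSetting` are assumptions for illustration.

```powershell
# Constructed sample policy (not the customer's file): ForceRelocateImages enabled
# system-wide, plus the per-application exception from this post.
$samplePolicy = @'
<MitigationPolicy>
  <SystemConfig>
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
  </SystemConfig>
  <AppConfig Executable="ServiceUI.exe">
    <ASLR Enable="false" ForceRelocateImages="false" OverrideForceRelocateImages="false" />
  </AppConfig>
</MitigationPolicy>
'@

# Hypothetical helper: returns one object per AppConfig entry that carries an ASLR element.
function Get-AppAslrSetting {
    param([Parameter(Mandatory)][string]$PolicyXml)

    $doc = New-Object System.Xml.XmlDocument
    # LoadXml throws on malformed markup, e.g. typographic quotes around attribute values.
    try { $doc.LoadXml($PolicyXml) }
    catch { throw "Policy XML is not well-formed: $($_.Exception.Message)" }

    foreach ($app in $doc.SelectNodes('/MitigationPolicy/AppConfig')) {
        $aslr = $app.SelectSingleNode('ASLR')
        if ($null -eq $aslr) { continue }
        [pscustomobject]@{
            Executable          = $app.GetAttribute('Executable')
            ForceRelocateImages = $aslr.GetAttribute('ForceRelocateImages')
            Override            = $aslr.GetAttribute('OverrideForceRelocateImages')
        }
    }
}

$settings = @(Get-AppAslrSetting -PolicyXml $samplePolicy)

# 1. The exception the task sequence depends on must be present.
$serviceUi = $settings | Where-Object { $_.Executable -ieq 'ServiceUI.exe' }
if (-not $serviceUi -or $serviceUi.ForceRelocateImages -ne 'false') {
    throw 'No ASLR exception for ServiceUI.exe in this policy.'
}

# 2. List every executable with ASLR relaxed, so the exceptions stay reviewable.
$settings | Where-Object { $_.ForceRelocateImages -eq 'false' } | Format-Table -AutoSize
```

To check a real file, pass `Get-Content -Raw` of the policy path as `-PolicyXml` before the import step runs.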
