1 Correct answer
Update:
Microsoft confirmed that this is a known issue for the latest security updates, KB5005565 and KB5005566. They have created files for temporary mitigation workarounds for this issue while a permanent update is created. Please apply the appropriate Known Issue Rollback to your impacted systems and then deploy the policy as mentioned in https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback#using-group-policy-to-apply-a-kir-to-a-single-device
...
47
Replies
The registry key being deleted is an extreme way to clear your Exploit protection settings.
The same can be achieved by editing the settings in Windows Defender
Windows Security | App & Browser Control | Program Settings | AcroRd32.exe [Edit]
Export address filtering (EAF)
Override system settings (unticked) - sets On to Off automatically.
If these options are locked down then you need to look at your Defender security baselines or device configuration profiles (Endpoint Protection).
The XML entry should contain something like the following for AcroRd32.exe
<AppConfig Executable="AcroRd32.exe">
<DEP Enable="true" EmulateAtlThunks="false" />
<ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="false" />
<Payload EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>This should result in the following reg value.. (values are in Binary so not easy to manipulate without export/import).
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe
AdChoices