Warp installation blocked by Microsoft Defender ASR (prevalence/age rule) – affects updates, fresh installs (exe) and winget #8794
Description
Pre-submit Checks
- I have searched Warp bugs and there are no duplicates
- I have searched Warp known issues page and my issue is not there
- I have an issue with AI and have included the debugging ID (Optional, but helps expedite the AI quality fix). Debugging ID instructions
- I have technical issue and have included the logs (optional, but helps expedite the bug fix). Log instructions
Describe the bug
Warp installation blocked by Microsoft Defender ASR (prevalence/age rule)
Summary
Warp cannot be installed in our enterprise Windows environment due to a Microsoft Defender Attack Surface Reduction (ASR) rule.
This does not only affect auto-updates — it also blocks fresh installations, both via:
- The downloaded
.exeinstaller winget install Warp.Warp
Environment
- OS: Windows 11
- Device management: Intune (MDM-managed)
- Security: Microsoft Defender for Endpoint
- ASR rule enabled:
Block executable files from running unless they meet prevalence, age, or trusted list criteria - Rule ID:
D4F940AB-401B-4EFC-AADC-AD5F3C50688A
What happens
During installation, Microsoft Defender blocks the Warp installer bootstrapper.
Defender alert details:
- Blocked process:
windows.exe - Path:
C:\Users\<user>\AppData\Local\Temp\is-XXXXXXXX.tmp\windows.tmp - Detection type: Attack Surface Reduction
- Action: Blocked by administrator
It appears that the installer extracts and executes a temporary executable from %LOCALAPPDATA%\Temp.
Because:
- The file has a new hash per release
- It initially has low global prevalence
- It runs from a user Temp directory
…it is blocked by the ASR rule.
Interestingly, installation sometimes works after about a week, likely due to Microsoft’s cloud reputation system increasing the file’s prevalence score over time.
Impact
- Warp cannot be installed in environments using Microsoft security baselines.
- Both direct installer and winget installation are blocked.
- Requires ASR exclusions or security policy changes.
- Affects enterprise-managed developer machines.
Expected behavior
Warp should be installable in enterprise environments with Defender ASR enabled, without requiring security policy exceptions.
Request
Could you consider one or more of the following:
- Provide a true MSI installer suitable for enterprise deployment
- Avoid executing a temporary bootstrapper from
%TEMP% - Provide enterprise deployment guidance for Defender/ASR environments
- Adjust the installer/update mechanism to better support Microsoft security baselines
This issue likely affects many enterprise users operating under standard Defender ASR configurations.
If helpful, I can also provide Defender event logs or SHA256 details.
To reproduce
- tried built-in update in warp terminal
- tried uninstall and fresh install with newly downloaded .exe
- tried with winget
- tried to force other directory rather than default tmp
Expected behavior
No response
Screenshots, videos, and logs
Operating system (OS)
Windows
Operating system and version
11 - 25H2
Shell Version
No response
Current Warp version
No response
Regression
No, this bug or issue has existed throughout my experience using Warp
Recent working Warp date
No response
Additional context
No response
Does this block you from using Warp daily?
Yes, this issue prevents me from using Warp daily.
Is this an issue only in Warp?
Yes, I confirmed that this only happens in Warp, not other terminals.
Warp Internal (ignore): linear-label:b9d78064-c89e-4973-b153-5178a31ee54e
None