
I am in the process of implementing Exploit Guard in our W10 corporate image. I configured it using the GPO "Use a common set of exploit protection settings", which makes use of an XML file. Initially, Chrome.exe was not included in the XML file.

I realized that when I opened Chrome, an event ID 10 appeared in
Application and Service Logs -> Microsoft -> Windows -> Security Mitigations -> Kernel mode

Process '\Device\HarddiskVolume2\Program Files (x86)\Google\Chrome\Application\chrome.exe' (PID 9740) was blocked from making system calls to Win32k.sys.

I even explicitly included chrome.exe as an exception in the Program Setting list, forcing OFF in the setting "Disable Win32 system calls". To do that, I just added this code to the XML file:

<AppConfig Executable="chrome.exe">
   <SystemCalls DisableWin32kSystemCalls="false" />
</AppConfig>

But nothing changes, and the same event ID appears. One interesting thing is that Chrome seems to work fine, with no error windows or crashes.

Any idea how to solve this situation?

  • Run Chrome and then in PowerShell enter the command Get-ProcessMitigation -Name chrome -RunningProcesses. Look under "System Call:" and let us know your settings. On mine it says "DisableWin32kSystemCalls : OFF, Audit : OFF, Override SystemCall : False". If yours is different, please share exactly how and where you Win32k System Calls.
    – harrymc
    Commented Feb 11, 2019 at 10:14
  • I also have "System Call: DisableWin32kSystemCalls: OFF, Audit: OFF, Override SystemCall : False", and I still see the event appearing every time I open Chrome. You don't have the event? Maybe another GPO setting is provoking this behaviour?
    – YaKs
    Commented Feb 11, 2019 at 10:53

1 Answer


To my great surprise I have the same warning.

To my greater surprise, I also have this same warning for browser_broker.exe, which is a component of Microsoft Edge. As its name suggests, this is probably the component that decides which browser to call for a URL.

Since this warning is happening on Microsoft's own software when it's working correctly, and is also happening on Chrome when it's working correctly, I think that it is harmless and unavoidable.
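
An added example, not part of the thread or of any Microsoft tooling: PowerShell that groups event ID 10 entries by image and prints the `DisableWin32kSystemCalls` value that `Get-ProcessMitigation` reports for each, so the log and the effective policy can be compared side by side. Assumptions: English event text in the format quoted in the question, the channel name `Microsoft-Windows-Security-Mitigations/KernelMode`, the `SystemCall` property name, and constructed sample lines that are used when the log returns nothing.

```powershell
# Added example (not from the thread). Groups Win32k block events (ID 10) by image
# and prints the Win32k policy that Get-ProcessMitigation reports for that image.
$LogName = 'Microsoft-Windows-Security-Mitigations/KernelMode'

function ConvertFrom-Win32kBlockMessage {
    # Parses the event text format quoted in the question into path, image and PID.
    param([string]$Message)
    $pattern = "Process '(?<Path>[^']+)' \(PID (?<ProcId>\d+)\) was blocked from making system calls to Win32k\.sys"
    if ($Message -match $pattern) {
        $path = $Matches['Path']
        [pscustomobject]@{
            Path   = $path
            Image  = ($path -split '\\')[-1]      # leaf name, e.g. chrome.exe
            ProcId = [int]$Matches['ProcId']
        }
    }
}

function Get-Win32kBlockSummary {
    # One row per image: number of events and the distinct PIDs that raised them.
    param([string[]]$Messages)
    $Messages | Where-Object { $_ } | ForEach-Object { ConvertFrom-Win32kBlockMessage -Message $_ } |
        Group-Object -Property Image | ForEach-Object {
            [pscustomobject]@{
                Image  = $_.Name
                Events = $_.Count
                Pids   = ($_.Group.ProcId | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample: the message from the question plus two made-up lines.
$sample = @(
    "Process '\Device\HarddiskVolume2\Program Files (x86)\Google\Chrome\Application\chrome.exe' (PID 9740) was blocked from making system calls to Win32k.sys.",
    "Process '\Device\HarddiskVolume2\Program Files (x86)\Google\Chrome\Application\chrome.exe' (PID 9912) was blocked from making system calls to Win32k.sys.",
    "Process '\Device\HarddiskVolume2\Windows\System32\browser_broker.exe' (PID 4120) was blocked from making system calls to Win32k.sys."
)

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 10 } -MaxEvents 200 -ErrorAction SilentlyContinue
$messages = if ($events) { @($events.Message) } else { $sample }   # fall back to the sample

foreach ($row in Get-Win32kBlockSummary -Messages $messages) {
    $name = [IO.Path]::GetFileNameWithoutExtension($row.Image)     # 'chrome', as in the comment's command
    $policy = Get-ProcessMitigation -Name $name -RunningProcesses -ErrorAction SilentlyContinue
    # Assumption: the "System Call" section of the output is exposed as the SystemCall property.
    $setting = @($policy.SystemCall.DisableWin32kSystemCalls | Sort-Object -Unique) -join ','
    '{0,-20} events={1,-3} pids={2,-12} DisableWin32kSystemCalls={3}' -f $row.Image, $row.Events, $row.Pids, $setting
}
```

An empty `DisableWin32kSystemCalls` column means no process with that name was running when the script was executed.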
