Hi all,
Happy NAIDOC 2021 week.
I'm working through MDAC and have it all working in BLOCK mode, aside from the Company Portal - Managed installer piece.
I have a case open with MS Premium Support & the MS Fast Track team, however I'm not making any headway.
We are running Azure/Intune only joined/managed laptops, no on-prem/SCCM presence.
I've included the managed installer option in both the base and the supplemental policy, and I can confirm these are being deployed, as they are visible in the client's C:\Windows\System32\CodeIntegrity\CiPolicies\Active directory. They are also visible in the Microsoft-Windows-CodeIntegrity/Operational event log. So far so good!
I have deployed an AppLocker policy via Intune as follows. (Note: each "OMA-URI Setting" requires its own entry in the policy, otherwise you'll get a "SyncML(516): Command was inside Atomic element...." error (google it).)
Windows 10 - Custom - AppLocker Intune Managed Installer policy - Default EXE
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/ThisIsRandomString25/EXE/Policy
<RuleCollection Type="Exe" EnforcementMode="AuditOnly">
  <FilePathRule Id="9420c496-046d-45ab-bd0e-455b2649e41e" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.exe" />
    </Conditions>
  </FilePathRule>
  <RuleCollectionExtensions>
    <ThresholdExtensions>
      <Services EnforcementMode="Enabled" />
    </ThresholdExtensions>
    <RedstoneExtensions>
      <SystemApps Allow="Enabled"/>
    </RedstoneExtensions>
  </RuleCollectionExtensions>
</RuleCollection>
--------------------------------------------------------------------------------------------------------------------------------------
Windows 10 - Custom - AppLocker Intune Managed Installer policy - Default DLL
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/ThisIsRandomString26/DLL/Policy
<RuleCollection Type="Dll" EnforcementMode="AuditOnly">
  <FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.dll" />
    </Conditions>
  </FilePathRule>
  <RuleCollectionExtensions>
    <ThresholdExtensions>
      <Services EnforcementMode="Enabled" />
    </ThresholdExtensions>
    <RedstoneExtensions>
      <SystemApps Allow="Enabled"/>
    </RedstoneExtensions>
  </RuleCollectionExtensions>
</RuleCollection>
--------------------------------------------------------------------------------------------------------------------------------------
Windows 10 - Custom - AppLocker Intune Managed Installer policy - Default MSI
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/ThisIsRandomString30/MSI/Policy
<RuleCollection Type="MSI" EnforcementMode="NotConfigured" />
--------------------------------------------------------------------------------------------------------------------------------------
Windows 10 - Custom - AppLocker Intune Managed Installer policy - Default Script
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/ThisIsRandomString31/Script/Policy
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
--------------------------------------------------------------------------------------------------------------------------------------
Windows 10 - Custom - AppLocker Intune Managed Installer policy - Managed Installer Exe
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/ThisIsRandomString35/EXE/Policy
<!-- EnforcementMode for the ManagedInstaller collection is "Enabled" in Microsoft's documented sample (the original post had "Enable") -->
<RuleCollection Type="ManagedInstaller" EnforcementMode="Enabled">
  <FilePublisherRule Id="ebd0307f-a4b2-4253-85e0-2b0b7bdc4580" Name="MICROSOFT® INTUNE™, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® INTUNE™" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
I tried using both FilePath and FilePublisher conditions (indeed I even tried combining both), but in each case apps (MSIs) downloaded by the end user via the Intune Company Portal are blocked. The block is visible in the Microsoft-Windows-AppLocker/MSI and Script event log.
So has anyone actually managed to get the Intune Company Portal listed as a managed installer in an MDAC/WDAC BLOCK mode deployment?
I've spent weeks on this (on and off) so I'm happy to try/troubleshoot/lab any suggestions.
Thanks y'all!
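Added example (not part of the original post) for checking on the client whether the pieces described above are actually in place before escalating further: the Application Identity service (AppIDSvc) running, WDAC policy files present under CiPolicies\Active, a ManagedInstaller collection visible in the effective AppLocker policy with EnforcementMode set to "Enabled" (the value Microsoft's documented sample uses), the EXE and DLL collections present alongside it, and recent events from the two logs the post mentions. It assumes that Get-AppLockerPolicy -Effective reports the CSP-delivered ManagedInstaller collection on the client's build; the function names are mine, and the script is run in an elevated PowerShell on the client.

```powershell
# Added diagnostic script (not from the original post). Run elevated on the client.
#Requires -RunAsAdministrator

function Test-ManagedInstallerPrereqs {
    $results = [ordered]@{}

    # 1. The Application Identity service must be running for AppLocker rule
    #    collections, including ManagedInstaller, to be enforced at all.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $results['AppIDSvc running'] = ($svc -and $svc.Status -eq 'Running')

    # 2. Policy files under CiPolicies\Active show a WDAC policy was delivered
    #    (it does not prove the policy's content, only that it arrived).
    $activeDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity\CiPolicies\Active'
    $activePolicies = @(Get-ChildItem -Path $activeDir -Filter '*.cip' -ErrorAction SilentlyContinue)
    $results['Active WDAC policy files'] = $activePolicies.Count

    # 3. Effective AppLocker policy: look for the ManagedInstaller collection and
    #    report its EnforcementMode. Assumption: the CSP-delivered collection is
    #    included in Get-AppLockerPolicy -Effective output on this build.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $mi = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'ManagedInstaller' }
    $results['ManagedInstaller collection present'] = [bool]$mi
    $results['ManagedInstaller EnforcementMode']    = if ($mi) { $mi.EnforcementMode } else { '(none)' }
    $results['ManagedInstaller mode is Enabled']    = [bool]($mi -and $mi.EnforcementMode -eq 'Enabled')
    $results['ManagedInstaller rule count']         =
        if ($mi) { @($mi.ChildNodes | Where-Object { $_.Name -like '*Rule' }).Count } else { 0 }

    # 4. Microsoft's sample policy carries EXE and DLL collections (AuditOnly with a
    #    dummy rule is fine) next to the ManagedInstaller collection; report their mode.
    foreach ($t in 'Exe', 'Dll') {
        $c = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $t }
        $results["$t collection mode"] = if ($c) { $c.EnforcementMode } else { '(missing)' }
    }

    [pscustomobject]$results
}

function Get-RecentAppControlEvents {
    param([int]$Hours = 24, [int]$Max = 50)
    $since = (Get-Date).AddHours(-$Hours)
    # The two logs the post refers to. Filtered by time only so nothing is hidden;
    # narrow by Id once you know which events your build emits for a block.
    $logs = 'Microsoft-Windows-AppLocker/MSI and Script',
            'Microsoft-Windows-CodeIntegrity/Operational'
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -MaxEvents $Max -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Log'; e = { $log } }, Message
    }
}

# Usage
Test-ManagedInstallerPrereqs | Format-List
Get-RecentAppControlEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Two things to read off the output. If the ManagedInstaller collection is present but its mode is anything other than "Enabled", the tagging of downloaded files never happens and WDAC will block them regardless of the rule inside the collection. If the collection is fine, compare the publisher rule against the process that actually writes the files to disk: Microsoft's documented sample rule targets the Intune Management Extension agent (Microsoft.Management.Services.IntuneWindowsAgent.exe), not the Company Portal app itself, and only files written by a process matched by the rule are marked as managed-installer output.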