Forum Discussion

Iron Contributor

Jul 22, 2020

Can't get rid of WDAC Block

Hi All We rolled out an Endpoint Protection policy with WDAC on, but it has had a negative effect on some users. Now we have unassigned the Endpoint Protection policy with WDAC, yet apps are ...

Intune

mobile device management (mdm)

StuartK73

Iron Contributor

Jul 23, 2020

I'm pretty certain that we tried this but can retest and post the outcome here.

Regards

dj675414

Copper Contributor

Oct 16, 2020

StuartK73 Hello Stuart,

I was curious did you find a solution to this problem?

Thanks

StuartK73
Iron Contributor
Oct 16, 2020
dj675414

Hi Buddy

I think we had some National Cyber Security Centre (NCSC) Endpoint Protection policies deployed that had a WDAC payload.

Check what configs are being deployed to your devices.

Regards
- r0bu
  Brass Contributor
  Oct 17, 2020
  You can apply another policy with WDAC set to audit and that will remove the enforcement.
  - dj675414
    Copper Contributor
    Oct 17, 2020
    That’s exactly what I did last night, keep in mind this does cause a force reboot on all client machines this policy deploys to.
    
    The problem for us, I use a 3rd party packager when Win32app doesn’t fit the bill. Some of those apps looked foreign to defender and it blocked used access to them after a change in the policy.