Forum Discussion
Unable to deploy Windows Defender Application Guard via Intune
Hello,
Trying to deploy Windows Defender Application Guard via Intune and running into the same issue on multiple Windows 10 Enterprise (1803) devices.
After the device syncs with Intune, I restart the devices. Application Guard is enabled, but the settings defined in the Intune policy are not applied and result in the errors in the screenshot. I looked up the error on the Intune error page, but has no description or recommended action. The Hyper-V feature is installed on all devices.
Any thoughts, ideas...?
Much appreciated. Thanks!
19 Replies
Hi,
we have the same problem which exists since the release of application Guard (1803). We are now using 1909 and the problem is still not solved (remediation failed). Is there any new information?
Regards,
Joel- Hi Joel,
I still have this problem as well. But I did work with another Microsoft Support engineer recently and still working with after reviewing some of the event log info, it appears that the devices are not meeting the hardware requirements for AG. The device must have available 4 cores and 8GB of RAM free.
I have several devices that are just at 8GB and have the 4 cores and are failing, but I have larger devices, 16GB of RAM and 4+ cores that are also failing with the same error. And since 1803 we are running 1909 now as well.
When I get more info, I'll update the thread.
If audit is enabled for AG check your event log here:
Applications and Services Logs / Microsoft / Windows / WDAG-PolicyEvaluator-CSPHey Alex Melching,
thanks for your information. Its quite funny because I had the same conversation with another Microsoft Support engineer who told me the same (the device is not meeting the hardware requirements). It also wasn't working when we bought new devices which met the requierements. At the moment we set the AG policies via Powershell script which is changing some registry keys. I don't like this workaround because we still have these remediation errors in our device overview and if we want to change one of the policies regarding AG we have to edit the whole powershell script and reupload it. But atleast now I know that we are not the only ones regarding this problem.
Hi,
How did you deploy the configuration policy via device configuration or with specific settings with OMA-URI's (for example like settings in device guard)?
Remediation failed error message returned by the client when the SET command on the OMA-URI’s required to configure the target setting. In your case, the OMA-URI's didn't succeed.
The remediation error code 201*** is very general therefore you can do the following actions:
- Troubleshoot error from Windows 10 device
- Once you've some information change your settings
Eli.
Hello Eli,
I created a policy for endpoint protection from Intune and defined the settings there. Like I mentioned the devices did NOT have WDAG enabled until I deployed this policy to a group of devices. It does enable WDAG on them, but result in the failed remediation in the screenshot in the original post.
Hi Alex,
If you don't have any warning or errors on debug log please check the following points:
- Make sure your system requirement is ok against WDAG system requirements
- Configure WDAG with a local policy to make sure that you don't have any other issues
- Enable Audit for WDAG (with AuditApplicationGuard) and check event logs
- Optional: If you can check the WDAG on Windows 10 1709 to with same settings and compare findings
Eli.
- arnabmitra
Microsoft
Alex, on one of the devices, check the event logs for more details: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Hi Arnab,
I checked the event logs and only have errors for trying to install an older version of software that is already installed with newer version. I have no other errors.
- arnabmitra
Is the 1803 build fully patched? One of the CU's have a fix.
