flychrome
Copper Contributor
Jun 06, 2023

WDAC DLL-Blocking

Hi everyone, I am currently trying to implement WDAC with Intune as a managed installer and have followed the documentation (Allow apps deployed with a WDAC managed installer - Windows Security | Microsoft Learn) for this.

 

This works pretty well so far, most applications that are packaged and deployed via Intune are allowed to run.

 

What surprises me, though:

In the WDAC policy, I left out policy rule option 19 (Enabled: Dynamic Code Security) because we don't want to block DLLs.

 

Nevertheless, it happens from time to time that DLLs are blocked. The errors then look like this:

 

Code Integrity determined that a process (\Device\HarddiskVolume3\Users\xxxxx\AppData\Roaming\Autodesk\ADPSDK\bin\AdpSDKUtil.exe) attempted to load \Device\HarddiskVolume3\Users\xxxxxx\AppData\Roaming\Autodesk\ADPSDK\bin\AdpSDKIdentityWrapper.dll that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{xxxxxxxx).

 

Is there any way to disable this behavior or have I overlooked something here?

Is it at all possible to disable blocking of DLLs completely?

 

 

The AppLocker configuration for the managed installer:

 

The Rule Options selected in the WDAC Wizard:

 

  • AJParker
    Copper Contributor
    Did you ever find a solution to this issue? I am encountering the same issue: Dynamic Code Security is not enabled, but DLL files are being blocked.
    • flychrome
      Copper Contributor

      Sorry for the late reply, I had completely forgotten about this post.
      The only way we got it to work was to explicitly allow *.dll

      Not necessarily nice, but it worked without any further problems.

      • AJParker
        Copper Contributor

        So something like this?

        <Allow ID="ID_ALLOW_PATH_231321321323" FriendlyName="Allow by path: *.dll" FilePath="*.dll" />

    • daonechris
      Copper Contributor

      I am having the same issues: a lot of the DLLs are getting blocked when patching, even though I have Dynamic Code Security disabled. This drives me nuts...
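
For triaging blocks like the one quoted in the first post, here is an added example (not code from any poster in this thread or from Microsoft) that groups Code Integrity messages by loading process and DLL folder, so the loads coming from user-profile paths are visible before deciding how broad an allow rule needs to be. All sample messages except the first are constructed, and treating any path under a user profile as user-writable is an assumption of the example.

```python
import re

# Message layout taken from the Code Integrity event text quoted in the first post.
BLOCK_RE = re.compile(r"Code Integrity determined that a process \((?P<process>.+?)\) attempted "
                      r"to load (?P<image>.+?) that did not meet the .+? signing level requirements")
DEVICE_RE = re.compile(r"^\\Device\\HarddiskVolume\d+", re.IGNORECASE)
PROFILE_RE = re.compile(r"^\\Users\\[^\\]+", re.IGNORECASE)

def normalize(nt_path):
    """Return (path, in_profile): volume prefix stripped, profile name collapsed to '*'."""
    path = DEVICE_RE.sub("", nt_path)
    path, hits = PROFILE_RE.subn(lambda m: "\\Users\\*", path)
    return path, hits > 0  # assumption: anything under a user profile is user-writable

def summarize_blocks(messages):
    """Group blocked DLL loads by (loading process, DLL directory)."""
    groups = {}
    for message in messages:
        match = BLOCK_RE.search(message)
        if match is None:
            continue  # not a blocked-load message
        process, _ = normalize(match.group("process"))
        image, in_profile = normalize(match.group("image"))
        directory, _, dll = image.rpartition("\\")
        entry = groups.setdefault((process, directory),
                                  {"dlls": set(), "count": 0, "in_profile": in_profile})
        entry["dlls"].add(dll)
        entry["count"] += 1
    return groups

def _msg(process, image):
    return (f"Code Integrity determined that a process ({process}) attempted to load "
            f"{image} that did not meet the Enterprise signing level requirements or "
            "violated code integrity policy (Policy ID:{xxxxxxxx).")

VOL, ADP = r"\Device\HarddiskVolume3", r"\AppData\Roaming\Autodesk\ADPSDK\bin"
# Constructed input: the first message mirrors the post, the rest are made up.
SAMPLE = [
    _msg(VOL + r"\Users\xxxxx" + ADP + r"\AdpSDKUtil.exe",
         VOL + r"\Users\xxxxxx" + ADP + r"\AdpSDKIdentityWrapper.dll"),
    _msg(VOL + r"\Users\alice" + ADP + r"\AdpSDKUtil.exe",
         VOL + r"\Users\alice" + ADP + r"\Example.dll"),
    _msg(VOL + r"\Program Files (x86)\ExampleApp\app.exe",
         VOL + r"\Program Files (x86)\ExampleApp\plugin.dll"),
    "Unrelated event text that the parser should skip.",
]

if __name__ == "__main__":
    print(*summarize_blocks(SAMPLE).items(), sep="\n")
```

Groups flagged `in_profile` are the ones where a blanket path rule would also cover anything else a user drops into that folder.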
