Forum Discussion
WDAC Policies not applying!
Hello,
Trying out WDAC for the first time.
I have:
- Downloaded the WDAC Wizard
- Created a base "Windows Works" policy
- Created a supplemental policy that allows the 2 Program Files folders
- All of this in Audit Mode Only
- I have created a custom profile in MEM and used 2 OMA-URIs, one for each policy, using the ApplicationControl CSP, as per the docs.
- I have verified that these 2 policies appear on the workstation, looking in C:\Windows\System32\CodeIntegrity\CiPolicies\Active, where they appear.
- The MEM reports for the device show that the profile is applied correctly.
And yet, when I look at the CodeIntegrity event log, all the events I see refer to the default audit policy that comes with Windows. I see (Policy ID:{a244370e-44c9-4c06-b551-f6016e563076}) instead of *my* policy IDs, no matter what I do. I've rebooted a couple of times for good measure.
I left the endpoint control profile setting for WDAC to "Not Configured", since https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune says the built-in policies use the AppLocker CSP and pre-1903 settings. (I did have it set to "Audit Only" previously though).
Any one have any idea what might be going on here? What am I missing?
Thanks,
J.F.
1 Reply
- jfdoyon, Copper Contributor
Figured it out.
I used wbemtest to browse the WMI Bridge to see whether I could find instances of the CI policies.
I found 4, two of which were mine. A third was related to driver integrity, and the 4th was the policy that was getting in my way.
I deleted the offending instance directly from wbemtest, and now everything works as expected, or at least the CI event log is showing things I expected.
This is somewhat documented here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune
Where it mentions that pre-1903 policies must be deleted by script or overridden. Because I had used the Intune built-in policy, I fell under this category, even though I was using a 21H2 machine.
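The same cleanup the reply describes (browse the MDM Bridge WMI provider, find the Code Integrity policy instances, delete the leftover one from the Intune built-in setting) can be scripted instead of clicking through wbemtest. The script below is an added example and is not code from the original post or from Microsoft's docs. It assumes: the bridge namespace `root\cimv2\mdm\dmmap` (that part is fixed), that the relevant classes are named `MDM_AppLocker*` and `MDM_ApplicationControl*` (the bridge derives class names from the CSP node names, so the patterns are an assumption to confirm with `Get-CimClass` before trusting the filter), and that the shell runs as SYSTEM, which the bridge requires (for example `psexec.exe -s -i powershell.exe`). The event-log check at the end parses the `Policy ID:{...}` text that the original question quotes from the CodeIntegrity log, so you can confirm that your own policy GUIDs, rather than `a244370e-...`, are the ones producing audit events after the removal.

```powershell
# Added example, not from the original post. Run as SYSTEM (psexec -s -i powershell.exe);
# the MDM Bridge WMI provider is not reachable from an ordinary elevated shell.

$namespace = 'root\cimv2\mdm\dmmap'

# ASSUMPTION: class-name patterns based on the CSP node names. Verify with Get-CimClass.
$classPatterns = @('MDM_AppLocker*', 'MDM_ApplicationControl*')

function Get-MdmCiPolicyInstance {
    # Enumerate every instance of every bridge class matching the patterns.
    # InstanceID/ParentID are the standard identity properties of MDM_ bridge classes.
    foreach ($pattern in $classPatterns) {
        $classes = Get-CimClass -Namespace $namespace -ClassName $pattern -ErrorAction SilentlyContinue
        foreach ($class in $classes) {
            Get-CimInstance -Namespace $namespace -ClassName $class.CimClassName -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Class      = $class.CimClassName
                        InstanceID = $_.InstanceID
                        ParentID   = $_.ParentID
                        Instance   = $_
                    }
                }
        }
    }
}

function Remove-LegacyAppLockerCiPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Only the AppLocker CSP (pre-1903) instance is the one Intune's built-in
    # "Application control" setting creates. Filter on the class/path, not on a
    # GUID, so the ApplicationControl CSP policies pushed by OMA-URI are untouched.
    $legacy = Get-MdmCiPolicyInstance | Where-Object {
        $_.Class -like 'MDM_AppLocker*' -and
        ($_.ParentID -like '*CodeIntegrity*' -or $_.InstanceID -like '*CodeIntegrity*')
    }
    foreach ($item in $legacy) {
        if ($PSCmdlet.ShouldProcess("$($item.Class) $($item.ParentID)/$($item.InstanceID)", 'Remove-CimInstance')) {
            $item.Instance | Remove-CimInstance
        }
    }
    return $legacy
}

function Get-CiAuditPolicyCounts {
    param([int]$MaxEvents = 500)
    # Count recent CodeIntegrity events per policy GUID by parsing the
    # "Policy ID:{guid}" text the question quotes. Audit-mode blocks are 3076,
    # enforced blocks 3077; both carry the policy ID in the message.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
              Where-Object { $_.Id -in 3076, 3077 }
    $events |
        ForEach-Object {
            if ($_.Message -match 'Policy ID:\{?([0-9A-Fa-f-]{36})\}?') { $Matches[1].ToLower() }
        } |
        Group-Object |
        Select-Object @{n = 'PolicyGUID'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

# 1. See what the bridge currently holds (the poster found four instances here).
Get-MdmCiPolicyInstance | Format-Table Class, InstanceID, ParentID -AutoSize

# 2. Dry run first, then remove for real.
Remove-LegacyAppLockerCiPolicy -WhatIf
# Remove-LegacyAppLockerCiPolicy

# 3. After a reboot, confirm your policy GUIDs (from CiPolicies\Active) now show up
#    instead of the built-in a244370e-44c9-4c06-b551-f6016e563076 audit policy.
Get-CiAuditPolicyCounts | Format-Table -AutoSize
```

Run step 1 on its own first and compare the listed classes against the `Get-CimClass` output before trusting the removal filter; if the instance that is in your way lives under a class the patterns miss, widen `$classPatterns` rather than deleting by hand. Step 3 is only meaningful after the reboot, since the active policy set is loaded at boot.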