Balancing security and flexibility when implementing Windows Defender Application Control (WDAC)
Event details
Welcome to Balancing security and flexibility when implementing Windows Defender Application Control (WDAC) at the Microsoft Technical Takeoff. Let's get started! Have a question? Post it here in the Comments. Subject matter experts will be answering during the session and throughout the week. We're looking forward to the conversation.
- Jeffrey_Sutherland, Oct 31, 2022
Microsoft
ISG has always worked on Pro. Managed installer has historically been restricted to Pro (due to AppLocker restriction), but that Edition restriction is being removed with servicing updates coming out later this month as a preview update and with the December patch Tuesday updates.
- bdelamotte_83, Dec 13, 2022, Copper Contributor
Hi Jeffrey - Did the MI only on Enterprise restriction removal make the cut for the December updates just released?
- Jordan_Geurten, Dec 13, 2022
Microsoft
Hi Ben, it was updated in the optional October C and November B security release - KB #5018482 and #5018483
- bdelamotte_83, Oct 31, 2022, Copper Contributor
Thanks Jeffrey. I'll look out for the updates. I have re-tested ISG on Pro mode devices, and it works provided the Application Identity service is running, even then post reboot. Manual intervention was required to make sure the service was running. Now that I recall, I may have found this on previous tests with Pro Mode, and Intune didn't start this as the documentation suggested. And last edit, I do not see the expected EA $KERNEL.SMARTLOCKER.ORIGINCLAIM as the documentation suggests.
- Jeffrey_Sutherland, Nov 15, 2022
Microsoft
We recently updated the managed installer and ISG technical reference article to clarify when and where to expect the SMARTLOCKER EA. https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer. Briefly, for ISG, the EA will only be created when a file's trust is based on being installed by a trusted installer. Singleton binaries that are allowed by ISG won't have that EA set, which also means they are re-validated more aggressively.
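The two checks discussed in this thread (whether the Application Identity service is running, and which files carry the `$KERNEL.SMARTLOCKER.ORIGINCLAIM` EA) can be scripted. This is an added example, not part of the thread or of Microsoft's documentation; the function name and the folder path are hypothetical, and it assumes an elevated PowerShell session on a device whose WDAC policy enables ISG or managed installer.

```powershell
# Added example: report AppIDSvc state and which files carry the SMARTLOCKER origin-claim EA.
# Get-SmartlockerOriginClaim is a hypothetical helper name, not a built-in cmdlet.
function Get-SmartlockerOriginClaim {
    param(
        [Parameter(Mandatory)]
        [string]$Path,               # folder to inspect
        [string]$Filter = '*.exe'    # file pattern to check
    )

    # Single quotes keep PowerShell from expanding $KERNEL as a variable.
    $eaName = '$KERNEL.SMARTLOCKER.ORIGINCLAIM'

    # ISG and managed installer tracking depend on the Application Identity service.
    $svc = Get-Service -Name AppIDSvc
    if ($svc.Status -ne 'Running') {
        Write-Warning "AppIDSvc is $($svc.Status) (StartType: $($svc.StartType)); the EA will not be written while it is stopped."
    }

    Get-ChildItem -LiteralPath $Path -Filter $Filter -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # fsutil lists every extended attribute on the file; look for the EA name in its output.
            $out = & fsutil.exe file queryEA $_.FullName 2>&1 | Out-String
            [pscustomobject]@{
                File           = $_.FullName
                HasOriginClaim = ($out.IndexOf($eaName, [StringComparison]::OrdinalIgnoreCase) -ge 0)
                AppIDSvc       = $svc.Status
            }
        }
}

# 'C:\Program Files\ExampleApp' is a placeholder path for an application deployed by a managed installer.
Get-SmartlockerOriginClaim -Path 'C:\Program Files\ExampleApp' | Format-Table -AutoSize
```

Per the reply above, a file allowed by ISG as a singleton binary is expected to show `HasOriginClaim` as False even when the policy allows it, so a missing EA on such a file is not by itself a sign of misconfiguration.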