Balancing security and flexibility when implementing Windows Defender Application Control (WDAC)
Event Ended
Wednesday, Oct 26, 2022, 08:30 AM PDT
Event details
With the growing sophistication in info sec compromises, organizations are sharply increasing adoption of application control. Windows Defender Application Control has had significant changes over th...
Heather_Poulsen
Updated Dec 27, 2024
bdelamotte_83 (Copper Contributor), Oct 31, 2022
I can't seem to post in the comments, so will reply here. Re: the use of Managed Installer and the Intelligent Security Graph, contrary to the video and the WDAC documentation, MI and ISG only work on Enterprise, not Pro. Is this a bug, or documentation oversight?
Jeffrey_Sutherland (Microsoft), Oct 31, 2022
ISG has always worked on Pro. Managed installer has historically been restricted to Pro (due to AppLocker restriction), but that Edition restriction is being removed with servicing updates coming out later this month as a preview update and with the December Patch Tuesday updates.
- bdelamotte_83 (Copper Contributor), Dec 13, 2022
  Hi Jeffrey - Did the MI-only-on-Enterprise restriction removal make the cut for the December updates just released?
- Jordan_Geurten (Microsoft), Dec 13, 2022
  Hi Ben, it was updated in the optional October C and November B security releases - KB5018482 and KB5018483.
- bdelamotte_83 (Copper Contributor), Oct 31, 2022
  Thanks Jeffrey. I'll look out for the updates. I have re-tested ISG on Pro mode devices, and it works provided the Application Identity service is running, even then post reboot. Manual intervention was required to make sure the service was running. Now that I recall, I may have found this on previous tests with Pro mode, and Intune didn't start this as the documentation suggested. And last edit, I do not see the expected EA $KERNEL.SMARTLOCKER.ORIGINCLAIM as the documentation suggests.
- Jeffrey_Sutherland (Microsoft), Nov 15, 2022
  We recently updated the managed installer and ISG technical reference article to clarify when and where to expect the SMARTLOCKER EA: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer. Briefly, for ISG, the EA will only be created when a file's trust is based on being installed by a trusted installer. Singleton binaries that are allowed by ISG won't have that EA set, which also means they are re-validated more aggressively.