Sep 29 2018 02:12 PM
Hello,
Trying to deploy Windows Defender Application Guard via Intune and running into the same issue on multiple Windows 10 Enterprise (1803) devices.
After the device syncs with Intune, I restart the devices. Application Guard is enabled, but the settings defined in the Intune policy are not applied and result in the errors in the screenshot. I looked up the error on the Intune error page, but it has no description or recommended action. The Hyper-V feature is installed on all devices.
Any thoughts, ideas...?
Much appreciated. Thanks!
Sep 29 2018 04:01 PM
Alex, on one of the devices, check the event logs for more details: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Sep 30 2018 08:50 AM - edited Sep 30 2018 08:51 AM
Hi,
How did you deploy the configuration policy: via device configuration, or with specific settings with OMA-URIs (for example, like the settings in Device Guard)?
Remediation failed error message returned by the client when the SET command on the OMA-URIs required to configure the target setting. In your case, the OMA-URIs didn't succeed.
The remediation error code 201*** is very general; therefore, you can do the following actions:
Eli.
Sep 30 2018 04:38 PM
Hi Arnab,
I checked the event logs and only have errors for trying to install an older version of software that is already installed with a newer version. I have no other errors.
Sep 30 2018 04:42 PM
Hello Eli,
I created a policy for endpoint protection from Intune and defined the settings there. Like I mentioned, the devices did NOT have WDAG enabled until I deployed this policy to a group of devices. It does enable WDAG on them, but results in the failed remediation in the screenshot in the original post.
Sep 30 2018 05:37 PM
Is the 1803 build fully patched? One of the CUs has a fix.
Sep 30 2018 11:51 PM - edited Sep 30 2018 11:52 PM
Hi Alex,
If you don't have any warnings or errors in the debug log, please check the following points:
Eli.
Oct 01 2018 04:46 AM
Yes, running version 1803 build 17134.285. Update to 17134.320 has not pushed to these devices yet.
Oct 01 2018 04:48 AM
Yes, local policy is my next option to try. These are brand new Microsoft Surface devices.
Oct 16 2018 12:13 PM
Hello, any news would be good news. I am having the exact issue, but I am using Windows 10 Insider Preview 18252, all on Microsoft SurfaceBook and Surface 5. I have noticed that if you just enable Application Guard and leave all other settings not configured, then I still get -2016281112 (Remediation failed).
Oct 18 2018 03:36 AM
Hi,
Make sure to enable Audit for WDAG (with AuditApplicationGuard) and check event logs. If you can share the log it will be useful.
Thanks,
Eli.
Jan 10 2020 02:25 AM
Hi,
We have the same problem, which has existed since the release of Application Guard (1803). We are now using 1909 and the problem is still not solved (remediation failed). Is there any new information?
Regards,
Joel
Jan 10 2020 05:26 AM
Jan 10 2020 06:20 AM
Hey @Alex Melching,
Thanks for your information. It's quite funny because I had the same conversation with another Microsoft Support engineer who told me the same (the device is not meeting the hardware requirements). It also wasn't working when we bought new devices which met the requirements. At the moment we set the AG policies via a PowerShell script which changes some registry keys. I don't like this workaround because we still have these remediation errors in our device overview, and if we want to change one of the policies regarding AG we have to edit the whole PowerShell script and re-upload it. But at least now I know that we are not the only ones with this problem.
Jun 10 2020 12:02 AM
Hi @Alex Melching et al
I don't know if anyone is still interested but here goes ....
My organisation had this problem too and pretty much we did everything mentioned so far but it did not fix it.....
In any case, after many weeks working with a MS engineer we got to a solution that I still cannot explain and I have asked for more information so I don't feel like such a "goose".
To make the errors disappear:
Under "Required Settings"
Under Advanced Settings (Network Perimeter):
It worked almost instantly on our system, we didn't need to sync or re-boot or anything.
Please don't ask me how it works - I am still trying to figure that out.
If you figure it out, please let me know.
Jun 10 2020 06:28 AM
Thanks for the definitely unique workaround, but does it resolve the remediation errors in the configuration policy in Intune?
I don't see how APP is associated with MDAG deployment.
Jun 10 2020 07:16 AM
Thanks. But it was all MS Engineer.
I kept asking the same question. In answer to your question - Yes, it does solve the remediation errors showing in the configuration profile of the device.
As for the “why”, I as yet have no idea. Something to do with network boundaries I suspect.
I will keep researching - wish me luck. :)
Jun 10 2020 08:10 AM
Jun 18 2020 08:06 AM
@Alex Melching I gave this a try in my lab and found everything was opening in App Guard rather than just enabling it.
Aug 26 2020 02:14 AM
There's an issue with configuring Application Guard via Intune's prebuilt CSP. You can't actually define network boundaries, so you can't tell it what counts as your local/trusted/enterprise network which would open natively in the browser, and what's untrusted and therefore will open in Application Guard.
If you review the event viewer on the endpoint and look at Applications and Services Logs -> Microsoft -> Windows -> WDAG Policy Evaluator CSP Provider you should see some events with EventID 352 saying:
"At least one mandatory network isolation policy must be set, please configure: EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
As far as I can see there isn't an Intune CSP to set these specifically for Application Guard. It would explain why configuring these in a policy for a non-existent App would work as it will set these options. I guess this is because Application Guard is meant to supplement this policy definition of network boundaries rather than be configured standalone.
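A way to check the condition described in the post above on an affected endpoint, as an added example that is not part of the thread. It assumes the log's channel name contains "WDAG" and that MDM-delivered network isolation values are stored under the PolicyManager registry key shown; `Test-NetworkIsolationRule` is a hypothetical helper name.

```powershell
# Added diagnostic sketch (not from the thread). Run in an elevated session.

# Evaluates the rule quoted in the EventID 352 message:
#   EnterpriseCloudResources OR (EnterpriseIpRange AND EnterpriseNetworkDomainNames)
function Test-NetworkIsolationRule {
    param([hashtable]$Policy)
    $set = @{}
    foreach ($name in 'EnterpriseCloudResources', 'EnterpriseIPRange', 'EnterpriseNetworkDomainNames') {
        # A value counts as configured only if it is present and non-blank.
        $set[$name] = -not [string]::IsNullOrWhiteSpace([string]$Policy[$name])
    }
    [pscustomobject]@{
        EnterpriseCloudResources     = $set['EnterpriseCloudResources']
        EnterpriseIPRange            = $set['EnterpriseIPRange']
        EnterpriseNetworkDomainNames = $set['EnterpriseNetworkDomainNames']
        MandatoryRuleMet             = $set['EnterpriseCloudResources'] -or
                                       ($set['EnterpriseIPRange'] -and $set['EnterpriseNetworkDomainNames'])
    }
}

# 1. Look for EventID 352 in any WDAG-related channel.
#    Assumption: the channel name contains "WDAG"; adjust the wildcard if nothing is listed.
$logs = Get-WinEvent -ListLog '*WDAG*' -ErrorAction SilentlyContinue
foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = 352 } `
                 -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LogName, Message |
        Format-List
}

# 2. Read the network isolation values the MDM policy engine has applied.
#    Assumption: this is where MDM-delivered NetworkIsolation settings land on the device.
$key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\NetworkIsolation'
$policy = @{}
if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'EnterpriseCloudResources', 'EnterpriseIPRange', 'EnterpriseNetworkDomainNames') {
        $policy[$name] = $props.$name
    }
}

# 3. Report which settings are present and whether the mandatory rule is met.
Test-NetworkIsolationRule -Policy $policy | Format-List
```

If `MandatoryRuleMet` is `False` while EventID 352 is being logged, the device has Application Guard settings but no network boundary definition, which matches the condition the post describes.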