Home

Unable to deploy Windows Defender Application Guard via Intune

%3CLINGO-SUB%20id%3D%22lingo-sub-264555%22%20slang%3D%22en-US%22%3EUnable%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-264555%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETrying%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%20and%20running%20into%20the%20same%20issue%20on%20multiple%20Windows%2010%20Enterprise%20(1803)%20devices.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F55008i9598C54EB2A2C6D0%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22WDAGError.PNG%22%20title%3D%22WDAGError.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EAfter%20the%20device%20syncs%20with%20Intune%2C%20I%20restart%20the%20devices.%26nbsp%3B%20Application%20Guard%20is%20enabled%2C%20but%20the%20settings%20defined%20in%20the%20Intune%20policy%20are%20not%20applied%20and%20result%20in%20the%20errors%20in%20the%20screenshot.%26nbsp%3B%20I%20looked%20up%20the%20error%20on%20the%20Intune%20error%20page%2C%20but%20has%20no%20description%20or%20recommended%20action.%26nbsp%3B%20The%20Hyper-V%20feature%20is%20installed%20on%20all%20devices.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20thoughts%2C%20ideas...%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMuch%20appreciated.%26nbsp%3B%20Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-264555%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-275219%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-275219%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMake%20sure%20to%20enable%20Audit%20for%20WDAG%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fwindowsdefenderapplicationguard-csp%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ewith%20AuditApplicationGuard%3C%2FA%3E)%20and%20check%20event%20logs.%20If%20you%20can%20share%20the%20log%20it%20will%20be%20useful.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%2C%3C%2FP%3E%0A%3CP%3EEli.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-272178%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-272178%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Any%20news%20would%20be%20good%20news.%20I%20am%20having%20exact%20issue%20but%20I%20am%20using%20Windows%2010%20Insider%20Preview%2018252%20-%20all%20on%20Microsoft%20SurfaceBook%20and%20Surface%205.%26nbsp%3B%20I%20have%20noticed%20that%20if%20you%20just%20enable%20application%20Guard%20and%20leave%20all%20other%20settings%20not%20configured%20then%20I%20still%20get%26nbsp%3B%3CSPAN%3E-2016281112%20(Remediation%20failed)%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F56587i72ACB45B2439F216%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Annotation.png%22%20title%3D%22Annotation.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-264926%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-264926%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20local%20policy%20is%20my%20next%20option%20to%20try.%26nbsp%3B%20These%20are%20brand%20new%20Microsoft%20Surface%20devices.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-264925%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-264925%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20running%20version%201803%20build%2017134.285.%26nbsp%3B%20Update%20to%2017134.320%20has%20not%20pushed%20to%20these%20devices%20yet.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-264805%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-264805%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Alex%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20don't%20have%20any%20warning%20or%20errors%20on%20debug%20log%20please%20check%20the%20following%20points%3A%3C%2FP%3E%3CUL%3E%3CLI%3EMake%20sure%20your%20system%20requirement%20is%20ok%20against%20WDAG%20system%20requirements%3C%2FLI%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-application-guard%2Fconfigure-wd-app-guard%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EConfigure%20WDAG%20with%20a%20local%20policy%3C%2FA%3E%20to%20make%20sure%20that%20you%20don't%20have%20any%20other%20issues%3C%2FLI%3E%3CLI%3EEnable%20Audit%20for%20WDAG%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fwindowsdefenderapplicationguard-csp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ewith%20AuditApplicationGuard%3C%2FA%3E)%20and%20check%20event%20logs%3C%2FLI%3E%3CLI%3EOptional%3A%20If%20you%20can%20check%20the%20WDAG%20on%20Windows%2010%201709%20to%20with%20same%20settings%20and%20compare%20findings%3C%2FLI%3E%3C%2FUL%3E%3CP%3EEli.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-264741%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-264741%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20the%201803%20build%20fully%20patched%3F%26nbsp%3BOne%20of%20the%20CU's%20have%20a%20fix.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-264721%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-264721%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Eli%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20created%20a%20policy%20for%20endpoint%20protection%20from%20Intune%20and%20defined%20the%20settings%20there.%26nbsp%3B%20Like%20I%20mentioned%20the%20devices%20did%20NOT%20have%20WDAG%20enabled%20until%20I%20deployed%20this%20policy%20to%20a%20group%20of%20devices.%20It%20does%20enable%20WDAG%20on%20them%2C%20but%20result%20in%20the%20failed%20remediation%20in%20the%20screenshot%20in%20the%20original%20post.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F55069i20222E71CBA2BB7F%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22WDAGSettings.PNG%22%20title%3D%22WDAGSettings.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-264719%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-264719%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Arnab%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20checked%20the%20event%20logs%20and%20only%20have%20errors%20for%20trying%20to%20install%20an%20older%20version%20of%20software%20that%20is%20already%20installed%20with%20newer%20version.%26nbsp%3B%20I%20have%20no%20other%20errors.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-264643%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-264643%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20did%20you%20deploy%20the%20configuration%20policy%20via%20device%20configuration%20or%20with%20specific%20settings%20with%20OMA-URI's%20(for%20example%20like%20settings%20in%20device%20guard)%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERemediation%20failed%20error%20message%20returned%20by%20the%20client%20when%20the%20SET%20command%20on%20the%20OMA-URI%E2%80%99s%20required%20to%20configure%20the%20target%20setting.%20In%20your%20case%2C%20the%20OMA-URI's%20didn't%20succeed.%3C%2FP%3E%3CP%3EThe%20remediation%20error%20code%20201***%20is%20very%20general%20therefore%20you%20can%20do%20the%20following%20actions%3A%3C%2FP%3E%3CUL%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fwww.eshlomo.us%2Ftroubleshooting-intune-policy-with-windows-10%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETroubleshoot%20%3C%2FA%3Eerror%20from%20Windows%2010%20device%3C%2FLI%3E%3CLI%3EOnce%20you've%20some%20information%20change%20your%20settings%26nbsp%3B%3C%2FLI%3E%3C%2FUL%3E%3CP%3EEli.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-264562%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20deploy%20Windows%20Defender%20Application%20Guard%20via%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-264562%22%20slang%3D%22en-US%22%3E%3CP%3EAlex%2C%20on%20one%20of%20the%20devices%2C%20check%20the%20event%20logs%20for%20more%20details%3A%20Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%3C%2FP%3E%3C%2FLINGO-BODY%3E
Alex Melching
Contributor

Hello,

 

Trying to deploy Windows Defender Application Guard via Intune and running into the same issue on multiple Windows 10 Enterprise (1803) devices.

WDAGError.PNG

After the device syncs with Intune, I restart the devices.  Application Guard is enabled, but the settings defined in the Intune policy are not applied and result in the errors in the screenshot.  I looked up the error on the Intune error page, but has no description or recommended action.  The Hyper-V feature is installed on all devices.

 

Any thoughts, ideas...?

 

Much appreciated.  Thanks!

10 Replies

Alex, on one of the devices, check the event logs for more details: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider

Hi,

 

How did you deploy the configuration policy via device configuration or with specific settings with OMA-URI's (for example like settings in device guard)?

 

Remediation failed error message returned by the client when the SET command on the OMA-URI’s required to configure the target setting. In your case, the OMA-URI's didn't succeed.

The remediation error code 201*** is very general therefore you can do the following actions:

  • Troubleshoot error from Windows 10 device
  • Once you've some information change your settings 

Eli.

Hi Arnab,

 

I checked the event logs and only have errors for trying to install an older version of software that is already installed with newer version.  I have no other errors.

Hello Eli,

 

I created a policy for endpoint protection from Intune and defined the settings there.  Like I mentioned the devices did NOT have WDAG enabled until I deployed this policy to a group of devices. It does enable WDAG on them, but result in the failed remediation in the screenshot in the original post.

WDAGSettings.PNG

Is the 1803 build fully patched? One of the CU's have a fix.

Hi Alex,

 

If you don't have any warning or errors on debug log please check the following points:

  • Make sure your system requirement is ok against WDAG system requirements
  • Configure WDAG with a local policy to make sure that you don't have any other issues
  • Enable Audit for WDAG (with AuditApplicationGuard) and check event logs
  • Optional: If you can check the WDAG on Windows 10 1709 to with same settings and compare findings

Eli.

 

Yes, running version 1803 build 17134.285.  Update to 17134.320 has not pushed to these devices yet.

Yes, local policy is my next option to try.  These are brand new Microsoft Surface devices.

Hello Any news would be good news. I am having exact issue but I am using Windows 10 Insider Preview 18252 - all on Microsoft SurfaceBook and Surface 5.  I have noticed that if you just enable application Guard and leave all other settings not configured then I still get -2016281112 (Remediation failed) Annotation.png

Hi,

 

Make sure to enable Audit for WDAG (with AuditApplicationGuard) and check event logs. If you can share the log it will be useful.

 

Thanks,

Eli.

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
36 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies