Windows Defender Application Control - Intune Management DLLs


Hi,

I'm busy deploying WDAC via Intune, and I was curious about the options and settings in the "Endpoint Security - Attack Surface Reduction - Application Control" profile. This is to check whether it would offer some basic protection without having to implement additional profiles using XML files, and to keep management simple.

Of course I started in Audit mode to see the results:

Screenshot 2021-06-24 123649.png

After applying it and using my machine, I noticed some logs which don't seem normal... You would expect the Intune Management components to be trusted, since if you put it in block mode you would still want to be able to manage your machine. Apparently, this isn't the case. For example, OSExtentions.dll would be blocked because the file is not correctly signed. (Same for the GAC...)

Screenshot 2021-06-24 124917.png

When checking the signature of the DLL, it seems to be correctly signed...

Screenshot 2021-06-24 125037.png

So I don't know if this is by design or not...

(This was tested on Windows 10 Enterprise v21H1 - OS Build 19043.1052)

1 Reply

After some further investigation, it seems the "Default Windows" policy is applied and is causing this block... Still don't know why, since it is signed by Microsoft...

Screenshot 2021-06-24 132433.png
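To triage audit-mode results like the ones in this thread without reading each event by hand, the following added example (not from the poster or from Microsoft) pulls the WDAC audit events (Event ID 3076 in the CodeIntegrity operational log), then prints the Authenticode status and full signer chain of each flagged file so it can be compared against the policy's signer rules. The EventData field names ('File Name', 'Process Name', 'PolicyName') and the HarddiskVolumeN-to-C: mapping are assumptions; adjust them for your build and volume layout.

```powershell
# Added example, not code from the original post. Lists WDAC audit-mode blocks
# (Event ID 3076, Microsoft-Windows-CodeIntegrity/Operational) and shows each
# flagged file's signer chain for comparison with the policy's signer rules.

function Get-WdacAuditEvents {
    param([int]$MaxEvents = 50)
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                File    = $data['File Name']     # assumed field name
                Process = $data['Process Name']  # assumed field name
                Policy  = $data['PolicyName']    # assumed field name (newer builds)
            }
        }
}

function ConvertTo-DrivePath {
    # Event paths use the device form \Device\HarddiskVolumeN\...; rewrite to a
    # drive letter. Assumption: the system volume maps to C: (adjust if needed).
    param([string]$DevicePath)
    return ($DevicePath -replace '^\\Device\\HarddiskVolume\d+', 'C:')
}

function Show-SignerChain {
    # Prints the Authenticode status and the subject of every certificate in
    # the signer's chain (leaf first), which is what a WDAC signer rule matches on.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host "$Path : $($sig.Status)"
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($sig.SignerCertificate)
        foreach ($el in $chain.ChainElements) {
            Write-Host ("  {0}" -f $el.Certificate.Subject)
        }
    }
}

# Walk the unique flagged files and show how each one is signed.
Get-WdacAuditEvents | Sort-Object File -Unique | ForEach-Object {
    $p = ConvertTo-DrivePath $_.File
    if (Test-Path $p) { Show-SignerChain $p } else { Write-Host "$p : not found" }
}
```

Run it in an elevated PowerShell session on the audited machine; the printed chain shows which Microsoft CA actually issued the signer, which is the detail to check against the signer rules of the applied policy.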