Can't get rid of WDAC Block

Hi All

We rolled out an Endpoint Protection policy with WDAC on, but it has had a negative effect on some users.

Now we have unassigned the Endpoint Protection policy with WDAC, yet apps are still being blocked.

Is there a way to fix this?

Info appreciated

6 Replies
The only thing you have to do is assign the WDAC policy again and edit the policy to disable or not configured. This will turn off the WDAC role on the endpoint.

I'm pretty certain that we tried this but can retest and post the outcome here.

Regards

@Stuart King Hello Stuart,

I was curious, did you find a solution to this problem?

Thanks

@dj675414

Hi Buddy

I think we had some National Cyber Security Centre (NCSC) Endpoint Protection policies deployed that had a WDAC payload.

Check what configs are being deployed to your devices.

Regards

You can apply another policy with WDAC set to audit and that will remove the enforcement.

That’s exactly what I did last night. Keep in mind this does cause a forced reboot on all client machines this policy deploys to.

The problem for us: I use a 3rd-party packager when Win32app doesn’t fit the bill. Some of those apps looked foreign to Defender and it blocked user access to them after a change in the policy.
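
To confirm on an affected device whether a code integrity policy is still enforced after the unassignment, and which policy the blocks come from, a check along these lines can help (an added example, not part of any reply in this thread). The event data field names `File Name`, `PolicyName` and `PolicyID` are assumptions about the Code Integrity event schema, and the seven-day window is arbitrary.

```powershell
# Added example: is WDAC still enforced here, and which policy is blocking?
# Run in an elevated PowerShell session on the affected endpoint.

# Win32_DeviceGuard status values: 0 = off, 1 = audit, 2 = enforced
$statusText = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'
[pscustomobject]@{
    KernelModeCI = $statusText[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    UserModeCI   = $statusText[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
} | Format-List

# Code Integrity events: 3077 = blocked by an enforced policy,
# 3076 = would have been blocked (audit mode).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue   # no matching events raises an error otherwise

$rows = foreach ($e in $events) {
    # Flatten the named <Data> elements of the event into a lookup table.
    # Field names used below are assumed; inspect $e.ToXml() if they are empty.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Mode     = if ($e.Id -eq 3077) { 'Blocked' } else { 'AuditOnly' }
        File     = $data['File Name']
        Policy   = $data['PolicyName']
        PolicyId = $data['PolicyID']
    }
}

if ($rows) {
    # Most frequent file/policy combinations first
    $rows | Group-Object Mode, Policy, File | Sort-Object Count -Descending |
        Select-Object Count, Name -First 20 | Format-Table -AutoSize
} else {
    'No 3076/3077 events in the last 7 days.'
}

# CiTool ships with Windows 11 22H2 and later; it lists the policies on the device.
if (Get-Command 'CiTool.exe' -ErrorAction SilentlyContinue) {
    CiTool.exe --list-policies
}
```

If the status still reads Enforced after the Intune assignment is gone, the policy name in the block events shows which deployed configuration to look for.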