Unable to deploy Windows Defender Application Guard via Intune


Hello,

 

Trying to deploy Windows Defender Application Guard via Intune and running into the same issue on multiple Windows 10 Enterprise (1803) devices.

[Screenshot: WDAGError.PNG]

After the device syncs with Intune, I restart the devices. Application Guard is enabled, but the settings defined in the Intune policy are not applied and result in the errors in the screenshot. I looked up the error on the Intune error page, but it has no description or recommended action. The Hyper-V feature is installed on all devices.

 

Any thoughts, ideas...?

 

Much appreciated.  Thanks!

19 Replies

Alex, on one of the devices, check the event logs for more details: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider

Hi,

 

How did you deploy the configuration policy via device configuration or with specific settings with OMA-URI's (for example like settings in device guard)?

 

The "Remediation failed" error message is returned by the client when the SET command on the OMA-URIs required to configure the target setting fails. In your case, the OMA-URI SET didn't succeed.

The remediation error code 201*** is very general, therefore you can do the following:

  • Troubleshoot the error from the Windows 10 device
  • Once you have some information, change your settings

Eli.

Hi Arnab,

 

I checked the event logs and only have errors for trying to install an older version of software that is already installed with newer version.  I have no other errors.

Hello Eli,

 

I created a policy for endpoint protection from Intune and defined the settings there. Like I mentioned, the devices did NOT have WDAG enabled until I deployed this policy to a group of devices. It does enable WDAG on them, but results in the failed remediation in the screenshot in the original post.

[Screenshot: WDAGSettings.PNG]

Is the 1803 build fully patched? One of the CUs has a fix.

Hi Alex,

 

If you don't have any warnings or errors in the debug log, please check the following points:

  • Make sure your system meets the WDAG system requirements
  • Configure WDAG with a local policy to make sure that you don't have any other issues
  • Enable Audit for WDAG (with AuditApplicationGuard) and check the event logs
  • Optional: if you can, check WDAG on Windows 10 1709 with the same settings and compare findings

Eli.

 

Yes, running version 1803 build 17134.285. The update to 17134.320 has not been pushed to these devices yet.

Yes, local policy is my next option to try.  These are brand new Microsoft Surface devices.

Hello, any news would be good news. I am having the exact issue, but I am using Windows 10 Insider Preview 18252, all on Microsoft Surface Book and Surface 5. I have noticed that if you just enable Application Guard and leave all other settings not configured, I still get -2016281112 (Remediation failed).

[Screenshot: Annotation.png]

Hi,

 

Make sure to enable Audit for WDAG (with AuditApplicationGuard) and check the event logs. If you can share the log, it will be useful.

 

Thanks,

Eli.

Hi,

 

We have the same problem, which has existed since the release of Application Guard (1803). We are now using 1909 and the problem is still not solved (remediation failed). Is there any new information?

Regards,

Joel

Hi Joel,
I still have this problem as well. But I did work with another Microsoft Support engineer recently (and am still working with them), and after reviewing some of the event log info, it appears that the devices are not meeting the hardware requirements for AG. The device must have 4 cores and 8 GB of RAM available.
I have several devices that are just at 8 GB and have the 4 cores and are failing, but I also have larger devices, with 16 GB of RAM and 4+ cores, that are failing with the same error. And since 1803, we are running 1909 now as well.
When I get more info, I'll update the thread.
If audit is enabled for AG, check your event log here:
Applications and Services Logs / Microsoft / Windows / WDAG-PolicyEvaluator-CSP

Hey @Alex Melching,

 

Thanks for your information. It's quite funny, because I had the same conversation with another Microsoft Support engineer, who told me the same (the device is not meeting the hardware requirements). It also wasn't working when we bought new devices which met the requirements. At the moment we set the AG policies via a PowerShell script which changes some registry keys. I don't like this workaround because we still have these remediation errors in our device overview, and if we want to change one of the policies regarding AG we have to edit the whole PowerShell script and re-upload it. But at least now I know that we are not the only ones with this problem.

Hi @Alex Melching et al.,

 

I don't know if anyone is still interested but here goes ....

My organisation had this problem too and pretty much we did everything mentioned so far but it did not fix it.....

 

In any case, after many weeks working with a MS engineer we got to a solution that I still cannot explain and I have asked for more information so I don't feel like such a "goose".

 

To make the errors disappear:

  • As an admin, go to the Intune portal and navigate to the "App Protection Policies" blade.
  • Create a new App Protection Policy (Windows 10)
  • After name and description choose whether you wish to apply the policy to devices that are enrolled or not enrolled.
  • Click Next
  • Select "Add" a Protected App
  • Do not select an App, just make the following property changes:

Under "Required Settings"

  • Corporate Identity: <your_organisation>@onmicrosoft.com

Under Advanced Settings (Network Perimeter):

  • Add a network boundary of type 'Cloud Resource' (using a name that makes sense to you) and add the *Value* "/*AppCompat*/"
  • Click OK
  • Add a network boundary of type 'Neutral' (using a name that makes sense to you) and add the *Value* "login.windows.net,login.microsoftonline.com"
  • Click on Review and save
  • Assign it to a test group (devices in my case) and let me know if it fixes the problem

It worked almost instantly on our system, we didn't need to sync or re-boot or anything.

Please don't ask me how it works - I am still trying to figure that out.

If you figure it out, please let me know.

@herman_munster 

Thanks for the definitely unique workaround, but does it resolve the remediation errors in the configuration policy in Intune?

I don't see how APP is associated with MDAG deployment.

 

 

@Alex Melching

Thanks. But it was all the MS engineer.

I kept asking the same question.  In answer to your question - Yes, it does solve the remediation errors showing in the configuration profile of the device. 

As for the “why”, I as yet have no idea. Something to do with network boundaries I suspect.

I will keep researching - wish me luck.  :)

@herman_munster 

 

Thanks! Too funny, but I'm going to give it a try in our dev environment.

@Alex Melching I gave this a try in my lab and found everything was opening in App Guard rather than just enabling it.

There's an issue with configuring Application Guard via Intune's prebuilt CSP. You can't actually define network boundaries, so you can't tell it what counts as your local/trusted/enterprise network which would open natively in the browser, and what's untrusted and therefore will open in Application Guard.

 

If you review the event viewer on the endpoint and look at Applications and Services Logs -> Microsoft -> Windows -> WDAG Policy Evaluator CSP Provider you should see some events with EventID 352 saying:

 

"At least one mandatory network isolation policy must be set, please configure: EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"

 

As far as I can see, there isn't an Intune CSP to set these specifically for Application Guard. That would explain why configuring them in a policy for a non-existent app works: it sets these options. I guess this is because Application Guard is meant to supplement this policy definition of network boundaries rather than be configured standalone.
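A diagnostic script, added here as an example and not taken from anyone in the thread, that gathers on one endpoint the checks this thread walks through: OS build, Hyper-V and Application Guard feature state, cores and RAM, whether the network isolation policy values named in the EventID 352 message are present, and the EventID 352 and MDM diagnostic events. The WDAG log channel name and the NetworkIsolation registry path are assumptions derived from the paths given in the thread and the NetworkIsolation CSP; verify both on your build.

```powershell
# Added diagnostic script (not from the thread). Run in an elevated PowerShell on an
# affected Windows 10 endpoint. ASSUMPTION: the WDAG CSP log is exposed to Get-WinEvent as
# 'Microsoft-Windows-WDAG-PolicyEvaluator-CSP/Operational' (derived from the folder path
# given in the thread). Check with: Get-WinEvent -ListLog *WDAG*

# --- 1. Prerequisites the thread calls out: build, features, cores, RAM ---
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
$ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
$wanted = 'Microsoft-Hyper-V-All', 'Windows-Defender-ApplicationGuard'
$feat   = Get-WindowsOptionalFeature -Online | Where-Object { $_.FeatureName -in $wanted }

"OS build : $($cv.CurrentBuild).$($cv.UBR)"     # thread: 17134.285 failing, .320 not yet applied
"CPU cores: $cores  (thread: 4 required)"
"RAM      : $ramGB GB (thread: 8 GB required)"
$feat | Select-Object FeatureName, State | Format-Table -AutoSize

# --- 2. Network isolation values that the EventID 352 message says are mandatory ---
# ASSUMPTION: the NetworkIsolation CSP writes these under the policy key below.
$niKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
$ni    = Get-ItemProperty -Path $niKey -ErrorAction SilentlyContinue
foreach ($name in 'EnterpriseCloudResources', 'EnterpriseIPRange', 'EnterpriseNetworkDomainNames') {
    $val   = if ($ni) { $ni.$name } else { $null }
    $shown = if ($val) { $val } else { '<not set>' }
    "{0,-30}: {1}" -f $name, $shown
}

# --- 3. Pull the EventID 352 entries and MDM client errors the thread points to ---
$wdagLog = 'Microsoft-Windows-WDAG-PolicyEvaluator-CSP/Operational'   # assumption, see above
$mdmLog  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$e352 = Get-WinEvent -FilterHashtable @{ LogName = $wdagLog; Id = 352 } -MaxEvents 10 -ErrorAction SilentlyContinue
if ($e352) {
    "`nEventID 352 entries (mandatory network isolation policy missing):"
    $e352 | Select-Object TimeCreated, Message | Format-List
} else {
    "`nNo EventID 352 entries found in $wdagLog (log name may differ on this build)."
}
# Level 2 = Error; these are the MDM client-side failures behind the Intune remediation error
Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Level = 2 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If section 2 shows all three values as not set while section 3 shows EventID 352, the endpoint is reporting exactly the condition described above; after the App Protection Policy workaround is assigned, the Cloud Resource and Neutral boundaries should appear in section 2 and the 352 events should stop.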