09-29-2018 02:12 PM
Trying to deploy Windows Defender Application Guard via Intune and running into the same issue on multiple Windows 10 Enterprise (1803) devices.
After the device syncs with Intune, I restart the devices. Application Guard is enabled, but the settings defined in the Intune policy are not applied and result in the errors in the screenshot. I looked up the error on the Intune error page, but it has no description or recommended action. The Hyper-V feature is installed on all devices.
Any thoughts, ideas...?
Much appreciated. Thanks!
09-29-2018 04:01 PM
Alex, on one of the devices, check the event logs for more details: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
09-30-2018 08:50 AM - edited 09-30-2018 08:51 AM
How did you deploy the configuration policy: via device configuration, or with specific settings with OMA-URIs (for example, like the settings in Device Guard)?
"Remediation failed" is the error message returned by the client when the SET command on the OMA-URIs required to configure the target setting fails. In your case, the OMA-URIs didn't succeed.
The remediation error code 201*** is very general; therefore, you can take the following actions:
09-30-2018 04:38 PM
I checked the event logs and only have errors for trying to install an older version of software that is already installed with a newer version. I have no other errors.
09-30-2018 04:42 PM
I created a policy for endpoint protection from Intune and defined the settings there. Like I mentioned, the devices did NOT have WDAG enabled until I deployed this policy to a group of devices. It does enable WDAG on them, but results in the failed remediation in the screenshot in the original post.
09-30-2018 11:51 PM - edited 09-30-2018 11:52 PM
If you don't have any warnings or errors in the debug log, please check the following points:
10-01-2018 04:46 AM
Yes, running version 1803 build 17134.285. Update to 17134.320 has not pushed to these devices yet.
10-01-2018 04:48 AM
Yes, local policy is my next option to try. These are brand new Microsoft Surface devices.
10-16-2018 12:13 PM
Hello, any news would be good news. I am having the exact issue, but I am using Windows 10 Insider Preview 18252, all on Microsoft SurfaceBook and Surface 5. I have noticed that if you just enable Application Guard and leave all other settings not configured, then I still get -2016281112 (Remediation failed).
10-18-2018 03:36 AM
Make sure to enable Audit for WDAG (with AuditApplicationGuard) and check event logs. If you can share the log it will be useful.
01-10-2020 02:25 AM
We have the same problem, which has existed since the release of Application Guard (1803). We are now using 1909 and the problem is still not solved (remediation failed). Is there any new information?
01-10-2020 05:26 AM
01-10-2020 06:20 AM
Hey @Alex Melching,
Thanks for your information. It's quite funny because I had the same conversation with another Microsoft Support engineer who told me the same (the device is not meeting the hardware requirements). It also wasn't working when we bought new devices which met the requirements. At the moment we set the AG policies via a PowerShell script which changes some registry keys. I don't like this workaround because we still have these remediation errors in our device overview, and if we want to change one of the policies regarding AG we have to edit the whole PowerShell script and re-upload it. But at least now I know that we are not the only ones with this problem.
06-10-2020 12:02 AM
Hi @Alex Melching et al
I don't know if anyone is still interested, but here goes...
My organisation had this problem too, and we did pretty much everything mentioned so far, but it did not fix it.
In any case, after many weeks working with an MS engineer, we got to a solution that I still cannot explain, and I have asked for more information so I don't feel like such a "goose".
To make the errors disappear:
Under "Required Settings"
Under Advanced Settings (Network Perimeter):
It worked almost instantly on our system; we didn't need to sync or reboot or anything.
Please don't ask me how it works - I am still trying to figure that out.
If you figure it out, please let me know.
06-10-2020 06:28 AM
Thanks for the definitely unique workaround, but does it resolve the remediation errors in the configuration policy in Intune?
I don't see how APP is associated with MDAG deployment.
06-10-2020 07:16 AM
Thanks. But it was all MS Engineer.
I kept asking the same question. In answer to your question - Yes, it does solve the remediation errors showing in the configuration profile of the device.
As for the “why”, I as yet have no idea. Something to do with network boundaries I suspect.
I will keep researching - wish me luck. :)
06-10-2020 08:10 AM
Thanks! Too funny, but going to give it a try in our dev environment.
06-18-2020 08:06 AM
@Alex Melching I gave this a try in my lab and found everything was opening in App Guard rather than just enabling it.