
Windows 10 Defender Application Control


I have been doing some experiments with Intune (doing some lab exercises) and I enrolled my PC in Azure Active Directory with the M365 login. After that, I get the following error message when I try to open any application or try to install any exe. I am the admin of the account, and this is just a user account I enrolled on the device. I cannot figure out where the problem is; I deleted all the policies, etc., but I'm still finding it difficult to know how to disable this for the end user. Can anybody give me a tip?

[screenshot of the error message attached]

It looks like MDAC is enabled in your Office 365 tenant with the default settings... The default settings will block this file. I could give a long talk about how MDAC works... or point you to a blog of mine with all the stuff in it you will need:

https://call4cloud.nl/2021/06/wdac-or-the-unexpected-virtue-of-ignorance/
Thanks, Rudy. Where can I disable this setting? I looked into your blog but it doesn't have any specifics on how to delete/disable this policy :(

It depends on your configuration... Did you create a security baseline?

@Rudy_Ooms_MVP - no device config profiles. [screenshot attached]

Did you also look under the Endpoint security blade?

@Rudy_Ooms_MVP Under which section from below?

[screenshot attached]

I would expect it under Attack surface reduction...

@Rudy_Ooms_MVP That is also empty; there are no profiles.

[screenshot attached]

Are you AADJ or HAADJ joined? So are there any on-premises GPOs active?

No, this is purely in the cloud with Azure Active Directory and an E5 license; no on-prem or VMs connected.

There must be a policy somewhere in Intune which was configured to enable MDAC. Maybe the policy was deleted after the device was enrolled? Maybe it's a tattooing issue... Did you also test it by enrolling a new additional device?

Did you also use the MDM diagnostics tool to export the existing policies on the device? And are there any files left in the Code Integrity folder I also mentioned in the blog?

I think I created something (as mentioned in your blog) but deleted it. But why isn't it removed from the user or device? I have also initiated a sync. I didn't use the MDM diagnostics tool; where can I download it? What is the Code Integrity folder?

The MDM diagnostics tool is on the device itself... Like I was mentioning in the blog, sometimes it could be a tattooing problem/issue... I recommend reading the blog again... Part 10 describes your issue pretty well...

Try to push an AllowAll XML or remove the contents of the folder I mentioned:

https://call4cloud.nl/2021/06/wdac-or-the-unexpected-virtue-of-ignorance/#part10
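The two checks the reply above suggests (run the MDM diagnostics tool and look for leftover files in the Code Integrity folder), plus a look at the device's enforcement state and the recent block events, in one script. This is an added example written for this page; it is not code from the thread or from the linked blog. It assumes an elevated PowerShell session on the affected Windows 10/11 device, an output folder of C:\Temp\wdac-diag, and the AllowAll.xml template that ships in the Windows CodeIntegrity schema folder.

```powershell
# Added example, not from the thread or the linked blog.
# Read-only checks for a WDAC/MDAC policy still enforced on an AAD-joined device,
# collection of the MDM diagnostics cab, and preparation of an AllowAll policy
# binary. Run in an elevated PowerShell. $OutDir is an assumed output location.
$OutDir = 'C:\Temp\wdac-diag'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Current code integrity enforcement state.
#    0 = policy not present, 1 = audit mode, 2 = enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
[pscustomobject]@{
    UserModePolicy   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    KernelModePolicy = $dg.CodeIntegrityPolicyEnforcementStatus
} | Format-List

# 2. Policy binaries left on disk after the Intune profile was deleted (the
#    "tattooing" case). Legacy single policy: SIPolicy.p7b; multiple policies:
#    CiPolicies\Active\<guid>.cip.
$ciRoot = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
Get-ChildItem -Path $ciRoot -Filter 'SIPolicy.p7b' -ErrorAction SilentlyContinue
Get-ChildItem -Path (Join-Path $ciRoot 'CiPolicies\Active') -Filter '*.cip' -ErrorAction SilentlyContinue

# 3. Recent blocks from the Code Integrity log.
#    3077 = blocked under an enforced policy, 3076 = would be blocked (audit mode).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 4. Export the MDM diagnostics (enrollment state and the policies the device
#    still believes are applied) to a cab file for review.
$cab = Join-Path $OutDir 'mdmdiag.cab'
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -area 'DeviceEnrollment;DeviceProvisioning;Autopilot' -cab $cab
Write-Host "Diagnostics written to $cab"

# 5. Build an AllowAll policy binary from the template Windows ships with, ready
#    to be pushed through Intune (the deployment itself happens in the portal).
$allowAllXml = Join-Path $env:SystemRoot 'schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml'
if (Test-Path $allowAllXml) {
    $bin = Join-Path $OutDir 'AllowAll.bin'
    ConvertFrom-CIPolicy -XmlFilePath $allowAllXml -BinaryFilePath $bin | Out-Null
    Write-Host "AllowAll policy binary written to $bin"
}
```

Steps 1 to 4 change nothing on the device, so they are safe to run first. If step 2 lists a policy file although no Intune profile targets the device any more, that matches the tattooing scenario in the reply: the file stays active until it is removed (or replaced by an AllowAll policy) and the device is rebooted. Delete a policy file only after confirming it is not signed and still expected elsewhere, since a signed policy is not meant to be removed by hand.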