Windows 10 defender Application control


I have been doing some experiments with Intune (doing some lab exercises) and I enrolled my PC to the Azure Active Directory with the M365 login. Then after that, I am getting the following error message when I try to open any applications or try to install any exe. I am the admin of the account and this is just a user account I enrolled to the device. I cannot figure out where the problem is, I deleted all the policies, etc. but I'm still finding it difficult to know how to disable this for the end user. Can anybody give me a tip?

Screenshot 2021-09-05 at 2.22.52 PM.png

13 Replies
It looks like MDAC is enabled in your Office 365 tenant with the default settings... The default settings will block this file. I can give a long talk about how MDAC works... Or could point you to a blog of mine with all the stuff in it you will need

https://call4cloud.nl/2021/06/wdac-or-the-unexpected-virtue-of-ignorance/

Thanks, Rudy, where can I disable this setting? I looked into your blog but it doesn't have any specifics on how to delete/disable this policy :(

It depends on your configuration... Did you create a security baseline?

@Rudy_Ooms - no device config files

Screenshot 2021-09-05 at 2.48.18 PM.png

Did you also look under the endpoint security plane?

@Rudy_Ooms  Under which section from below?

Screenshot 2021-09-05 at 2.56.43 PM.png

I would expect it under attack surface reduction...

@Rudy_Ooms That is also empty, there are no profiles

Screenshot 2021-09-05 at 3.01.30 PM.png

Are you AADJ or HAADJ joined? So are there any on-premises GPOs active?

No, this is purely on the cloud with Azure Active Directory with E5 license, no on-prem or VMs connected.

There must be a policy somewhere in Intune which was configured to enable MDAC. Maybe the policy was deleted after the device was enrolled? Maybe it's a tattooing issue... Did you also test it by enrolling a new additional device?

Did you also use the mdmdiagnostic tool to export the existing policies on the device? And are there any files left in the code integrity folder I also mentioned in the blog?

I think I created something (as mentioned in your blog) but deleted it. But why isn't it removed from the user or device? I have also initiated a sync. I didn't use the mdmdiag tool; where can I download it? What is the code integrity folder?

The mdmdiagnostic tool is on the device itself... Like I was mentioning in the blog... that sometimes it could be a tattooing problem/issue... I recommend reading the blog again... part 10 describes your issue pretty well...

Try to push an allowallxml or remove the contents of the folder I mentioned

https://call4cloud.nl/2021/06/wdac-or-the-unexpected-virtue-of-ignorance/#part10