WDAC on TFS build servers

Hi,

I have been trying to implement WDAC (Windows Defender Application Control) on our on-prem TFS 2017 build servers (Windows Server 2019, 1809) with build agents. We had some initial problems getting jobs to push correctly to a build server with WDAC enabled, but this part is now resolved.
However, we are still seeing builds fail due to WDAC.

For example, when msbuild.exe tries to load a .dll file, the .dll is blocked by WDAC.

The errors we are seeing are (<removed> = identifying data):
Event ID 3092: Code Integrity testing module \213\s\BuildTargets\Core\<removed>\<removed>Tasks.dll against policy DefaultWindowsAudit. Status System Integrity policy has been violated.
Event ID 3033: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\MSBuild.exe) attempted to load \Device\HarddiskVolume7\213\s\BuildTargets\Core\<removed>Tools\<removed>Tasks.dll that did not meet the Enterprise signing level requirements.
I configured a managed installer to try to get around this issue and added "MSBuild" as a managed installer, which should have allowed any DLLs used by the MSBuild task:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-con...
However, it is not working: the errors still occur, and it hasn't solved the issue with Event ID 3033 above.
Any advice would be great.

Thanks.
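The script below is an added example for triaging this kind of failure; it is not code from the original post or from Microsoft. It does three things a practitioner would want here: pull the files that Code Integrity rejected (event IDs 3033 and 3092 from the post, plus the generic 3076 audit and 3077 enforced block events) and map their \Device\HarddiskVolumeN paths back to drive letters; check the prerequisites the managed installer option depends on (the AppLocker ManagedInstaller rule collection, the Application Identity service, and rule option 13 in the policy); and generate explicit allow rules for the build tree and merge them into the base policy. Explicit rules are needed because the managed installer only covers files that the designated installer process itself writes to disk, and task assemblies that the agent checks out of source control, or that were built before the policy went on, carry no such tag. The directory and policy file paths are assumptions and must be adjusted to the server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes the built-in ConfigCI module
# on Windows Server 2019 and the placeholder paths below.

# --- 1. Collect the files Code Integrity has rejected or would reject ----------
$ciLog  = 'Microsoft-Windows-CodeIntegrity/Operational'
$events = Get-WinEvent -FilterHashtable @{ LogName = $ciLog; Id = 3033, 3076, 3077, 3092 } `
                       -ErrorAction SilentlyContinue

# Map NT device paths (\Device\HarddiskVolume7\...) back to drive letters so the
# results can be handed to New-CIPolicy.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@
$deviceMap = @{}
foreach ($code in 65..90) {
    $drive = "$([char]$code):"
    $sb = New-Object System.Text.StringBuilder 260
    if ([Win32.Native]::QueryDosDevice($drive, $sb, 260) -gt 0) { $deviceMap[$sb.ToString()] = $drive }
}
function ConvertTo-DrivePath([string]$ntPath) {
    foreach ($dev in $deviceMap.Keys) {
        if ($ntPath.StartsWith($dev, 'OrdinalIgnoreCase')) { return $deviceMap[$dev] + $ntPath.Substring($dev.Length) }
    }
    return $ntPath   # volume-relative path (as in event 3092) or unknown volume: leave as-is
}

$blocked = foreach ($e in $events) {
    # 3033: "... attempted to load <path> that did not meet ..."; 3092: "... testing module <path> against policy ..."
    if ($e.Message -match 'attempted to load (.+?) that did not meet' -or
        $e.Message -match 'testing module (.+?) against policy') {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Path = ConvertTo-DrivePath $Matches[1] }
    }
}
$blocked | Sort-Object Path -Unique | Format-Table -AutoSize

# --- 2. Managed installer prerequisites ---------------------------------------
# The managed installer option only works if the Application Identity service is
# running and an AppLocker policy with a ManagedInstaller rule collection is in effect.
Get-Service AppIDSvc | Select-Object Name, Status, StartType
Get-AppLockerPolicy -Effective -Xml | Select-String 'ManagedInstaller' |
    ForEach-Object { 'ManagedInstaller rule collection present in effective AppLocker policy' }

# --- 3. Explicit allow rules for the build tree, merged into the base policy ----
$buildTree  = 'D:\213\s\BuildTargets'             # assumed: agent work directory seen in the events
$basePolicy = 'C:\WDAC\DefaultWindowsAudit.xml'   # assumed: XML of the base policy currently deployed
$buildRules = 'C:\WDAC\BuildTargets.xml'
$merged     = 'C:\WDAC\Merged.xml'

# Publisher rules for signed DLLs, per-file hash rules for anything unsigned.
New-CIPolicy -FilePath $buildRules -ScanPath $buildTree -Level Publisher -Fallback Hash -UserPEs
Merge-CIPolicy -OutputFilePath $merged -PolicyPaths $basePolicy, $buildRules
Set-RuleOption -FilePath $merged -Option 13        # Enabled:Managed Installer stays on
# Keep audit mode (option 3) until a few builds run clean, then remove it:
#   Set-RuleOption -FilePath $merged -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath 'C:\WDAC\SIPolicy.p7b'
# Deploy (single-policy format used on 1809) and reboot:
#   Copy-Item 'C:\WDAC\SIPolicy.p7b' "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"
```

Hash rules only hold for the exact binaries that were scanned, so they go stale as soon as a task assembly is rebuilt; for DLLs that the build compiles itself, the sustainable route is to have them signed and rely on the Publisher rule, and to scan the tree again only when the signing certificate changes.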