SOLVED

WDAC Policies not applying!


Hello,

Trying out WDAC for the first time.

I have:

- Downloaded the WDAC Wizard
- Created a base "Windows Works" policy
- Created a supplemental policy that allows the 2 Program Files folders
- All of this in Audit Mode only
- Created a custom profile in MEM and used 2 OMA-URIs, one for each policy, using the ApplicationControl CSP, as per the docs.
- Verified that these 2 policies appear on the workstation, in C:\Windows\System32\CodeIntegrity\CiPolicies\Active.
- The MEM reports for the device show that the profile is applied correctly.

And yet, when I look at the CodeIntegrity event log, all the events I see refer to the default audit policy that comes with Windows. I see (Policy ID:{a244370e-44c9-4c06-b551-f6016e563076}) instead of *my* policy IDs, no matter what I do. I've rebooted a couple of times for good measure.

I left the endpoint control profile setting for WDAC at "Not Configured", since Deploy WDAC policies using Mobile Device Management (MDM) (Windows) - Windows security | Microsoft D... says the built-in policies use the AppLocker CSP and pre-1903 settings. (I did have it set to "Audit Only" previously, though.)

Anyone have any idea what might be going on here? What am I missing?

Thanks,

J.F.

1 Reply
best response confirmed by jfdoyon (Copper Contributor)
Solution

Figured it out.

I used wbemtest to browse the WMI Bridge to see whether I could find instances of the CI policies.

I found 4, two of which were mine. A third was related to driver integrity, and the 4th was the policy that was getting in my way.

I deleted the offending instance directly from wbemtest, and now everything works as expected, or at least the CI event log is showing the things I expected.

This is somewhat documented here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-con...

It mentions that pre-1903 policies must be deleted by script or overridden. Because I had used the Intune built-in policy, I fell under this category, even though I was using a 21H2 machine.

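The check the accepted answer did by hand in wbemtest, scripted in PowerShell so it can be repeated on other devices. This is an added example, not code from the original thread or from Microsoft. It assumes the MDM WMI Bridge namespace `root\cimv2\mdm\dmmap` and the ApplicationControl CSP class `MDM_ApplicationControl_Policies01_PolicyInfo03` documented for the CSP; the AppLocker CSP class that carries the single-policy-format (pre-1903 style) policy is located by wildcard rather than hard-coded, because its exact name is an assumption here. The WMI Bridge only answers the local SYSTEM account, so run it via something like `psexec.exe -s -i powershell.exe`.

```powershell
<#
  Added example (not from the original post): inventory the WDAC policies a
  device knows about through the MDM WMI Bridge, the CodeIntegrity folders and
  the CodeIntegrity event log, then optionally remove a stale AppLocker CSP
  (single-policy format) instance that is shadowing the ApplicationControl CSP
  policies. Must run as SYSTEM (e.g. psexec.exe -s -i powershell.exe).
#>

$namespace = 'root\cimv2\mdm\dmmap'

# --- 1. Multiple-policy format: ApplicationControl CSP (Windows 10 1903+) ---
# PolicyInfo exposes the runtime state of each policy the CSP delivered.
$policyInfoClass = 'MDM_ApplicationControl_Policies01_PolicyInfo03'
Write-Host '== ApplicationControl CSP policies =='
Get-CimInstance -Namespace $namespace -ClassName $policyInfoClass -ErrorAction SilentlyContinue |
    Select-Object InstanceID, FriendlyName, IsEffective, IsDeployed, IsAuthorized, Status |
    Format-Table -AutoSize

# --- 2. Single-policy format: AppLocker CSP (what the Intune built-in profile uses) ---
# Class name is an assumption, so enumerate every AppLocker bridge class whose
# name mentions CodeIntegrity instead of hard-coding one.
Write-Host '== AppLocker CSP (single-policy format) instances =='
$appLockerCiClasses = Get-CimClass -Namespace $namespace -ClassName 'MDM_AppLocker_*' |
    Where-Object CimClassName -like '*CodeIntegrity*'
$appLockerCiClasses | ForEach-Object {
    Get-CimInstance -Namespace $namespace -ClassName $_.CimClassName -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Class'; e = { $_.CimClass.CimClassName } }, InstanceID, ParentID
} | Format-Table -AutoSize

# --- 3. What Code Integrity actually has on disk ---
$ciRoot = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
Write-Host '== Policy files =='
Get-ChildItem -Path (Join-Path $ciRoot 'CiPolicies\Active') -Filter '*.cip' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime
# Legacy single-policy file; present when a pre-1903 style policy is installed.
Get-Item -Path (Join-Path $ciRoot 'SiPolicy.p7b') -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

# --- 4. Which policy IDs the CodeIntegrity log is reporting against ---
# 3076/3077 are audit/enforced block events, 3099 is policy activation. Each
# message names the policy GUID, so grouping by GUID shows which policy the
# engine is really evaluating (the post saw only A244370E-... here).
Write-Host '== Policy GUIDs seen in recent CodeIntegrity events =='
$guidPattern = '\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?'
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077, 3099
    } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { [regex]::Matches($_.Message, $guidPattern) | ForEach-Object { $_.Value.ToUpper() } } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# --- 5. Remove the stale AppLocker CSP instance (what the post did in wbemtest) ---
# Set $staleId to the InstanceID (or the grouping name in ParentID) printed in
# step 2 for the policy you want gone. Deleting the CSP node is what undoes an
# MDM-delivered policy; afterwards reboot (or citool.exe --refresh on 22H2+).
$staleId = $null   # e.g. the grouping name shown in step 2; left empty on purpose
if ($staleId) {
    $appLockerCiClasses | ForEach-Object {
        Get-CimInstance -Namespace $namespace -ClassName $_.CimClassName -ErrorAction SilentlyContinue |
            Where-Object { $_.InstanceID -eq $staleId -or $_.ParentID -like "*$staleId*" }
    } | Remove-CimInstance -Confirm
}
```

Read steps 1 to 4 together: a policy that is on disk and reported by the bridge but never named in 3076/3077 events is not the one the engine is evaluating, and a GUID that dominates the event log but matches none of your CiPolicies\Active files is the one to hunt down in step 2. Step 5 prompts before each deletion; leave `$staleId` empty until you are sure which instance is the stray.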