wdac
2 Topics

WDAC + App Control For Business + App Control Wizard
Hello All,

We are trying to use the following combination—WDAC, App Control for Business, and the App Control Wizard—to create and deploy WDAC policies in our tenant. We have a general base policy derived from a slightly modified 'Allow Microsoft Mode' template, along with a couple of supplemental policies that explicitly allow certain apps by publisher (such as Palo Alto, Omnissa/VMware, etc.).

Enabled rules on the base policy are as follows:

    Enabled:Unsigned System Integrity Policy
    Enabled:Advanced Boot Options Menu
    Enabled:UMCI
    Enabled:Inherit Default Policy
    Enabled:Update Policy No Reboot
    Enabled:Allow Supplemental Policies
    Enabled:Managed Installer

Basically, we are allowing only those applications that are installed via a managed installer—in our case, the Company Portal. For example, if Palo Alto's GlobalProtect is installed through the Company Portal, it is not blocked by the WDAC policy. However, on some devices where GlobalProtect was installed manually, we have a supplemental policy that allows it by publisher. Despite this, the manually installed version of GlobalProtect is still being blocked by WDAC, which suggests the policy isn't working as expected.

An example of such a supplemental policy is below:

I'm curious—are there any people or organizations using a similar setup? If so, are you experiencing similar issues? What has the general feedback been regarding this setup?

321 Views, 1 like, 1 Comment

WDAC Managed Installer: Company Portal
Hello,

I've successfully created and pushed our WDAC policy using Intune and OMA-URI. In the WDAC policy I've enabled installations through a "Managed Installer" and want to add Intune\Company Portal as the managed installer, but I have not been able to. The only instructions I have found to accomplish this are at this link (https://www.msworkplace.blog/en-us/entry/windows-defender-application-control-part-2). The script offered on the page executes, but errors out (even locally with an admin/elevated PowerShell). It fails with this error:

Does anyone know why it is failing, or have a better solution to "whitelist" Intune/Company Portal as a Managed Installer?

Thanks,
Brandon

1.6K Views, 0 likes, 1 Comment