Closed: Kofl closed this issue 2 months ago
Do you have more than 1 non-system base policy deployed on the system that is in charge of blocking files?
You can check them via this command
Confirm-WDACConfig -ListActivePolicies -OnlyBasePolicies
You can enter this command
ConvertTo-WDACPolicy
or this for full details
ConvertTo-WDACPolicy -ExtremeVisibility
or check the event logs, that will show you which policy is blocking the files. The behavior you're describing usually originates from having more than 1 base policy. The module turns on audit mode in the policy you select, but if there are more than 1 (which isn't necessary), then the other one will still be enforcing and blocking files. If this is the case, we can convert this issue into a discussion to come up with a solution for your case.
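As an added example (not code from the WDACConfig module or from this issue), the following PowerShell script does the two checks the comment above describes without the module: it lists every deployed base policy with its mode, warns when more than one non-system base policy is enforcing, and parses the Code Integrity event log to show which policy produced recent blocks. It assumes a Windows 11 build whose CiTool.exe supports `--list-policies --json`; the JSON property names (PolicyID, BasePolicyID, FriendlyName, IsSystemPolicy, IsEnforced, IsAuditMode, IsOnDisk) and the 3076/3077 EventData field names (FileNameBuffer, PolicyNameBuffer, PolicyIDBuffer) are as observed on recent builds and should be confirmed on the system in question by inspecting one event's `ToXml()` output.

```powershell
# Added example, not part of the WDACConfig module.
# Assumptions: CiTool.exe --list-policies --json is available (Windows 11 22H2+);
# JSON property names and CodeIntegrity EventData names are as observed on recent
# builds. Verify both on the target system before relying on them.

function Get-ActiveBasePolicy {
    # A base policy is one whose PolicyID equals its BasePolicyID; a supplemental
    # policy points at some other policy's ID as its base.
    $raw = & "$env:SystemRoot\System32\CiTool.exe" --list-policies --json
    $all = ($raw | ConvertFrom-Json).Policies
    $all |
        Where-Object { $_.PolicyID -eq $_.BasePolicyID } |
        Select-Object FriendlyName, PolicyID, IsSystemPolicy, IsEnforced, IsAuditMode, IsOnDisk
}

function Get-RecentCodeIntegrityBlock {
    param([int] $MaxEvents = 100)
    # Event 3077 = file blocked by an enforced policy; 3076 = file would have been
    # blocked, logged by a policy that is in audit mode.
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [xml] $x = $e.ToXml()
        $d = @{}
        # EventData is a list of <Data Name="...">value</Data> elements.
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $mode = if ($e.Id -eq 3077) { 'Enforced' } else { 'Audit' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Mode     = $mode
            File     = $d['FileNameBuffer']
            Policy   = $d['PolicyNameBuffer']
            PolicyID = $d['PolicyIDBuffer']
        }
    }
}

# --- usage ---
$base = Get-ActiveBasePolicy
$base | Format-Table -AutoSize

# The symptom in this issue: audit mode turned on in one base policy while another
# non-system base policy is still enforcing and therefore still blocking files.
$enforcingNonSystem = @($base | Where-Object { -not $_.IsSystemPolicy -and $_.IsEnforced })
if ($enforcingNonSystem.Count -gt 1) {
    $msg = '{0} non-system base policies are enforcing; audit mode in one of them leaves the others blocking.' -f $enforcingNonSystem.Count
    Write-Warning $msg
}

# Which policy actually produced the recent blocks, grouped by mode and policy name.
Get-RecentCodeIntegrityBlock |
    Group-Object Mode, Policy |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Run it in an elevated PowerShell session; the event-log query needs administrative rights. The grouped output answers the question directly: if the blocks are attributed to a policy that is not the one you switched to audit mode, a second policy is the cause.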
Thanks for the feedback, so far it's only one base policy visible via
Confirm-WDACConfig -ListActivePolicies -OnlyBasePolicies
and seems to be blocked by that one?
Base Policy xml content:
Interesting, when you run this command in a new terminal tab, after the audit mode has been turned on
Confirm-WDACConfig -VerifyWDACStatus
do you see number 2 for both of the items?
yes
Is Smart App control enabled on your system? Have you used Intune to deploy one of the App control presets? You can run this for system policies:
Confirm-WDACConfig -ListActivePolicies -OnlySystemPolicies
I'm not sure if this is a bug in the module; I haven't been able to reproduce it so far. If you can, try a clean VM, deploy a base policy, then use the Edit-WDACConfig command to turn on audit mode in it to install an app. That's what I did just now in a Hyper-V VM and it works fine like before.
Smart App Control is set to Evaluation
Not aware of any App control presets set via Intune, WDAC policies are deployed via Intune.
Would that look okay and should not cause the issue?
Could I use WDACConfig to deploy our/the same base policy on the clean VM as now via Intune?
You don't need the WDACConfig module for deploying a XML file you have on the local system, you can use these commands
ConvertFrom-CIPolicy -XmlFilePath basepolicy.xml -BinaryFilePath basepolicy.cip
CiTool.exe --update-policy basepolicy.cip
But now that you mentioned you deployed them originally from Intune, I'm thinking maybe the Intune agent (running as SYSTEM) is preventing the module (running as Admin) from modifying the deployed policy, or maybe Intune is actively restoring the system back to the state you set in the Intune portal via config refresh or something similar.
I haven't done many tests to modify policies deployed via Intune locally using the Edit-WDACConfig cmdlets; for the Intune scenario I've developed and considered other ways, all of which involve creating the policy locally and then deploying it via Intune itself, because Intune-managed systems are usually too many to be managed locally and individually.
If you want I can include logic to manage Intune-deployed policies as well, but it will be through the Microsoft Graph and not locally.
Due to the idempotent nature of Intune, it reapplies the same WDAC policies you deploy through the portal over and over again on the system; there is no way to override it locally.
I will add the Intune management through the MS Graph in a future update, for now you can create the policies locally and deploy them through the same Intune portal.
Closing this issue because it's not a bug in WDACConfig that I can fix, just how Intune-deployed policies operate.
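As an added example (not the WDACConfig module's own code and not an Intune workflow), this PowerShell function reproduces on a clean lab VM, as suggested above, what turning audit mode on and off in a deployed base policy involves when done with only the built-in ConfigCI cmdlets and CiTool: flip rule option 3 (Enabled:Audit Mode) on a copy of the base policy XML, redeploy it under the same PolicyID so it replaces the existing policy instead of adding a second base policy, and verify the deployed mode independently. The path `C:\Lab\basepolicy.xml` and the `--list-policies --json` property names are assumptions; the policy is assumed to be unsigned (a signed base policy would have to be re-signed after the edit). On an Intune-managed device the tenant's copy is reapplied, so this only makes sense on the unmanaged VM.

```powershell
# Added example, not part of the WDACConfig module.
# Assumptions: C:\Lab\basepolicy.xml is an exported copy of the deployed (unsigned)
# base policy; CiTool.exe --list-policies --json is available; JSON property names
# (PolicyID, IsAuditMode, IsEnforced) are as observed on recent Windows 11 builds.

function Set-BasePolicyAuditMode {
    param(
        [Parameter(Mandatory)] [string] $XmlPath,
        [Parameter(Mandatory)] [bool]   $Audit
    )
    $dir  = [IO.Path]::GetDirectoryName($XmlPath)
    $work = Join-Path $dir 'basepolicy.working.xml'
    # Edit a copy so the exported original stays untouched.
    Copy-Item -Path $XmlPath -Destination $work -Force

    # Refuse to deploy a supplemental policy as if it were a base policy.
    [xml] $doc = Get-Content -Path $work -Raw
    $policyId = $doc.SiPolicy.PolicyID.Trim('{}')
    if ($policyId -ne $doc.SiPolicy.BasePolicyID.Trim('{}')) {
        throw "$XmlPath is a supplemental policy, not a base policy."
    }

    # Rule option 3 is "Enabled:Audit Mode"; -Delete removes it (enforce mode).
    if ($Audit) { Set-RuleOption -FilePath $work -Option 3 }
    else        { Set-RuleOption -FilePath $work -Option 3 -Delete }

    # Same steps as the manual deployment above: convert to binary, then update in place.
    # Because PolicyID is unchanged, CiTool replaces the existing policy rather than
    # adding a second base policy (the situation that leaves one policy still enforcing).
    $cip = Join-Path $dir "$policyId.cip"
    ConvertFrom-CIPolicy -XmlFilePath $work -BinaryFilePath $cip | Out-Null
    & "$env:SystemRoot\System32\CiTool.exe" --update-policy $cip | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CiTool --update-policy failed with exit code $LASTEXITCODE" }

    # Independent check of what is actually deployed, instead of trusting the cmdlets.
    $deployed = (& "$env:SystemRoot\System32\CiTool.exe" --list-policies --json | ConvertFrom-Json).Policies |
        Where-Object { $_.PolicyID.Trim('{}') -ieq $policyId }
    if (-not $deployed) { throw "Policy $policyId is not listed by CiTool after the update." }
    if ([bool]$deployed.IsAuditMode -ne $Audit) {
        throw "Policy $policyId reports IsAuditMode=$($deployed.IsAuditMode); expected $Audit. Another agent may be reapplying the policy."
    }
    [pscustomobject]@{
        PolicyID    = $policyId
        IsAuditMode = [bool]$deployed.IsAuditMode
        IsEnforced  = [bool]$deployed.IsEnforced
    }
}

# --- usage on the lab VM ---
# 1. Switch the base policy to audit mode; blocked files now log event 3076 instead of 3077.
Set-BasePolicyAuditMode -XmlPath 'C:\Lab\basepolicy.xml' -Audit $true
# 2. Install and start the application, then collect the 3076 events for the files it needs.
# 3. Put the policy back into enforce mode.
Set-BasePolicyAuditMode -XmlPath 'C:\Lab\basepolicy.xml' -Audit $false
```

The final mode check is the useful part for the scenario in this thread: if the function reports the expected mode on the clean VM but the same steps on the Intune-managed machine come back enforcing, something outside the local session (here, Intune reapplying the tenant's copy) is overriding the change.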
Tools category: WDACConfig Module
Does Your System Meet The Requirements?
Is your Windows Installation Genuine?
Did You Read The Frequently Asked Questions?
Please Explain The Bug
Starting the application => blocked by WDAC
Windows 11 24H2, en-gb
Happy to provide further requested information
Error Details: No response