AppControlCodeIntegrityPolicyBlocked blocking svchost.exe when trying to open Explorer, system settings

Hernandez, Ruben 0 Reputation points
2023-10-18T14:47:18.0133333+00:00

I have been trying to get support on this issue we are seeing on a few systems across our campuses. When users log into their computers, all icons disappear; then they try to launch the Start menu, Explorer, or Settings and they see an Application Control window. We have deployed Defender ATP and manage security policies in Intune. When I search the device logs in the security.microsoft.com portal, I see this: "svchost.exe was prevented from executing by App Control code integrity policy". We have never set up any code integrity policy. There seems to be a default policy; am I correct in assuming this? Do I disable Application Control? Any suggestions?

Here are the logs that I downloaded. Also, this happens on a newly imaged system and on a few out in the field. We have hundreds of computers it is not happening on.

- Action Type: AppControlCodeIntegrityPolicyBlocked
- File Name: WMIADAP.exe
- Folder Path: \Device\HarddiskVolume2\Windows\System32\wbem
- Initiating Process File Name: svchost.exe
- Initiating Process Folder Path: \device\vmsmb\vsmb-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\windows\system32\svchost.exe
- Initiating Process Command Line: svchost.exe -k netsvcs -p
- Initiating Process Parent File Name: services.exe
- Initiating Process Account Domain: nt authority
- Initiating Process Account Name: system
- Report Id: 4244
- Additional Fields: {"PolicyID":"SIPolicyEnfWDAG.10.0.3.14","PolicyName":"SIPolicyEnfWDAG","Requested Signing Level":"Trusted by WDAC policy","Validated Signing Level":"Unsigned"}
- App Guard Container Id: 28f371e2-ad41-4a26-8fcb-5e15f0b40d81


1 answer

  1. ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff
    2023-10-19T03:15:06.02+00:00

    @Hernandez, Ruben, thanks for posting in Q&A.

    From your description, I understand that you encountered an issue where, when users log into computers, all icons disappear, and they see an Application Control window when they launch the Start menu, Explorer, or Settings.

    For the error message you provided, I found that there may be one WDAC policy named SIPolicyEnfWDAG blocking the launch of the Start menu, Explorer, or Settings.

    We suggest that you check whether the policy exists in Intune and refer to the link below to remove it:

    https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune#remove-wdac-policies-on-windows-10-1903

    Hope this can be helpful. If there is any update, please let me know.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
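
An added example (not part of the original thread, and not Microsoft tooling): one way to triage an exported device timeline like the one in the question, grouping App Control blocks by the `PolicyName` found in Additional Fields and noting whether the initiating process ran from a container path. The CSV layout (a subset of the columns above), the second and third sample rows, `ExamplePolicy`, and the container heuristic are assumptions.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample: the first data row mirrors the row in the question
# (subset of columns); the other rows and "ExamplePolicy" are invented.
SAMPLE_EXPORT = r'''Action Type,File Name,Initiating Process Folder Path,Additional Fields,App Guard Container Id
AppControlCodeIntegrityPolicyBlocked,WMIADAP.exe,\device\vmsmb\vsmb-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\windows\system32\svchost.exe,"{""PolicyID"":""SIPolicyEnfWDAG.10.0.3.14"",""PolicyName"":""SIPolicyEnfWDAG"",""Requested Signing Level"":""Trusted by WDAC policy"",""Validated Signing Level"":""Unsigned""}",28f371e2-ad41-4a26-8fcb-5e15f0b40d81
AppControlCodeIntegrityPolicyBlocked,tool.exe,C:\Tools\launcher.exe,"{""PolicyID"":""ExamplePolicy.1"",""PolicyName"":""ExamplePolicy"",""Requested Signing Level"":""Trusted by WDAC policy"",""Validated Signing Level"":""Unsigned""}",
ProcessCreated,notepad.exe,C:\Windows\explorer.exe,,
'''

def triage_blocks(export_text):
    """Group App Control block events by the policy that made the decision."""
    summary = defaultdict(lambda: {"blocked": set(), "in_container": 0, "on_host": 0})
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Action Type"] != "AppControlCodeIntegrityPolicyBlocked":
            continue
        try:
            extra = json.loads(row["Additional Fields"] or "{}")
        except json.JSONDecodeError:
            extra = {}  # malformed cell in the export: still count the event
        entry = summary[extra.get("PolicyName", "<unknown>")]
        entry["blocked"].add(row["File Name"])
        # Assumption: a \device\vmsmb\ initiating path or a populated
        # App Guard Container Id means the event came from inside a container.
        path = row["Initiating Process Folder Path"].lower()
        in_container = (path.startswith("\\device\\vmsmb\\")
                        or bool(row["App Guard Container Id"].strip()))
        entry["in_container" if in_container else "on_host"] += 1
    return dict(summary)

if __name__ == "__main__":
    for policy, info in triage_blocks(SAMPLE_EXPORT).items():
        print(policy, sorted(info["blocked"]),
              "container:", info["in_container"], "host:", info["on_host"])
```

A policy whose blocks all fall in the container column is worth checking against the device's deployed policies before removing anything in Intune, since it may not be one the tenant deployed.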

