Share via

WDAC - InTune Error after merging policies

Dave B 6 Reputation points
2022-05-05T18:58:20.907+00:00

If I create a test policy with a number of rules it seems to work ok

<Allow ID="ID_ALLOW_A_1" FriendlyName="REDACTED\test.ps1 Hash Sha1" Hash="1D4AB09114CBF105243ACD4D3CECB2DF057CF966" />
<Allow ID="ID_ALLOW_A_2" FriendlyName="REDACTED\test.ps1 Hash Sha256" Hash="8ACC4FB7D23260FB6EA664F27CD0758F1268055CCBB5F5B84C5EFC0956DE2807" />
<Allow ID="ID_ALLOW_A_3" FriendlyName="REDACTED\test.ps1 Hash Authenticode SIP Sha256" Hash="E79154BF60617C605E872DF952DAB77B7C04FCC63A6D7E81BBD799AFB44ADAF4" />
<Allow ID="ID_ALLOW_A_4" FriendlyName="REDACTED" Hash="9CD9973C218BD61281D2786DBB87E89876CF7520" />
<Allow ID="ID_ALLOW_A_5" FriendlyName="REDACTED" Hash="2FD3F9A78F8269AC4ECEBC67C800F2D9B0A7899AA79DF2CE11DAB2BA11D756A7" />

However after removing some rules with the WDAC wizard, it creates a new policy which 'errors' after deploying via InTune.
The only issue I can see is the ID_ALLOW fields no longer start at 1

<Allow ID="ID_ALLOW_A_4_0" FriendlyName="REDACTED Hash Sha1" Hash="9CD9973C218BD61281D2786DBB87E89876CF7520" />
<Allow ID="ID_ALLOW_A_5_0" FriendlyName="REDACTED Hash Sha256" Hash="2FD3F9A78F8269AC4ECEBC67C800F2D9B0A7899AA79DF2CE11DAB2BA11D756A7" />

Is this a glitch in the software?
It becomes really problematic when merging policies with multiple rules as I want to remove rules that aren't required.

Microsoft Security | Intune | Configuration
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Dave B 6 Reputation points
    2022-05-09T07:49:05.12+00:00

    If anyone else is having an issue deploying a WDAC policy in InTune after several merges, the only fix I've found is to reset the version number and ID. This will assign a new ID to the .xml file.

    $PolicyName= "Lamna_FullyManagedClients_Audit"
    $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
    $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
    Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
    Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"

    Make sure to update the policy ID in the InTune policy itself before deployment also.

    https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune

    1 person found this answer helpful.
  2. Lu Dai-MSFT 28,501 Reputation points
    2022-05-06T03:40:41.387+00:00

    @Dave B Thanks for posting in our Q&A.

    To clarify this issue, we appreciate your help to collect some information:

    1. Did you deploy the new WDAC policy following this official article?
      https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune
      Get the new xml file only has these two rules and convert the policy XML to binary format.
    2. Is the target device Windows 10 1903+?
    3. If possible, please check if there is any detailed error information about this policy in Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.

    If there is anything update, feel free to let us know.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  3. Dave B 6 Reputation points
    2022-05-06T08:52:03.567+00:00

    Hi,
    Thanks for replying. Upon further investigation it's not deleting rules that breaks the policy, it's merging them.
    Steps to reproduce:

    I have a working policy deployed using https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune. My test machine has accepted the policy and it's working correctly.

    I create a policy from the event viewer using https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies
    I've left the default variables for testing. It creates the eventspolicy.xml on my desktop with the correct hash/publisher rules.

    ![199488-image.png][1]

    I merge the policy with the original working base policy using either the WDAC wizard OR Merge-CIPolicy -PolicyPaths OptimiseBaseAUDIT_v3W.xml,EventsPolicy.xml -OutputFilePath MergedTest.xml. I can confirm MergedTest.xml has the correct policy ID as the base.

    I create a .bin file using the MergedTest.xml file and deployed via InTune and it worked. I was also able to succesfully repeat the merging process 3 times (the base policy is getting larger).

    After the 4th merge I'm getting an error in InTune

    ![199469-image.png][2]

    The error under DeviceManagement-Enterprise-Diagnostic-Provider > Admin is:

    MDM ConfigurationManager: Command failure status. Configuration Source ID: (474ADBF5-E567-4EBE-ADF5-8F7DC6ECA799), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (ApplicationControl), Command Type: (SetValue: from Replace), CSP URI: (./Vendor/MSFT/ApplicationControl/Policies/E89E0DE6-A7C7-4BE4-9E7A-57FD8CD4AC86/Policy), Result: (Your organization used Device Guard to block this app. Contact your support person for more info.).

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.