Intune, WDAC and Managed Installer

WDAC has an option (Option 13) to allow apps installed by a Managed Installer. This sounds great! Everything you install using your preferred installer would be allowed, without going to the trouble of creating rules. But there’s a snag. There is no Configuration Service Provider (CSP) to deliver this policy in Intune.

The Managed Installer option actually uses the same method to allow executables to run as the Intelligent Security Graph option (Option 14). When a file is authorised by one of these methods, an extended attribute is written to the file. You can see this attribute with the fsutil utility. The method is documented here: Automatically allow apps deployed by a managed installer with Windows Defender Application Control.

The documentation on Managed Installer is a little confusing. The main documentation shows a policy that allows the Intune Management Extension, as well as the SCCM extension.

<FilePublisherRule Id="55932f09-04b8-44ec-8e2d-3fc736500c56" Name="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE version 1.39.200.2 or greater in MICROSOFT® INTUNE™ from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE"> <BinaryVersionRange LowSection="1.39.200.2" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule>

So, looking at that, we would obviously be able to allow Intune apps in Intune, right? But we cannot. The reason is that the documentation also describes implementing this policy in a GPO. But in Intune we cannot use GPO’s and, instead, we use Configuration Service Providers (CSP). The Managed Installer option is implemented as an AppLocker policy, and the AppLocker CSP does not contain a section for the Managed Installer rule collection type.

Although we cannot implement this as an Intune policy (because there is no CSP), we could theoretically implement it another way. With a registry key, for example, even if there were no CSP to configure the registry key, we could simply add, change or delete it in script. With AppLocker policies, we can use PowerShell to create a policy from an XML file, using Set-AppLockerPolicy. So the solution is to deliver a custom AppLocker policy with PowerShell, to enable the Intune agent as a Managed Installer in WDAC.

WDAC FilePath Rules and Drivers

The new File Path rules in Windows Defender Application Control (WDAC) allow EXE and DLL files in the path, but not SYS, or MSI or script files. This is curious and, as far as I know, undocumented. And it means that we cannot simply allow all files in C:\Windows. If we do that, the system will not boot because the drivers will still be blocked. We will need to use another method to add drivers to a WDAC policy.

Continue reading

MDAC or WDAC

The Application Control feature in Windows 10 was originally called Device Guard Code Integrity. This was brought under the Defender umbrella of security technologies as Windows Defender Application Control (WDAC). Microsoft earlier this year announced that Windows Defender would become cross-platform (with a version of Defender antivirus for macOS) and be renamed Microsoft Defender.

In my blog posts I originally called it Microsoft Defender Application Control (MDAC). You can see in the screenshot below that all the Defender technologies for Windows 10 Endpoint Protection, in Intune, are now Microsoft Defender.

Intune Endpoint Protection Policies

However, Microsoft now seems to have standardised on WDAC, so I have reverted to that (2021).