Score:0

Intune managed installer blocked by WDAC

sa flag

I'm trying to install applications via Intune, but WDAC blocks the installers. For example:

Code Integrity determined that a process ((\Device\HarddiskVolume3\Windows\System32\msiexec.exe) attempted to load Device\HarddiskVolume1\Windows\Installer\MSIE65D.tmp that did not meet the Enterprise signing level requirements or violated code integrity policy

Is there a way to allow Intune installers to run besides manually whitelisting the installer files?

cn flag
No. That's the crux of using a feature like this. If you need applications that don't have signed code, don't use the feature.
sa flag
@GregAskew What should I do in cases where the application is signed? For example I'm trying to install Adobe Reader DC, and the installer seems to have a certificate of some kind.
cn flag
`the installer seems to have a certificate`. Nearly all vendors sign their code with certificates. Some don't, and some inadvertently include code that is not signed, or there is a problem with the certificate (expired/untrusted). You must either temporarily disable WDAC Code Signing policies, or install a different application. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies
sa flag
Does a signer for the certificate need to be explicitly added to the policy to be recognised by WDAC? I'm thinking maybe I need to add a new <Signer/> element to the policy XML, but not sure if it's needed or what information should go in there.