Dune is our resident expert on this, but he’s not on the list. I’ll proxy for him. 😊
First question: Windows client build and SCCM version

Second question: did they have any applocker rules/policy set up before targeting WDAC?

If yes to the second, they should try booting the machine from USB, decrypting the OS drive if necessary, deleting %WINDIR%\System32\Applocker\*.applocker and restart the machine. If machine restart is healthy then the problem is applocker, if not then the problem is code integrity. If that is the case I would want to see their %WINDIR%\CCM\logs\DeviceGuardHandler.log

From: [email protected] <[email protected]> On Behalf Of John Aubrey
Sent: Thursday, 1 February, 2018 10:17
To: [email protected]
Subject: [mssms] RE: Defender Application Control

Agreed. I was assuming that Microsoft’s Intelligent Security Graph would be smart enough to allow Microsoft’s EXE that are required to run windows to run by default.

From: [email protected] [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, February 1, 2018 11:21 AM
To: [email protected]
Subject: [mssms] RE: Defender Application Control

Well, if it blocks notepad, it has no way to read the text file.

From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of John Aubrey
Sent: Thursday, February 1, 2018 5:22 AM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] Defender Application Control

Has anyone used Defender Application Control policy in SCCM yet? I have a basic policy with the “Authorize software that is trusted by the Intelligent Security Graph” option enabled. Once my test PC checks in, notepad doesn’t work and if I reboot, the system is bricked and won’t boot. Says it can’t access a txt file that is used for event logs. I would have thought the Intelligent Security Graph option would at least let Windows boot….
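
The facts the first reply asks for, gathered on a live test client before it is rebooted, as an added PowerShell example that is not part of the thread. The WMI classes and the event IDs 3076/3077 are assumptions that no poster mentions; the AppLocker folder and the DeviceGuardHandler.log path are the ones quoted in the reply.

```powershell
# Added example (not from the thread): collect what the reply asks for.
# Run elevated on a test client after the policy arrives and before any reboot.
$ErrorActionPreference = 'SilentlyContinue'

# First question: Windows client build and SCCM client version.
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ccm = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Client

# Second question: are AppLocker policy files present (path quoted in the reply)?
$appLockerDir   = Join-Path $env:WINDIR 'System32\AppLocker'
$appLockerFiles = @(Get-ChildItem -Path $appLockerDir -Filter '*.applocker' -File)

# Assumption: Win32_DeviceGuard exists on this build (0 = off, 1 = audit, 2 = enforced).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

[pscustomobject]@{
    WindowsVersion     = $os.Version
    WindowsBuild       = $os.BuildNumber
    SccmClientVersion  = $ccm.ClientVersion
    AppLockerFileCount = $appLockerFiles.Count
    AppLockerFiles     = ($appLockerFiles | ForEach-Object { '{0} ({1} bytes)' -f $_.Name, $_.Length }) -join '; '
    CodeIntegrityState = $dg.CodeIntegrityPolicyEnforcementStatus
} | Format-List

# Assumption: 3076 = would-be block in audit mode, 3077 = block in enforced mode.
'--- Code integrity block events ---'
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -MaxEvents 20 | Select-Object TimeCreated, Id, Message | Format-List

# The log the reply asks to see if code integrity turns out to be the cause.
'--- DeviceGuardHandler.log (last 40 lines) ---'
$log = Join-Path $env:WINDIR 'CCM\logs\DeviceGuardHandler.log'
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log -Tail 40
} else {
    "Not found: $log"
}
```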

