mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
troubleshooting updates
@ -76,11 +76,11 @@ For an AppLocker policy:
>
> - Policy created in Intune and assigned to the correct groups

Advance to the next article to learn about important considerations for your tenant when deploying apps and policies to Windows SE devices.
Advance to the next article to learn about important considerations when deploying apps and policies to Windows SE devices.

> [!div class="nextstepaction"]
>
> [Considerations for your tenant](considerations.md)
> [Next: important deployment considerations >](considerations.md)

[MEM-1]: /mem/intune/apps/intune-management-extension
[WIN-4]: /windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune
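Review bot: the new button label `[Next: important deployment considerations >](considerations.md)` and the selector entry `[Important deployment considerations](considerations.md)` in the last hunk link to the same page with different wording and capitalization; pick one label and use it in both places so readers recognize the link. Also confirm that the trailing `>` inside the link text is intended, because it becomes part of the rendered button text rather than a navigation chevron.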
@ -13,56 +13,54 @@ The following table lists common problems and options to resolve them:

| **Problem** | **Potential solution** |
|---|---|
| **App hasn't installed** | <li>Check the type of app:<ul><li>Win32 apps should be able to install with no problem</li><li>UWP and Store apps require writing an additional supplemental policy</li></ul></li><li>Check that the managed installer policies are deployed correctly</li><li>It's possible the app is trying to execute a blocked binary. Check the AppLocker and CodeIntegrity logs in the Event Viewer and verify if any executables related to the app are blocked. If so, you'll need to write a supplemental policy to support the app</li><li> Check the Intune Management Extension logs to see if there was an attempt to install your app</li>|
| **App has problems when running** | It's possible the app is trying to execute a blocked binary. <br> Check the *AppLocker* and *CodeIntegrity* logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app. |
| **My supplemental policy hasn't deployed** |<li>Your XML policy is malformed. Double-check to see if all markup is tagged correctly</li><li>Check that your policy was correctly applied.|
| **App hasn't installed** | <li>Check the type of app:<ul><li>Win32 apps should be able to install with no problem</li><li>UWP LOB apps require writing an additional supplemental policy</li><li>Microsoft Sore apps aren't supported</li></ul></li><li>Check that the managed installer policies are deployed correctly</li><li>It's possible the app is trying to execute a blocked binary. Check the AppLocker and CodeIntegrity logs in the Event Viewer and verify if any executables related to the app are blocked. If so, you'll need to write a supplemental policy to support the app</li><li> Check the Intune Management Extension logs to see if there was an attempt to install your app</li>|
| **App has problems when running** | It's possible the app is trying to execute a blocked binary<br> Check the **AppLocker** and **CodeIntegrity** logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app. |
| **My supplemental policy hasn't deployed** |<li>Your XML policy is malformed. Double-check to see if all markup is tagged correctly</li><li>Check that your policy is correctly applied|

## WDAC Supplemental policy validation

Use the Event Viewer to see if a supplemental policy is deployed correctly. These rules apply to both the policy that allows managed installers and any supplemental policies that you deploy.

1. Open the *Event viewer* on a target device
1. Expand **Applications and Services** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
1. Open the **Event viewer** on a target device
1. Expand **Applications and Services > Microsoft > Windows > CodeIntegrity > **Operational**
1. Check for **event ID 3099**: *the policy was Refreshed and activated*
- For example: `Refreshed and activated Code Integrity policy {GUID} . id . Status 0x0`
- The policy that allows managed installers is **`C0DB889B-59C5-453C-B297-399C851934E4`**. Checking that this policy is applied correctly, indicates that a device is setup to allow managed installers (and therefore, can allow installation of Win32 apps via the Intune Management Extension).\
You can check that the *Managed Installer policy* rule was set in the policy, by checking the *Options* field in the *details* pane.\
For more information, see: [Understanding Application Control event IDs][WIN-1]
You can check that the **Managed Installer policy** rule was set in the policy, by checking the **Options** field in the **details** pane. For more information, see: [Understanding Application Control event IDs][WIN-1]

:::image type="content" source="images/troubleshoot-managed-installer-policy.png" alt-text="CodeIntegrity operational log":::
:::image type="content" source="images/troubleshoot-managed-installer-policy.png" alt-text="CodeIntegrity operational log" lightbox="images/troubleshoot-managed-installer-policy.png":::

You can also verify that the policy has been activated by running the following from the <kbd>Win</kbd> + <kbd>R</kbd> *Run dialog* on a target device as an Administrator (hold <kbd>CTRL</kbd> + <kbd>Shift</kbd> when pressing Enter to run the command):
You can also verify that the policy has been activated by running the following from the <kbd>Win</kbd> + <kbd>R</kbd> *Run dialog* on a target device as an Administrator (hold <kbd>CTRL</kbd> + <kbd>Shift</kbd> when pressing Enter to run the command):

```
citool.exe -lp
```

- For the policy which allows managed installers to run, a policy with the ID `C0DB889B-59C5-453C-B297-399C851934E4` and Friendly Name *[Win-EDU] Microsoft Apps Supplemental Policy - Prod* should be present, and have *Is Currently Enforced* showing as *true*
- For any additional policies that you deploy, check that a policy with a matching ID and Friendly Name is shown in the list and the *Is Currently Enforced* and *Is Authorized* properties are both showing as *true*

:::image type="content" source="images/troubleshoot-citool.png" alt-text="Output of citool.exe with the Win-EDU supplemental policy.":::
- For the policy that allows managed installers to run, a policyID `C0DB889B-59C5-453C-B297-399C851934E4` and Friendly Name *[Win-EDU] Microsoft Apps Supplemental Policy - Prod* should be present, and have **Is Currently Enforced** showing as **true**
- For any additional policies that you deploy, check that a policy with a matching ID and Friendly Name is shown in the list and the **Is Currently Enforced** and **Is Authorized** properties are both showing as **true**

:image type="content" source="images/troubleshoot-citool.png" alt-text="Output of citool.exe with the Win-EDU supplemental policy.":::

1. Check for **error events** with code **3077**: and reference [Understanding Application Control event IDs][WIN-1]

:::image type="content" source="images/troubleshoot-codeintegrity-log.png" alt-text="Error in the CodeIntegrity operational log showing that PowerShell execution is prevented by policy." lightbox="images/troubleshoot-codeintegrity-log.png":::
:::image type="content" source="images/troubleshoot-codeintegrity-log.png" alt-text="Error in the CodeIntegrity operational log showing that PowerShell execution is prevented by policy." lightbox="images/troubleshoot-codeintegrity-log.png":::

When checking an error event, you can observe that the information in the *General* tab may show something like the following:
When checking an error event, you can observe that the information in the *General* tab may show something like the following:

```
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load **\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe** that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:**{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}**).
```
```
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load **\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe** that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:**{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}**).
```

The important things to parse here are:
The important things to parse are:

- **Failing application**: the path and executable here inform you which application failed. It's important to check that this executable is expected for the application you're validating. (e.g. You would expect zoom.exe to fail for Zoom as opposed to cmd.exe.)
- **Error reason**: indicates why this the application was unable to run. `...did not meet the Enterprise signing level requirements or violated code integrity policy` is what should be seen
- **Policy ID**: is the policy that is being violated, meaning that a rule in this policy is preventing the application from running
- **Failing application**: the path and executable here inform you which application failed. It's important to check that this executable is expected for the application you're validating. (for example. You would expect zoom.exe to fail for Zoom as opposed to cmd.exe.)
- **Error reason**: indicates why the application was unable to run. `...did not meet the Enterprise signing level requirements or violated code integrity policy` is what should be seen
- **Policy ID**: is the policy that is being violated, meaning that a rule in the policy is preventing the application from running

> [!NOTE]
> **{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}** is the base policy, which is what restricts most third-party apps from running. If you see another policy ID, it's worth taking note of that.
> [!NOTE]
> **{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}** is the base policy, which is what restricts most third-party apps from running. If you see another policy ID, it's worth taking note of that.

Alternatively you can use `cidiag.exe /stop`, which parses and copies all the relevant events to a text file.
Alternatively you can use `cidiag.exe /stop`, which parses and copies all the relevant events to a text file.

## AppLocker policy validation
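Review bot: three problems in this hunk will show up on the rendered page. In the new **App hasn't installed** row, `Microsoft Sore apps aren't supported` should read `Microsoft Store apps aren't supported`. In the new step `1. Expand **Applications and Services > Microsoft > Windows > CodeIntegrity > **Operational**` the bold markers are unbalanced (the first pair closes at `CodeIntegrity > **`, leaving a stray `Operational**`); suggest `1. Expand **Applications and Services > Microsoft > Windows > CodeIntegrity > Operational**`. The new image line `:image type="content" source="images/troubleshoot-citool.png" ...:::` is missing its leading `::` and will render as literal text instead of the screenshot. A smaller nit: `a policyID `C0DB889B-59C5-453C-B297-399C851934E4`` in the first citool bullet reads better with the old wording `a policy with the ID`.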
@ -76,8 +74,8 @@ get-applockerpolicy -xml -effective
```

- For the policy that sets the Intune Management Extension as a Managed installer, *MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE* should be nested under a RuleCollection section of Type *ManagedInstaller*
:::image type="content" source="images/applocker-policy-validation.png" alt-text="This is a placeholder.":::
- For any policies you added to set additional executables you want to be managed installers, look for the rules you defined nested under a RuleCollection section of Type *ManagedInstaller*
:::image type="content" source="images/applocker-policy-validation.png" alt-text="Xml file generated by the get-applockerpolicy PowerShell cmdlet." lightbox="images/applocker-policy-validation.png":::
- For any policies you added to set other executables you want to be managed installers, look for the rules you defined nested under a RuleCollection section of Type *ManagedInstaller*

You can check the AppLocker service status with the following commands:
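Review bot: the replacement alt text `Xml file generated by the get-applockerpolicy PowerShell cmdlet.` should spell it `XML` to match the rest of this page (`Your XML policy is malformed`); replacing the `This is a placeholder.` alt text with a real description and adding `lightbox` is otherwise the right fix.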
@ -88,7 +86,7 @@ sc.exe query applockerfltr

When executing the `sc.exe query` commands, the **STATE** property should show a state of **4 RUNNING** for both services:

:::image type="content" source="images/sc-commands.png" alt-text="Output of the command sc.exe query.":::
:::image type="content" source="images/sc-commands.png" alt-text="Output of the command sc.exe query." lightbox="images/sc-commands.png":::

### AppLocker event log validation
@ -143,11 +143,11 @@ Before moving on to the next section, ensure that you've completed the following
Select one of the following options to learn the next steps:

- If the apps don't work as expected, you must create and deploy WDAC or AppLocker policies to allow the apps to run
- If the applications you are deploying don't have any issues, you can skip to considerations for your tenant
- If the applications you are deploying don't have any issues, you can skip to important considerations when deploying apps and policies

> [!div class="op_single_selector"]
> - [Create policies](create-policies.md)
> - [Considerations for your tenant](considerations.md)
> - [Important deployment considerations](considerations.md)

[M365-1]: /microsoft-365/education/deploy/microsoft-store-for-education