Today, another short post for administrators who use Microsoft Defender Application Control (WDAC) on Windows 10 Enterprise, Windows 11 Enterprise, or the Windows Server counterparts from 2016 to 2022, and are annoyed by unwanted restarts. These unwanted restarts are caused by a policy setting, as one MVP found out. I'll post the information here on the blog; maybe it will help.
Windows Defender Application Control, or WDAC for short, is only available in some versions of Windows for enterprise environments. According to Microsoft, WDAC can help mitigate security threats by limiting the applications users are allowed to run and the code that runs in the system core (kernel).
On February 20, 2022, I came across a tweet from MVP Gerry Hampson. The issue had come up again at a customer, where Windows 10 machines were rebooting without warning. The user received a warning that they would be logged off and the system would restart in 10 minutes.
When analyzing what could be the cause of this unwanted behavior, the problem could be narrowed down to Microsoft Defender Application Control in Microsoft Endpoint Manager. According to this Microsoft documentation on AppLocker CSP, a restart is scheduled when a policy is applied or a wipe is performed using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
Gerry Hampson was able to verify that it was exactly the application of a policy that caused this unwanted restart of Windows systems. This was also the case when the policy was removed. In the blog post here, various solutions were suggested by colleagues.
Hampson writes that, interestingly, he was able to solve the restart problem by using ConfigMgr for configuration. There is an option there called Enforce a restart … which can be unticked.