question

@DaveB-0831 Thanks for posting in our Q&A.

To clarify this issue, we appreciate your help to collect some information:
1.Did you deploy the new WDAC policy following this official article?
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune
Get the new xml file only has these two rules and convert the policy XML to binary format.
2. Is the target device Windows 10 1903+?
3.If possible, please check if there is any detailed error information about this policy in Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.

If there is anything update, feel free to let us know.

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Hi,
Thanks for replying. Upon further investigation it's not deleting rules that breaks the policy, it's merging them.
Steps to reproduce:

I have a working policy deployed using https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune. My test machine has accepted the policy and it's working correctly.

I create a policy from the event viewer using https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies
I've left the default variables for testing. It creates the eventspolicy.xml on my desktop with the correct hash/publisher rules.

![199488-image.png][1]

I merge the policy with the original working base policy using either the WDAC wizard OR Merge-CIPolicy -PolicyPaths OptimiseBaseAUDIT_v3W.xml,EventsPolicy.xml -OutputFilePath MergedTest.xml. I can confirm MergedTest.xml has the correct policy ID as the base.

I create a .bin file using the MergedTest.xml file and deployed via InTune and it worked. I was also able to succesfully repeat the merging process 3 times (the base policy is getting larger).

After the 4th merge I'm getting an error in InTune

![199469-image.png][2]

The error under DeviceManagement-Enterprise-Diagnostic-Provider > Admin is:

MDM ConfigurationManager: Command failure status. Configuration Source ID: (474ADBF5-E567-4EBE-ADF5-8F7DC6ECA799), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (ApplicationControl), Command Type: (SetValue: from Replace), CSP URI: (./Vendor/MSFT/ApplicationControl/Policies/E89E0DE6-A7C7-4BE4-9E7A-57FD8CD4AC86/Policy), Result: (Your organization used Device Guard to block this app. Contact your support person for more info.).

If anyone else is having an issue deploying a WDAC policy in InTune after several merges, the only fix I've found is to reset the version number and ID. This will assign a new ID to the .xml file.

$PolicyName= "Lamna_FullyManagedClients_Audit"
$LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
$MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"

Make sure to update the policy ID in the InTune policy itself before deployment also.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune