Impossible to open .hta file after activating the Control Application (ARS / Intunes)

Question

question

David-B asked May 6, '22 LuDaiMSFT-0289 commented May 11, '22

Impossible to open .hta file after activating the Control Application (ARS / Intunes)

Hi,

After activating the "Application Control" of ARS in Intunes, I can no longer run files with the .hta extension. I have no error messages or alerts in Defender.

I deleted the strategy to go back, the blockage persists.

mem-intune-general mem-intune-device-configurations

capture.png (67.6 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2022-05-10T01:41:42.113Z

LuDaiMSFT-0289 answered May 10, '22

@David-B Thanks for your update.

If you want to configure this setting to "Not configured", it seems a workaround that try to find the registry key of this setting and then change the registry key to remove the setting.

If you want to make it via intune, it is needed to do the following actions:
1.Please remove the group in assignment of the Control Application policy.
2.Create a Powershell Script that can change the registry key of the target setting.
3.Deploy this script via intune.
https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension

Hope it will give you some ideas.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 2 · 2022-05-09T01:37:05.62Z

LuDaiMSFT-0289 answered May 9, '22

@David-B Thanks for posting in our Q&A. From your description, did you mean that you have removed the group in assignment, but this policy still worked? If there is anything unclear, please correct me.

For this issue, it seems that this policy is tattooed. Intune deploys policies based on the windows CSPs. The tattoo is an issue or limitation from Windows CSPs. For more details, please refer to the following link:
https://www.anoopcnair.com/intune-policy-tattooed-not-tattooed-windows-csp/
Note: Non-Microsoft link, just for the reference.

Thanks for your understanding.

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 3 · 2022-05-09T09:58:41.087Z

David-B answered May 9, '22

Hi,

thank you for your feedback

Yes, we have removed the group in assignment

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 4 · 2022-05-10T12:55:01.89Z

David-B answered May 10, '22 LuDaiMSFT-0289 commented May 11, '22

Hi @LuDaiMSFT-0289 ,

Thank you for these tips

I had other suggestions in parallel :
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-wizard
https://www.csoonline.com/article/3653316/using-windows-defender-application-control-to-block-malicious-applications-and-drivers.html (no Microsoft link)

1.png (36.7 KiB)

2.png (37.6 KiB)

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

LuDaiMSFT-0289 · May 11 at 02:41 AM

@David-B Thanks for your kindess to share other suggestions. It will give someone else who has the similar issue more choice.

Thanks again and have a nice day. : )

0 ·

question