none
Windows 10 S-Mode supplement policy is failing (Not Authorized?) RRS feed

  • Question

  • Hey

    Hey

    I am messing around with the windows 10 s-mode and the feature to deploy win32 apps to them. So far I created a very basic policy from the example:

    <?xml version="1.0" encoding="utf-8"?>
    <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
      <VersionEx>10.0.0.1</VersionEx>
      <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
      <Rules />
      <!--EKUS-->
      <EKUs />
      <!--File Rules-->
      <FileRules>
        <Allow ID="ID_ALLOW_CBD_0_0" FriendlyName="cdb.exe" FileName="CDB.Exe" />
        <Allow ID="ID_ALLOW_KD_0_0" FriendlyName="kd.exe" FileName="kd.Exe" />
        <Allow ID="ID_ALLOW_WINDBG_0_0" FriendlyName="windbg.exe" FileName="windbg.Exe" />
        <Allow ID="ID_ALLOW_MSBUILD_0_0" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" />
        <Allow ID="ID_ALLOW_NTSD_0_0" FriendlyName="ntsd.exe" FileName="ntsd.Exe" />
        <Allow ID="ID_ALLOW_POWERSHELLISE_0_0" FriendlyName="powershell_ise.exe" FileName="powershell_ise.exe" />
        <Allow ID="ID_ALLOW_REGEDIT_0_0" FriendlyName="regedit.exe" FileName="regedit.exe" />
      </FileRules>
      <!--Signers-->
      <Signers>
        <Signer ID="ID_SIGNER_S_5_1" Name="Jon Doe">
          <CertRoot Type="TBS" Value="A08E79C386083D875014C409C13D144E0004386132980DF11FF59737C8489EB1" />
        </Signer>
        <Signer ID="ID_SIGNER_S_6_1" Name="John Doe">
          <CertRoot Type="TBS" Value="A08E79C386083D875014C409C13D144E0004386132980DF11FF59737C8489EB1" />
        </Signer>
      </Signers>
      <!--Driver Signing Scenarios-->
      <SigningScenarios>
        <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 11-21-2019">
          <ProductSigners />
        </SigningScenario>
        <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 11-21-2019">
          <ProductSigners>
            <FileRulesRef>
              <FileRuleRef RuleID="ID_ALLOW_CBD_0_0" />
              <FileRuleRef RuleID="ID_ALLOW_KD_0_0" />
              <FileRuleRef RuleID="ID_ALLOW_WINDBG_0_0" />
              <FileRuleRef RuleID="ID_ALLOW_MSBUILD_0_0" />
              <FileRuleRef RuleID="ID_ALLOW_NTSD_0_0" />
              <FileRuleRef RuleID="ID_ALLOW_POWERSHELLISE_0_0" />
              <FileRuleRef RuleID="ID_ALLOW_REGEDIT_0_0" />
            </FileRulesRef>
            <AllowedSigners>
              <AllowedSigner SignerId="ID_SIGNER_S_5_1" />
            </AllowedSigners>
          </ProductSigners>
        </SigningScenario>
      </SigningScenarios>
      <UpdatePolicySigners>
        <UpdatePolicySigner SignerId="ID_SIGNER_S_6_1" />
      </UpdatePolicySigners>
      <CiSigners>
        <CiSigner SignerId="ID_SIGNER_S_5_1" />
      </CiSigners>
      <HvciOptions>0</HvciOptions>
      <BasePolicyID>{5951A96A-E0B5-4D3D-8FB8-3E5B61030784}</BasePolicyID>
      <PolicyID>{52123093-0000-0000-0000-096DC123A345}</PolicyID>
      <Settings>
        <Setting Provider="PolicyInfo" Key="Information" ValueName="Name">
          <Value>
            <String>Default-S-Mode-Policy</String>
          </Value>
        </Setting>
        <Setting Provider="PolicyInfo" Key="Information" ValueName="Id">
          <Value>
            <String>Default-S-Mode-Policy-10.0.0.1</String>
          </Value>
        </Setting>
      </Settings>
    </SiPolicy>

    I signed the policy with a PKI-Certificate with signtool after converting them to the bin format and deployed it to a single device using intune.

    However I am not able to run any of the tools I whitelisted in this policy. From the IntuneManagementExtension.log-file I extracted the following piece:

    <![LOG[[UnlockWin10S] ----------------------------------------------------- Lock DoWorkInternal ----------------------------------------------------- ]LOG]!><time="10:15:34.0931590" date="11-21-2019" component="IntuneManagementExtension" context="" type="2" thread="29" file="">
    <![LOG[[UnlockWin10S] DoWorkInternal starts...]LOG]!><time="10:15:34.0931590" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S] Get 1 active user sessions]LOG]!><time="10:15:34.0931590" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[starting impersonation, session id = 3]LOG]!><time="10:15:34.1087840" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[After impersonation: DOMAIN\jdoe]LOG]!><time="10:15:34.1087840" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[get provider, provider name = Geschäfts- oder Schulkonto]LOG]!><time="10:15:34.1244073" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Successfully get the token]LOG]!><time="10:15:35.6503635" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[[UnlockWin10S] valid AAD user session id : 3]LOG]!><time="10:15:35.6659864" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S] Total valid AAD User session count is 1]LOG]!><time="10:15:35.6659864" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S] Processing user session 3, user id = -159115138]LOG]!><time="10:15:35.6659864" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S] Set MdmDeviceCertificate : FINGERPRINTOFTHECERTIFICATE]LOG]!><time="10:15:35.6659864" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S:ProcessUnlockPolicyAsync: GetDeviceIdAndTenantId] Getting GetDeviceIdAndTenantId]LOG]!><time="10:15:35.6972410" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S:ProcessUnlockPolicyAsync: GetDeviceIdAndTenantId] Got instanceID: ApplicationControl, DeviceId: SOMEID1, TenantId: SOMEGUID2]LOG]!><time="10:15:35.8847374" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetDeviceIdAndTenantId] Getting GetDeviceIdAndTenantId]LOG]!><time="10:15:35.9003630" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetDeviceIdAndTenantId] Got instanceID: ApplicationControl, DeviceId: SOMEID1, TenantId: SOMEGUID2]LOG]!><time="10:15:35.9941103" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S] Getting existing unlock tokens and policies with session id 736b62f9-d3ea-436a-a095-312271f692a9 ...]LOG]!><time="10:15:35.9941103" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetTokenIds] Getting TokenIds]LOG]!><time="10:15:35.9941103" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetTokenIds] Got InstanceID: IDOFTHETOKEN]LOG]!><time="10:15:36.1347382" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetPolicyIds] Getting PolicyIds]LOG]!><time="10:15:36.1347382" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetPolicyIds] Got InstanceID: 5951a96a-e0b5-4d3d-8fb8-3e5b61030784]LOG]!><time="10:15:36.3548568" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetPolicyIds] policyId '5951a96a-e0b5-4d3d-8fb8-3e5b61030784' matched with one of the base policies, ignoring..]LOG]!><time="10:15:36.3548568" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetPolicyIds] Got InstanceID: d2bda982-ccf6-4344-ac5b-0b44427b6816]LOG]!><time="10:15:36.3548568" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetPolicyIds] policyId 'd2bda982-ccf6-4344-ac5b-0b44427b6816' matched with one of the base policies, ignoring..]LOG]!><time="10:15:36.3548568" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetPolicyIds] Got InstanceID: {52123093-0000-0000-0000-096DC123A345}]LOG]!><time="10:15:36.3548568" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] Getting all PolicyInfos]LOG]!><time="10:15:36.3548568" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] Getting PolicyInfo InstanceID: PolicyInfo, parentId: ./Vendor/MSFT/ApplicationControl/Policies/5951a96a-e0b5-4d3d-8fb8-3e5b61030784, version: 2814750752702464, status: 0, isEffective: True, isDeployed: False, IsAuthorized: True]LOG]!><time="10:15:36.6048519" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] policyId './Vendor/MSFT/ApplicationControl/Policies/5951a96a-e0b5-4d3d-8fb8-3e5b61030784' matched with one of the base policies, ignoring..]LOG]!><time="10:15:36.6048519" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] Getting PolicyInfo InstanceID: PolicyInfo, parentId: ./Vendor/MSFT/ApplicationControl/Policies/d2bda982-ccf6-4344-ac5b-0b44427b6816, version: 2814750926372864, status: 0, isEffective: True, isDeployed: False, IsAuthorized: True]LOG]!><time="10:15:36.6048519" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] policyId './Vendor/MSFT/ApplicationControl/Policies/d2bda982-ccf6-4344-ac5b-0b44427b6816' matched with one of the base policies, ignoring..]LOG]!><time="10:15:36.6048519" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] Getting PolicyInfo InstanceID: PolicyInfo, parentId: ./Vendor/MSFT/ApplicationControl/Policies/{52123093-0000-0000-0000-096DC123A345}, version: 2814749767106560, status: 0, isEffective: False, isDeployed: True, IsAuthorized: False]LOG]!><time="10:15:36.6048519" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: AllUnlockWin10SPolicies] Found Policy Info for policyId: {52123093-0000-0000-0000-096DC123A345}, policyInfos count: 1]LOG]!><time="10:15:36.6048519" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S] Request client info: {"DeviceName":"NAMEOFDEVICE","OperatingSystemVersion":"10.0.19013","SideCarAgentVersion":"1.24.114.0","Win10SMode":true,"UnlockWin10SModeTenantId":"SOMEGUID2","UnlockWin10SModeDeviceId":"SOMEID1"}]LOG]!><time="10:15:36.6204826" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S] Request payload: {"Id":"551a4e0e-3879-4222-ab25-89d395adf38e","Tokens":[{"Id":"IDOFTHETOKEN","Version":0,"Content":null,"Operation":0}],"Policies":[{"Hash":null,"PolicyId":"{52123093-0000-0000-0000-096DC123A345}","PolicyVersion":"2814749767106560","Id":null,"Version":0,"Content":null,"Operation":0}]}]LOG]!><time="10:15:36.6204826" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S] Requesting unlock tokens and policies with session id 736b62f9-d3ea-436a-a095-312271f692a9 ...]LOG]!><time="10:15:36.6204826" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[Getting UserToken For Web Request...]LOG]!><time="10:15:36.6204826" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[starting impersonation, session id = 3]LOG]!><time="10:15:36.6204826" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[After impersonation: DOMAIN\jdoe]LOG]!><time="10:15:36.6204826" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[get provider, provider name = Geschäfts- oder Schulkonto]LOG]!><time="10:15:36.6361079" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Successfully get the token]LOG]!><time="10:15:37.7390009" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Add Token with length 1752 into WebRequest]LOG]!><time="10:15:37.7390009" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Add MdmDeviceCertificate FINGERPRINTOFTHECERTIFICATE into WebRequest]LOG]!><time="10:15:37.7390009" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[SendWebRequest, client-request-id: SOMEGUID2, Method: PUT]LOG]!><time="10:15:37.7390009" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Current proxy is https://fef.msub03.manage.microsoft.com/SideCar/StatelessSideCarGatewayService/SideCarGatewaySessions('736b62f9-d3ea-436a-a095-312271f692a9')%3Fapi-version=1.1]LOG]!><time="10:15:37.7702333" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Sending network request...]LOG]!><time="10:15:37.7702333" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[[UnlockWin10S] response from svc is {"Id":"SOMEGUID3","Tokens":[],"Policies":[{"Id":"{52123093-0000-0000-0000-096DC123A345}","Hash":"lWB2dA2PdaHbwl7LKSjz1DbpIhoDtNQOtBDgXxMGlVA=","PolicyId":"{52123093-0000-0000-0000-096DC123A345}","PolicyVersion":"2814749767106561","Version":0,"Content":"MIIT_CERTIFICATE","Operation":2}]}]LOG]!><time="10:15:38.8940836" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: ProcessUnlockTokensAsync] No valid tokens to process, returning..]LOG]!><time="10:15:38.9095551" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: ProcessUnlockPoliciesAsync] Processing policy uninstalls..]LOG]!><time="10:15:38.9095551" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: ProcessUnlockPoliciesAsync] Processing policy install, updates..]LOG]!><time="10:15:38.9095551" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: SetPolicy] Setting policy with Id: {52123093-0000-0000-0000-096DC123A345}, putOptions: UpdateOnly]LOG]!><time="10:15:38.9251809" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: ProcessUnlockPoliciesAsync] Completed policy processing..]LOG]!><time="10:15:39.1596087" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: ReportUnlockDataStatus] Starting...]LOG]!><time="10:15:39.1596087" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetTokenIds] Getting TokenIds]LOG]!><time="10:15:39.1751715" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetTokenIds] Got InstanceID: IDOFTHETOKEN]LOG]!><time="10:15:39.2533559" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllTokenInfos] Getting all TokenInfos]LOG]!><time="10:15:39.2533559" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllTokenInfos] Getting TokenInfo InstanceID: TokenInfo, parentId: ./Vendor/MSFT/ApplicationControl/Tokens/IDOFTHETOKEN, Status: 0]LOG]!><time="10:15:39.3641337" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] Getting all PolicyInfos]LOG]!><time="10:15:39.3641337" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] Getting PolicyInfo InstanceID: PolicyInfo, parentId: ./Vendor/MSFT/ApplicationControl/Policies/5951a96a-e0b5-4d3d-8fb8-3e5b61030784, version: 2814750752702464, status: 0, isEffective: True, isDeployed: False, IsAuthorized: True]LOG]!><time="10:15:39.5516356" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] policyId './Vendor/MSFT/ApplicationControl/Policies/5951a96a-e0b5-4d3d-8fb8-3e5b61030784' matched with one of the base policies, ignoring..]LOG]!><time="10:15:39.5516356" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] Getting PolicyInfo InstanceID: PolicyInfo, parentId: ./Vendor/MSFT/ApplicationControl/Policies/d2bda982-ccf6-4344-ac5b-0b44427b6816, version: 2814750926372864, status: 0, isEffective: True, isDeployed: False, IsAuthorized: True]LOG]!><time="10:15:39.5672047" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] policyId './Vendor/MSFT/ApplicationControl/Policies/d2bda982-ccf6-4344-ac5b-0b44427b6816' matched with one of the base policies, ignoring..]LOG]!><time="10:15:39.5672047" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: GetAllPolicyInfos] Getting PolicyInfo InstanceID: PolicyInfo, parentId: ./Vendor/MSFT/ApplicationControl/Policies/{52123093-0000-0000-0000-096DC123A345}, version: 2814749767106561, status: 0, isEffective: False, isDeployed: True, IsAuthorized: False]LOG]!><time="10:15:39.5672047" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[[UnlockWin10S: ReportUnlockDataStatus] Request payload: {"ReportType":0,"Id":"54455433-be94-4d32-9872-59bf51018532","UserId":"a9585230-23dc-4ada-af3e-7c12a8b04494","TokenStatus":[],"PolicyStatus":[{"PolicyId":"{52123093-0000-0000-0000-096DC123A345}","PolicyVersion":"2814749767106561","Id":null,"Version":0,"Status":1}]}]LOG]!><time="10:15:39.5778756" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[Getting UserToken For Web Request...]LOG]!><time="10:15:39.5778756" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[starting impersonation, session id = 3]LOG]!><time="10:15:39.5778756" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[After impersonation: DOMAIN\jdoe]LOG]!><time="10:15:39.5778756" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">
    <![LOG[get provider, provider name = Geschäfts- oder Schulkonto]LOG]!><time="10:15:39.5778756" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Successfully get the token]LOG]!><time="10:15:39.6092017" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Add Token with length 1752 into WebRequest]LOG]!><time="10:15:39.6092017" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Add MdmDeviceCertificate FINGERPRINTOFTHECERTIFICATE into WebRequest]LOG]!><time="10:15:39.6092017" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[SendWebRequest, client-request-id: SOMEGUID4, Method: PUT]LOG]!><time="10:15:39.6092017" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Current proxy is https://fef.msub03.manage.microsoft.com/SideCar/StatelessSideCarGatewayService/SideCarGatewaySessions('829865f4-620f-444f-8cda-c76be91b5d95')%3Fapi-version=1.1]LOG]!><time="10:15:39.6247732" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Sending network request...]LOG]!><time="10:15:39.6247732" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="31" file="">
    <![LOG[Save UnlockWin10S 'LastSyncTimeUtc' to registry:result - True]LOG]!><time="10:15:39.7986476" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="14" file="">
    <![LOG[[UnlockWin10S] thread stopped.]LOG]!><time="10:15:39.7986476" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="14" file="">
    <![LOG[Checking throttle setting]LOG]!><time="10:15:39.8141651" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="14" file="">
    <![LOG[Successfully updated throttling info.]LOG]!><time="10:15:39.8297576" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="14" file="">
    <![LOG[Finish throttle checking.]LOG]!><time="10:15:39.8297576" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="14" file="">
    <![LOG[[UnlockWin10S] Saving throttle info in Unlock Win10 S flow]LOG]!><time="10:15:39.8297576" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="14" file="">
    <![LOG[[UnlockWin10S] ----------------------------------------------------- Unlock DoWorkInternal ----------------------------------------------------- ]LOG]!><time="10:15:39.8297576" date="11-21-2019" component="IntuneManagementExtension" context="" type="2" thread="14" file="">

    What striked out to me was the line:

    <![LOG[[UnlockWin10S: GetAllPolicyInfos] Getting PolicyInfo InstanceID: PolicyInfo, parentId: ./Vendor/MSFT/ApplicationControl/Policies/{52123093-0000-0000-0000-096DC123A345}, version: 2814749767106561, status: 0, isEffective: False, isDeployed: True, IsAuthorized: False]LOG]!><time="10:15:39.5672047" date="11-21-2019" component="IntuneManagementExtension" context="" type="1" thread="29" file="">

    The isAuthorized is 0 what according to the following article prevents the policy from getting effective. In the eventlog I see the following events:

    3105, CodeIntegrity: Trying to refresh Code Integrity policy with policy ID {52123093-0000-0000-0000-096DC123A345}.
    3105, CodeIntegrity: Ignoring refresh for Code Integrity policy ID {52123093-0000-0000-0000-096DC123A345}. Status 0x0.

    The machine runs Windows 10 1909 but also with the the latest update of the slow insider track it is not working.

    Does anyone has any idea why my policy is not authorized? Am i even on the right track here?

    *Note: Most GUIDs, Fingerprints etc. has been modified before I posted them here.


    Saturday, November 23, 2019 5:24 PM

All replies