Replies: 2 comments
Found another MSI install that App Control is blocking even in Audit Mode. It's also an InstallShield Wizard installer, which may just be coincidence.
Forgot to update this post, but we eventually got the answer to the problem. The issue was/is that the Dynamic Code Security option is enabled in the sample policy, which has a note in the documentation: "NOTE: This option is always enforced if any App Control UMCI policy enables it. There's no audit mode for .NET dynamic code security hardening." So the problem was really that Windows 11 prior to 24H2 was not enforcing DCS, rather than 24H2 failing to honour audit mode. The logs should probably make this clearer, but hey.
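A pre-deployment check for the situation described in the reply above, as an added example that is not part of the thread or of Microsoft's tooling: it reads App Control policy XML and reports when a policy that is otherwise in Audit Mode also turns on Dynamic Code Security. The two policy fragments are constructed for illustration, and `Get-PolicyOptionSummary` is a hypothetical helper name.

```powershell
# Constructed policy fragments for illustration; not the real blocklist policy.
$policies = @{
    'UserModeBlocklist (constructed)' = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:Dynamic Code Security</Option></Rule>
  </Rules>
</SiPolicy>
'@
    'BasePolicy (constructed)' = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
</SiPolicy>
'@
}

# Hypothetical helper: extract the rule options that matter for this check.
function Get-PolicyOptionSummary {
    param([string]$Name, [string]$XmlText)
    $doc = [xml]$XmlText
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')
    $options = @($doc.SelectNodes('/si:SiPolicy/si:Rules/si:Rule/si:Option', $ns) |
        ForEach-Object { $_.InnerText.Trim() })
    [pscustomobject]@{
        Policy    = $Name
        Umci      = $options -contains 'Enabled:UMCI'
        AuditMode = $options -contains 'Enabled:Audit Mode'
        Dcs       = $options -contains 'Enabled:Dynamic Code Security'
    }
}

$summary = foreach ($p in $policies.GetEnumerator()) {
    Get-PolicyOptionSummary -Name $p.Key -XmlText $p.Value
}
$summary | Format-Table -AutoSize

# Per the documentation note quoted above: DCS has no audit mode and is
# enforced if ANY UMCI policy enables it, so one policy is enough.
$dcsSources = @($summary | Where-Object { $_.Umci -and $_.Dcs })
if ($dcsSources.Count -gt 0) {
    Write-Warning "Dynamic Code Security is enforced. Enabled by: $($dcsSources.Policy -join ', ')"
    $auditOnly = @($dcsSources | Where-Object AuditMode).Policy -join ', '
    if ($auditOnly) { Write-Warning "Audit Mode in [$auditOnly] does not apply to DCS." }
}
```

To check real policies, replace the here-strings with `Get-Content -Raw` on the policy XML files that are deployed to the device.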
Hi,
We've got the "Microsoft Windows Recommended User Mode BlockList" policy deployed to our estate in audit mode, which is mostly Windows 11 23H2. We have upgraded some pilot devices to 24H2 and noticed some peculiar behaviour.
For example, a commercial piece of software refuses to install any more. If I remove the blocklist policy with citool and try again it works fine.
I can see various things happening in the Defender logs, but everything is still showing as 'audited' and not 'blocked'. The MSI kicks off a script that calls fsutil.exe and writes a registry value if required. I can see the script starting, fsutil.exe being spawned, but the registry entry never gets written and the script exits reporting a 1603 status. If I run the script manually it works though, so I don't think it's a registry permission or other script issue.
I have a support ticket open with Microsoft, but I'm not convinced it's got to the right team yet.
Just wondering if anyone else has noticed anything odd with App Control and 24H2.
Best wishes,
Iain