How to Resolve New WDAC Policy Issues in Azure Stack

This post explains how to resolve issues when adding a new WDAC policy on Azure Local (formerly Azure Stack HCI): the symptom, its likely root causes, and practical fixes so that the policy deploys cleanly. Managing security policy in a hybrid Azure and Windows environment can be challenging, especially with Windows Defender Application Control (WDAC), which decides which user-mode binaries, scripts and drivers are allowed to run on each cluster node. Please also see how to fix WDAC vulnerabilities by updating PowerShell, and how to disable Driver Signature Enforcement in Windows 11.
We look at a common issue encountered when adding a new WDAC policy from an XML file using the Windows Admin Center (WAC) Cluster Manager.
Specifically, users may receive a permissions error when the cluster is accessed through WAC's Azure integration (WAC opened from the Azure portal through Azure Arc), even though the connection to the cluster itself succeeds.
Also see how to Configure Azure Monitor for VMs on Azure Stack Hub, how to Configure VM Update Management on Azure Stack Hub, and "Windows 10 and Windows 11 updates will now expire for better performance".
Observations from Case Notes
You can connect to the Windows Server cluster through WAC from Azure, and the connection itself succeeds. The error appears only during the XML policy upload, even when a domain admin or cluster admin account is used. Because a domain admin is normally a local administrator on every node, and local administrators can manage the cluster by default, a failure with such an account usually points to the credentials WAC actually presents to the node (the second hop from the gateway) or to a missing Azure-side role assignment, rather than to the account's rights on the cluster itself.

Investigation to resolve WDAC Policy Issues
1: Verify cluster access: Cluster permissions live in the cluster's own access list (there is no "Cluster Administrators" group). Confirm the domain user has Full access:
- Get-ClusterAccess
- If the user is missing, grant access (the cmdlet is Grant-ClusterAccess; there is no Add-ClusterAccess):
- Grant-ClusterAccess -User "DOMAIN\UserName" -Full
2: Check the credentials WAC presents to the cluster: WAC is a gateway service, so running the browser or the WAC shortcut "as administrator" changes nothing on the node. Open the cluster connection in WAC, choose "Manage as", and supply an account that is a local administrator on the nodes. When the gateway reaches the cluster over a second hop, single sign-on fails unless Kerberos constrained delegation is configured from the gateway to the nodes or explicit credentials are supplied.
3: Check Azure Arc integration: If the cluster is Azure Arc-enabled and WAC is opened from the Azure portal:
- Navigate to Azure Portal → Azure Arc → [Your Cluster]
- Ensure the user has the Contributor or Owner role on the associated resource group, and the "Windows Admin Center Administrator Login" role on the Arc resource; without the latter, WAC in the portal cannot sign in to the nodes at all.
4: Validate the WDAC policy XML: Signing is optional unless the policy removes rule option 6 ("Enabled:Unsigned System Integrity Policy"); once that option is absent, the binary policy must be signed before deployment or it will not load. Confirm the XML:
- Parses and carries a PolicyID and BasePolicyID (multiple-policy format); a supplemental policy's BasePolicyID must match a base policy that is already active on the nodes.
- Is in the mode you intend: audit mode is rule option 3 ("Enabled:Audit Mode"); remove that option to enforce.
- Use the following commands to list the rules and to set or clear audit mode:
- Get-CIPolicy -FilePath "path\to\policy.xml"
- Set-RuleOption -FilePath "path\to\policy.xml" -Option 3   (add -Delete to switch to enforced)
5: Check Cluster Shared Volume permissions: If the XML is kept on a CSV, it is visible on every node under the local path C:\ClusterStorage (not a UNC path). Make sure the file exists there and that the account can read it:
icacls "C:\ClusterStorage\Volume1\PolicyFolder\policy.xml"
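The following script collects the checks from steps 1, 4 and 5 into one pre-flight run on a cluster node, with an optional deployment at the end. It is an added example and not code from the original post. It assumes the account and path shown (placeholders), that the FailoverClusters and ConfigCI modules are installed, that CiTool.exe is present (Windows Server 2022 / Windows 11 22H2 or later) and returns a JSON object with a "Policies" array, and that the Azure Local cmdlet Add-ASWdacSupplementalPolicy takes a -Path parameter; verify the last two on your build before relying on them.

```powershell
<#
  Added example, not from the original post: WDAC supplemental policy pre-flight
  for a failover cluster / Azure Local node. Run in an elevated PowerShell
  session on one of the cluster nodes.
  Assumptions: $User and $PolicyXml are placeholders; CiTool.exe JSON shape and
  the Add-ASWdacSupplementalPolicy -Path parameter are as documented for the
  build this was written against.
#>
param(
    [string]$User      = "DOMAIN\UserName",                           # placeholder
    [string]$PolicyXml = "C:\ClusterStorage\Volume1\WDAC\Policy.xml", # placeholder
    [switch]$Deploy
)

$ErrorActionPreference = 'Stop'
Import-Module FailoverClusters
Import-Module ConfigCI
$problems = New-Object System.Collections.Generic.List[string]

# Step 1: the cluster keeps its own access list; membership in a local group is not enough.
$access = Get-ClusterAccess -User $User -ErrorAction SilentlyContinue
if (-not $access) {
    $problems.Add("$User is not in the cluster access list; fix with: Grant-ClusterAccess -User '$User' -Full")
}

# Step 5: a CSV path is local on every node, so test it on each node rather than once.
foreach ($node in Get-ClusterNode) {
    $readable = Invoke-Command -ComputerName $node.Name -ScriptBlock { Test-Path -Path $using:PolicyXml }
    if (-not $readable) { $problems.Add("$($node.Name) cannot read $PolicyXml") }
}

# Step 4: read the fields in the XML that decide whether the policy will load at all.
[xml]$xml   = Get-Content -Path $PolicyXml -Raw
$sip        = $xml.SiPolicy
$options    = @($sip.Rules.Rule.Option)
$policyId   = $sip.PolicyID
$baseId     = $sip.BasePolicyID
$auditMode  = $options -contains 'Enabled:Audit Mode'                        # rule option 3
$unsignedOk = $options -contains 'Enabled:Unsigned System Integrity Policy'  # rule option 6

if (-not $policyId) {
    $problems.Add("no PolicyID element: the policy is in single-policy format; supplemental policies need multiple-policy format")
}
if ($sip.PolicyType -eq 'Supplemental Policy' -and $policyId -eq $baseId) {
    $problems.Add("a supplemental policy must carry a BasePolicyID different from its own PolicyID")
}
if (-not $unsignedOk) {
    $problems.Add("rule option 6 is absent, so the .cip must be signed (signtool /p7) before deployment")
}

# A supplemental policy only loads if its base policy is already active on the node.
# Assumption: CiTool's JSON output exposes a Policies array with a PolicyID per entry.
try {
    $active = (& "$env:SystemRoot\System32\CiTool.exe" --list-policies -json | ConvertFrom-Json).Policies
    $activeIds = @($active.PolicyID | ForEach-Object { $_.Trim('{}').ToLowerInvariant() })
    if ($sip.PolicyType -eq 'Supplemental Policy' -and $baseId -and
        -not ($activeIds -contains $baseId.Trim('{}').ToLowerInvariant())) {
        $problems.Add("no active base policy with ID $baseId on $env:COMPUTERNAME")
    }
} catch {
    Write-Warning "Could not query active policies with CiTool: $($_.Exception.Message)"
}

if ($problems.Count -gt 0) {
    Write-Warning "Pre-flight failed:"
    $problems | ForEach-Object { Write-Warning "  - $_" }
    return
}
$mode = if ($auditMode) { 'Audit' } else { 'Enforced' }
Write-Host "Pre-flight passed for $policyId (mode: $mode)"

if ($Deploy) {
    if (Get-Command Add-ASWdacSupplementalPolicy -ErrorAction SilentlyContinue) {
        # Azure Local ships a wrapper that registers the supplemental policy cluster-wide.
        Add-ASWdacSupplementalPolicy -Path $PolicyXml
    } else {
        # Plain Windows Server: convert to binary and apply on this node without a reboot.
        $bin = Join-Path (Split-Path -Path $PolicyXml -Parent) "$policyId.cip"
        ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $bin | Out-Null
        & "$env:SystemRoot\System32\CiTool.exe" --update-policy $bin -json
    }
}
```

Run it once without -Deploy to see every blocking problem at once; the three XML checks are the ones that most often explain an upload that is rejected with an unhelpful permissions-style error, because a policy in single-policy format or with an unknown base policy cannot be registered regardless of who uploads it.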
Please also see Hardening Active Directory – GPO MSCT 1.0 CIS Benchmark – Policy Analyzer, "How to Resource Lock on Delete on Azure", and how to install WSL on Windows.
Reupload the XML Policy
Try uploading the XML policy again through WAC. Alternatively, connect to a cluster node over RDP and import the policy with PowerShell.
Run PowerShell as Administrator on the cluster node. If the cluster is managed through Azure, make sure the account still has the required permissions and that remote execution (WinRM) is enabled on the nodes, since WAC relies on it.
A WDAC policy is always consumed by the kernel in binary form, so ConvertFrom-CIPolicy is required whether you intend audit or enforcement; the choice between the two is made by rule option 3 in the XML before conversion, not by a deployment switch. Note that there is no Set-CIPolicy cmdlet: on Windows Server 2022 / Windows 11 22H2 and later the binary policy is applied with CiTool.exe, and on older builds by copying the .cip into C:\Windows\System32\CodeIntegrity\CiPolicies\Active and rebooting. On Azure Local the base policy is owned by the platform, so add your own rules as a supplemental policy (through WAC or the Add-ASWdacSupplementalPolicy cmdlet shipped with Azure Local) rather than replacing the base policy. Run the following on each node:
# Path to your WDAC XML policy
$PolicyXml = "C:\Path\To\Your\Policy.xml"
# Decide the mode in the XML first: rule option 3 is "Enabled:Audit Mode"
Set-RuleOption -FilePath $PolicyXml -Option 3            # audit mode
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete  # enforced mode instead
# Convert the XML policy to the binary (.cip) form the kernel loads (required for audit and enforcement alike)
$PolicyBin = "C:\Path\To\Your\Policy.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
# Apply (or refresh) the policy on this node without a reboot
CiTool.exe --update-policy $PolicyBin -json
# Confirm the policy is active: the PolicyID from the XML should appear in the list
CiTool.exe --list-policies -json
I hope you found this guide very useful on “How to Resolve New WDAC Policy Issues in Azure Stack Local”. Please, feel free to leave a comment below.