Sophos Application Control and Installing Intune Management Extension

Hi,

We've recently moved to a hybrid setup for our Windows devices (local active and Intune). Many devices have successfully and fully set up, but most have not. They are registered with Intune and show compliance; however, we have found that those not working have not installed the Intune Management Extension (IME). This means they cannot run scripts or deploy software from Intune.

I have come to the conclusion that application control is to blame even although it doesn't complain about Intune directly.

Trying to manually run the IME installer would bring up an error and it would fail; there were no pop-up alerts from Sophos about software being blocked. When I temporarily disabled Sophos application control and manually re-ran the IME installer on the test machine, it succeeded.

We have 3 different Application Control policies in place for Sophos with varying levels of lockdown. As part of troubleshooting I have unblocked "Microsoft Intune", and today I realised all the problem devices were showing application control alerts for "Eventing Command Line", which was blocked. I'm testing a few problem machines with "Eventing Command Line" unblocked.

Can anyone confirm what should be unblocked for IME to install and run correctly?

Thanks!

Stephen



[edited by: GlennSen at 1:26 PM (GMT -7) on 3 Sep 2024]
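One way to find which devices are in the state described above (enrolled and compliant, but with IME never installed) is to check each device for the IME service and its directories. This is an added example, not from the original post or from Sophos or Microsoft; it assumes the standard IME service name (IntuneManagementExtension) and the default install and log directories, so adjust them if your environment differs.

```powershell
# Added example (not from the thread): report whether the Intune Management Extension
# is actually present on this device, so devices that enrolled but never got IME can be
# separated from those that merely have not run a script yet.
# Assumptions: service name 'IntuneManagementExtension' and the default install/log
# directories below are the standard IME locations.

function Test-ImePresence {
    $service = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
    $installDir = Join-Path ${env:ProgramFiles(x86)} 'Microsoft Intune Management Extension'
    $logDir = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs'

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServicePresent   = [bool]$service
        ServiceStatus    = if ($service) { $service.Status.ToString() } else { 'NotInstalled' }
        InstallDirExists = Test-Path -Path $installDir
        LogDirExists     = Test-Path -Path $logDir
        # Most recent IME log write, useful to tell "installed but stalled" from "never installed"
        LastLogWrite     = if (Test-Path -Path $logDir) {
                               (Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
                                   Sort-Object LastWriteTime -Descending |
                                   Select-Object -First 1).LastWriteTime
                           } else { $null }
    }
}

# Run locally; for a fleet, wrap in Invoke-Command against a list of hosts and export to CSV.
Test-ImePresence | Format-List
```

A device reporting ServicePresent = False with no install directory matches the symptom in the post (IME never installed), whereas a present-but-stopped service points to a different problem than application control.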
  • Hi Monkster,

    Thanks for reaching out to the Sophos Community Forum. 

    Could you let me know if your Application Control policies are configured to block everything by default and only allow applications if explicitly listed? 

    If you would like to be certain that all applications you need allowed are on the allow list, I'd suggest searching for the term "Microsoft" in the "Add/Edit Application List". Another option would be to first set up a test device as desired, then deploy Sophos with the policy specified to "Detect controlled applications during scheduled and on-demand scans". 
    In doing so, the device will begin at the desired state and by installing and running a full system scan you will be alerted to all applications which need to be explicitly allowed. 

    If adding "Microsoft Intune" and "Eventing Command Line Utility" to the allow list have not resolved your issues, I'd suggest adding a "Process Exclusion" to the Global Exclusions section, so the installer is able to run without being scanned/detected. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply