15: How to use Scripts Manager to work around the “PPAppLockdr64.dll is either not designed to run on Windows or it contains an error” message when running Microsoft Remote Assistance (MSRA.exe) and the PolicyPak CSE is installed on Windows 10 1903

  1. First, configure the custom Exploit Protection settings under Windows 10 Settings that resolve this issue.
    1. Use Windows Search to find "Exploit protection" and open the Exploit protection settings.
    2. Click "Program settings".
    3. Click "Add a program to customize" and choose "Add by program name".
    4. Enter "msra.exe" and click "Add".
    5. Scroll down the list of options until you find "Disable extension points".
    6. Check "Override system settings" and set the slider to "On".
    7. Click "Apply" to save your changes.
  2. Once the custom Exploit Protection settings have been configured as desired, run the following command from an elevated PowerShell session:

Get-ProcessMitigation -RegistryConfigFilePath \\server\share\CustomExploitMitigation.xml

Then verify that the file has been created successfully on the share.

Note: Replace \\server\share\ with the path to a network share in your environment that is accessible by all users who will need to receive these settings. We recommend granting the Everyone group Read permissions to this share. Keep write access limited to administrators, because the policy configured below applies this file with elevated rights.

  3. The next step is to set up the Scripts Manager policy items in PolicyPak.
    1. Run the Microsoft Group Policy Management Console (GPMC) as a user with the necessary rights (to create and link GPOs at that level), then create a new GPO and link it at the OU (User Level) or Domain level, depending on who needs to receive these settings.
    2. Edit the newly created GPO and expand the User Configuration > PolicyPak > Scripts Manager section.
    3. Click “ADD NEW COLLECTION” to add a new collection, give it any descriptive name you like, then click “OK”.
    4. Double-click the collection you just created to open it.
    5. Right-click anywhere in the right pane and choose “Add > New Policy” (or click the “ADD NEW POLICY” button) to create a new policy item within the collection.
    6. The “PolicyPak Scripts Manager Wizard” will then open.
    7. At the “On apply action” screen, choose “PowerShell script” from the drop-down.
    8. Paste the command below into the script body window after setting the share path to the relevant UNC path for your environment.

Set-ProcessMitigation -PolicyFilePath \\server\share\CustomExploitMitigation.xml

    9. Check both the “Run script as user” and “With elevated rights” boxes at the bottom left of the window and click “Next”.
    10. Click “Next” to skip the “On revert action” screen.
    11. At the “Specify process mode” screen, choose “Once or when forced”, then click “Save”.
  4. Lastly, test the policy.
    1. Log in as a domain user within the OU or Domain where the policy is applied and verify under Windows Settings that the custom Exploit Protection settings are present.
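
A more defensive version of the script body from the steps above, as an added example that is not PolicyPak's own script: it checks that the exported file is reachable and contains an msra.exe entry before applying it, then confirms the mitigation is in effect. The share path is the article's placeholder, the function name is hypothetical, and the `AppConfig`/`Executable` names are an assumption about the exported XML layout.

```powershell
# Added example: defensive script body for the Scripts Manager policy item.
# $PolicyFile is the article's placeholder share path; replace it with your own.
$PolicyFile = '\\server\share\CustomExploitMitigation.xml'
$Target     = 'msra.exe'

# Hypothetical helper: $true only when the per-program setting is switched on.
function Test-ExtensionPointsDisabled {
    param([string]$Name)
    # Get-ProcessMitigation -Name reads the per-program settings for $Name.
    $m = Get-ProcessMitigation -Name $Name
    return ($null -ne $m) -and ("$($m.ExtensionPoint.DisableExtensionPoints)" -eq 'ON')
}

# 1. The share must be reachable and the file present before anything is applied.
if (-not (Test-Path -LiteralPath $PolicyFile -PathType Leaf)) {
    throw "Policy file not found: $PolicyFile"
}

# 2. The file must parse as XML and carry an entry for the target program.
#    Assumption: the export uses <AppConfig Executable="..."> elements.
$doc  = [xml](Get-Content -LiteralPath $PolicyFile -Raw)
$apps = @($doc.SelectNodes('//AppConfig') |
          ForEach-Object { $_.GetAttribute('Executable') })
if ($apps -notcontains $Target) {
    throw "$PolicyFile has no entry for $Target (found: $($apps -join ', '))"
}

# 3. Apply the file, as the article's one-line script does.
Set-ProcessMitigation -PolicyFilePath $PolicyFile

# 4. Confirm the setting the article configures is now on for the target.
if (-not (Test-ExtensionPointsDisabled -Name $Target)) {
    throw "'Disable extension points' is not ON for $Target after applying the policy"
}
Write-Output "Exploit Protection: 'Disable extension points' is ON for $Target"
```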

  • 843
  • 15-Oct-2019