Av Defender Failed To Download File Catalog


Edmond Peralto

Jul 21, 2024, 9:30:55 PM7/21/24
to siputorpark

Hello guys, I'm experiencing a very weird issue with some config profiles. We are currently migrating most of our settings from Group Policy to Config Profiles, so I created about 10 of them; 3 out of the 10 applied successfully, but the other 7 are giving me a headache. The profiles applied successfully on some devices, but on others they failed and gave the 65000 error. All these devices have the latest updates. The error I saw in the event log is "The system cannot find the file specified". I will greatly appreciate any help because I'm stuck and Microsoft Support is yet to contact me. Thank you in advance.


Catalog files can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. You can also use catalog files to add your own signature to apps you get from independent software vendors (ISV) when you don't want to trust all code signed by that ISV. In this way, catalog files provide a convenient way for you to "bless" apps for use in your WDAC-managed environment. And, you can create catalog files for existing apps without requiring access to the original source code or needing any expensive repackaging.

Finally, add a signer rule to your WDAC policy for your signing certificate. Then, any apps covered by your signed catalog files are able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a WDAC policy that blocks all unsigned code, because most malware is unsigned.

Apply a policy in audit mode to the computer where you run Package Inspector. Package Inspector uses audit events to include hashes in the catalog file for any temporary installation files that are added and then removed from the computer during the installation process. The audit mode policy should not allow the app's binaries or you may miss some critical files that are needed in the catalog file.

Every file that is written to the drive you are watching with Package Inspector will be included in the catalog that is created. Be aware of any other processes that may be running and creating files on the drive.

Copy the installation media to the drive you're watching with Package Inspector, so that the actual installer is included in the final catalog file. If you skip this step, you may allow the app to run, but not actually be able to install it.

Use the app as you would normally, so that files created during normal use are included in your catalog file. For example, some apps may download more files on first use of a feature within the app. Be sure to also check for app updates if the app has that capability.

When you've confirmed that the previous steps are complete, use the following commands to stop Package Inspector. It creates a catalog file and catalog definition file in the specified location. Use a naming convention for your catalog files to make it easier to manage your deployed catalog files over time. The filenames used in this example are LOBApp-Contoso.cat (catalog file) and LOBApp.cdf (definition file).

For the code signing certificate that you use to sign the catalog file, import it into the signing user's personal store. Then, sign the existing catalog file by copying each of the following commands into an elevated Windows PowerShell session.

The variable should be the full path to the Signtool.exe utility. ContosoSigningCert represents the subject name of the certificate that you use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file.

Verify the catalog file's digital signature. Right-click the catalog file, and then select Properties. On the Digital Signatures tab, verify that your signing certificate exists with a sha256 algorithm, as shown in Figure 1.
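The stop, sign and verify steps above as one elevated PowerShell session. This is an added example, not the commands from the original procedure; it assumes the watched drive is C:, the files are written to the Desktop, PackageInspector.exe is on the path, the certificate subject is ContosoSigningCert, and signtool.exe sits in the Windows SDK path shown (adjust to your SDK version).

```powershell
# Added example (not the original procedure's commands): finish the Package Inspector session,
# sign the catalog, and verify the signature without opening the Properties dialog.
# Assumptions: watched drive C:, output on the Desktop, certificate subject ContosoSigningCert,
# and signtool.exe in the Windows SDK folder below (change the version to match your SDK).
$ExamplePath = Join-Path $env:USERPROFILE 'Desktop'
$CatFileName = Join-Path $ExamplePath 'LOBApp-Contoso.cat'
$CatDefName  = Join-Path $ExamplePath 'LOBApp.cdf'
$SignTool    = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'

# Stop watching C: and write both the catalog (.cat) and the catalog definition (.cdf).
& PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName

# Sign with the certificate from the current user's personal store, selected by subject name (/n).
# /fd sha256 is what produces the sha256 entry expected on the Digital Signatures tab.
& $SignTool sign /n 'ContosoSigningCert' /fd sha256 /v $CatFileName
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# Verify: the signature must chain to a trusted root and the signer must be our certificate.
$sig = Get-AuthenticodeSignature -FilePath $CatFileName
if ($sig.Status -ne 'Valid') { throw "Catalog signature status is $($sig.Status), not Valid" }
if ($sig.SignerCertificate.Subject -notlike '*CN=ContosoSigningCert*') {
    throw "Catalog was signed by $($sig.SignerCertificate.Subject), not ContosoSigningCert"
}
"Signed OK by $($sig.SignerCertificate.Subject) (thumbprint $($sig.SignerCertificate.Thumbprint))"
```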

For testing purposes, you can manually copy signed catalog files to this folder. For large-scale deployment of signed catalog files, use group policy file preferences or an enterprise systems management product such as Microsoft Configuration Manager.

The following process walks you through the deployment of a signed catalog file called LOBApp-Contoso.cat to a test OU called WDAC Enabled PCs with a GPO called Contoso Catalog File GPO Test.

To use this setting to provide consistent deployment of your catalog file (in this example, LOBApp-Contoso.cat), the source file should be on a share that is accessible to the computer account of every deployed computer. This example uses a share on a computer running Windows 10 called \\Contoso-Win10\Share. The catalog file being deployed is copied to this share.

On the Common tab of the New File Properties dialog box, select the Remove this item when it is no longer applied option. Enabling this option ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application.

Close the Group Policy Management Editor, and then update the policy on the test computer running Windows 10 or Windows 11, by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\Windows\System32\catroot\F750E6C3-38EE-11D1-85E5-00C04FC295EE on the computer running Windows 10.

As an alternative to group policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files and provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes.

The following example uses a network share named \\Shares\CatalogShare as a source for the catalog files. If you have collection-specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization.

When catalog files have been deployed to the computers within your environment, whether by using group policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager.
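A script that checks, after GPUpdate or a Configuration Manager deployment, that the catalog arrived in the catalog store, and that audits every catalog there so the same run doubles as an inventory. It is an added example, not part of the original text or any Microsoft tooling; the expected-thumbprint table is a constructed placeholder, and the catroot subfolder is named with the GUID in braces on disk.

```powershell
# Added example (not from the original text): confirm that a deployed catalog landed in the catalog
# store and audit every catalog there, which doubles as a lightweight inventory.
# Assumptions: $Expected holds the catalogs this environment deploys with the thumbprint of the
# certificate that should have signed each one (constructed placeholder; use your real thumbprint).
$CatRoot  = 'C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
$Expected = @{ 'LOBApp-Contoso.cat' = 'PLACEHOLDER_THUMBPRINT_OF_CONTOSOSIGNINGCERT' }

$report = foreach ($cat in Get-ChildItem -Path $CatRoot -Filter '*.cat' -File) {
    $sig   = Get-AuthenticodeSignature -FilePath $cat.FullName
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    $subj  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '' }

    # Classify: a bad signature is never acceptable; a catalog we deploy must carry the expected
    # signer; anything else should be Microsoft's own (Windows keeps its component catalogs here).
    $finding = 'OK'
    if ($sig.Status -ne 'Valid') { $finding = 'INVALID-SIGNATURE' }
    elseif ($Expected.ContainsKey($cat.Name)) {
        if ($Expected[$cat.Name] -ne $thumb) { $finding = 'WRONG-SIGNER' }
    }
    elseif ($subj -notmatch 'O=Microsoft Corporation') { $finding = 'UNEXPECTED-CATALOG' }

    [pscustomobject]@{
        Catalog    = $cat.Name
        Status     = $sig.Status
        Signer     = $subj
        Thumbprint = $thumb
        Finding    = $finding
    }
}

# A catalog that never arrived means group policy file preferences or Configuration Manager
# did not deliver it; report it alongside the signature findings.
$missing = $Expected.Keys | Where-Object { -not (Test-Path -Path (Join-Path $CatRoot $_)) }
$report | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
if ($missing) { Write-Warning "Not deployed: $($missing -join ', ')" }

# Keep the full listing for compliance reporting, as the software inventory feature would.
$report | Export-Csv -Path (Join-Path $env:TEMP 'catalog-inventory.csv') -NoTypeInformation
```

Run it elevated; reading the catalog store and checking signatures on every file can take a minute on a system with many Windows component catalogs.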

Now that you have your signed catalog file, you can add a signer rule to your policy that allows anything signed with that certificate. If you haven't yet created a WDAC policy, see the Windows Defender Application Control design guide.

On a computer where the signed catalog file has been deployed, you can use New-CiPolicyRule to create a signer rule from any file included in that catalog. Then use Merge-CiPolicy to add the rule to your policy XML. Be sure to replace the path values in the following sample:
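One way to carry out that step, as an added example rather than the original sample (the application path and the policy file names are assumptions):

```powershell
# Added example: build a signer rule from a file covered by the deployed catalog and merge it into
# an existing WDAC policy. The file path and policy paths are assumptions; replace them.
$CatalogSignedFile = 'C:\Program Files\LOBApp\LOBApp.exe'   # any file listed in LOBApp-Contoso.cat
$ExistingPolicy    = 'C:\Policies\LOBApp-WDAC.xml'
$MergedPolicy      = 'C:\Policies\LOBApp-WDAC-Merged.xml'

# Publisher level derives an allow rule from the certificate that the catalog lends the file,
# so every file in the catalog (and any future catalog signed the same way) is covered by one rule.
$Rules = New-CIPolicyRule -DriverFilePath $CatalogSignedFile -Level Publisher

# Merge the new rule into the existing policy XML instead of editing the XML by hand.
Merge-CIPolicy -PolicyPaths $ExistingPolicy -Rules $Rules -OutputFilePath $MergedPolicy

# Sanity check: the merged policy must now contain a signer whose name matches our certificate.
[xml]$policy = Get-Content -Path $MergedPolicy
$signers = $policy.SiPolicy.Signers.Signer | Where-Object { $_.Name -like '*Contoso*' }
if (-not $signers) { throw "No Contoso signer found in $MergedPolicy" }
$signers | Select-Object ID, Name
```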

Settings catalog lists all the settings you can configure, and all in one place. This feature simplifies how you create a policy, and how you see all the available settings. More settings are continually being added. For a list of the settings in the settings catalog, go to the IntunePMFiles / DeviceConfig GitHub repository.

When you create the policy, you start from scratch. You add only the settings you want to control and manage. For example, you can use the settings catalog to create a BitLocker policy with all BitLocker settings, and all in one place in Intune.

Apple's declarative device management (DDM) is built into the settings catalog. When you configure settings from the settings catalog on iOS/iPadOS 15+ devices enrolled using User Enrollment, you're automatically using DDM. If DDM doesn't work for any reason, then these devices use Apple's standard MDM protocol. All other iOS/iPadOS devices continue to use Apple's standard MDM protocol.

When you create a settings catalog policy, you can export the policy to a .json file. You can then import this file to create a new policy. This feature is useful if you want to create a policy that's similar to an existing policy. For example, you export a policy, import it to create a new policy, and then make changes to the new policy.

In the admin center, select Devices > Monitor > Assignment failures. If your Settings Catalog policy failed to deploy because of an error or conflict, it shows in this list. You can also Export to a .csv file.

The Settings catalog lists all the available settings. If you want to see all the available Firewall settings, or all the available BitLocker settings, then use this option. Also, use this option if you're looking for specific settings.

Knowing how to troubleshoot is necessary so you can come up with a good answer in no time. But then again, a lot of settings inside the settings catalog are telling us you need to have the insider preview installed, so why not give us a little hint about this one?

Hmm, gotcha... well, I'd review this -us/microsoft-365/security/defender-endpoint/microsoft-defender-antivi... and maybe it will help you put Defender in passive mode as a workaround. Sophos also mentions passive mode: -000042286?language=en_US

I have a list of 18 virtual machines (Windows Server) where I have CrowdStrike and Windows Defender. So I was requested by the server owner to remove Defender, since he couldn't and received the same error (Removal of one or more roles, role services, or features failed. The referenced assembly could not be found. Error: 0x80073701).

I searched and found a possible solution:
Need to "turn off Windows Defender" in the Local Group Policy Editor, then do a server restart; then the Windows feature would be successfully removed.
Source: -US/502d1617-cbee-44c9-9f20-c8947240fd87/unable-to-uninstall-windows-defender-from-2016-server-error-0x80073701

Did the following on only 1 server:
1. Set "Turn off Windows Defender" on the Local Group Policy Editor to "ENABLED" (Run "gpedit.msc" > Local Computer Policy > Administrative Templates > Windows Components > Windows Defender > Turn off Windows Defender > Enabled).
2. Asked the server owner to schedule the reboot for the server (I'm not authorized to reboot it as it is a production server).
3. I just checked today if the feature can be removed with 'Remove Roles and Features', but it didn't work.
