Windows Defender Application Control (WDAC) is a security feature that ensures only trusted applications can run on a system. When WDAC is enabled and set to enforced mode, it restricts the execution of applications based on predefined policies. This can affect Commvault software operations, such as installation and backups.
By default, Azure Local OS 23H2 and newer versions have WDAC enabled and running in enforced mode on the Stack HCI node. To allow third-party, non-Microsoft signed software to run on these nodes, the WDAC policy generated by Commvault must be implemented on these nodes.
Before You Begin
To ensure that Commvault software runs successfully on Azure Local OS 23H2 and newer versions with WDAC enabled, you must install the WDAC Supplemental Policy Deployment.
Procedure
- Copy the WDAC supplemental policy XML file to a location on the node.
- Deploy the policy XML file from its location using the appropriate cmdlet:
  - Add-ASWDACSupplementalPolicy -Path "Cvlt_AzureLocal_WDAC.xml"
- Switch the policy mode to Enforced if it is currently in audit mode.
  - Enable-AsWdacPolicy -Mode Enforced
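The procedure above as one script with checks before and after deployment. This is an added example, not Commvault or Microsoft code. It assumes the policy file was copied to C:\Temp and uses Get-AsWdacPolicyMode and Get-ASLocalWDACPolicyInfo, two cmdlets from the same Azure Local WDAC module that this page does not mention.

```powershell
# Added example. Run in an elevated PowerShell session on the Azure Local node.
$PolicyPath = 'C:\Temp\Cvlt_AzureLocal_WDAC.xml'   # assumed copy location from step 1

# Stop early if the file was not copied where expected.
if (-not (Test-Path -LiteralPath $PolicyPath -PathType Leaf)) {
    throw "Policy file not found: $PolicyPath"
}

# Parse the XML and confirm it really is a supplemental policy, so a base
# policy or an unrelated XML file is not deployed by mistake.
[xml]$doc = Get-Content -LiteralPath $PolicyPath -Raw
$si = $doc.SiPolicy
if ($null -eq $si) {
    throw 'Root element is not SiPolicy; this is not a WDAC policy file.'
}
if ($si.PolicyType -ne 'Supplemental Policy') {
    throw "PolicyType is '$($si.PolicyType)', expected 'Supplemental Policy'."
}

# Record what is about to be trusted: policy IDs, file hash and signer names.
# Keep this output with the change record for later review.
"PolicyID     : $($si.PolicyID)"
"BasePolicyID : $($si.BasePolicyID)"
"SHA256       : $((Get-FileHash -LiteralPath $PolicyPath -Algorithm SHA256).Hash)"
'Signers allowed by this policy:'
@($si.Signers.Signer) | Where-Object { $_ } | ForEach-Object { "  $($_.Name)" }

# Show the mode on each node before changing anything.
Get-AsWdacPolicyMode

# Step 2: deploy the supplemental policy.
Add-ASWDACSupplementalPolicy -Path $PolicyPath

# Step 3: needed only if the mode shown above was Audit.
Enable-AsWdacPolicy -Mode Enforced

# Confirm the supplemental policy is listed and the nodes report Enforced.
Get-ASLocalWDACPolicyInfo
Get-AsWdacPolicyMode
```

Compare the printed signer names and SHA256 value with what the vendor publishes for the policy file before running the deployment steps.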
For more information, see the Microsoft article on WDAC management.