Another post about WDAC, this time about deploying the Teams Add-In for Microsoft Office. You can find the other post here.
The Problem
This also has a problem installing with the default WDAC configuration. You can see this in the Application event log:
Product: Microsoft Teams Meeting Add-in for Microsoft Office — Error 1723. There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run. Contact your support personnel or package vendor. Action DIRCA_CheckFX, entry: CheckFX, library: C:\Windows\Installer\MSI***.tmp
And then the same temp file in the code integrity log:
The Fixing
Luckily I found this post:
https://techcommunity.microsoft.com/t5/microsoft-teams/teams-standalone-outlook-addin/m-p/1291844
It shows how to get the installer for the Teams Add-In. You probably, just like me, use the MSIX installer for Teams. The Add-In, an MSI application, is perhaps signed with another code signing certificate.
It turns out a DLL within the Add-In is not signed and must be added to the WDAC configuration.
So, this time I grabbed the PowerShell module WDACConfig. It’s more thorough than the WDAC Wizard. The WDAC Wizard can only show you one exclude type at a time, so to have all the options you need to run it more than once. The PowerShell module grabs everything at once and you can filter out what you don’t want to exclude. This is my preferred method.
I extracted the MSI and put it together with the original file in C:\temp:
After that, I ran this command:
New-SupplementalWDACConfig -SuppPolicyName SupplementalPolicy-Teams -PolicyPath "C:\Users\User\Documents\WDACBasepolicyv1.1.xml" -ScanLocation "C:\Temp" -Normal
I was not completely happy with the output. I don’t want to exclude files without the hash. So, I removed these lines:
I uploaded the file to GitHub. This is the one I am using, and it is working now. It whitelists the DLL and the MSI via File Hash:
There is a BIG caveat though. If you use file hashes in your WDAC configuration, you need to update these file hashes when the file gets updated. I don’t know what the update cadence of this DLL is but it’s currently the only file that needs excluding. (Knocks on wood)
If you have many of these files this is a tedious process. I can keep up with 1 file, let’s hope it doesn’t get more.
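One way to notice when a hash rule has gone stale after an Add-In update, as an added example that is not from the original post: the hypothetical function `Test-WdacHashRuleDrift` compares the Authenticode SHA256 of each DLL and MSI in a folder against the hash-based Allow rules in a policy XML. It assumes the SHA256 reported by `Get-AppLockerFileInformation` is the value stored in the policy's SHA256 hash rule; the policy path in the usage line is a placeholder.

```powershell
# Added example, not the post author's code. Function name is hypothetical.
function Test-WdacHashRuleDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PolicyPath,    # supplemental policy XML
        [Parameter(Mandatory)][string]$ScanLocation   # folder holding the DLL/MSI
    )

    [xml]$policy = Get-Content -LiteralPath $PolicyPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

    # Index every hash-based Allow rule by its hash (bare hex, no 0x prefix).
    $allowed = @{}
    foreach ($rule in $policy.SelectNodes('//si:FileRules/si:Allow[@Hash]', $ns)) {
        $allowed[$rule.GetAttribute('Hash').ToUpperInvariant()] =
            $rule.GetAttribute('FriendlyName')
    }

    Get-ChildItem -Path $ScanLocation -Recurse -File |
        Where-Object { $_.Extension -in '.dll', '.msi' } |
        ForEach-Object {
            # Authenticode hash, not the flat-file hash from Get-FileHash:
            # the two differ for PE files, and only the former is assumed
            # to match the policy's SHA256 rule.
            $info = Get-AppLockerFileInformation -Path $_.FullName
            $hash = ($info.Hash.HashDataString -replace '^0x', '').ToUpperInvariant()

            [pscustomobject]@{
                File        = $_.FullName
                Sha256      = $hash
                InPolicy    = $allowed.ContainsKey($hash)
                MatchedRule = $allowed[$hash]
            }
        }
}

# Usage: list files that no longer match any hash rule.
# '<SupplementalPolicy>.xml' is a placeholder; C:\Temp is the scan location from the post.
Test-WdacHashRuleDrift -PolicyPath '<SupplementalPolicy>.xml' -ScanLocation 'C:\Temp' |
    Where-Object { -not $_.InPolicy }
```

Running this against a freshly extracted copy of the Add-In installer before rolling out an update shows whether the supplemental policy needs regenerating.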