IT Diary (Sept 2022)

Intune deployment fails with message that points to C:\Windows\system32\Wldp.dll

I have seen some Intune deployments that use PowerShell failing after the installation of KB5017022 (Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2, Windows 10 Version 21H1, and Windows 10 Version 21H2). In the Event Log, you find the error below under Application.

Faulting application name: powershell.exe, version: 10.0.19041.546, time stamp: 0x30f12f73
Faulting module name: Wldp.dll, version: 10.0.19041.1949, time stamp: 0xc0574ffa
Exception code: 0xc0000409
Fault offset: 0x0000bad4
Faulting process id: 0x3988
Faulting application start time: 0x01d8d1f29b479918
Faulting application path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Faulting module path: C:\Windows\system32\Wldp.dll
Report Id: 6d65fe8e-4512-4a78-81e0-b4aaf883a3ef
Faulting package full name:
Faulting package-relative application ID:

My program call was powershell.exe -executionpolicy bypass install.ps1. The PowerShell script didn’t start.

I changed the program call to C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy Bypass -file .\install.ps1 and the deployments completed successfully again.

I haven’t spent any time investigating the issue in more detail, but it seems that WDAC uses Wldp.dll, thus I wonder if the PowerShell execution has been blocked.
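To check whether a device has logged the Application log error quoted above, the following added example (not part of the original post) searches for powershell.exe crashes in Wldp.dll and reports whether the faulting PowerShell was the 32-bit SysWOW64 copy. It assumes the crash records are Event ID 1000 from the "Application Error" provider, that the event text is in English, and an arbitrary 30-day look-back; run it from 64-bit PowerShell.

```powershell
# Added example, not from the original post.
# Assumptions: Event ID 1000 / provider "Application Error", English event
# text, 30-day look-back window.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-30)
}

# Get-WinEvent raises an error when nothing matches, so silence that case.
$crashes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'Faulting application name:\s*powershell\.exe' -and
        $_.Message -match 'Faulting module name:\s*Wldp\.dll'
    }

$report = foreach ($e in $crashes) {
    # Extract the fields that appear in the event text shown in the post.
    $appPath = if ($e.Message -match 'Faulting application path:\s*(.+)') {
        $Matches[1].Trim()
    }
    $code = if ($e.Message -match 'Exception code:\s*(0x[0-9a-fA-F]+)') {
        $Matches[1]
    }
    [pscustomobject]@{
        TimeCreated   = $e.TimeCreated
        Computer      = $e.MachineName
        ExceptionCode = $code
        AppPath       = $appPath
        # True when the crashing PowerShell was the 32-bit copy
        Is32BitHost   = [bool]($appPath -like '*\SysWOW64\*')
    }
}

if ($report) {
    $report | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
    Write-Output ("{0} powershell.exe crash(es) in Wldp.dll found." -f @($report).Count)
} else {
    Write-Output 'No powershell.exe crashes in Wldp.dll in the last 30 days.'
}
```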

Links:

COM XSL Transformation: Bypassing Microsoft Application Control Solutions (CVE-2018-8492)

https://bohops.com/2019/01/10/com-xsl-transformation-bypassing-microsoft-application-control-solutions-cve-2018-8492/