Application Install Error 0x80070005 – EnforceApp Failed
Today I came across an issue I had not seen before so I thought it would be a good idea to write down some ideas of how to resolve the issue, for when I forget what I did next time it happens!
I was deploying a routine application for our organisation, one I have deployed and updated 10+ times before so I was surprised to see this error when testing the deployment today.
While the error code is quite a general one, it turns out the cause and resolution is anything but generic.
As this application was deployed via ConfigMgr. The first logical step is to check the AppEnforce.log file (located C:\Windows\CCM\Logs) – this is where we pickup the error details shown in the image above.
Diagnose
Now we need to find the cause…and this is what took me a bit of time to work out. Then it clicked, the obvious recent changes relate to Exploit Guard, specifically, its introduction into the test environment.
Now we fire up trusty Event Viewer and navigate to
Applications and Services Logs | Microsoft | Windows | Windows Defender | Operational
In there we find two Warnings with the event ID 1121
Here are the details from the event
Here we have an answer as to why the install is being blocked, its Attack Surface Reduction (ASR).
Fix
I have deployed a Co-Managed environment so this setting is being pulled down from Intune.
You have two choices on how to fix this. You either revert ASR to Audit Only or you create an exception that allows this application to be installed. Your decision here will depend on your internal conversations with you security team.
For the purposes of testing, I switched to Audit Mode. After that, the application installed successfully. This will give you some useful data on possible exceptions for ASR so it can be reapplied and not prevent application updates.
Remember
One thing you need to remember, once you have made a change in Intune, you need to sync your device settings.
You can hurry the process up by going to Settings | Accounts | Access Work or School | Click the connected Domain | Info | Sync
You may experience a delay for your settings to sync, I have seen this take 30 minutes plus, even with hitting the sync button.