TL;DR: Azure Local runs Application Control (WDAC) in enforced mode by default, which blocks non-Microsoft-signed third-party software (RMM, monitoring, backup, and similar agents). Install the software in audit mode, then create and deploy a supplemental policy so it runs under enforcement.
Recommended action:
Check the current policy mode on a node:
Get-AsWdacPolicyMode
Switch the cluster to audit mode (allow 2–3 minutes for the Orchestrator to apply):
Enable-AsWdacPolicy -Mode Audit
Install the software into its own directory on each host (for example, C:\software\codetoscan) and confirm it runs correctly.
Build a supplemental policy scoped to that directory:
New-CIPolicy -MultiplePolicyFormat -Level Publisher -FilePath C:\wdac\Supplemental-policy.xml -UserPEs -Fallback Hash -ScanPath C:\software\codetoscan
Set the policy metadata (name, version, ID):
$policyPath = "C:\wdac\Supplemental-policy.xml"
$policyVersion = "1.0.0.1"
Set-CIPolicyVersion -FilePath $policyPath -Version $policyVersion
Set-CIPolicyIdInfo -FilePath $policyPath -PolicyID "Supplemental-Policy_$policyVersion" -PolicyName "Supplemental-Policy"
Deploy the supplemental policy across the cluster:
Add-ASWDACSupplementalPolicy -Path C:\wdac\Supplemental-policy.xml
Switch back to enforced mode:
Enable-AsWdacPolicy -Mode Enforced
Verify the policy is applied and the software still runs. The new policy appears with MicrosoftProvided : False:
Get-ASLocalWDACPolicyInfo
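The steps above, run end to end from one node as a single PowerShell script. This is an added example, not code from the Microsoft article: it adds a wait loop for the Orchestrator, a smoke test of the installed software in both modes, a count of how many rules fell back to hashes (those break on the vendor's next update), and a check that the supplemental policy is reported before trusting the result. Assumed, and not on the page: that the software is already installed under $ScanPath on every host, that the output of Get-AsWdacPolicyMode renders the mode name as text (adapt Wait-AsWdacMode if it returns numeric codes), that Get-ASLocalWDACPolicyInfo exposes PolicyName and MicrosoftProvided as properties, and the placeholder $SmokeTestExe / $SmokeTestArgs values.

```powershell
# Added example: run the audit -> supplemental policy -> enforced procedure with checks.
param(
    [string]$ScanPath      = 'C:\software\codetoscan',
    [string]$PolicyPath    = 'C:\wdac\Supplemental-policy.xml',
    [string]$PolicyVersion = '1.0.0.1',
    [string]$PolicyName    = 'Supplemental-Policy',
    # Placeholders (assumed): the agent's main binary and an argument that exits quickly.
    [string]$SmokeTestExe  = 'C:\software\codetoscan\agent.exe',
    [string]$SmokeTestArgs = '--version'
)
$ErrorActionPreference = 'Stop'

# Polls the cluster-wide mode until every node reports $Expected and none reports $Other.
# Assumption: the cmdlet output, rendered as text, contains the mode names.
function Wait-AsWdacMode {
    param([string]$Expected, [string]$Other, [int]$TimeoutSec = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $text = (Get-AsWdacPolicyMode | Out-String)
        if ($text -match $Expected -and $text -notmatch $Other) { return }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Cluster did not reach WDAC mode '$Expected' within $TimeoutSec seconds"
}

function Invoke-SmokeTest {
    if (-not (Test-Path $SmokeTestExe)) { throw "Expected binary not found: $SmokeTestExe" }
    $proc = Start-Process -FilePath $SmokeTestExe -ArgumentList $SmokeTestArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "Smoke test of $SmokeTestExe failed with exit code $($proc.ExitCode)" }
}

# 1. Record the starting mode.
Write-Host "Mode before change:`n$(Get-AsWdacPolicyMode | Out-String)"

# 2. Audit mode: untrusted binaries run, would-be denials are only logged.
Enable-AsWdacPolicy -Mode Audit
Wait-AsWdacMode -Expected 'Audit' -Other 'Enforced'

# 3. Prove the software works while nothing can be blocked.
Invoke-SmokeTest

# 4. Build the supplemental policy from the scanned directory and stamp its metadata.
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
New-CIPolicy -MultiplePolicyFormat -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath $ScanPath -FilePath $PolicyPath
Set-CIPolicyVersion -FilePath $PolicyPath -Version $PolicyVersion
Set-CIPolicyIdInfo -FilePath $PolicyPath -PolicyID "${PolicyName}_$PolicyVersion" -PolicyName $PolicyName

# 5. Report how much of the policy is hash-only. Publisher rules survive a vendor
#    update; hash rules do not, so each listed file will need a new policy version.
[xml]$policy = Get-Content -Path $PolicyPath
$hashRules = @($policy.SiPolicy.FileRules.Allow | Where-Object { $_.Hash })
$signers   = @($policy.SiPolicy.Signers.Signer)
Write-Host "Publisher signers: $($signers.Count); hash-only allow rules: $($hashRules.Count)"
$hashRules | ForEach-Object { Write-Host "  hash rule: $($_.FriendlyName)" }

# 6. Deploy cluster-wide, restore enforcement and verify.
Add-ASWDACSupplementalPolicy -Path $PolicyPath
Enable-AsWdacPolicy -Mode Enforced
Wait-AsWdacMode -Expected 'Enforced' -Other 'Audit'

$custom = Get-ASLocalWDACPolicyInfo | Where-Object { -not $_.MicrosoftProvided }
if (-not ($custom | Where-Object { $_.PolicyName -eq $PolicyName })) {
    throw "Supplemental policy '$PolicyName' is not reported by Get-ASLocalWDACPolicyInfo"
}
Invoke-SmokeTest
Write-Host "Supplemental policy '$PolicyName' active and $SmokeTestExe runs under enforcement."
```

Run it once from a node after the software is installed on every host; the install itself is deliberately left out because it is vendor-specific. The hash-rule count in step 5 is the number to watch: a policy that is mostly hash rules will have to be regenerated on every agent update, which is the situation the Going forward section warns about.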
Why:
Application Control uses an allow-list to block any binary that isn't explicitly trusted, so non-Microsoft-signed software is denied under enforcement. Audit mode lets the software install and run for validation, and a supplemental policy adds it to the trusted set so it keeps running once enforcement is restored — without weakening the secure-by-default baseline.
Going forward:
If the software vendor publishes a tested supplemental policy XML, deploy that instead of hand-building one — it is the vendor-supported path. Only the binaries present in the scanned directory at creation time are trusted, so updating or adding files later may require a new supplemental policy version. Re-validate after major OS or solution updates, since policy changes can re-block the software.
Optional details:
Enable-AsWdacPolicy changes all cluster nodes, while Enable-ASLocalWDACPolicy changes only the node on which it is run. When a binary is blocked, Application Control writes a corresponding event you can review to identify exactly what was denied. Leaving WDAC in audit mode is not an acceptable long-term workaround for production, because it removes enforced protection against untrusted code — the supplemental policy is the durable fix.
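A way to review the block events mentioned above, as an added example rather than code from the Microsoft article. It reads the Code Integrity operational log for event ID 3076 (audit mode: the file would have been denied) and 3077 (enforced mode: the file was denied), and groups the results by file so you can see exactly which binaries a supplemental policy must cover, or, after switching back to Enforced, confirm that nothing under the software directory is still being blocked. Assumed and not on the page: the log name, the event IDs, and the regular expressions used to pull the file and process paths out of the message text.

```powershell
# Added example: list Application Control denials (real or audit-only) for a directory.
param(
    [string]$PathFilter = 'codetoscan',   # substring of the directory of interest
    [int]$Hours = 24
)

function Get-WdacDenials {
    param([string]$PathFilter, [int]$Hours)
    # Assumed: 3076 = audit-mode would-block, 3077 = enforced block, both in this log.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: an empty result (no denials) is not an error here.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed message shape: "... a process (<proc>) attempted to load <file> that did not meet ..."
            $file = if ($_.Message -match 'attempted to load (\S+?) that') { $Matches[1] } else { '<unparsed>' }
            $proc = if ($_.Message -match 'process \((\S+?)\) attempted') { $Matches[1] } else { '<unparsed>' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Outcome = if ($_.Id -eq 3077) { 'Blocked' } else { 'AuditOnly' }
                File    = $file
                Process = $proc
            }
        } |
        Where-Object { $_.File -like "*$PathFilter*" }
}

$denials = Get-WdacDenials -PathFilter $PathFilter -Hours $Hours
$denials | Sort-Object Time | Format-Table -AutoSize

# Distinct files are what the supplemental policy has to trust.
$denials | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'File'; Expression = { $_.Name } }
```

Run it on a node with the software installed. Paths in the log use the kernel form (\Device\HarddiskVolumeN\...), which is why the filter matches on a directory-name substring rather than a drive letter. Any Outcome of Blocked after you have returned to Enforced means the supplemental policy is missing that file, typically because it changed after the directory was scanned.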
More information:
For Microsoft's full procedure and cmdlet reference, see Manage Application Control for Azure Local.