KB5079473 has a note that this is resolved.
KB5077181 COM Object Registration failure (WDAC)
KB5077181 adds a new in-built WDAC policy, which is not documented: {60FD87F8-4593-44A0-91B0-2E0DA022F248}.cip
    Policy:
        Policy ID: 60fd87f8-4593-44a0-91b0-2e0da022f248
        Base Policy ID: 60fd87f8-4593-44a0-91b0-2e0da022f248
        Friendly Name: Microsoft Windows Endpoint Security Policy
        Version: 10.0.29482.0
        Platform Policy: true
        Policy is Signed: true
        Has File on Disk: true
        Is Currently Enforced: true
        Is Authorized: true
        Status: 0
If another base policy is defined, with Script Enforcement left enabled (the default), it prevents the registration of COM objects, despite allow rules.
Example allow rule:

    <Setting Provider="AllHostIds" Key="{7a9863e-1a59-56d1-8e7a-00a45671383c}" ValueName="EnterpriseDefinedClsId">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
These allow rules previously worked to allow the COM object to register, with Script Enforcement enabled.
Uninstalling KB5077181 (which removes the new WDAC policy {60FD87F8-4593-44A0-91B0-2E0DA022F248}.cip) allows the COM objects to register.
Please advise new behaviour of WDAC policy and why COM registration allow rules no longer function.
Windows for business | Windows 365 Enterprise
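The following PowerShell is an added example, not code from the original question or from Microsoft. It shows the checks a practitioner would run before filing a report like the one above: enumerate the `EnterpriseDefinedClsId` COM allow rules in an enterprise base policy XML, confirm whether the policy still has Script Enforcement active (rule option 11, `Disabled:Script Enforcement`, absent), parse the text output of `citool.exe --list-policies` to find enforced platform policies, and test whether the KB5077181 policy file is present. The sample policy XML, the sample citool listing and the CLSID/GUIDs in it are constructed; the location of the active policy folder is an assumption.

```powershell
# Added example (not part of the original post). Audits a WDAC base policy for COM
# object allow rules and Script Enforcement, and inspects the citool policy list.
# Assumptions: standard SiPolicy namespace and rule option names; sample inputs
# below are constructed; the Active policy folder path is assumed.

$siNs = 'urn:schemas-microsoft-com:sipolicy'

# Constructed sample base policy: one COM allow rule, Script Enforcement left enabled.
$samplePolicyXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>1.0.0.0</VersionEx>
  <PolicyID>{11111111-2222-3333-4444-555555555555}</PolicyID>
  <BasePolicyID>{11111111-2222-3333-4444-555555555555}</BasePolicyID>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <Settings>
    <Setting Provider="AllHostIds" Key="{7A9863E0-1A59-56D1-8E7A-00A45671383C}" ValueName="EnterpriseDefinedClsId">
      <Value><Boolean>true</Boolean></Value>
    </Setting>
  </Settings>
</SiPolicy>
'@

# Constructed sample of `citool.exe --list-policies` text output (same layout as the question).
$sampleCiToolOutput = @'
Policies:
  Policy:
    Policy ID: 60fd87f8-4593-44a0-91b0-2e0da022f248
    Friendly Name: Microsoft Windows Endpoint Security Policy
    Version: 10.0.29482.0
    Platform Policy: true
    Is Currently Enforced: true
  Policy:
    Policy ID: 11111111-2222-3333-4444-555555555555
    Friendly Name: Contoso Base Policy
    Version: 1.0.0.0
    Platform Policy: false
    Is Currently Enforced: true
'@

function New-SiPolicyNsManager([xml]$Doc) {
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('si', $siNs)
    return $ns
}

function Get-WdacComAllowRule {
    # One object per <Setting ValueName="EnterpriseDefinedClsId"> entry in the policy.
    param([Parameter(Mandatory)][string]$PolicyXml)
    $doc = [xml]$PolicyXml
    $ns  = New-SiPolicyNsManager $doc
    foreach ($node in $doc.SelectNodes('//si:Settings/si:Setting[@ValueName="EnterpriseDefinedClsId"]', $ns)) {
        [pscustomobject]@{
            Provider = $node.GetAttribute('Provider')   # AllHostIds, PowerShell, WSH, IE, VBA or MSI
            Clsid    = $node.GetAttribute('Key')
            Allowed  = ($node.SelectSingleNode('si:Value/si:Boolean', $ns).InnerText -eq 'true')
        }
    }
}

function Test-WdacScriptEnforcement {
    # $true when Script Enforcement is active: rule option 11 ('Disabled:Script Enforcement') is absent.
    param([Parameter(Mandatory)][string]$PolicyXml)
    $doc  = [xml]$PolicyXml
    $ns   = New-SiPolicyNsManager $doc
    $opts = @($doc.SelectNodes('//si:Rules/si:Rule/si:Option', $ns) | ForEach-Object { $_.InnerText })
    return ($opts -notcontains 'Disabled:Script Enforcement')
}

function ConvertFrom-CiToolPolicyList {
    # Parses the "Policy:" / "Key: value" text layout into one object per policy.
    param([Parameter(Mandatory)][string[]]$Lines)
    $policies = @(); $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq 'Policy:') {
            if ($current) { $policies += [pscustomobject]$current }
            $current = [ordered]@{}
            continue
        }
        if ($current -and $line -match '^(?<k>[^:]+):\s*(?<v>.*)$') { $current[$Matches.k.Trim()] = $Matches.v.Trim() }
    }
    if ($current) { $policies += [pscustomobject]$current }
    return $policies
}

# 1. Which CLSIDs does the enterprise policy allow, and is Script Enforcement on?
Get-WdacComAllowRule -PolicyXml $samplePolicyXml | Format-Table
"Script Enforcement active: $(Test-WdacScriptEnforcement -PolicyXml $samplePolicyXml)"

# 2. Which enforced policies are platform (Microsoft-supplied) rather than enterprise policies?
$listing = if (Get-Command citool.exe -ErrorAction SilentlyContinue) { citool.exe --list-policies } else { $sampleCiToolOutput -split "`r?`n" }
ConvertFrom-CiToolPolicyList -Lines $listing |
    Where-Object { $_.'Platform Policy' -eq 'true' -and $_.'Is Currently Enforced' -eq 'true' } |
    Select-Object 'Policy ID', 'Friendly Name', 'Version'

# 3. Is the KB5077181 policy file present? (Active policy folder path is an assumption.)
$cip = "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\{60FD87F8-4593-44A0-91B0-2E0DA022F248}.cip"
"KB5077181 platform policy on disk: $(Test-Path -LiteralPath $cip)"

# To test the hypothesis in the question, add option 11 to a copy of the base policy and redeploy:
#   Set-RuleOption -FilePath .\policy.xml -Option 11          # adds 'Disabled:Script Enforcement'
#   ConvertFrom-CIPolicy -XmlFilePath .\policy.xml -BinaryFilePath .\policy.cip
#   citool.exe --update-policy .\policy.cip
```

Run the script as-is to exercise the parsers on the constructed samples; on a machine with `citool.exe` available, step 2 reads the live policy list instead. Note that the CLSID in the question's own rule is one hex digit short in its first group; the sample here uses a well-formed (made-up) GUID so the rule parses cleanly.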
2 answers
Sort by: Most helpful
Chen Tran 8,220 Reputation points Independent Advisor
2026-02-25T06:52:00.5166667+00:00

Hello King,
Thank you for posting question on Microsoft Windows Forum!
Based on the issue description, I would like to share my thoughts with you about this behavior.
Well! What changed with KB5077181 is that the update installs a new in-built WDAC policy ({60FD87F8-4593-44A0-91B0-2E0DA022F248}.cip) called Microsoft Windows Endpoint Security Policy. This policy is a platform policy, meaning it is enforced at a lower level than enterprise-defined base policies. It is signed, enforced, and authorized by Microsoft, so it takes precedence over custom rules. When Script Enforcement is enabled in another base policy, the new platform policy now blocks COM object registration, even if you have explicit allow rules defined. Previously, those <Setting Provider="AllHostIds" …> rules were sufficient to permit COM registration.
The plausible explanation for why allow rules no longer function is that the new platform policy enforces stricter script and COM registration controls as part of Microsoft's endpoint hardening. Enterprise allow rules are being overridden because the platform policy treats COM registration attempts as script-like behavior, which is denied under Script Enforcement. In effect, the "EnterpriseDefinedClsId" settings are ignored when the platform policy is active, since platform policies are evaluated before enterprise policies.
In short, KB5077181 introduced a signed platform WDAC policy that enforces stricter script/COM registration controls. Because platform policies override enterprise rules, your COM registration allow rules no longer apply when Script Enforcement is enabled.
Hope the above information is helpful! If it helps you get more insight into this behavior, please consider clicking "Accept Answer". Should you have more questions, feel free to leave a message.