I haven't yet, I am just a little confused how would the policy would look like.

Should I include the full path with the driver letter as well or just:

\Windows\ADDMRemQuery_x86_64_v2.exe 

or \ADDMRemQuery_x86_64_v2.exe 

Skip path components from write protection to remove write protection applied to all files in that path. Also, write denied event is not observed for such paths.

User mode paths and paths with volume name do not work with this command. Text added with this command is treated as complete component. For example, text can start with a forward slash (/) and end with a backward slash (\), dot (.), or null character.

Thanks, will try.

About example number 2?

Hi @thegoodguy 

'Skiplist -d' rules remove file write protection from the designated file so that any process can write to the file, even if they are solidified.  Use this sparingly as needed though; as they are usually not the first choice of applicable config changes.

• If a solidified file is getting "file-write denied", first review the process doing the write to determine if it can be an updater.  In your Example#2, that process is cmd.exe, which would not be a good Updater rule. 
  • If this were through another process, one that could be trusted (according to your own security needs), then add an update rule for that process.  That way the next time that process goes to write to the file, it will be allowed.
    • Giving a process Updater permissions allows it to change any solidified files on the system.  Be aware and careful of which processes you give Updater permissions to.
• If an updater rule is not applicable/recommended, then you can remove write protection from the file, hence the 'skiplist -d' rule.  This will allow any process to write to that specific file, but it will still retain its solidification status.
  • The alternative would be to 'skiplist -s' the file which removes solidification, but that also removes execution permissions from being solidified/whitelisted.  You'd then have to add execution permission back in via another rule, if it does need to execute, which is why the 'skiplist -d' rule might be a better config change.

Hi all, thank you so much for the information and education. I truly appreciate it! 

Let's forget about command line for a second and think about ePO policy (client/extension 8.2.6), how would those 2 examples I gave look like? Should I include the full path including the driver letter, part of the path or just the file starting with a "\"?

\Windows\ADDMRemQuery_x86_64_v2.exe

\OneDriveSetup.exe

Full pathPart of the pathfile only

Hi all,

Any suggestions regarding my last reply? Any help is greatly appreciated.

Thanks!

You would do a partial path. just like the example.