Adding an Exception to Exploit Protection Control Flow Guard in Windows 2019

This topic describes how to add an exception to Control flow guard (CFG) to prevent the BigFix Compliance and Inventory services from crashing.

About this task

By default, CFG for the BigFix Compliance and Inventory javaw.exe file is set to Use default (On) when you update BigFix servers to Windows 2019. When CFG is set to On by default and Security Assertion Markup Language (SAML) is enabled, the first authentication to ADFS or SSO causes the BigFix Compliance and Inventory services to crash. No error logs related to the crash are recorded in the tema.log file. To prevent this, you must add a custom setting for javaw.exe.

Note: CFG is set to On by default, which results in the BigFix Compliance and Inventory services crashing.

Procedure

Perform the following steps to turn off the CFG:
  1. Go to Settings > Update & security > Windows security > App & browser control and click Exploit protection settings.

  2. Click Program settings.

  3. In the Program settings tab, navigate to javaw.exe and from the drop-down click Edit.
    Note: By default, the javaw.exe file is located in the <SCA>\jre\bin\ folder.


  4. In Control flow guard (CFG) settings, check Override system settings and set the toggle switch to Off.
  5. Click Apply.

    Important: Restart the BigFix Compliance service to implement the changes.
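
The same procedure can be scripted with the Windows `ProcessMitigations` PowerShell module. This is an added example, not part of the BigFix documentation. The `$Target` and `$ServiceName` parameters are assumptions: the service name is site-specific and is left for you to supply.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ProcessMitigations
param(
    # Program entry to edit. 'javaw.exe' matches the entry named in the steps above.
    # Passing the full path (<SCA>\jre\bin\javaw.exe with <SCA> resolved) limits the
    # exception to the BigFix copy instead of every javaw.exe on the server.
    [string]$Target = 'javaw.exe',

    # Assumption: the service name is not given on this page; find it with Get-Service.
    [string]$ServiceName
)

# Record the current per-program CFG state so the change can be audited.
$entry  = Get-ProcessMitigation -Name $Target
$before = if ($entry) { "$($entry.CFG.Enable)" } else { 'no entry' }
Write-Output "CFG for '$Target' before change: $before"

# Equivalent of steps 4 and 5: override the system setting and turn CFG off
# for this program only. System-wide CFG is left untouched.
Set-ProcessMitigation -Name $Target -Disable CFG

# Confirm the override was stored before touching the service.
$after = "$((Get-ProcessMitigation -Name $Target).CFG.Enable)"
if ($after -ne 'OFF') {
    throw "CFG override for '$Target' was not applied (current value: $after)."
}
Write-Output "CFG for '$Target' after change: $after"

# The setting applies to newly started processes, so restart the service.
if ($ServiceName) {
    Restart-Service -Name $ServiceName
    Write-Output "Restarted service '$ServiceName'."
} else {
    Write-Warning 'No service name given. Restart the BigFix Compliance service manually.'
}
```

Running `Get-ProcessMitigation -Name javaw.exe` afterwards shows every mitigation override stored for the entry, which is useful when reviewing exceptions during a hardening audit.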