The behavior is consistent with application control or security policies blocking bash.exe/wsl.exe and similar tools when they run from user-writable locations such as C:\Users\<user>\scoop\apps\git\current\....
App Control for Business and related controls often treat these binaries as high-risk “living off the land” tools because attackers can use them to bypass allow policies. bash.exe, wsl.exe, wslconfig.exe, and wslhost.exe are explicitly called out as binaries that should be blocked unless there is a specific business need.
To allow Git Bash from Scoop while keeping protection in place, use one of these approaches (depending on how application control is configured in Intune):
- Identify which control is blocking execution
  - Check the device’s security logs (Microsoft Defender, App Control, or other endpoint protection) for events around the time the permission denied / exit code 126 occurs.
  - Look specifically for blocks on:
    - bash.exe
    - wsl.exe
    - wslhost.exe
    - wslconfig.exe
  - Confirm whether the block is coming from:
    - App Control for Business / WDAC policy
    - Another application control product
- Adjust App Control / WDAC policy
  If App Control for Business (or WDAC) is in use:
  - Review the policy for explicit blocks on the following executables:
    - bash.exe
    - wsl.exe
    - wslconfig.exe
    - wslhost.exe
  - These are on Microsoft’s recommended block list for bypassing App Control. To allow Git Bash:
    - Create a separate, tightly scoped allow rule for the specific Git Bash binaries under the Scoop path (for example, by file hash or signer), rather than globally unblocking all bash.exe/wsl.exe instances.
    - Ensure the policy still blocks other high-risk tools that are not required in the environment.
- Prefer installing Git Bash in a trusted path
  - Since Git Bash works from C:\Program Files, consider standardizing on that installation path for managed devices, as it is typically treated as a trusted, admin-only location.
  - User-writable locations (like Scoop under the profile) are more likely to be restricted by application control policies.
- Validate after policy change
  - After updating the policy and syncing via Intune, test launching Git Bash from the Scoop path again.
  - Re-check security logs to confirm that the previous block events no longer occur and that only the intended binaries are allowed.
If the environment uses WSL-based Git Bash or WSL tools, also ensure that any group policy or Store-based WSL restrictions are aligned with the need to run bash.exe/wsl.exe from the chosen locations.
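As an added example (not part of the answer above, and not Microsoft's own guidance), the following PowerShell shows the two steps the answer describes: reading the Code Integrity and AppLocker event logs for blocks on the listed binaries, then building a narrowly scoped WDAC allow rule for only the Scoop copies of bash.exe. It assumes an elevated session, the built-in ConfigCI module, and placeholder paths for the Scoop install and the existing base policy XML.

```powershell
# Added example, not from the original answer. Assumes the built-in ConfigCI module,
# an existing base policy XML (placeholder path below), and Git installed via Scoop.
$ScoopGit = Join-Path $env:USERPROFILE 'scoop\apps\git\current'   # placeholder Scoop path
$Since    = (Get-Date).AddHours(-2)
$Pattern  = ('bash.exe','wsl.exe','wslhost.exe','wslconfig.exe' |
             ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. App Control for Business / WDAC: 3077 = enforced block, 3076 = audit "would block".
$ci = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $Since
      } -ErrorAction SilentlyContinue | Where-Object Message -match $Pattern

# 2. AppLocker: 8004 = blocked, 8003 = audit-only.
$al = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004; StartTime = $Since
      } -ErrorAction SilentlyContinue | Where-Object Message -match $Pattern

# Show which control produced the block (ProviderName) and the exact file it hit.
@($ci) + @($al) | Where-Object { $null -ne $_ } | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-List

# 3. If WDAC is the source, allow only the Scoop Git copies of bash.exe (Git for Windows
#    ships one under bin\ and one under usr\bin\). A Publisher rule survives upgrades;
#    the Hash fallback covers files that are not Authenticode-signed.
$BasePolicy = 'C:\Policies\BasePolicy.xml'     # placeholder: your existing policy XML
$Rules = foreach ($rel in 'bin\bash.exe', 'usr\bin\bash.exe') {
    $path = Join-Path $ScoopGit $rel
    if (Test-Path $path) {
        New-CIPolicyRule -Level Publisher -Fallback Hash -DriverFilePath $path
    }
}
if ($Rules) {
    Merge-CIPolicy -PolicyPaths $BasePolicy -Rules $Rules `
                   -OutputFilePath 'C:\Policies\BasePolicy-GitBash.xml'
    # Convert the merged XML with ConvertFrom-CIPolicy and deploy it through Intune;
    # the existing deny rules for wsl.exe, wslhost.exe and wslconfig.exe stay in place.
}
```

After the policy syncs, re-run the log query: the 3077/8004 events for the Scoop bash.exe should stop while blocks on the other binaries continue to appear.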