Wireless Display (Casting) issues for Windows 10 and 11 devices using Microsoft Intune MDM
MDM Managed Devices that aren't specifically blocked from casting, but encounter the abyss of the black screen.
Introduction and background
I’ve recently been working with a slew of security tools hosted and managed by Microsoft (I know, many have, for many years), but with Microsoft’s rapidly evolving cloud-based security management tools things aren’t always what they seem.
Let’s start with the basics: if you’re NOT using Microsoft Intune, Defender or MDM and you’re simply having issues with your personal device, check your network discovery options and your Defender / firewall options to ensure that Wireless Display is allowed. If you’re working with professionally managed / enrolled devices on a tenant / domain, this is where this article will help.
By default everything seemed fine: our firewall reported that Wireless Display was enabled both inbound and outbound, and that network discovery for private networks was allowed. Yet even with these settings, when someone attempted to connect to a wireless display the connection would inevitably time out.
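Before changing policy it helps to see what the device itself thinks. The following PowerShell is an added diagnostic example (not part of the original article) to run from an elevated prompt on an affected device. It shows which firewall profile each connected adapter is on, lists the Windows built-in "Wireless Display" rules, lists every firewall rule whose program is WUDFHost.exe regardless of who delivered it, and then checks whether an enabled inbound Allow rule for WUDFHost.exe actually covers each profile the device is currently connected on. The group name 'Wireless Display' is the Windows built-in one; the script tolerates its absence.

```powershell
# Added diagnostic example (not from the original article). Run from an
# elevated PowerShell prompt on an affected device.

# (1) Connected adapters and the profile Windows assigned them. A rule scoped to
#     Domain/Private is inert on a network Windows has classified as Public.
$profiles = Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# (2) Built-in 'Wireless Display' rules with their program, ports and scope.
#     These are what "Wireless Display is enabled in the firewall" refers to.
$builtIn = Get-NetFirewallRule -DisplayGroup 'Wireless Display' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Enabled   = $_.Enabled
            Direction = $_.Direction
            Action    = $_.Action
            Profile   = $_.Profile
            Program   = $app.Program
            Protocol  = $port.Protocol
            LocalPort = (@($port.LocalPort) -join ',')
            Source    = $_.PolicyStoreSourceType   # Local, GroupPolicy, ...
        }
    }

# (3) Every rule, whatever delivered it, whose program is WUDFHost.exe.
#     Application filters store the path as %SystemRoot%\system32\WUDFHost.exe.
$wudfRules = Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -and $_.Program -like '*\WUDFHost.exe' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action, Profile, PolicyStoreSourceType

# (4) Coverage check. NetworkCategory reports 'DomainAuthenticated' where the
#     firewall profile is called 'Domain', so normalise before comparing.
$coverage = foreach ($cat in ($profiles.NetworkCategory | Sort-Object -Unique)) {
    $fwProfile = if ("$cat" -eq 'DomainAuthenticated') { 'Domain' } else { "$cat" }
    $match = $wudfRules | Where-Object {
        "$($_.Enabled)" -eq 'True' -and "$($_.Direction)" -eq 'Inbound' -and
        "$($_.Action)" -eq 'Allow' -and
        ("$($_.Profile)" -eq 'Any' -or ("$($_.Profile)" -split ',\s*') -contains $fwProfile)
    }
    [pscustomobject]@{
        NetworkCategory         = $cat
        FirewallProfile         = $fwProfile
        InboundAllowForWUDFHost = [bool]$match
    }
}

'== Connected adapters =='                 ; $profiles  | Format-Table -AutoSize
"== Built-in 'Wireless Display' rules ==" ; $builtIn   | Format-Table -AutoSize
'== Rules scoped to WUDFHost.exe =='       ; $wudfRules | Format-Table -AutoSize
'== Coverage check =='                     ; $coverage  | Format-Table -AutoSize
```

If the coverage check shows InboundAllowForWUDFHost as False for the profile the device is actually on, the "Wireless Display is enabled" checkbox is not telling you the whole story: either the built-in rules are disabled or overridden by policy, or the adapter is on a profile the rules don't cover. That is the situation the rest of this article addresses.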
Before we get to how to overcome it, let’s briefly review what WUDFHost is…
What is WUDFHost.exe?
WUDFHost.exe is related to the Windows User-Mode Driver Framework Host.
The driver host process (Wudfhost.exe) is a child process of the driver manager service. Wudfhost.exe usually runs in the LocalService account, which has minimum privileges on the local computer. An instance of Wudfhost.exe loads one or more UMDF driver DLLs, in addition to the framework DLLs. The driver host process provides a runtime environment that handles interprocess communication (IPC) between the driver manager and the reflector, as well as I/O dispatching, driver loading, driver layering, and thread pool management.
WUDFHost.exe is critical to how Windows communicates with hardware devices, and it loads UMDF drivers automatically. You can find it in C:\Windows\System32 or (if you like environment variables) %systemroot%\system32.
The User-Mode Driver Framework is a set of tools and libraries that lets driver developers write Windows drivers that run in user mode instead of the kernel, so a misbehaving driver takes down only its host process rather than the whole system. It is essential to the overall stability of the system. Wireless Display (Miracast) is implemented through UMDF drivers, which is why its network traffic belongs to WUDFHost.exe and why Windows’ own built-in "Wireless Display" firewall rules, and the rule we add below, target that executable rather than a "Miracast" app.
I know what you’re thinking if you’ve made it this far: enough already, how do we use this with Microsoft Intune MDM to remedy the issue? For us it was this…
Allow WUDFHost using a Microsoft Intune Endpoint protection profile (Microsoft Defender Firewall, Firewall Rules)
You’re going to want to log into the Microsoft Endpoint Manager admin center via https://endpoint.microsoft.com (this now redirects to the Microsoft Intune admin center) and click on Devices → Windows.
From here, click on Configuration profiles.
Once in Configuration profiles, click “Create profile”.
This is where you can get lost if you’re uncertain what you’re doing, so we’ll try to simplify it using the most recent screenshots we had taken at the time of writing. Select the following options:
Platform: “Windows 10 and later”
Profile type: “Templates”
Template name: “Endpoint protection”
see screenshot below.
Give your profile an identifiable name and description, and click Next.
Once you’re in Configuration settings, expand the “Microsoft Defender Firewall” subsection. We won’t change any of these settings here (your configuration may differ); we’re simply adding a rule for WUDFHost. Scroll down to the Firewall Rules section and click “Add”.
Once you click “Add” this is what the UI looks like (again, at the time of writing). In this screen, give the rule a name and a description and use the following settings (your settings may vary depending on your organization and baseline):
General Settings:
Name: «a descriptive name»
Description: «something that helps identify why this rule exists»
Direction: Inbound
Action: Allow
Network Type: (yours may vary) “Domain, Private” (leave Public unchecked: this rule opens an inbound path to a system process, and you don’t want that on untrusted networks)
Application Settings:
Application(s): “File Path”
File Path: “%systemroot%\system32\WUDFHost.exe”
IP Address Settings:
Local Addresses: Any
Remote Addresses: Any
Port and Protocol Settings:
Protocol: Any
Advanced Configuration
Interface Types: (again, yours may vary) “Remote Access, Wireless, Local area network”
Authorized Users: (we left this blank, but if you want to restrict the rule beyond profile assignment, you can do so here)
After that, hit “Save”. You’ll still be on the Configuration settings screen, but your firewall rule is now listed. You can edit or delete this rule at any time.
Click “Next” to go to the Assignments tab, where you can assign this profile to specific users or devices; we applied it to all devices by clicking “Add all devices”.
Hit Next again to reach Applicability rules, where you can apply conditional logic to the profile, target a specific OS edition or version, etc. If you don’t need that, just click Next.
From here you’re ready to go: click “Create” and the profile will be synchronized to your devices.
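Before pushing a firewall change to every device in the tenant it is worth proving the rule on one test machine. The following PowerShell is an added example (not from the original article, and not how Intune itself delivers the rule): it creates a local Windows Defender Firewall rule with the same settings as the Intune rule above, so you can confirm casting works on that device before the profile goes out, and removes it again with -RollBack once the Intune-delivered rule has arrived. The rule name, description and the -RollBack switch are this example’s own choices; each Intune field is mapped to its New-NetFirewallRule parameter in the comments. Run it elevated.

```powershell
# Added example: local equivalent of the Intune "Endpoint protection" firewall
# rule, for validating on ONE test device. Not from the original article.
[CmdletBinding()]
param(
    [switch]$RollBack    # remove the test rule once Intune delivers the real one
)

$RuleName = 'Wireless Display - WUDFHost inbound (local test)'   # example name
$WudfHost = Join-Path $env:SystemRoot 'System32\WUDFHost.exe'

if (-not (Test-Path $WudfHost)) {
    throw "WUDFHost.exe not found at $WudfHost"
}

if ($RollBack) {
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    "Removed '$RuleName' (if it existed)."
    return
}

# Intune UI field                     -> New-NetFirewallRule parameter
# Direction: Inbound                  -> -Direction Inbound
# Action: Allow                       -> -Action Allow
# Network Type: Domain, Private       -> -Profile Domain,Private   (NOT Public)
# File Path: %systemroot%\system32\.. -> -Program (expanded path)
# Local / Remote Addresses: Any       -> -LocalAddress Any / -RemoteAddress Any
# Protocol: Any                       -> -Protocol Any
# Interface Types: all three          -> -InterfaceType Any
$params = @{
    DisplayName   = $RuleName
    Description   = 'Allows inbound Wireless Display (Miracast) traffic to the UMDF host. Mirrors the Intune Endpoint protection rule.'
    Direction     = 'Inbound'
    Action        = 'Allow'
    Profile       = 'Domain,Private'
    Program       = $WudfHost
    LocalAddress  = 'Any'
    RemoteAddress = 'Any'
    Protocol      = 'Any'
    InterfaceType = 'Any'
    Enabled       = 'True'
}

# Idempotent: re-running the script replaces rather than duplicates the rule.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

$rule = New-NetFirewallRule @params

# Show what was actually written, including the program path and profile scope.
$rule | Select-Object DisplayName, Enabled, Direction, Action, Profile | Format-List
$rule | Get-NetFirewallApplicationFilter | Select-Object Program | Format-List
```

Two caveats worth keeping in mind. First, Protocol: Any with Remote Addresses: Any is broader than Windows’ own built-in "Wireless Display" rules, which are scoped to specific ports; once you have confirmed casting works, consider tightening the Intune rule to the same ports (Get-NetFirewallRule -DisplayGroup 'Wireless Display' | Get-NetFirewallPortFilter shows them on any Windows 10/11 device). Second, the rule only applies on the profiles you selected, so a laptop whose Wi-Fi Windows has classified as Public will still time out; Get-NetConnectionProfile tells you which profile a device is actually on.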
TIP: the default policy refresh interval for Intune on already-enrolled Windows devices is about 8 hours, so if you’d like to push this sooner than the next scheduled check-in you can trigger a sync from the device’s page in the Intune admin center, or have users sync themselves via the Company Portal app (or Settings → Accounts → Access work or school → Info → Sync).
Summary
Microsoft Intune, Defender, Endpoint Manager, Purview, Compliance and Entra are all amazing cloud-based device management, governance and tracking tools, but they can get wild. We hope this helps.