Apr 28 2023 07:54 AM - edited Apr 28 2023 10:09 AM
Hello, I am looking to deploy WDAC to Intune managed Windows 11 devices.
In testing I have followed guidance (link below) to create the required supporting AppLocker ManagedInstaller rule:
Allow apps deployed with a WDAC managed installer (Windows) | Microsoft Learn
In testing, whilst this appears to work (in that an app deployed by Intune is allowed, but the same app installed locally by an admin is not), I have noticed that the configuration results in an excessive amount of logging to the AppLocker Microsoft-Windows-AppLocker/EXE and DLL log, i.e. an 8003 audit event for pretty much every DLL execution.
Does anyone know if this is expected?
Seems an obvious question, as I see how the configuration of the AppLocker ManagedInstaller rule collection in audit mode could cause this.
Just looking for some clarification that this is expected, as I had not anticipated the use of this (MDAC) option to result in such aggressive logging by AppLocker (which I am otherwise not looking to use).
I have seen no mention of this in the documentation, so I guess it is either deemed obvious (which one could argue is the case!) or I have misconfigured something?
Does anyone else have this configured and if so, do you see the same?
Many thanks,
Phil