WDAC Managed Installer and Applocker Audit logs


Hello, I am looking to deploy WDAC to Intune managed Windows 11 devices.

In testing I have followed guidance (link below) to create the required supporting Applocker ManagedInstaller rule:

Allow apps deployed with a WDAC managed installer (Windows) | Microsoft Learn


In testing, whilst this appears to work (in that an app deployed by Intune is allowed, but the same app installed locally by an admin is not), I have noticed that the configuration results in an excessive amount of logging to the Applocker Microsoft-Windows-AppLocker/EXE and DLL log, i.e. an 8003 audit event for pretty much every DLL execution:





Does anyone know if this is expected?

Seems an obvious question as I see how the configuration of the Applocker ManagedInstaller rule collection in audit mode could cause this:




Just looking for some clarification that this is expected as I had not anticipated the use of this (MDAC) option to result in such aggressive logging by Applocker (which I am otherwise not looking to use)?


I have seen no mention of this in the documentation, so I guess it is either deemed obvious (which one could argue is the case!) or I have misconfigured something?


Does anyone else have this configured and if so, do you see the same?


Many thanks,


