WDAC Managed Installer and AppLocker Audit logs

Hello, I am looking to deploy WDAC to Intune-managed Windows 11 devices.

In testing, I have followed guidance (link below) to create the required supporting AppLocker ManagedInstaller rule:

Allow apps deployed with a WDAC managed installer (Windows) | Microsoft Learn

In testing, whilst this appears to work (in that an app deployed by Intune is allowed, but the same app installed locally by an admin is not), I have noticed that the configuration results in an excessive amount of logging to the AppLocker Microsoft-Windows-AppLocker/EXE and DLL log, i.e. an 8003 audit event for pretty much every DLL execution:

[Screenshot: dllevents.JPG]

Does anyone know if this is expected?

Seems an obvious question, as I see how the configuration of the AppLocker ManagedInstaller rule collection in audit mode could cause this:

[Screenshot: pce_1-1682701526993.png]

Just looking for some clarification that this is expected, as I had not anticipated the use of this (WDAC) option to result in such aggressive logging by AppLocker (which I am otherwise not looking to use)?

I have seen no mention of this in the documentation, so I guess it is either deemed obvious (which one could argue is the case!) or I have misconfigured something?

Does anyone else have this configured and, if so, do you see the same?

Many thanks,

Phil

0 Replies