Forum Discussion
pce
Apr 28, 2023 | Copper Contributor
WDAC Managed Installer and Applocker Audit logs
Hello, I am looking to deploy WDAC to Intune managed Windows 11 devices.
In testing I have followed guidance (link below) to create the required supporting Applocker ManagedInstaller rule:
Allow apps deployed with a WDAC managed installer (Windows) | Microsoft Learn
In testing, whilst this appears to work (in that an app deployed by Intune is allowed, but the same app installed locally by an admin is not), I have noticed that the configuration results in an excessive amount of logging to the Applocker Microsoft-Windows-AppLocker/EXE and DLL log, i.e. an 8003 audit event for pretty much every DLL execution:
Does anyone know if this is expected?
Seems an obvious question as I see how the configuration of the Applocker ManagedInstaller rule collection in audit mode could cause this:
Just looking for some clarification that this is expected, as I had not anticipated the use of this (WDAC) option to result in such aggressive logging by Applocker (which I am otherwise not looking to use)?
I have seen no mention of this in the documentation, so I guess it is either deemed obvious (which one could argue is the case!) or I have misconfigured something?
Does anyone else have this configured and if so, do you see the same?
Many thanks,
Phil
Just stumbled across this while searching for some WDAC details.
Yes, this is to be expected.
You can safely ignore the Warnings in Applocker Exe And DLL if you only use WDAC and do not have any actual Applocker Exe rules in place.
Figured I'd still respond for anyone visiting this page later.
Kim