wdac
5 Topics

WDAC Managed Installer and AppLocker Audit logs
Hello, I am looking to deploy WDAC to Intune managed Windows 11 devices. In testing I have followed the guidance (link below) to create the required supporting AppLocker ManagedInstaller rule: Allow apps deployed with a WDAC managed installer (Windows) | Microsoft Learn.

In testing, whilst this appears to work (in that an app deployed by Intune is allowed, but the same app installed locally by an admin is not), I have noticed that the configuration results in an excessive amount of logging to the AppLocker Microsoft-Windows-AppLocker/EXE and DLL log, i.e. an 8003 audit event for pretty much every DLL execution.

Does anyone know if this is expected? It seems an obvious question, as I can see how the configuration of the AppLocker ManagedInstaller rule collection in audit mode could cause this. I am just looking for some clarification that this is expected, as I had not anticipated the use of this (MDAC) option resulting in such aggressive logging by AppLocker (which I am otherwise not looking to use). I have seen no mention of this in the documentation, so I guess it is either deemed obvious (which one could argue is the case!) or I have misconfigured something? Does anyone else have this configured and, if so, do you see the same?

Many thanks, Phil

WDAC allow rule not working for non program or windows directories
I was testing WDAC. I used the App Control Wizard to create a Multiple Policy Format Base Policy. I selected the Default Windows Mode and left all options as default (except I turned off audit mode, as I was just testing it on a test machine). I set up allow rules for the following paths:

- %WINDIR%\*
- %OSDRIVE%\Program Files\*
- %OSDRIVE%\Program Files (x86)\*
- %OSDRIVE%\ProgramData\*
- %OSDRIVE%\Users\*
- %OSDRIVE%\Temp\*

I used CITool to update the policy on a test machine. WDAC worked for the first 4 directories: I can run MS Office and programs that are located in these 4 directories and their subdirectories. However, it did not work for the last 2 directories (c:\Users and c:\Temp). I used the same program that worked in the first 4 directories. The program execution was blocked by WDAC in c:\Temp. It could be run in c:\Users but not in its subdirectories.

I thought WDAC did not perform blocking by default for the first 4 directories, so I removed the allow rules. As soon as I removed the allow rules and updated the policy using CITool, it did block programs running from the 4 directories. I looked at the event log and cannot figure out why the behavior is different between the first 4 directories and the last 2. Appreciate any comment. Thanks

WDAC not applying via Group Policy
Hello and greetings from Portugal! I'm trying to implement WDAC via group policy. I've used the WDAC Wizard, and if I copy the *.cip file to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" I see that WDAC gets enabled, for example using MSInfo32. But I cannot enable WDAC via GPO. I've converted the *.xml to *.bin and enabled the "Deploy Windows Defender Application Control" policy. I see the event ID 7010 "Device Guard successfully processed the Group Policy: Configurable Code Integrity Policy = Enabled", but the thing is MSInfo32 still doesn't show that WDAC is activated. Can someone please help?

WDAC How to allow .tmp.node file by Electron app?
Hi all, I'm facing an issue with a .tmp.node file that is executed by an application called Ledger Live, written with Electron. This application generates a temporary file with a random filename in the user's Temp folder and then executes it. I tried to allow the application's folder (C:\Program Files\Ledger Live\*) and even whitelist *.tmp.node in the WDAC policy XML. But WDAC still blocked this .tmp.node file from executing, as in the screenshot below. Is there a way to allow it to run or skip the Enterprise signing level check? Thanks.

WDAC deployment guidance and questions.
Hi, I am currently working with a client who currently uses AppLocker and will soon be mandated to use WDAC. I am currently setting it up in audit mode in the short term; however, I will be configuring it with the intention of enabling it. I am looking for some assistance with the deployment of WDAC. A few questions I had were:

- Does WDAC use 'allow' and 'deny' rules, or is it just a whitelist or blacklist control?
- AppLocker has rules based on multiple conditions (path, publisher, hash etc.); how would these transfer to WDAC?
- When merging WDAC policies, is there an order of precedence or are they just grouped together (in block/allow)?
- Can AppLocker and WDAC co-exist on the same machine at the same time? If so, can AppLocker allow something WDAC doesn't? Or can AppLocker only block what WDAC has allowed?

Some of the scenarios the client does with AppLocker:

- Certain IT tools are only allowed for an IT AD group.
- C:\Program Files\* is allowed, with exceptions for applications that require users to have modify rights on the directory.
- C:\Windows\* is allowed, with exceptions for dirs/applications that we don't want to run by a standard user (exclusion example: C:\windows\temp).
- App1.exe is hashed and allowed for all users.
- App2.exe is signed and allowed for all users.