WDAC Managed Installer and AppLocker

Phil 96 Reputation points
2023-04-28T10:25:31.8433333+00:00

Hello,

Hoping someone can help clarify something for me.

I am looking to set up WDAC for cloud (AAD/Intune) managed Windows 11 devices and would like to use the 'managed installer' feature to automatically allow applications which are deployed via Intune.

I have been following the MS guidance as set out in the link below to create the required supporting AppLocker policy:

https://free.blessedness.top/en-us/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#create-and-deploy-an-applocker-policy-that-defines-your-managed-installer-rules-and-enables-services-enforcement-for-executables-and-dlls

Whilst this appears to work (I can, for example, install and run a given app from Intune, but not manually), I notice that it results in pretty much every DLL execution being logged with event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log.

This is creating an excessive amount of logging activity and, whilst I can kind of see why, given the AuditOnly setting in the AppLocker policy, I am not convinced it is correct/expected.

[Screenshot: dllevents]

Please could someone clarify?

Is this expected?

Does anyone have WDAC working with the managed installer option and do they see the same?

Put simply, I guess my question is, would using the WDAC with the managed installer option be expected to create excessive logging of DLL audit events in the log?

Many thanks,

Phil
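To quantify what the question describes, here is an added example (my own code, not from the original thread or from Microsoft's guidance) that summarises the 8003 audit events in the AppLocker EXE and DLL log by file type and path, and reports which rule collections the effective AppLocker policy contains. It assumes an elevated PowerShell session on the affected Windows 11 device; the function and parameter names are my own.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell
# session on the affected device. Assumes the log name and event ID given in the
# question; the function and parameter names are assumptions of this example.
function Get-AppLockerAuditSummary {
    param(
        [int]$Hours = 24,   # look-back window
        [int]$Top   = 15    # number of most frequent file paths to list
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003    # "allowed to run, would have been blocked if enforced"
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        return [pscustomobject]@{ Total = 0; Dll = 0; Exe = 0; TopPaths = @() }
    }

    # Read FilePath from each event's XML by element name (namespace-agnostic),
    # so the code does not depend on the positional order of event properties.
    $paths = @(foreach ($e in $events) {
        $node = ([xml]$e.ToXml()).SelectSingleNode('//*[local-name()="FilePath"]')
        if ($node) { $node.InnerText }
    })
    $dll = @($paths | Where-Object { $_ -like '*.DLL' }).Count   # -like is case-insensitive
    $exe = @($paths | Where-Object { $_ -like '*.EXE' }).Count
    $top = $paths | Group-Object | Sort-Object Count -Descending |
           Select-Object -First $Top Count, Name

    # Report the rule collections (Exe, Dll, ManagedInstaller, ...) and their
    # enforcement modes in the effective policy, to confirm the deployed
    # AppLocker policy is the one the WDAC managed installer option relies on.
    $policy = [xml](Get-AppLockerPolicy -Effective -Xml)
    $collections = $policy.AppLockerPolicy.RuleCollection |
        Select-Object Type, EnforcementMode

    [pscustomobject]@{
        Total           = $paths.Count
        Dll             = $dll
        Exe             = $exe
        TopPaths        = $top
        RuleCollections = $collections
    }
}

Get-AppLockerAuditSummary -Hours 24 | Format-List
```

A Dll count that dwarfs the Exe count, together with a Dll collection in AuditOnly mode, matches the volume the question describes and gives a baseline to compare against after any policy change.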


3 answers

  1. Limitless Technology 45,016 Reputation points
    2023-05-02T11:37:54.7866667+00:00

    Hello there,

    This is the default behaviour.

    WDAC logs events when a policy is loaded, when a file is blocked, or when a file would be blocked if in audit mode. These block events include information that identifies the policy and gives more details about the block. WDAC doesn't generate events when a binary is allowed.

    However, you can turn on allow audit events for files authorized by a managed installer or the Intelligent Security Graph (ISG) as described later in this article.

    https://free.blessedness.top/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations

    Hope this resolves your query!


  2. Phil 96 Reputation points
    2023-05-02T18:25:07.5133333+00:00

    @Limitless Technology

    Hi,

    Thank you for your response. No problem with the WDAC logging; however, my query is regarding the AppLocker logs rather than WDAC.

    When I have the managed installer option set in the WDAC policy, with the required AppLocker rule in place (as detailed here), I am seeing every DLL execution logged in the Microsoft-Windows-AppLocker/EXE and DLL log. It is this behaviour on which I am seeking clarification: is it expected?

    Many thanks.


  3. TCG 21 Reputation points
    2023-12-23T06:49:18.53+00:00

    Interested to know if you are still getting these audit logs. I am seeing the same behaviour.
