Signing an audit App Control for Business (WDAC) Policy Doesn't Log Events?

Cyber Person Man 10 Reputation points
2024-11-07T21:48:44.5366667+00:00

Hello,
We have several App Control for Business policies deployed on our fleet of machines, several of them are signed and enforced.

We had one policy in audit mode (unsigned), and the Code Integrity logs for this policy came in just fine. No issues for months.
We decided to sign it and leave it in audit mode -- however, signing the audit policy caused events to not be logged anymore.

We've verified that the policy is "signed","authorized", and "enforced" using the CiTool.

Can someone confirm that signed, audit, app control policies should be logging things?
Thanks!

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,954 questions
Windows 11
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
10,146 questions
Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
442 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,301 questions
0 comments No comments
{count} vote

2 answers

Sort by: Most helpful
  1. Cyber Person Man 10 Reputation points
    2024-11-15T20:44:16.0033333+00:00

    I retract this question, the cause of the problem was user error, somehow UMCI got unchecked on the policy.

    1 person found this answer helpful.
    0 comments No comments

  2. Cyber Person Man 10 Reputation points
    2024-11-15T20:43:24.0166667+00:00

    [Deleted ]

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.