Signing an audit App Control for Business (WDAC) Policy Doesn't Log Events?

Anonymous
2024-11-07T23:13:12+00:00

Edit: Somehow UMCI got unchecked, it was always checked on that policy until recently. That was the cause of the problem.

Hello,

We have several App Control for Business policies deployed on our fleet of machines, several of them are signed and enforced.

We had one policy in audit mode (unsigned), and the Code Integrity logs for this policy came in just fine. No issues for months.

We decided to sign it and leave it in audit mode -- however, signing the audit policy caused events to not be logged anymore.

    We've verified that the policy is "signed", "authorized", and "enforced" using the CiTool.

Can someone confirm that signed, audit, app control policies should be logging things?

Thanks!

Accepted answer
  1. Anonymous
    2024-11-15T20:37:08+00:00

    Somehow, UMCI got unchecked within the last month or so.

    That was the cause of the problem.

    Sorry @Daisy Zhou123 for wasting your time.

    2 people found this answer helpful.

12 additional answers

Sort by: Most helpful
  1. Anonymous
    2024-11-08T10:53:46+00:00

    Hello The Cyber Warden,

    Thank you for posting in Microsoft Community forum.

    From the description above, I understand your question is related to Microsoft Intune.

    Since there are no engineers dedicated to Intune in this forum, in order to get a quick and effective handling of your issue, I recommend that you repost your question in the Q&A forum, where there will be a dedicated engineer to give you a professional and effective reply.

    Here is the link for Q&A forum.
    Questions - Microsoft Q&A

    Click the "Ask a Question" button in the upper right corner to post your question, type the "Intune" tag, and select any tags related to your products.

    Manage approved apps for Windows devices with App Control for Business policy and Managed Installers in Microsoft Intune | Microsoft Learn

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  2. Anonymous
    2024-11-08T15:56:12+00:00

    @Daisy Zhou123 we're not actually using Intune to deploy our WDAC policies, does that make a difference?

    1 person found this answer helpful.
  3. Anonymous
    2024-11-10T02:13:55+00:00

    Hello

    Good day!

    I am sorry, how and where did you deploy WDAC policies?

    Did you deploy WDAC policies on domain controller in the domain? If so, how did you deploy it?

    Best Regards,
    Daisy Zhou

  4. Anonymous
    2024-11-12T17:47:01+00:00

    We are deploying WDAC policies via script on each individual workstation.

    https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script

    For Windows 11 workstations 22H2 and up, we are using the CiTool to deploy them, but for older versions (most of our Windows 10 workstations), we are mounting the EFI partition and copying the signed policy into the EFI partition.

    We have an extra step to verify that the signature of the signed policy is valid. We also exported the certificate from a signed policy to check that the certificate is valid.

    The policy options in our signed, base policy are:

    • <Option>Enabled:Advanced Boot Options Menu</Option>
    • <Option>Enabled:Update Policy No Reboot</Option>
    • <Option>Disabled:Script Enforcement</Option>
    • <Option>Enabled:Audit Mode</Option>
    • <Option>Enabled:Boot Audit On Failure</Option>
    • <Option>Required:Enforce Store Applications</Option>
    • <Option>Enabled:Allow Supplemental Policies</Option>

    We also have a signed supplemental policy of this base policy in the EFI partition on our workstations.

    We set up a syslog server to receive forwarded events, and can verify that:

    1. We are receiving events for our signed, enforced policies just fine.
    2. Audit, unsigned policies are also reporting code integrity events just fine.
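A quick way to catch the misconfiguration the accepted answer describes (a policy that lost `Enabled:UMCI`, so user-mode code is never evaluated and no user-mode audit events appear) is to check the rule options in the policy XML and then count Code Integrity audit events. This script is an added illustration, not something posted in the thread; the policy path and the field names read from CiTool's JSON output are assumptions.

```powershell
# Added example (not from the thread). Checks a WDAC / App Control policy XML for
# the options an audit-mode, user-mode policy needs, lists active policies the way
# the thread did with CiTool, and counts Code Integrity audit events.
param(
    [string]$PolicyXml = 'C:\WDAC\BasePolicy.xml'   # assumption: path to your policy XML
)

# Rule options expected on the thread's signed audit policy.
$Required = @(
    'Enabled:UMCI',        # without this only kernel-mode code is evaluated, so no user-mode events
    'Enabled:Audit Mode'   # log instead of block; events land as 3076 rather than 3077
)

[xml]$doc = Get-Content -LiteralPath $PolicyXml
$present = @($doc.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })

# Option numbers for Set-RuleOption: 0 = Enabled:UMCI, 3 = Enabled:Audit Mode
$optionIds = @{ 'Enabled:UMCI' = 0; 'Enabled:Audit Mode' = 3 }
foreach ($opt in $Required) {
    if ($present -contains $opt) {
        Write-Host "OK       $opt"
    } else {
        Write-Warning ("MISSING  {0}  (re-add with: Set-RuleOption -FilePath '{1}' -Option {2}, " +
                       "then rebuild, re-sign and redeploy the policy)") -f $opt, $PolicyXml, $optionIds[$opt]
    }
}

# Active policies as CiTool reports them (Windows 11 22H2 and later).
# Field names below are assumptions about CiTool's JSON output.
$policies = (citool --list-policies --json | ConvertFrom-Json).Policies
$policies | Select-Object PolicyID, FriendlyName, IsSignedPolicy, IsEnforced, IsAuthorized | Format-Table

# 3076 = audit-mode "would have blocked", 3077 = enforced block. A working signed
# audit policy with UMCI on produces 3076 entries for user-mode code.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue)
$audit    = @($events | Where-Object Id -eq 3076).Count
$enforced = @($events | Where-Object Id -eq 3077).Count
"Last 24h: audit events (3076) = $audit; enforced blocks (3077) = $enforced"
```

Zero 3076 events on a machine that runs unsigned user-mode binaries, with the XML missing `Enabled:UMCI`, points at the same cause the thread ended on rather than at policy signing.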