Windows Server 2022 WDAC Dynamic Code Security

MikeCTechDude 11 Reputation points
2022-06-19T06:55:05.87+00:00

It appears that when Dynamic Code Security is enabled in your CI Policies, there are no indications that an application was blocked due to this. The CodeIntegrity/Operational log has no errors indicating that this block took place.

You can test this out with NordVPN with its nordvpn-service and NordSec Update Service. Neither of these services starts with WDAC in Enforcement mode with Dynamic Code Security enabled. And there are no indications anywhere that they're not starting due to that issue.

Windows Server

2 answers

  1. 2022-06-20T15:26:05.137+00:00

    SQL Server dedicated administrator connection DAC


  2. Limitless Technology 39,336 Reputation points
    2022-06-21T07:33:01.117+00:00

    Hi there,

    I suppose these events can be captured by using audit events to create WDAC policy rules.

    https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies

    A Windows Defender Application Control policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:

    Events about Application Control policy activation and the control of executables, dlls, and drivers appear in Applications and Services logs > Microsoft > Windows > CodeIntegrity > Operational

    Events about the control of MSI installers, scripts, and COM objects appear in Applications and Services logs > Microsoft > Windows > AppLocker > MSI and Script

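One way to check both logs named in the answer above around the moment a service failed to start, as an added example that is not part of the thread. The one-hour look-back, the 30-second correlation window and the use of Service Control Manager events 7000, 7009 and 7034 as the failure signal are assumptions of this example.

```powershell
# Added example: correlate service start failures with WDAC events in both logs.
# Assumptions: run elevated on the affected server; the look-back period and the
# correlation window below are arbitrary choices, not values from the thread.
$since  = (Get-Date).AddHours(-1)
$window = [TimeSpan]::FromSeconds(30)

# The two channels named in the answer above.
$wdacLogs = 'Microsoft-Windows-CodeIntegrity/Operational',
            'Microsoft-Windows-AppLocker/MSI and Script'

# Service Control Manager writes failed service starts to the System log
# (7000 = failed to start, 7009 = start timeout, 7034 = terminated unexpectedly).
$failures = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009, 7034
    StartTime    = $since
} -ErrorAction SilentlyContinue)

# Take every event from both WDAC channels in the same period, whatever its ID,
# so that nothing is hidden by filtering on a fixed list of event IDs.
$wdacEvents = @(foreach ($log in $wdacLogs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } `
        -ErrorAction SilentlyContinue
})

# One row per service failure, with the WDAC events logged close to it in time.
foreach ($f in $failures) {
    $near = @($wdacEvents | Where-Object {
        [math]::Abs(($_.TimeCreated - $f.TimeCreated).TotalSeconds) -le $window.TotalSeconds
    })
    [pscustomobject]@{
        FailureTime = $f.TimeCreated
        ScmEventId  = $f.Id
        ScmMessage  = ($f.Message -split "`r?`n")[0]
        WdacEvents  = $near.Count
        WdacIds     = ($near.Id | Sort-Object -Unique) -join ','
    }
}
```

A failure row with `WdacEvents` equal to 0 is the situation the question describes: the service did not start and neither channel recorded anything near that time.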