While implementing a Windows Defender Application Control (WDAC) audit policy we discovered an interesting quirk in the information logged to the Windows Event Log on Server 2016 that can make investigating and troubleshooting somewhat harder.

WDAC Policy load events

WDAC logs all of its diagnostic information to the Code Integrity log in Windows, and this information is also made available in Sentinel (provided you have Defender and Sentinel configured correctly). One of the useful event log entries is the AppControlCodeIntegrityPolicyLoaded event (Event ID 3099), which indicates that a policy has been loaded onto a device. When monitored via Sentinel, this event can be very useful for tracking the rollout of a WDAC policy across the environment.

A policy load event contains two key pieces of information:

  • PolicyName – which indicates what policy has been loaded (e.g. WindowsDefaultAudit)
  • PolicyID – an identifier that you can update to track the version of a policy, for example with a date stamp.

Server 2016

Unfortunately, it appears that Windows Server 2016 doesn’t honour the Policy Name and Policy ID once the policy is loaded onto the device: in the 3099 event entry both fields are simply populated with the word Default. Given that Windows Server 2016 doesn’t support the WDAC multi-policy format, it’s only possible to have one policy on the device, but this still makes tracking policy versions more challenging, particularly if they are being monitored from Sentinel.
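To see the quirk first-hand on a device, here is an added PowerShell example (not from the original post) that pulls the 3099 events from the Code Integrity log, reads out PolicyName and PolicyID, and flags records where both fields are just "Default", as on Server 2016, so a monitoring rule does not mistake that for a real policy version. The log name and the event data field names (PolicyName, PolicyId) are assumptions; a constructed sample record is included so the parsing part runs without a live log.

```powershell
# Added example, not code from the original post.
# Assumed: 3099 events live in Microsoft-Windows-CodeIntegrity/Operational and carry
# EventData fields named PolicyName and PolicyId (matched case-insensitively).

function ConvertFrom-WdacPolicyLoadEvent {
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        [datetime]$TimeCreated = [datetime]::MinValue
    )
    # Flatten <Data Name="...">value</Data> pairs into a hashtable
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $fields[[string]$d.Name] = [string]$d.'#text'
    }
    $name = ($fields.GetEnumerator() | Where-Object { $_.Key -ieq 'PolicyName' } | Select-Object -First 1).Value
    $id   = ($fields.GetEnumerator() | Where-Object { $_.Key -ieq 'PolicyId' }   | Select-Object -First 1).Value

    [pscustomobject]@{
        TimeCreated = $TimeCreated
        PolicyName  = $name
        PolicyID    = $id
        # Server 2016 writes "Default" into both fields, so the version cannot be read from the event
        VersionTrackable = -not ($name -eq 'Default' -and $id -eq 'Default')
    }
}

function Get-WdacPolicyLoadEvent {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 50)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3099
    } | ForEach-Object {
        ConvertFrom-WdacPolicyLoadEvent -EventXml ([xml]$_.ToXml()) -TimeCreated $_.TimeCreated
    }
}

# Constructed sample shaped like a Server 2016 3099 record (values are made up for the demo)
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3099</EventID></System>
  <EventData>
    <Data Name="PolicyName">Default</Data>
    <Data Name="PolicyId">Default</Data>
  </EventData>
</Event>
'@
ConvertFrom-WdacPolicyLoadEvent -EventXml $sample | Format-List
# On a live box: Get-WdacPolicyLoadEvent | Where-Object { -not $_.VersionTrackable }
```

On a Server 2019 or later host the same functions should return the real PolicyName and PolicyID, which is the quickest way to confirm the behaviour is specific to 2016.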

By Andrew
