Hi All
A client of ours has asked us to implement WDAC for all their devices company-wide. The plan is to deploy this via Intune.
WDAC has been in audit mode for the past month and we have collected the relevant events from Event Viewer that state which executables/MSIs/DLLs have been picked up by WDAC and would have been blocked but were audited instead. These events were pulled from developer devices over the course of a week or so.
Looking into the documentation, the WDAC Wizard creates a base policy, then additions need to be made to this policy based on the log file entries that state execution was blocked but allowed as the policy was in audit mode.
For context, the client needs two different policies.
- One for developers, who need a more lenient policy as they run debuggers/programming scripts that are not installed with Intune
- One for general staff, who don't use fancy software and just whatever is deployed to their device via Intune.
This seems like way too much tedious manual work. For one user, for example, there's something like 500 logs with different MSIs/DLLs and executables being run in the background as part of their day-to-day work.
I mean I could just slog away and create exceptions for all the individual files that got audited, but this seems very ridiculous. Is there any easier way to do this? Surely there is?
How has everyone else done this?
Any push in the right direction would be greatly appreciated
Thanks
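One way to turn the audit events described above into policy rules without hand-writing an exception per file, as an added example that is not from the post or from Microsoft's documentation: it uses the ConfigCI cmdlets (New-CIPolicy -Audit, Merge-CIPolicy) to generate rules from the CodeIntegrity audit log on a device and merge them into the Wizard's base policy. The file paths, the policy name, and the 'File Name' event-data field used in the triage step are assumptions.

```powershell
# Added example (not from the original post). Run elevated on a device that was in audit mode.
$BasePolicy   = 'C:\WDAC\BasePolicy.xml'          # assumed: base policy exported from the WDAC Wizard
$AuditPolicy  = 'C:\WDAC\AuditAdditions.xml'      # assumed: rules generated from the audit events
$MergedPolicy = 'C:\WDAC\Developer_Merged.xml'    # assumed: merged result for the developer ring

# 1. Triage: Event ID 3076 is the audit-mode "would have been blocked" event. Counting hits per
#    file shows which binaries actually matter before anything is allow-listed. The 'File Name'
#    data field name is an assumption; check one event's XML view in Event Viewer to confirm it.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'File Name').'#text'
    } | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name -First 25

# 2. Generate rules directly from the audit events instead of one exception per log entry.
#    FilePublisher ties each rule to signer + file name, so updates to the same signed product
#    keep working; unsigned files fall back to a hash rule, which is the set to review by hand.
New-CIPolicy -FilePath $AuditPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs -MultiplePolicyFormat

# 3. Merge the audit-derived rules into the base policy and give the result its own identity
#    (a separate merge from general-staff devices would produce the stricter second policy).
Merge-CIPolicy -PolicyPaths $BasePolicy, $AuditPolicy -OutputFilePath $MergedPolicy
Set-CIPolicyIdInfo -FilePath $MergedPolicy -PolicyName 'Developer Ring' -ResetPolicyID

# 4. Keep rule option 3 (Enabled:Audit Mode) for another validation cycle; remove it with
#    Set-RuleOption -Delete only once a cycle produces no unexpected 3076 events.
Set-RuleOption -FilePath $MergedPolicy -Option 3

# 5. Compile to the binary form Intune deploys, named after the policy GUID.
$PolicyId = ([xml](Get-Content $MergedPolicy)).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath "C:\WDAC\$PolicyId.cip"
```

Run the audit-to-policy step on a few representative devices per ring and merge their outputs; the hash-fallback rules in the result are the ones worth inspecting, since they will break on the next update of that file.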