How to Deploy Microsoft Defender Application Control (Previously WDAC)

Windows 10 and Windows 11 Application Control

Previously known as Windows Defender Application Control (WDAC), Microsoft Defender Application Control (MDAC) is now even more accessible to organizations through the removal of the Windows 10 Enterprise / Education requirement. Now, organizations using Windows 10 and Windows 11 Professional are able to leverage the feature to gain greater insight and control of their Windows device estate.

What is Microsoft Defender Application Control?

Microsoft Defender Application Control (previously WDAC) is an application whitelisting technology that builds upon the foundations set by AppLocker, which was first introduced in Windows 7 to allow organizations to control exactly which applications can run on their Windows devices.

However, whilst AppLocker helps control application usage and prevent users from running non-approved apps, it is not as feature-rich or security-focused as Microsoft Defender Application Control.

Whilst Microsoft Defender Application Control should be chosen over AppLocker where there is a choice, it’s also possible to configure both features to work in parallel. This might be useful for an organization with specific requirements around legacy operating systems, or for those who need to control the use of specific drivers.

Deploying Microsoft Defender Application Control

There are a few ways to enable and manage Microsoft Defender Application Control, and each method should be explored to ensure the right one is chosen for the use case.

In this article, I will walk through each method for deploying Microsoft Defender Application Control so that you can make an informed decision. Here are the four methods for deploying MDAC:

  1. Microsoft Endpoint Manager (Intune) Endpoint Security Profile configuration
  2. Microsoft Endpoint Manager (Intune) Endpoint Protection Policy configuration
  3. Microsoft Endpoint Manager (Intune) Custom Profile
  4. Microsoft Endpoint Configuration Manager (ConfigMgr)

1. Deploy Microsoft Defender Application Control using an Intune Endpoint Security Profile configuration

Microsoft makes it easy to get started with MDAC – for organizations using Microsoft Endpoint Manager (MEM), Application Control can be enabled from within an Endpoint Security > Attack Surface Reduction > Application Control policy.

Image: Create Attack Surface Reduction Policy, Application control profile

With this approach, administrators can choose to enable or disable “App locker application control” with the following options:

  • App locker application control:

    • Not configured
    • Enforce Components and Store Apps
    • Audit Components and Store Apps
    • Enforce Components, Store Apps, and Smartlocker
    • Audit Components, Store Apps, and Smartlocker

Image: Application Control Configuration Settings options

Table 1: Microsoft Defender Application Control settings in Intune Endpoint Security Profile configuration

| Microsoft Defender Application Control setting | Result |
| --- | --- |
| Not configured | MDAC is not enabled or audited. All apps are allowed to run. |
| Enforce Components and Store Apps | Windows core components, 3rd party hardware and storage kernel drivers, and all apps installed through the Microsoft Store are allowed to run. All others are prevented from running. |
| Audit Components and Store Apps | All apps are allowed to run; however, Windows core components, 3rd party hardware and storage kernel drivers, and all apps installed through the Microsoft Store are audited, and their usage information is made available through the event log. |
| Enforce Components, Store Apps, and Smartlocker | Windows core components, 3rd party hardware and storage kernel drivers, all apps installed through the Microsoft Store, and any application with a good reputation within the “Intelligent Security Graph” are allowed to run. All others are prevented from running. |
| Audit Components, Store Apps, and Smartlocker | All apps are allowed to run. Windows core components, 3rd party hardware and storage kernel drivers, all apps installed through the Microsoft Store, and any application with a good reputation within the “Intelligent Security Graph” are permitted, and the usage information of any application not within the policy is made available through the event log. |

Audit vs. Enforce
When choosing between Audit and Enforce within a policy configuration, it’s important to understand how each choice will affect the end-user.
When set to Audit, Windows will not prevent users from running any application but will log the use of any application that is not within the policy.

By creating and testing new policies in this way, administrators are able to get specific insights into how the policy would have affected their end-users without actually having any effect at all.
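Audit mode only pays off if someone actually reads what it records. The following PowerShell is an added example, not part of the original article or any Microsoft script: it pulls the audit and enforcement events that Windows writes for an application control policy and summarises which files would have been blocked. The event IDs are Microsoft’s documented Code Integrity and AppLocker IDs; the regular expressions used to pull the file path out of the event message are an assumption about the message wording, and any message that does not match is kept verbatim so nothing is silently dropped.

```powershell
# Added example (not from the original article): summarise what an MDAC policy in
# Audit mode would have blocked, using the events Windows writes for the policy.
# Documented event IDs:
#   3076 = executable/DLL/driver allowed only because the policy is in audit mode
#   3077 = executable/DLL/driver blocked by an enforced policy
#   8028 = script/MSI allowed only because the policy is in audit mode
#   8029 = script/MSI blocked by an enforced policy
# Run in an elevated PowerShell session on a device that has received the policy.

function Get-MdacPolicyEvent {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int]$MaxEvents = 5000
    )
    $filters = @(
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $Since },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8028, 8029; StartTime = $Since }
    )
    foreach ($f in $filters) {
        # SilentlyContinue: Get-WinEvent raises an error when a log has no matching events
        Get-WinEvent -FilterHashtable $f -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Assumed message wording. 307x events quote the file as a native path
                # (\Device\HarddiskVolumeN\...); 802x events start with the file path.
                $file = if ($_.Message -match 'attempted to load (.+?) that did not meet') { $Matches[1] }
                        elseif ($_.Message -match '^(.+?) was (?:allowed|prevented)') { $Matches[1] }
                        else { $_.Message }   # unknown wording: keep the whole message
                [pscustomobject]@{
                    Time = $_.TimeCreated
                    Id   = $_.Id
                    Mode = if ($_.Id -in 3076, 8028) { 'Audit (would block)' } else { 'Enforced (blocked)' }
                    File = $file
                }
            }
    }
}

function Get-MdacAuditSummary {
    # One row per file, so the review list for "what breaks if we enforce" is short
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-MdacPolicyEvent -Since $Since |
        Group-Object File |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                File      = $_.Name
                Hits      = $_.Count
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
                Modes     = ($_.Group.Mode | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Hits -Descending
}

# Usage: review this list (and add the legitimate entries to the policy) before
# switching from Audit to Enforce.
Get-MdacAuditSummary | Format-Table -AutoSize
```

Anything that appears in this list with an “Audit (would block)” mode is exactly what end-users would lose the day the same policy is switched to Enforce, which is the insight the audit-first approach above is meant to give you.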

2. Deploy Microsoft Defender Application Control using Intune Endpoint Protection Policy configuration

Prior to Endpoint Security baselines being introduced, Endpoint Protection Policy templates were the simplest way to enable and configure Microsoft Defender Application Control for Windows 10 endpoints.

Create a Microsoft Intune Endpoint Protection Policy

The second most common method for deploying Microsoft Defender Application Control is via an Endpoint Protection Policy within Microsoft Endpoint Manager (Intune). From the Endpoint Manager Portal, choose Devices > Configuration Profiles > Create Profile > Profile: Windows 10 or later > Profile Type: Templates > Template Name: Endpoint Protection.

Configure Microsoft Defender Application Control

When configuring “Application control code integrity” administrators can choose between:

  • Not Configured
  • Enforce
  • Audit Only

Table 2: Microsoft Defender Application Control settings in Intune Endpoint Protection Policy configuration

| Microsoft Defender Application Control setting | Result |
| --- | --- |
| Not configured | MDAC is not enabled or audited. All apps are allowed to run. |
| Enforce | Prevents all applications that are not covered by the policy from running. |
| Audit Only | Allows all applications to run, but creates a log entry for every application that runs which is not covered by the policy. |

Choosing which apps can run

To allow administrators to configure which apps can run on their endpoints, the “Trust apps with good reputation” setting can be configured as:

  • Not configured
  • Enabled

Not configured
When set to Not configured, only Windows components and Microsoft store apps will be allowed to run.

Enabled
When set to Enabled, only Windows components, Microsoft store apps, and reputable apps as defined by the Intelligent Security Graph will be allowed to run.

What is a “reputable app”?

Within the Endpoint Security – Attack Surface Reduction method, the ability to trust “reputable apps” as defined by the Intelligent Security Graph was referred to as Smartlocker. In this Endpoint Protection Profile method, it is referred to as the Intelligent Security Graph, with no reference to Smartlocker.

The two terms appear to be used interchangeably within the Microsoft Endpoint Manager console, and the documentation.

How does the Microsoft Intelligent Security Graph work?

The Microsoft Intelligent Security Graph uses machine learning and security intelligence and it is used by platforms such as Microsoft Defender SmartScreen and Microsoft Defender for Endpoint.

This real-time intelligence allows Microsoft Defender Application Control to dynamically allow or deny applications based on their reputation or prevalence across other Windows 10 computers in the world.

If an application is not covered by a specific allow or deny policy, Microsoft Defender Application Control will reach out to the Intelligent Security Graph to determine its reputation.

If it’s “known good”, the application (and any files created by the application) will be tagged with an extended attribute ($KERNEL.SMARTLOCKER.ORIGINCLAIM). If it’s unknown, or “known bad”, the application will be prevented from running.

3. Deploy Microsoft Defender Application Control using an Intune Custom Profile

With the previous methods (Endpoint Security configuration and Endpoint Protection Policy configuration), Microsoft Intune leverages the AppLocker CSP, which is restricted to the pre-1909 policy format of AppLocker rules when delivering Microsoft Defender Application Control.

This restricts the set of configurations that can be applied using the built-in methods. The built-in methods also require a reboot to apply policy, something which the custom profile method does not.

ApplicationControl CSP

Since Windows 10 1903, the AppLocker CSP is no longer required for MDAC implementations that use the OMA-URI (Custom Profile) method. Instead, the ApplicationControl CSP is leveraged to support multiple policies deployed to a single machine, and rebootless application of policy.

Support for multiple policies

The ApplicationControl CSP introduced support for multiple policies deployed to a single machine. This is the recommended method for managing Microsoft Defender Application Control on Windows 10 1903+ computers.

Microsoft Defender Application Control Base and Supplemental Policy

The approach is based on the concept of “base” and “supplemental” policies. “Base” policies contain the broad set of applications, components and scripts that can be run on a Windows device. Organizations would use this to apply a good starting point for protection, and ensure any applications that aren’t covered by the base policy are blocked.

“Supplemental” policies are typically more specific policies that can be targeted to expand a base policy by allowing additional applications, components or scripts.

When a Supplemental policy is applied alongside a Base policy, they are applied in “union”: any application, component or script allowed by either the Base or the Supplemental policy (or policies) will be permitted to run.

It is also possible to apply multiple base policies; however, these are applied differently from a base plus supplemental combination. When multiple base policies are applied, an application, component or script must be allowed by all of the base policies to be permitted to run.

Creating Microsoft Defender Application Control policies in Multiple Policy format

The Microsoft docs site provides guidance on creating policies in the new Multiple Policy format via the “New-CIPolicy” cmdlet.

The WDAC Wizard

In order to simplify the creation of Base and Supplemental policies, Microsoft has developed an open source “Windows Defender Application Control Wizard”. As the wizard is based on PowerShell cmdlets, it requires either Windows 10 1909+, or an Enterprise SKU of Windows 10 1903.

Creating Microsoft Defender Application Control Policies with the Windows Defender Application Control Wizard tool

Microsoft’s doc site contains step-by-step instructions to create both base and supplemental policies with the Windows Defender Application Control Wizard.

Create a Microsoft Defender Application Control Custom Profile

Once the base policies have been created, these can be deployed via Intune to target devices.

From the Microsoft Endpoint Manager console, choose Devices > Device Configuration > Create Profile > Platform: Windows 10 and later > Profile Type: Templates > Template Name: Custom

Image: Create a Custom Profile

In Configuration Settings, choose Add, then provide the required details in Name and Description.

  • OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy
    • The Policy GUID can be found in the “PolicyID” property of the policy XML, or in the name of the binary (CIP) file that the Wizard tool generated.
  • Data type: Base64
  • Certificate file: upload your binary format policy (rename the .cip file to a .bin extension first, because Intune only permits .bin files to be uploaded; the contents are unchanged)
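The Multiple Policy format steps above (base policy, supplemental policy, and packaging the result for the custom profile) fit in one short PowerShell script. The following is an added example written for this article, not the Wizard’s or Microsoft’s own code: it uses the ConfigCI cmdlets that ship with Windows 10 1903+ (New-CIPolicy, Set-CIPolicyIdInfo, Set-RuleOption, ConvertFrom-CIPolicy), starts the base policy from the DefaultWindows_Audit template that Windows installs under C:\Windows\schemas\CodeIntegrity\ExamplePolicies, and produces the .bin files and OMA-URIs needed for the custom profile. The C:\MDAC working folder, the “Contoso” policy names and the line-of-business application folder are hypothetical; that the OMA-URI takes the GUID without braces is an assumption to check against the CSP documentation.

```powershell
# Added example (not the article's or Microsoft's own script): build a base policy in
# audit mode, a supplemental policy that extends it, and Intune-ready .bin files.
# Requires the ConfigCI module (Windows 10 1903+) and an elevated session.
$Work    = 'C:\MDAC'                          # hypothetical working folder
$LobPath = 'C:\Program Files\Contoso'         # hypothetical line-of-business app folder
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Base policy: copy the Microsoft-supplied DefaultWindows_Audit template and reset
#    its IDs, which also converts it to multiple-policy format (new PolicyID/BasePolicyID).
$BaseXml = Join-Path $Work 'BasePolicy.xml'
Copy-Item 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml' $BaseXml
Set-CIPolicyIdInfo -FilePath $BaseXml -PolicyName 'Contoso Base' -ResetPolicyID

# Documented rule option numbers:
#  0 = Enabled:UMCI (govern user-mode apps, not only drivers)
#  3 = Enabled:Audit Mode (remove this option later to enforce)
# 14 = Enabled:Intelligent Security Graph Authorization (the "Smartlocker"/ISG trust)
# 16 = Enabled:Update Policy No Reboot
# 17 = Enabled:Allow Supplemental Policies (required before a supplemental can attach)
foreach ($opt in 0, 3, 14, 16, 17) { Set-RuleOption -FilePath $BaseXml -Option $opt }

# 2. Supplemental policy: scan one application folder, allow by publisher certificate,
#    fall back to file hash for unsigned files, then link it to the base policy.
$SuppXml = Join-Path $Work 'ContosoSupplemental.xml'
New-CIPolicy -MultiplePolicyFormat -FilePath $SuppXml -ScanPath $LobPath `
             -Level Publisher -Fallback Hash -UserPEs
Set-CIPolicyIdInfo -FilePath $SuppXml -PolicyName 'Contoso LOB apps' `
                   -BasePolicyToSupplementPath $BaseXml

# 3. Compile each XML to a binary .cip named after its PolicyID (as the Wizard does) and
#    make a .bin copy, because the Intune custom profile only accepts .bin uploads.
function Export-MdacPolicyBinary {
    param([Parameter(Mandatory)][string]$XmlPath)
    # PolicyID element of the <SiPolicy> root, e.g. {A1B2C3D4-...}
    $policyId = ([xml](Get-Content -Path $XmlPath -Raw)).SiPolicy.PolicyID
    $cip = Join-Path (Split-Path $XmlPath) "$policyId.cip"
    $bin = [IO.Path]::ChangeExtension($cip, '.bin')
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $cip | Out-Null
    Copy-Item -Path $cip -Destination $bin -Force
    [pscustomobject]@{
        PolicyId = $policyId
        Binary   = $bin
        # OMA-URI for the custom profile; bare GUID without braces is assumed here
        OmaUri   = "./Vendor/MSFT/ApplicationControl/Policies/$($policyId.Trim('{}'))/Policy"
    }
}

# Usage: one custom-profile row per policy, base first, then the supplemental.
Export-MdacPolicyBinary -XmlPath $BaseXml
Export-MdacPolicyBinary -XmlPath $SuppXml
```

Each object returned gives you the three values the custom profile asks for: the GUID that goes into the OMA-URI path, and the .bin file to upload as the Base64 value. Because the base policy carries option 3 (Audit Mode), the first deployment only logs; re-run the script without option 3 once the audit events have been reviewed.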

4. Deploy Microsoft Defender Application Control using Endpoint Configuration Manager (ConfigMgr) built-in policy

The final method for deploying Microsoft Defender Application Control is through Microsoft Endpoint Configuration Manager (MEMCM or ConfigMgr). ConfigMgr includes basic native support for Microsoft Defender Application Control, allowing administrators to configure policies on both Windows 10 and Windows 11 computers.

The categories of policy that can be applied are:

  • Core Windows components
  • Apps from the Microsoft Store
  • Apps installed by ConfigMgr (ConfigMgr automatically configures itself as a Managed Installer)
  • Apps with “known good” reputation from the Intelligent Security Graph
  • Apps already installed in pre-defined locations scanned during policy deployment

Policy Configuration

Microsoft Defender Application Control (known as Windows Defender Application Control in documentation and ConfigMgr) can be configured from the ConfigMgr console. Head to Assets and Compliance > Overview > Endpoint Protection > Windows Defender Application Control to begin.

Image: Windows Defender Application Control ConfigMgr console

General

From here, choose Create Application Control Policy, and then define a Name and Description as required. At this stage, it’s also required to choose whether the policy will be Enforced or set to Audit Only.

When Enforced, only those apps that are trusted by the policy will be permitted to run, whereas within Audit Only mode, all applications will be permitted to run, but untrusted executable usage will be logged to the event log.

Inclusions

From the Inclusions pane, administrators are able to choose whether applications trusted as “known good” by the Intelligent Security Graph can run within the environment. Additionally, administrators can add specific files and folders to the trusted list so that their contents are permitted to run.

It should be noted that these folders will be given a special attribute during policy application, so must exist prior to the policy being created.

Managed Installer

In order to ensure all applications installed by ConfigMgr are able to run, ConfigMgr will automatically configure itself as a Managed Installer, ensuring applications and executables deployed via Software Center are tagged with the required extended attribute to allow the software to be permitted through Microsoft Defender Application Control.

Policy Removal via ConfigMgr

One of the shortcomings of using ConfigMgr for Microsoft Defender Application Control deployment is that policies cannot be removed natively via ConfigMgr. Where a policy is no longer required, it can be switched to Audit Mode from within ConfigMgr, which will stop enforcement of the ruleset.

If Audit Mode cannot be used, for example when the intention is to completely switch off Microsoft Defender Application Control, administrators would need to deploy a script to remove the Microsoft Defender Application Control policy file from disk, before triggering a reboot.

Limitations in ConfigMgr approach

Whilst the process for deploying Microsoft Defender Application Control policies through ConfigMgr is quite simple, some organizations may find that the available options are limiting, or do not provide the level of flexibility they require.

Where this is the case, Microsoft recommends that Script-based deployment is leveraged instead.

Microsoft Defender Application Control script based deployment

The script based deployment approach allows Microsoft Defender Application Control to be enabled via the Code Integrity Policy (CIP) file that was created via the Wizard tool from Method 3. Be aware, though, that you’ll need to manually enable the required services.

This can be done by running the following in an administrative command prompt:

Appidtel.exe start
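The script-based deployment just described, together with the file-removal approach from the “Policy Removal via ConfigMgr” section, comes down to copying a .cip file into the Code Integrity policy folder, refreshing the policy, and, for removal, deleting that file and rebooting. The PowerShell below is an added example, not a script from the article or from Microsoft: it wraps those steps in functions, starts the AppID services with the appidtel.exe command shown above, and uses the PS_UpdateAndCompareCIPolicy WMI class that Microsoft documents for a rebootless policy refresh. The folder path is the one Windows 10 1903+ uses for Multiple Policy format policies; the C:\MDAC sample path is hypothetical.

```powershell
# Added example (not from the article): script-based install, refresh and removal of an
# MDAC policy compiled to a .cip file (for instance by the Wizard from Method 3). Run elevated.
# Multiple-policy-format policies live in CodeIntegrity\CiPolicies\Active, one {GUID}.cip each.
$ActiveDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity\CiPolicies\Active'

function Update-MdacPolicy {
    # Rebootless refresh via the documented WMI class (what RefreshPolicy.exe also calls)
    param([Parameter(Mandatory)][string]$PolicyFile)
    Invoke-CimMethod -Namespace 'root\Microsoft\Windows\CI' `
                     -ClassName 'PS_UpdateAndCompareCIPolicy' `
                     -MethodName 'Update' -Arguments @{ FilePath = $PolicyFile }
}

function Install-MdacPolicy {
    param([Parameter(Mandatory)][string]$CipPath)   # e.g. C:\MDAC\{GUID}.cip (hypothetical)
    if (-not (Test-Path $CipPath)) { throw "Policy file not found: $CipPath" }
    # Managed Installer and Intelligent Security Graph evaluation need the AppID services
    & (Join-Path $env:SystemRoot 'System32\appidtel.exe') start
    $dest = Join-Path $ActiveDir (Split-Path $CipPath -Leaf)
    Copy-Item -Path $CipPath -Destination $dest -Force
    Update-MdacPolicy -PolicyFile $dest
    $dest
}

function Get-MdacActivePolicy {
    # Lists the policies currently deployed through the Active folder
    Get-ChildItem -Path $ActiveDir -Filter '*.cip' -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'PolicyId'; e = { $_.BaseName.Trim('{}') } }, LastWriteTime, Length
}

function Remove-MdacPolicy {
    # Neither ConfigMgr nor the CSP UI offers a "remove"; as the article says, the policy
    # file is deleted from disk and the device rebooted so Code Integrity drops it.
    param([Parameter(Mandatory)][guid]$PolicyId, [switch]$Reboot)
    $file = Join-Path $ActiveDir "{$PolicyId}.cip"
    if (-not (Test-Path $file)) { throw "No active policy file for $PolicyId" }
    Remove-Item -Path $file -Force
    if ($Reboot) { Restart-Computer -Force }
}

# Usage (paths hypothetical):
#   Install-MdacPolicy -CipPath 'C:\MDAC\{A1B2C3D4-0000-0000-0000-000000000000}.cip'
#   Get-MdacActivePolicy
#   Remove-MdacPolicy -PolicyId 'A1B2C3D4-0000-0000-0000-000000000000' -Reboot
```

Keep the install and remove steps in separate deployments (for example two ConfigMgr scripts or Intune remediation scripts) so that a removal is a deliberate action, and check Get-MdacActivePolicy on a pilot device after each deployment to confirm that exactly the expected GUIDs are present.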

Summary

In Windows 10 1903 onwards, Microsoft Defender Application Control is a significant improvement from AppLocker. And with the ability to leverage the Intelligent Security Graph (or Smartlocker as it’s referred to in the Endpoint Security policy), organizations can get started right away.

By starting out with Audit mode, organizations can quickly identify where blockers and issues would arise before enforcement takes place, giving a risk-free method of getting started.
