WDAC and HSM

[thekimpc]

How can I create a WDAC whitelist policy, sign it and store it in a HSM? Which HSM would you recommend and why?

[HotCakeX]

Use the AppControl Manager to sign policies => https://github.com/HotCakeX/Harden-Windows-Security/wiki/Deploy-App-Control-Policy

I recommend Azure Key Vault because it's affordable and very safe => https://azure.microsoft.com/en-us/products/key-vault/

[thekimpc]

AppControl Manager is new to me, hence all the questions.

Thanks for pointing me in the right direction on how to sign WDAC policies and the Azure suggestion! Which physical HSM would you use as an alternative to Azure?

"WDAC in nature blocks everything unless it's allowed by a policy." Yet I can't see how to create a WDAC whitelist. Can you clarify?
I've looked at Create App Control Policy and the three options "Create Allow Microsoft Policy", "Create Default Windows Policy", and "Create Signed And Reputable Policy". It seems I have to use one of the first two options.