Compare Policies
Use AppControl Manager to compare two App Control policies side by side. This page builds an inventory of important policy elements, shows the number of items found in each policy, highlights count differences, lets you preview the exact items in each section, and exports the full comparison result to a JSON file.
This page is useful when you want to validate policy changes, compare a new policy against a known baseline, inspect what was added or removed, or review the structure of two policies before deployment.
- Select the first App Control policy, either from a file or from the Sidebar's policies library.
- Select the second App Control policy the same way.
- Press Compare to build a policy inventory for both files.
- Select any section in the Policy inventory pane to preview the items in that section.
- Use the First and Second number chips on each inventory card to show or hide that policy's items in the preview.
- Optionally sort the preview or export the results to JSON.
After running a comparison, the left side of the page displays a Policy inventory list. Each inventory card represents a policy element group and includes:
- Section name: The policy element group being compared.
- Description: A short explanation of what the section contains.
- Delta: Shows whether both policies have the same number of items or whether one policy has more items than the other.
- First count: The number of items from the first policy in that section.
- Second count: The number of items from the second policy in that section.
Selecting a section automatically enables both policy chips for that section and loads its items into the preview pane.
The page compares the following policy element groups:
- EKUs: Unique EKU definitions available for signers.
- All file rules: All Allow, Deny, FileAttrib, and generic FileRule elements.
- Allow rules: Direct allow file rules in the FileRules section.
- Deny rules: Direct deny file rules in the FileRules section.
- File attributes: File publisher attributes referenced by signers.
- Generic FileRule elements: Schema FileRule elements with Match, Exclude, or Attribute type.
- Signers: Signer definitions in the Signers section.
- CI signers: Signers trusted for CI policy signing semantics.
- Update policy signers: Signers authorized to update the policy.
- Supplemental policy signers: Signers authorized for supplemental policies.
- Signing scenarios: Total signing scenarios in the policy.
- User mode allowed signers: Allowed signer references in signing scenario value 12.
- User mode denied signers: Denied signer references in signing scenario value 12.
- User mode file rule refs: File rule references in signing scenario value 12.
- Kernel mode allowed signers: Allowed signer references in signing scenario value 131.
- Kernel mode denied signers: Denied signer references in signing scenario value 131.
- Kernel mode file rule refs: File rule references in signing scenario value 131.
- Settings: All settings in the Settings section.
- Macros: Macro definitions used by file rules and settings.
- App settings: Application settings under AppSettings.
- AppID tags: AppID tags across signing scenarios.
The right side of the page displays a preview of the selected inventory section. Each preview item can show:
- First policy label: Indicates the item exists in the first policy.
- Second policy label: Indicates the item exists in the second policy.
- Title: A readable name for the item, such as a signer name, file rule name, setting name, or AppID tag.
- Shared details: Properties that exist in both policies and have the same values.
- Different details: Properties that exist in both policies but have different values.
- Raw details: Used when an item does not have shared or different property summaries available.
When an item exists in both policies, both policy labels are displayed. When it only exists in one policy, only that policy's label is displayed.
Each inventory card includes two number chips:
- First: Shows or hides items from the first policy for that section.
- Second: Shows or hides items from the second policy for that section.
This lets you quickly inspect:
- Items that are present in both policies.
- Items that only exist in the first policy.
- Items that only exist in the second policy.
- The full combined inventory for a section.
If both chips are disabled, the preview will show that no policy source is enabled for the selected section.
Use the preview sort drop-down and the Sort button to change how preview items are ordered.
Available sort modes:
- Both: Items that exist in both policies are shown first, followed by items only in the first policy, then items only in the second policy.
- First Policy: Items unique to the first policy are shown first, followed by items that exist in both policies, then items only in the second policy.
- Second Policy: Items unique to the second policy are shown first, followed by items that exist in both policies, then items only in the first policy.
Within each sort group, items are sorted alphabetically by title.
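As an added example (not AppControl Manager's own code), the following Python script builds the same kind of inventory over two constructed policy XML strings: it counts a subset of the sections listed above (allow rules, deny rules, signers, and allowed signers for signing scenario values 12 and 131), computes the delta, and orders the preview items with the Both, First Policy and Second Policy sort modes. The element layout follows the App Control policy XML schema; the sample policies, the `make_policy` helper and the delta wording are constructed here.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
SCENARIO = "si:SigningScenarios/si:SigningScenario[@Value='{}']/si:ProductSigners/si:AllowedSigners/si:AllowedSigner"
# Inventory sections: display name -> (XPath of the element, attribute that identifies an item).
SECTIONS = {
    "Allow rules": ("si:FileRules/si:Allow", "ID"),
    "Deny rules": ("si:FileRules/si:Deny", "ID"),
    "Signers": ("si:Signers/si:Signer", "ID"),
    "User mode allowed signers": (SCENARIO.format(12), "SignerId"),
    "Kernel mode allowed signers": (SCENARIO.format(131), "SignerId"),
}

def make_policy(allows, denies, signers, um_allowed, km_allowed):
    """Build a minimal constructed App Control policy XML string (sample data, not a real policy)."""
    def rule(tag, ids): return "".join(f'<{tag} ID="{i}" FriendlyName="{i}" FileName="*"/>' for i in ids)
    def scenario(value, sid, ids):
        refs = "".join(f'<AllowedSigner SignerId="{i}"/>' for i in ids)
        return (f'<SigningScenario Value="{value}" ID="{sid}"><ProductSigners>'
                f'<AllowedSigners>{refs}</AllowedSigners></ProductSigners></SigningScenario>')
    signers_xml = "".join(f'<Signer ID="{i}" Name="{i}"/>' for i in signers)
    return (f'<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"><FileRules>{rule("Allow", allows)}'
            f'{rule("Deny", denies)}</FileRules><Signers>{signers_xml}</Signers><SigningScenarios>'
            f'{scenario(12, "ID_SIGNINGSCENARIO_WINDOWS", um_allowed)}'
            f'{scenario(131, "ID_SIGNINGSCENARIO_DRIVERS_1", km_allowed)}</SigningScenarios></SiPolicy>')

def sort_preview(first_items, second_items, mode="Both"):
    """Order items the way the preview sort modes do; within each group, sort alphabetically by title."""
    both, only_first, only_second = first_items & second_items, first_items - second_items, second_items - first_items
    groups = {"Both": (both, only_first, only_second),
              "First Policy": (only_first, both, only_second),
              "Second Policy": (only_second, both, only_first)}[mode]
    # Each entry mirrors a preview row: (title, has first-policy label, has second-policy label).
    return [(i, i in first_items, i in second_items) for g in groups for i in sorted(g)]

def compare(first_xml, second_xml, mode="Both"):
    """Build the per-section inventory: first/second counts, delta, and the sorted preview items."""
    a, b = ET.fromstring(first_xml), ET.fromstring(second_xml)
    inventory = {}
    for name, (path, key) in SECTIONS.items():
        ia = {e.get(key) for e in a.findall(path, NS)}
        ib = {e.get(key) for e in b.findall(path, NS)}
        delta = "same" if len(ia) == len(ib) else "first has more" if len(ia) > len(ib) else "second has more"
        inventory[name] = {"first": len(ia), "second": len(ib), "delta": delta, "items": sort_preview(ia, ib, mode)}
    return inventory

# Constructed baseline vs. candidate: the candidate drops the deny rule and adds a kernel-mode signer.
FIRST = make_policy(["ID_ALLOW_A_1"], ["ID_DENY_D_1"], ["ID_SIGNER_S_1"], ["ID_SIGNER_S_1"], [])
SECOND = make_policy(["ID_ALLOW_A_1", "ID_ALLOW_A_2"], [], ["ID_SIGNER_S_1", "ID_SIGNER_S_2"],
                     ["ID_SIGNER_S_1"], ["ID_SIGNER_S_2"])
```

`compare(FIRST, SECOND)` returns a dict you can pass straight to `json.dumps` for an export-style report; pass `mode="First Policy"` or `"Second Policy"` to reproduce the other sort orders.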
After running a comparison, you can use Export to JSON to save the full comparison result. The export includes:
- SchemaVersion: The export schema version.
- ExportedAtUtc: The UTC time when the export was created.
- FirstPolicyName: The identifier of the first selected policy.
- SecondPolicyName: The identifier of the second selected policy.
- FirstPolicyPath: The file path of the first selected policy (if available).
- SecondPolicyPath: The file path of the second selected policy (if available).
- Inventory: A summary of all compared sections, including counts and deltas.
- Sections: Detailed preview items for each compared section.
This makes the exported file suitable for reporting, auditing, troubleshooting, and reviewing policy changes.
- If you press Compare without selecting both policies, the page displays a warning asking you to select both policies.
- If you press Export to JSON before running a comparison, the page displays a warning asking you to run a comparison first.