Skip to content

Introduction

Violet Hansen edited this page Jun 16, 2024 · 34 revisions

What is Windows Defender Application Control?

Application Control For Business introduction and WDACConfig Module

Application control is a crucial line of defense for protecting computer systems given today's threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run.

Devices where Windows Defender Application control (WDAC) policies are deployed on can either be centrally managed via MDM, Intune etc. or they can be home devices, devices that are private and don't belong to any organization, the computer of someone that you want to keep very much safe and secure so that even the device's owner can't willingly or forcefully compromise themselves, the possibilities are endless.


Important

The WDACConfig module is a one-stop shop for all your Application Control (WDAC) needs. It is scalable, easy to use, enterprise-ready, Azure VM ready and more importantly, it is free and always will be. Check it out here


Windows Defender Application Control (WDAC) wiki posts


WDACConfig Module

WDACConfig is an advanced PowerShell module designed with the aim of automating Application and File whitelisting in Windows using Windows Defender Application Control. It is available in PowerShell gallery.


Application Control Usage Levels

There are many ways you can utilize Application Control features and here they are sorted by the level of restriction and protection they provide; From top (having the least restriction and protection) to bottom (having the most restriction and protection).

  1. Use Microsoft recommended driver block rules.

  2. Update Microsoft recommended driver block rules outside of the twice a year schedule.

  3. Use Microsoft recommended block rules + Recommended driver block rules

    • Use the WDACConfig Module to easily deploy the User-Mode Microsoft recommended block rules on your system.
  4. Create WDAC policy for Lightly managed devices

  5. Use Smart App Control

    • It's just a toggle in Windows Security under App & Browser control. It uses a special kind of WDAC policy that provides more protection than a lightly managed workstation but less protection than a fully managed workstation.
    • It uses both of Microsoft's recommended block rules.
  6. Use Smart App Control + Strict Kernel-Mode WDAC Policy

  7. Create WDAC policy for Fully managed devices


Methods we can use to create an Application Control policy (WDAC)


Plan for Windows Defender Application Control lifecycle policy management

Microsoft provides the following official document to understand the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. The rest of them are mentioned below at the Resources section.


Resources

There are a lot more WDAC resources and cmdlets available on Microsoft's websites.

Cmdlets

Documents








Clone this wiki locally