
J0hn_J0hnson
Copper Contributor
Jul 02, 2025

WDAC + App Control For Business + App Control Wizard

Hello All,

We are trying to use the following combination—WDAC, App Control for Business, and the App Control Wizard—to create and deploy WDAC policies in our tenant.

We have a general base policy derived from a slightly modified 'Allow Microsoft Mode' template, along with a couple of supplemental policies that explicitly allow certain apps by publisher (such as Palo Alto, Omnissa/VMware, etc.).

Enabled rules on the base policy are as follows:

  • Enabled:Unsigned System Integrity Policy
  • Enabled:Advanced Boot Options Menu
  • Enabled:UMCI
  • Enabled:Inherit Default Policy
  • Enabled:Update Policy No Reboot
  • Enabled:Allow Supplemental Policies
  • Enabled:Managed Installer

Basically, we are allowing only those applications that are installed via a managed installer—in our case, the Company Portal.

For example, if Palo Alto's GlobalProtect is installed through the Company Portal, it is not blocked by the WDAC policy.

However, on some devices where GlobalProtect was installed manually, we have a supplemental policy that allows it by publisher. Despite this, the manually installed version of GlobalProtect is still being blocked by WDAC, which suggests the policy isn't working as expected.

Example of such Supplemental policy is below:

I'm curious—are there any people or organizations using a similar setup?

If so, are you experiencing similar issues?

What has the general feedback been regarding this setup?
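As an added example (not from the original post; it only calls the built-in ConfigCI cmdlets), the script below checks a common reason a publisher-based supplemental allow rule silently never applies: the supplemental must be in multiple-policy format, typed as a supplemental policy, and carry the base policy's exact PolicyID as its BasePolicyID, while the base carries Enabled:Allow Supplemental Policies. File paths, the policy name and the ScanPath are placeholders.

```powershell
function Test-SupplementalBinding {
    param(
        [Parameter(Mandatory)][string]$BasePolicyXml,          # placeholder path to the base policy XML
        [Parameter(Mandatory)][string]$SupplementalPolicyXml   # placeholder path to the supplemental XML
    )
    [xml]$base = Get-Content -Path $BasePolicyXml -Raw
    [xml]$supp = Get-Content -Path $SupplementalPolicyXml -Raw
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The base must opt in to supplemental policies (rule option 17).
    $baseOptions = @($base.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
    if ($baseOptions -notcontains 'Enabled:Allow Supplemental Policies') {
        $findings.Add('base policy lacks "Enabled:Allow Supplemental Policies"')
    }
    # 2. The supplemental must be typed as such and its BasePolicyID must equal the base's PolicyID.
    if ($supp.SiPolicy.PolicyType -ne 'Supplemental Policy') {
        $findings.Add("PolicyType is '$($supp.SiPolicy.PolicyType)', expected 'Supplemental Policy'")
    }
    if ($supp.SiPolicy.BasePolicyID -ne $base.SiPolicy.PolicyID) {
        $findings.Add("BasePolicyID $($supp.SiPolicy.BasePolicyID) does not match base PolicyID $($base.SiPolicy.PolicyID)")
    }
    # 3. A publisher-level supplemental allows nothing unless it actually carries Signer rules.
    $signers = @($supp.SiPolicy.Signers.Signer)
    if ($signers.Count -eq 0) { $findings.Add('supplemental policy contains no Signer rules') }

    [pscustomobject]@{
        BasePolicyID         = $base.SiPolicy.PolicyID
        SupplementalPolicyID = $supp.SiPolicy.PolicyID
        Publishers           = @($signers | ForEach-Object { $_.CertPublisher.Value })
        Bound                = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

# --- Usage (paths are placeholders) ---
# Build a publisher-level supplemental from an installed copy of the app, bind it to the base,
# and compile it. -MultiplePolicyFormat is required for any policy that takes part in supplementing.
New-CIPolicy -FilePath 'C:\WDAC\GlobalProtect_Supp.xml' -ScanPath 'C:\Program Files\Palo Alto Networks\GlobalProtect' `
    -Level Publisher -Fallback Hash -UserPEs -MultiplePolicyFormat
Set-CIPolicyIdInfo -FilePath 'C:\WDAC\GlobalProtect_Supp.xml' -PolicyName 'GlobalProtect (publisher)' `
    -BasePolicyToSupplement 'C:\WDAC\Base.xml'
$check = Test-SupplementalBinding -BasePolicyXml 'C:\WDAC\Base.xml' -SupplementalPolicyXml 'C:\WDAC\GlobalProtect_Supp.xml'
$check | Format-List
if ($check.Bound) { ConvertFrom-CIPolicy -XmlFilePath 'C:\WDAC\GlobalProtect_Supp.xml' -BinaryFilePath "C:\WDAC\$($check.SupplementalPolicyID).cip" }

# After deployment, enforced blocks are logged as CodeIntegrity event 3077; filter on the binary name.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'GlobalProtect' } | Select-Object TimeCreated, Message
```

The compiled .cip must be deployed alongside the base; a binary whose BasePolicyID does not match an active base policy is ignored without an error.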

1 Reply

  • J0hn_J0hnson

    Hi,

    The key problem is the supplemental policy with publisher allow rules: these are considered, but cannot bypass Managed Installer rules for non-managed-installed apps. If an app is installed outside of your managed channel, it remains blocked.

    • Managed Installer is a strict mode: Once this rule is enabled, WDAC limits allowed executables to those deployed by the registered managed installer. Even if your supplemental policy permits the app by publisher, it is overridden by the Managed Installer requirement unless the app was actually installed via that channel.
    • This is why manually installed GlobalProtect is still blocked, even with a publisher-allow supplemental policy. Only apps delivered through the Company Portal (the registered managed installer) are permitted to run outside the scope.

    What to do 😀

    • Option 1: Remove the Managed Installer rule from your base policy, which allows supplemental publisher-based allowance to work on all endpoints.
    • Option 2: Ensure all approved apps (e.g., GlobalProtect) are only installed via the Company Portal.
    • Option 3: Temporarily disable “Managed Installer” while rolling out exceptions, then re-enable it and ensure all future deployments use the managed install path, only to see if it works or not.

    Good luck!
