Forum Discussion

David Caddick
Iron Contributor
Jul 16, 2018

Windows Defender - Application Control (WDAC)

I may be wrong, but in reviewing and testing this is what I'm seeing as the pragmatic steps forward with WDAC. Has anyone else deployed in Anger anywhere that can provide other feedback?

Ideally this could be as simple as letting the ISG decide what is allowed to run + simply apply this via Intune Config Policy (CSP) - Although it seems a bit non-intuitive to force a reboot for this to take effect? :(

However, this represents some issues:

  • The ISG policy probably needs to be combined with an exception for a "Managed Installer"
    • Take it as read that trusting another executable reduces the security, but Application Whitelisting will still provide a higher security posture and resilience against Ransomware, etc…
    • This is "clunky" as it means WDAC is effectively delegating this work to AppLocker - not ideal?
  • Once using ISG you will in all likelihood need to set some additional exceptions for locally built or "In House" developed Applications via a catalog
  • We now have three elements in play:
    • ISG - Automatic via Signal Graph
    • Managed Installer - somewhat Automatic
    • Catalog of LoB - Manual
  • *BUT* to be able to create a policy like this we would need to merge all three elements, this will be a manual process and it does not appear to be possible to deploy this via Intune as it is today - as there is no "import" mechanism to upload a *.bin file
  • Deploying WDAC via GPO is via *.bin https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy
  • Deploying via Intune is a "Setting" only https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune
  • https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#how-does-the-integration-between-wdac-and-the-intelligent-security-graph-work

Further considerations:

  • Clearly Hash is generally for Orgs with a very high & mature Security Posture, so most Orgs will likely only need some form of File Name or Publisher Cert
  • You can roll this out in limited Audit function to gather Auditing details, but this is potentially *noisy* in the Event Viewer and bringing the details needed back in a simple format will take some tweaking…
  • There is *NO* process for allowing users to continue working past Blocking Prompt with audited work around?
  • Currently the Error Message is fixed and cannot be modified to assist users to "understand" that this new process originates from the IT HelpDesk - this would be really good to address
  • Is it possible to combine three functions: (this would allow Productivity? And could be determined by Security Group membership)
    • Specify a Path/Location where Users can install an Application that will be unrestricted
    • Create an immediate Alert to IT HelpDesk every time a User enables this
    • Back this up with an Automated email to the User + Manager + IT Security 

Any and all feedback welcome
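As an added illustration (not part of the original post or of any Microsoft documentation), the following PowerShell shows the manual merge step the post describes: the ConfigCI cmdlets build a base policy and a LoB policy, merge them, switch on the ISG, Managed Installer and Audit Mode rule options, and compile the *.bin that GPO deployment expects. It then summarises the audit-mode events (ID 3076 in the CodeIntegrity/Operational log) so the "noisy" Event Viewer output can be reduced to a per-file count. All folder paths, the in-house application location, and the regex used to pull the file name out of the event message are assumptions; the AppLocker rule collection that actually designates the Managed Installer is a separate step not shown here.

```powershell
# Added example, not code from the original post. Requires the ConfigCI module
# (Windows 10 1709 or later) and an elevated session. Paths are assumptions.

$Work       = 'C:\WDAC'                         # assumed working folder
$BasePolicy = Join-Path $Work 'Base.xml'        # generated from a Windows scan
$LobPolicy  = Join-Path $Work 'LoB.xml'         # generated from in-house apps
$Merged     = Join-Path $Work 'Merged.xml'
$Binary     = Join-Path $Work 'SIPolicy.bin'    # *.bin consumed by the GPO setting
$InHouseApp = 'C:\Program Files\InHouseApp'     # assumed location of LoB binaries

New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Base policy: Publisher rules (falling back to Hash) for the OS image.
#    Publisher-level rules keep the policy manageable; Hash is the fallback for
#    unsigned files, matching the post's point that most orgs do not want
#    hash-only policies.
New-CIPolicy -FilePath $BasePolicy -Level Publisher -Fallback Hash `
             -ScanPath 'C:\Windows' -UserPEs

# 2. LoB policy: same rule levels, scanned from the in-house application folder.
#    This stands in for the "Catalog of LoB - Manual" element; a signed catalog
#    could be used instead for unsigned in-house code.
New-CIPolicy -FilePath $LobPolicy -Level Publisher -Fallback Hash `
             -ScanPath $InHouseApp -UserPEs

# 3. Merge the elements into one policy file.
Merge-CIPolicy -PolicyPaths @($BasePolicy, $LobPolicy) -OutputFilePath $Merged

# 4. Rule options. Numbers are the documented ConfigCI option IDs:
#    3  = Enabled:Audit Mode (log 3076 instead of blocking; remove for enforcement)
#    13 = Enabled:Managed Installer (requires the AppLocker managed-installer rule)
#    14 = Enabled:Intelligent Security Graph Authorization
#    16 = Enabled:Update Policy No Reboot (later policy updates apply without a
#         restart; the first deployment still needs one)
foreach ($opt in 3, 13, 14, 16) {
    Set-RuleOption -FilePath $Merged -Option $opt
}

# 5. Compile to the binary form used by the GPO deployment setting.
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary
Write-Host "Compiled policy written to $Binary"

# 6. Summarise audit-mode events from the pilot machine. Event ID 3076 is
#    "would have been blocked" (audit); 3077 is an enforced block.
function Get-WdacAuditSummary {
    param([int]$MaxEvents = 500)

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Assumption: the message contains "attempted to load <path>"; if the
        # wording differs on a given build, fall back to the whole first line.
        if ($_.Message -match 'attempted to load (\S+)') { $Matches[1] }
        else { ($_.Message -split "`r?`n")[0] }
    } | Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'File'; e = { $_.Name } },
                      @{ n = 'Hits'; e = { $_.Count } }
}

Get-WdacAuditSummary | Format-Table -AutoSize
```

The grouped table is the short list to review before moving from audit to enforcement: each row is a file the merged policy would block today, so it either belongs in the LoB policy, should be covered by the Managed Installer path, or is something the policy is right to stop.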
