Event banner
Event details
How is WDAC different from this ASR rule:
Is it similar?
- Dona_Mukherjee
Microsoft
I think the best way to describe it, itβs layers of protection.
UEFI -> DEP -> Secure Boot -> Kernel (App Control for Business) -> ELAM -> Credential Guard -> Smartscreen / Network Protection -> ASR Rules -> Defender Antivirus -> Defender for Endpoint
Depending on App Control for Business design that the customer is using:
π Application Control Design Models (Ranked)
Here are typical WDAC design models, ranked from most secure (but possibly complex) to least secure (but simpler):
- Default Deny with Trusted Signers Only (Most Secure)
- π Security: Highest β only explicitly trusted code runs (e.g., Microsoft + IT-signed apps)
- π§° Overhead: High β every new app needs manual approval/signing
- βοΈ Ideal for: High-security environments (e.g., defense, critical infrastructure)
- Signed Apps Only + Microsoft Recommended Block Rules
- βοΈ Security: Very strong β only signed apps allowed; known bad binaries blocked
- π§ Overhead: Moderate β fewer exceptions needed, but signing required for custom apps
- π€ Can be combined with Intune auto-deployments
- π¦ Best balance of security and manageability
- Allow Microsoft + IT-Approved Catalog Apps (Hybrid)
- β Security: Strong β relies on signer trust and curated app catalogs
- π Overhead: Moderate-Low β allows app updates if signed properly
- π Good for: Enterprises managing both commercial and in-house software
- Path Rules with Signed Microsoft Core Apps
- β οΈ Security: Moderate β vulnerable to path tampering and DLL injection if not hardened
- π οΈ Overhead: Low β easiest to maintain, especially if core apps are in fixed locations
- π― Target: Lighter lockdown or compatibility testing environments
- Audit Mode with Monitoring (Test Only)
- β Security: None (no enforcement)
- π§ͺ Overhead: Low β used for baseline analysis before enforcement
- π Useful for: Building future enforced policies based on real-world app use
π How ASR and WDAC Work Together
Feature
WDAC
ASR Rules
Type
Application Whitelisting (based on code identity)
Behavior-based rule enforcement (based on context & execution flow)
Scope
Blocks/permits apps before execution
Blocks suspicious or risky behavior during execution
Layer
Prevents app from starting
Stops or audits bad behavior if an app is running
Policy Model
Allow-list focused
Block-list and heuristics driven
Managed via
WDAC policies (XML, Intune, GPO)
Microsoft Defender Antivirus (via MDE Security Settings Management, Intune, GPO, PowerShell)
- β "Use advanced protection against ransomware"
- What it does: Blocks processes from making changes to files in user folders unless they're trusted/signed or have good reputation.
- How it fits with WDAC:
- WDAC might allow a signed app to run, but ASR can still block its behavior if it starts encrypting files.
- ASR provides behavioral protection against misuse of legitimate apps (e.g., Office apps with macros).
- β "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"
- What it does: Uses cloud-based reputation (Microsoft Defender Cloud Protection (aka MAPS)) to determine if a file is likely trustworthy.
- How it fits with WDAC:
- WDAC has Microsoft Intelligent Security Graph (ISG) for runtime signing verification
- This ASR rule acts as a dynamic safety net, especially useful in environments where not all apps are pre-vetted or signed.
- Helps protect against zero-day or just-released malware that isnβt yet blocked by WDAC or antivirus signatures.
