Windows Defender Application Control deployment


Has anyone embarked on deploying WDAC?

 

Unfortunately, due to the nature of our estate, rather than trying to build a single device with "all" the apps on it, we've deployed audit mode to all our devices.

Using Windows Defender Security Center and advanced hunting -

 
DeviceEvents
| where Timestamp > ago(7d) and
ActionType startswith "AppControl"


We're hoping to be able to convert the output of advanced hunting into the WDAC xml policies.
 
Has anyone taken this approach?
0 Replies
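
A triage step for the audit data described in the post, as an added example that is not part of the original post: it collapses an exported advanced hunting result into one candidate per file and counts the devices affected, as input for deciding which rules to write. The CSV column names are assumed to match the DeviceEvents schema, the sample rows and hash values are constructed, and the script does not generate WDAC XML.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of an advanced hunting CSV export (not real telemetry).
SAMPLE_EXPORT = r"""Timestamp,DeviceName,ActionType,FileName,FolderPath,SHA256
2020-10-20T09:00:00Z,pc-01,AppControlCodeIntegrityPolicyAudited,tool.exe,C:\Users\alice\AppData\Local\Tool,SAMPLEHASH-A
2020-10-20T09:05:00Z,pc-02,AppControlCodeIntegrityPolicyAudited,tool.exe,C:\Users\bob\AppData\Local\Tool,SAMPLEHASH-A
2020-10-20T09:06:00Z,pc-02,AppControlCodeIntegrityPolicyAudited,tool.exe,C:\Users\bob\AppData\Local\Tool,SAMPLEHASH-A
2020-10-21T11:00:00Z,pc-03,AppControlCodeIntegrityPolicyAudited,agent.dll,C:\Program Files\Agent,SAMPLEHASH-B
2020-10-21T12:00:00Z,pc-03,AntivirusScanCompleted,,,
"""

# Matches the per-user part of a profile path, e.g. C:\Users\alice
USER_DIR = re.compile(r"^([A-Za-z]:\\Users\\)[^\\]+", re.IGNORECASE)


def candidates(export_text):
    """Collapse audit rows into one entry per (folder, file, hash)."""
    groups = defaultdict(lambda: {"devices": set(), "events": 0})
    for row in csv.DictReader(io.StringIO(export_text)):
        # Same filter as the query in the post.
        if not row["ActionType"].startswith("AppControl"):
            continue
        # Grouping heuristic (assumption): per-user copies count as one location.
        folder = USER_DIR.sub(r"\1*", row["FolderPath"])
        key = (folder.lower(), row["FileName"].lower(), row["SHA256"])
        groups[key]["devices"].add(row["DeviceName"].lower())
        groups[key]["events"] += 1
    result = [
        {"folder": k[0], "file": k[1], "sha256": k[2],
         "devices": len(v["devices"]), "events": v["events"]}
        for k, v in groups.items()
    ]
    # Widest device footprint first, so those files are reviewed first.
    return sorted(result, key=lambda c: (-c["devices"], c["file"]))


if __name__ == "__main__":
    for c in candidates(SAMPLE_EXPORT):
        print(c)
```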