Skilling snack: Application Control for Windows
Published Nov 16 2023 10:00 AM 6,340 Views

Windows Defender Application Control (WDAC) is a technology available to use with multiple modern management solutions on Windows 10 and Windows 11 platforms, as well as on Windows Server 2016 and later. Note: You’ll soon find it under its new name, App Control for Business. Our earlier Skilling snack: Windows application security gave you a taste for what’s out there, and today you get to try the house special.

timer-icon.png Time to learn: 78 minutes

read-icon.pngREAD

Application Control for Windows

Explore the motivation for application control and the solutions available in Windows. What’s the difference between Windows Defender Application Control (WDAC) and Smart App Control? Find the answer and the requirements in this introductory documentation.

(4 mins)

WDAC + AppLocker + Smart App Control + Windows 11 + Windows 10 + Windows Server 2016 + Pro + Enterprise + Education

 

READ icon.pngREAD

WDAC and AppLocker Overview

Choose when to use Windows Defender Application Control (WDAC) or AppLocker. Read about the design of each solution, system requirements, rules, and additional considerations to keep your organization protected and productive. The general recommendation is WDAC.

(4 mins)

WDAC + AppLocker + Windows 11 + Windows 10 + MDM + Group Policy + ConfigMgr +PowerShell

     

read-icon.pngREAD

Create a WDAC policy for lightly managed devices

If your organization is new to application control, you might want to start with this scenario and harden your policy over time. Learn about the “circle-of-trust” for lightly managed devices. Use an example scenario to create a custom base policy with sample PowerShell script. Learn more about users with administrative access, unsigned policies, and other security considerations before getting started.

(8 mins)

Windows 11 + Windows 10 + WHQL + ConfigMgr + PowerShell + ISG + Administrator

 

read icon.pngREAD

Create a WDAC policy for fully managed devices

If you manage all software deployed to devices at your organization and users can’t install arbitrary apps, this article is for you. First, define the “circle-of-trust" for fully managed devices. Then, create a custom base policy using an example WDAC base policy. Finally, review some security considerations for this scenario.

(7 mins)

Windows 11 + Windows 10 + WHQL + ConfigMgr + PowerShell + ISG + Administrator

     

read icon.pngREAD

Deploy WDAC policies using Mobile Device Management (MDM)

See how to use Microsoft Intune or another cloud solution to deploy WDAC policies. Learn about Intune’s built-in WDAC support and what you need to use it. Follow step-by-step guidance to deploy or remove policies with custom OMA-URI.

(5 mins)

MDM + Intune + CSP + Policy + OMA-URI + AppLocker

 

read icon.pngREAD

Deploy Windows Defender Application Control policies with Configuration Manager

Another way to deploy WDAC policies is with Microsoft Configuration Manager. Configure Windows 10 and Windows 11 client devices with built-in policies. Follow the steps to create and deploy a WDAC policy in Configuration Manager. Additionally, learn about Software Distribution Packages and Programs or task sequences to customize policies.

(3 mins)

ConfigMgr + Windows 11 + Windows 10 + Audit + Endpoint Protection + Policy

     

READ icon.pngREAD

Manage approved apps for Windows devices with App Control for Business policy and Managed Installers...

In public preview today, you can now configure both the Intune Management Extension as a managed installer and endpoint security App Control for Business policies. Read about the prerequisites and guidance to get started. Learn how to monitor or delete App Control for Business policies. Finally, browse special considerations for Education tenants and answers to commonly asked questions.

(26 mins)

Intune + Management Extension + Managed Installer + CSP + RBAC + Government + Education + Cloud + AppLocker + AVD + Log Analytics

 

WATCH icon.pngWATCH

Balancing security and flexibility when implementing Windows Defender Application Control (WDAC)

What's changed in WDAC across Windows, Intune, and Microsoft Defender for Endpoint? Learn about that and find best practices for creating and deploying app control policies with WDAC. Watch demos on application control events, advanced hunting for querying, Managed Installer, reputation, and more.

(19 mins)

WDAC + Intune + Defender for Endpoint + Policy +Rule + Wizard + MDE + M365 + Managed Installer

     

experience icon.pngEXPERIENCE

Windows Defender Application Control Wizard

Read about and download a WDAC Wizard. It’s an open-source Windows desktop application that helps you create, edit, and merge Application Control policies.

(2 mins)

WDAC + MSIX + ConfigCI + PowerShell + cmdlets + GitHub


Take your application security to the next level with the capabilities of WDAC or App Control for Business. Use it with your favorite management solution and for lightly or fully managed devices. It’s like your favorite seasoning that goes with anything and makes everything taste better!

Hungry for more? Check out Windows skilling snacks: bite-sized learning for IT pros and leave us a comment below to share your experience with peers!


Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A.

2 Comments
Version history
Last update:
‎Nov 16 2023 10:00 AM
Updated by: