I am currently working with a client who uses AppLocker and will soon be mandated to use WDAC. I am setting it up in audit mode in the short term; however, I will be configuring it with the intention of enabling it. I am looking for some assistance with deploying WDAC.
A few questions I had were:
Does WDAC use 'allow' and 'deny' rules or is it just a whitelist or blacklist control?
AppLocker has rules based on multiple conditions (path, publisher, hash, etc.); how would these transfer to WDAC?
When merging WDAC policies, is there an order of precedence, or are they just grouped together (into block/allow)?
Can AppLocker and WDAC co-exist on the same machine at the same time?
If so, can AppLocker allow something WDAC doesn't? Or can AppLocker only block what WDAC has allowed?
Some of the scenarios the client uses AppLocker for:
Certain IT tools are only allowed for an IT AD group.
C:\Program Files\* is allowed, with exceptions for applications that require users to have modify rights on the directory.
C:\Windows\* is allowed, with exceptions for directories/applications that we don't want run by a standard user (exclusion example: C:\Windows\Temp).
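The following is an added example, not part of the original post, showing how the two path-based scenarios above are expressed in WDAC using the in-box ConfigCI cmdlets: allow rules for the two trusted trees, deny rules for the exclusions (in WDAC a deny rule always wins over an allow rule matching the same file), a merge with Microsoft's shipped DefaultWindows_Audit.xml template so the OS itself stays allowed, and compilation of an audit-mode binary. The AD-group scenario has no WDAC equivalent: WDAC policies apply to the whole device and all its users, so that restriction would stay in AppLocker, which can run alongside WDAC but can only further restrict what WDAC already allows. The working directory C:\WDAC, the file names PathRules.xml and Merged.xml, and the writable-application folder ExampleWritableApp are assumptions for illustration.

```powershell
# Added example (not from the original post). Requires the ConfigCI module that ships with
# Windows 10/11 and Windows Server 2019+; run from an elevated PowerShell session.

$WorkDir = 'C:\WDAC'   # assumption: scratch directory for policy XML and the compiled binary
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Allow rules for the two trusted trees (AppLocker: C:\Program Files\* and C:\Windows\*).
#    WDAC FilePath allow rules are only honoured at runtime for paths that are not
#    user-writable, so folders where users hold Modify rights are refused regardless;
#    the deny rules below make those exclusions explicit and visible in audit events.
$rules = @()
$rules += New-CIPolicyRule -FilePathRule 'C:\Program Files\*'
$rules += New-CIPolicyRule -FilePathRule 'C:\Windows\*'

# 2. Deny rules for the exclusions. Deny takes precedence over allow within a policy,
#    which is how AppLocker's "allow the tree, except this subfolder" pattern carries over.
$rules += New-CIPolicyRule -FilePathRule 'C:\Windows\Temp\*' -Deny
$rules += New-CIPolicyRule -FilePathRule 'C:\Program Files\ExampleWritableApp\*' -Deny   # assumption: placeholder folder

# 3. Write the path rules into a policy of their own. -UserPEs makes the policy govern
#    user-mode executables (the AppLocker scope); without it only kernel drivers are covered.
$PathPolicy = Join-Path $WorkDir 'PathRules.xml'
New-CIPolicy -FilePath $PathPolicy -Rules $rules -UserPEs

# 4. Merge with Microsoft's in-box audit template so Windows components remain allowed.
#    Merge-CIPolicy produces one policy containing the union of all rules; there is no
#    ordering between the inputs, because deny-over-allow is evaluated per file at runtime.
$Template = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
$Merged   = Join-Path $WorkDir 'Merged.xml'
Merge-CIPolicy -PolicyPaths $Template, $PathPolicy -OutputFilePath $Merged

# 5. Keep the merged policy in audit mode (option 3 = Enabled:Audit Mode) until the
#     Microsoft-Windows-CodeIntegrity/Operational log shows no unexpected blocks.
Set-RuleOption -FilePath $Merged -Option 3

# 6. Compile to the binary format the kernel consumes. For the single-policy format the
#    file is deployed as C:\Windows\System32\CodeIntegrity\SIPolicy.p7b (deployment not shown).
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath (Join-Path $WorkDir 'SIPolicy.p7b')
```

When enforcement is eventually wanted, the same script is rerun with `Set-RuleOption -FilePath $Merged -Option 3 -Delete` in step 5; everything else, including the deny-over-allow behaviour the exclusions rely on, is unchanged between audit and enforced mode.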