Microsoft Technical Takeoff: Windows and Microsoft Intune
Oct 24 2022 07:00 AM - Oct 27 2022 12:00 PM (PDT)

Windows Defender - Application Control (WDAC)

I may be wrong, but in reviewing and testing this is what I'm seeing as the pragmatic steps forward with WDAC. Has anyone else deployed in Anger anywhere that can provide other feedback?

Ideally this could be as simple as letting the ISG decide what is allowed to run + simply apply this via Intune Config Policy (CSP) - Although it seems a bit non-intuitive to force a reboot for this to take effect? :(

However, this represents some issues:

Further considerations:

  • Clearly Hash is generally for Orgs with a very high & mature Security Posture, so most Orgs will likely only need some form of File Name or Publisher Cert
  • You can roll this out in limited Audit function to gather Auditing details, but this is potentially *noisy* in the Event Viewer and bringing the details needed back in a simple format will take some tweaking…
  • There is *NO* process for allowing users to continue working past Blocking Prompt with audited work around?
  • Currently the Error Message is fixed and cannot be modified to assist users to "understand" that this new process originates from the IT HelpDesk - this would be really good to address
  • Is it possible to combine three functions: (this would allow Productivity? And could be determined by Security Group membership)
    • Specify a Path/Location where Users can install an Application that will be unrestricted
    • Create an immediate Alert to IT HelpDesk every time a User enables this
    • Back this up with an Automated email to the User + Manager + IT Security

Any and all feedback welcome

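As an added example (not part of the post above), a PowerShell snippet that turns the noisy Event Viewer view of a WDAC audit-mode rollout into one line per file, which is the list you would convert into publisher or path rules before switching to enforced. It assumes the policy is in audit mode so would-be blocks are logged as Event ID 3076 in the Microsoft-Windows-CodeIntegrity/Operational log, and that the EventData field names FileNameBuffer, ProcessNameBuffer and PolicyNameBuffer match that log's XML schema.

```powershell
# Added example: summarise WDAC audit-mode events (Event ID 3076) per file.
# Assumptions: WDAC deployed in audit mode; field names FileNameBuffer,
# ProcessNameBuffer and PolicyNameBuffer are taken from the CodeIntegrity log's
# XML payload and may need adjusting if your OS build names them differently.
param(
    [int]$Days = 7,   # look-back window
    [int]$Top  = 25   # how many files to show
)

$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076                       # audit mode: "would have been blocked"
    StartTime = (Get-Date).AddDays(-$Days)
}

function Get-EventField {
    # Pull one named <Data> element out of the event's XML payload.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No audit events (3076) found in the last $Days day(s)."
    return
}

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    [pscustomobject]@{
        Time    = $e.TimeCreated
        File    = Get-EventField $x 'FileNameBuffer'
        Process = Get-EventField $x 'ProcessNameBuffer'
        Policy  = Get-EventField $x 'PolicyNameBuffer'
        User    = $e.UserId
    }
}

# One line per file: how often it would have been blocked, which processes
# loaded it, and when it was last seen.
$rows |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object -First $Top @{n='Count';e={$_.Count}},
        @{n='File';e={$_.Name}},
        @{n='Processes';e={($_.Group.Process | Sort-Object -Unique) -join '; '}},
        @{n='LastSeen';e={($_.Group.Time | Measure-Object -Maximum).Maximum}} |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a device that has had the audit policy applied for a few days; files with a high count and a consistent publisher are the candidates for Publisher rules, while one-off entries in user-writable paths are the ones to question.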