
WDAC Configuration with App Control Manager

Step-by-step guide to creating your first WDAC policy using SpyNetGirl's AppControl Manager tool, from base policy creation to enforcement mode deployment.

Introduction

Welcome to my first post on Windows Defender Application Control (WDAC), also known as App Control for Business. This post will walk you through creating your first WDAC policy using SpyNetGirl's AppControl Manager tool, which simplifies the process significantly.

WDAC Capabilities at a Glance

WDAC is a code integrity feature in Windows that controls which executables, DLLs, drivers and scripts are allowed to run on a device, enforced by the kernel rather than by a user-mode agent. Key capabilities include:

  • Creating base and supplemental policies
  • Defining rules based on file attributes like publisher, file hash, path, and more
  • Running in audit mode to monitor without blocking
  • Enforcing policies to block unapproved applications
  • Generating detailed event logs for analysis

Prerequisites

Before getting started, ensure you have:

  • A Windows 10 or Windows 11 device on which you are a local administrator (the CiTool.exe commands used for deployment below ship with Windows 11 22H2 and later)
  • Windows PowerShell 5.1, which carries the ConfigCI module (New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy and friends)
  • A test app you expect to be blocked, so the audit log has something to show

Install AppControl Manager

Option A — Microsoft Store (Recommended)

  1. Open Microsoft Store
  2. Search for AppControl Manager
  3. Click Install

Option B — One-liner Bootstrap from GitHub

For installation straight from the GitHub repository (this needs internet access; the script is fetched at run time):

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

The one-liner downloads the repository's bootstrap script, appends a call to its AppControl command and runs the result, which installs the latest release. Piping remote content into Invoke-Expression executes whatever the URL serves at that moment, so on a managed device download the script to disk first, read it, and reference a commit you have reviewed in the raw URL instead of main.

Create a Base Policy

Step 1: Launch AppControl Manager

  1. Open AppControl Manager as Administrator
  2. Navigate to Create AppControl Policy
  3. Choose a starting template from the available options

Step 2: Select Base Policy Template

Choose one of these recommended starting templates. Both correspond to the example policies Windows ships under C:\Windows\schemas\CodeIntegrity\ExamplePolicies\ (DefaultWindows_Audit.xml and AllowMicrosoft.xml), so you can inspect the rules they contain before committing to one.

DefaultWindows_Audit

  • Allows: Windows components, WHQL-signed kernel drivers and Store apps
  • Best for: Basic Windows functionality with minimal third-party software
  • Use case: Highly secure environments with limited application requirements; everything else (including Office) needs a supplemental policy

Allow Microsoft

  • Allows: Everything in DefaultWindows plus all Microsoft-signed applications (Office, Teams, Visual Studio, etc.)
  • Best for: Standard business environments using the Microsoft ecosystem
  • Use case: Most enterprise deployments; note that "signed by Microsoft" is a broad trust decision that also admits tools an attacker can misuse, which is what the hardening post later in this series addresses

Step 3: Configure Policy Rule Options

Set these essential policy rule options in the UI:

Required Settings

  • Enabled:Audit Mode (rule option 3) - Start in audit mode so nothing is blocked while you collect data
  • Enabled:Allow Supplemental Policies (rule option 17) - Lets you extend the base policy later instead of replacing it
  • Enabled:Managed Installer (rule option 13) - Only if you deploy apps through Intune or ConfigMgr and have configured the managed installer AppLocker policy; without that configuration the option does nothing

Optional Settings (Recommended)

  • Required:EV Signers (rule option 8) - Restricts kernel drivers to EV-signed ones; it breaks many existing third-party drivers, so enable it only after you have audited your driver inventory
  • Enabled:Boot Menu Protection (rule option 1) - Microsoft's rule option reference marks this option as not currently supported; leave it off
  • HVCI - Not a rule option but the HvciOptions element of the policy (Set-HVCIOptions in PowerShell); relevant only where Memory integrity (HVCI) is switched on

Step 4: Generate and Export Policy

  1. Review policy settings in the summary view
  2. Generate the policy - AppControl Manager writes the policy XML
  3. Keep the files the tool produces:
    • The base policy XML, which is the editable source you will keep updating and versioning
    • The compiled binary, which in multiple-policy format is named after the policy GUID ({PolicyID}.cip) and is what Windows actually loads (.p7b is the legacy single-policy name)
    • The policy summary report
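The same base policy built with the ConfigCI cmdlets, as an added example that is not code from this post or from AppControl Manager; it exists so each UI switch above maps to a concrete rule option number and so you can see what the tool does on your behalf. Assumed: an elevated Windows PowerShell 5.1 session, the folder C:\WDAC, the friendly name chosen here, CiTool.exe being present (Windows 11 22H2 or later), and the JSON field names CiTool returns, which you should confirm with CiTool.exe --list-policies -json on your own build.

```powershell
# Added example, not the post's or AppControl Manager's code. Builds a base policy from the
# shipped AllowMicrosoft template with the ConfigCI module, compiles it, deploys it locally
# and confirms the kernel reports it. Assumptions: elevated Windows PowerShell 5.1, the
# folder C:\WDAC, and CiTool JSON field names (PolicyID, FriendlyName, IsEnforced, ...)
# as observed on current Windows 11 builds.

$WorkDir  = 'C:\WDAC'
$Template = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml'   # or DefaultWindows_Audit.xml
$BaseXml  = Join-Path $WorkDir 'BasePolicy.xml'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Copy-Item -Path $Template -Destination $BaseXml -Force

# Fresh PolicyID/BasePolicyID so the copy does not collide with the template's IDs (this also
# converts a legacy template to multiple-policy format), a friendly name that shows up in
# CiTool and in the event log, and an explicit version you will bump on every change.
Set-CIPolicyIdInfo -FilePath $BaseXml -ResetPolicyID | Out-Null
Set-CIPolicyIdInfo -FilePath $BaseXml -PolicyName 'Corp Base (AllowMicrosoft)'
Set-CIPolicyVersion -FilePath $BaseXml -Version '1.0.0.0'

# Rule options from this guide, by number from Microsoft's rule option table
Set-RuleOption -FilePath $BaseXml -Option 3     # Enabled:Audit Mode
Set-RuleOption -FilePath $BaseXml -Option 17    # Enabled:Allow Supplemental Policies
Set-RuleOption -FilePath $BaseXml -Option 16    # Enabled:Update Policy No Reboot
# Set-RuleOption -FilePath $BaseXml -Option 13  # Enabled:Managed Installer, only with an MI AppLocker policy in place

# "HVCI compatible" is not a rule option; it is the HvciOptions element (0 off, 1 enabled, 2 strict)
Set-HVCIOptions -Strict -FilePath $BaseXml

# Compile. In multiple-policy format the binary must be named <PolicyID>.cip (braces included).
$PolicyId = ([xml](Get-Content -Path $BaseXml -Raw)).SiPolicy.PolicyID
$BaseCip  = Join-Path $WorkDir "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $BaseXml -BinaryFilePath $BaseCip | Out-Null

# Deploy locally (no reboot thanks to option 16) and confirm the kernel picked it up
CiTool.exe --update-policy $BaseCip -json | Out-Null
$loaded = (CiTool.exe --list-policies -json | ConvertFrom-Json).Policies |
          Where-Object { $_.PolicyID.Trim('{}') -eq $PolicyId.Trim('{}') }
if (-not $loaded) { throw "Policy $PolicyId is not reported by CiTool; check the event log for 3099/3004 events" }
$loaded | Select-Object FriendlyName, PolicyID, VersionString, IsAuthorized, IsEnforced
```

IsEnforced should read False at this point because option 3 is set; when it reads True on a policy you believed was in audit mode, stop and check the XML before it reaches any device other than your own.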

Deploy the Base Policy

Local Deployment (Testing)

For immediate local testing. Note that there is no Set-CIPolicy or Get-CIPolicy cmdlet in Windows; the XML is compiled with ConvertFrom-CIPolicy and loaded with CiTool.exe:

# Compile the XML to the binary the kernel loads. In multiple-policy format the
# file must be named after the policy GUID: {PolicyID}.cip
$xml = [xml](Get-Content -Path "C:\Path\To\YourPolicy.xml" -Raw)
$cip = "C:\Path\To\$($xml.SiPolicy.PolicyID).cip"
ConvertFrom-CIPolicy -XmlFilePath "C:\Path\To\YourPolicy.xml" -BinaryFilePath $cip

# Deploy (CiTool.exe, Windows 11 22H2 and later; no reboot when rule option 16 is set)
CiTool.exe --update-policy $cip -json

# Verify the policy is loaded and whether it is in audit or enforce mode
CiTool.exe --list-policies -json

Intune Deployment (Production)

  1. Compile to binary (if not already done), naming the file after the policy GUID:

    ConvertFrom-CIPolicy -XmlFilePath "C:\Path\To\Policy.xml" -BinaryFilePath "C:\Path\To\{Your-Policy-GUID}.cip"
    
  2. Upload to Intune:

    • Navigate to Endpoint security > App Control for Business
    • Create a new policy and choose the option to supply your own XML
    • Upload the policy XML (this workflow takes the XML; the older OMA-URI route through the ApplicationControl CSP takes the compiled .cip instead)
    • Assign to device groups

Group Policy Deployment

Group Policy can only deliver the legacy single-policy format (one base policy, no supplementals), so treat it as a fallback for older estates or a lab rather than the primary channel.

  1. Copy the compiled policy to SYSVOL:

    \\domain.com\SYSVOL\domain.com\Policies\WDAC\Policy.p7b
    
  2. Create GPO:

    • Computer Configuration > Administrative Templates > System > Device Guard
    • Enable "Deploy Windows Defender Application Control"
    • Set the policy file path to the SYSVOL location above

Generate Audit Data

Using Audit mode first allows you to deploy your policy to a group of test users and collect real-world audit telemetry that you can use to craft your supplemental policies later.

Enable Audit Mode

If not already in audit mode, add rule option 3 to your base policy, rebuild and redeploy:

# Enabled:Audit Mode is policy rule option 3
Set-RuleOption -FilePath "C:\Path\To\YourPolicy.xml" -Option 3

# Rebuild the binary and redeploy (same commands as Local Deployment)
ConvertFrom-CIPolicy -XmlFilePath "C:\Path\To\YourPolicy.xml" -BinaryFilePath "C:\Path\To\{Your-Policy-GUID}.cip"
CiTool.exe --update-policy "C:\Path\To\{Your-Policy-GUID}.cip" -json

Monitor Audit Events

Deploy this audit mode policy to your devices and collect event logs over time (recommended: 2-4 weeks minimum).

Event Log Locations

Monitor these Windows Event Logs:

  • Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational (executables, DLLs and drivers)
  • Applications and Services Logs > Microsoft > Windows > AppLocker > MSI and Script (scripts and MSI files checked by WDAC script enforcement)
  • Event IDs to watch:
    • 3076: audit-mode block, the file would have been blocked had the policy been enforced
    • 3077: enforced block, the file was blocked
    • 3089: signature details for the file in the matching 3076/3077 event (correlate on the activity ID)
    • 3099: a policy was loaded, including its rule options
    • 8028 / 8029: a script or MSI that would be blocked (audit) / was blocked (enforced)

PowerShell Monitoring

# Recent audit-mode "would have been blocked" events for executables, DLLs and drivers
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-CodeIntegrity/Operational'; Id=3076} -MaxEvents 100 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# Scripts and MSI files audited by WDAC script enforcement log to the AppLocker channel instead
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-AppLocker/MSI and Script'; Id=8028} -MaxEvents 100 |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap

Analyse Audit Data

  1. Export audit events to CSV for analysis
  2. Identify legitimate applications being blocked
  3. Categorise applications by business criticality
  4. Document approval process for each application
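The CSV export and triage described in the two lists above, as an added example that is not code from this post or from AppControl Manager. It reads the structured fields out of the 3076 event XML rather than the rendered message, collapses the events to one row per file, and leaves a Decision column for the reviewer. Assumed: the EventData field names 'File Name', 'Process Name', 'PolicyName' and 'SHA256 Hash' as seen in current 3076 events (check one with (Get-WinEvent ... -MaxEvents 1).ToXml() if your build differs) and the output path C:\WDAC\audit-summary.csv.

```powershell
# Added example, not the post's or AppControl Manager's code. Summarises 3076 audit events
# per file and writes the result to CSV for the approval review. Assumptions: the EventData
# field names used below; file paths arrive as NT device paths (\Device\HarddiskVolumeN\...).

function Get-WdacAuditSummary {
    param(
        [datetime]$Since   = (Get-Date).AddDays(-14),
        [string]  $CsvPath = 'C:\WDAC\audit-summary.csv',
        [string]  $PolicyName                      # optional: keep only one policy's events
    )

    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # The structured fields live in the event XML, not in the rendered Message text
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($PolicyName -and $data['PolicyName'] -ne $PolicyName) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            File    = $data['File Name']
            Process = $data['Process Name']
            Policy  = $data['PolicyName']
            Sha256  = $data['SHA256 Hash']
        }
    }

    # One line per file: how often it ran, which processes loaded it, when it was last seen.
    # More than one hash for a file means several versions were seen, which argues for a
    # publisher rule rather than a hash rule.
    $summary = $rows | Group-Object File | ForEach-Object {
        [pscustomobject]@{
            File      = $_.Name
            Hits      = $_.Count
            Processes = ($_.Group.Process | Sort-Object -Unique) -join '; '
            Sha256    = ($_.Group.Sha256  | Sort-Object -Unique) -join '; '
            LastSeen  = $_.Group.Time | Sort-Object -Descending | Select-Object -First 1
            Decision  = ''    # filled in by the reviewer: allow-publisher / allow-hash / deny
        }
    } | Sort-Object Hits -Descending

    if ($summary) { $summary | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8 }
    return $summary
}

Get-WdacAuditSummary -Since (Get-Date).AddDays(-28) | Format-Table -AutoSize -Wrap
```

Run it on each pilot machine, or point Get-WinEvent at forwarded events on a collector, and have an application owner fill in Decision before anything becomes a rule; the Hits and Processes columns are what tell a business-critical tool apart from a one-off download.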

Create Supplemental Policy

Step 1: Review Audit Events

Use AppControl Manager to analyse collected audit data:

  1. Import audit events from Event Logs
  2. Review blocked applications and their details
  3. Identify applications that should be allowed
  4. Validate business justification for each application

Step 2: Create Supplemental Policy

  1. Launch AppControl Manager
  2. Navigate to "Create Supplemental Policy"
  3. Select base policy to extend
  4. Add allow rules for approved applications

Rule Types Available

  • Publisher rules: Allow all files from a specific publisher
  • File hash rules: Allow specific file versions
  • Path rules: Allow files from specific locations
  • Certificate rules: Allow files signed by specific certificates

Step 3: Configure Supplemental Policy

# Example: build supplemental rules from the audit events collected above.
# Publisher rules where the file is signed, hash rules as the fallback; -UserPEs includes user-mode files.
New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -MultiplePolicyFormat -FilePath "C:\Path\To\SupplementalPolicy.xml"

# Mark it as a supplemental of the base policy: sets PolicyType and copies the base's PolicyID into BasePolicyID.
# (-PolicyId on this cmdlet is only a friendly identifier string, not the link to the base policy.)
Set-CIPolicyIdInfo -FilePath "C:\Path\To\SupplementalPolicy.xml" -BasePolicyToSupplementPath "C:\Path\To\BasePolicy.xml"

Step 4: Deploy Supplemental Policy

  1. Test the supplemental policy while the base policy is still in audit mode; a supplemental policy has no audit switch of its own and inherits audit or enforce from its base
  2. Compile to binary, named after the supplemental policy's own GUID:
    ConvertFrom-CIPolicy -XmlFilePath "C:\Path\To\SupplementalPolicy.xml" -BinaryFilePath "C:\Path\To\{Supplemental-Policy-GUID}.cip"
    
  3. Deploy via Intune or CiTool.exe --update-policy (Group Policy cannot carry supplemental policies)
  4. Verify that the applications now run and that CiTool.exe --list-policies shows the supplemental with the base's GUID as its BasePolicyID
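The supplemental policy workflow end to end, as an added example that is not code from this post or from AppControl Manager: rules from the audit log, one extra publisher rule for an app you have on disk but that has not shown up in the log yet, the link to the base, then compile and deploy. Assumed: the paths under C:\WDAC, the vendor binary path C:\Program Files\Vendor\app.exe, the friendly names, and an elevated Windows PowerShell 5.1 session on a machine that holds the audit events.

```powershell
# Added example, not the post's or AppControl Manager's code. Assumptions: paths under
# C:\WDAC created in the base policy step, a signed vendor binary at the path below, and
# CiTool.exe (Windows 11 22H2 or later) for deployment.

$WorkDir = 'C:\WDAC'
$BaseXml = Join-Path $WorkDir 'BasePolicy.xml'
$SuppXml = Join-Path $WorkDir 'Supplemental-LOB.xml'

# 1. Rules from the 3076 audit events. FilePublisher = signer + original file name + minimum
#    version, tighter than Publisher alone; Hash is the fallback for unsigned files. Review
#    the result: everything that was audited in the pilot group ends up allowed here.
New-CIPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs -MultiplePolicyFormat -FilePath $SuppXml

# 2. A rule for an app not in the log yet, taken from its signed binary, merged into the same XML
$extra = New-CIPolicyRule -Level Publisher -Fallback Hash -DriverFilePath 'C:\Program Files\Vendor\app.exe'
Merge-CIPolicy -PolicyPaths $SuppXml -Rules $extra -OutputFilePath $SuppXml | Out-Null

# 3. Make it a supplemental of the base: sets PolicyType and copies the base's PolicyID into
#    BasePolicyID. Supplementals inherit audit/enforce from the base, so strip the options
#    New-CIPolicy adds that only make sense on a base policy (absent options are skipped).
Set-CIPolicyIdInfo -FilePath $SuppXml -BasePolicyToSupplementPath $BaseXml
Set-CIPolicyIdInfo -FilePath $SuppXml -PolicyName 'Corp Supplemental - LOB apps'
Set-CIPolicyVersion -FilePath $SuppXml -Version '1.0.0.0'
foreach ($opt in 0, 3, 9, 10) { Set-RuleOption -FilePath $SuppXml -Option $opt -Delete -ErrorAction SilentlyContinue }

# 4. Compile under the supplemental's own GUID and deploy beside the base
$SuppId  = ([xml](Get-Content -Path $SuppXml -Raw)).SiPolicy.PolicyID
$SuppCip = Join-Path $WorkDir "$SuppId.cip"
ConvertFrom-CIPolicy -XmlFilePath $SuppXml -BinaryFilePath $SuppCip | Out-Null
CiTool.exe --update-policy $SuppCip -json | Out-Null

# 5. Confirm both are loaded and the supplemental points at the base's GUID
(CiTool.exe --list-policies -json | ConvertFrom-Json).Policies |
    Where-Object { -not $_.IsSystemPolicy } |
    Select-Object FriendlyName, PolicyID, BasePolicyID, VersionString, IsAuthorized, IsEnforced |
    Format-Table -AutoSize
```

Open the generated XML before deploying it: New-CIPolicy -Audit is indiscriminate, and a hash rule for a file somebody ran once during the pilot is exactly the kind of allowance that quietly outlives its justification.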

Flip to Enforce Mode

After testing and verifying your policies work correctly, switch from audit to enforce mode to actively block unapproved applications.

Pre-Enforcement Checklist

  • Audit period completed (minimum 2-4 weeks)
  • All critical applications included in policies
  • Supplemental policies tested and deployed
  • Emergency procedures documented
  • Rollback plan prepared

Enable Enforcement

# Remove rule option 3 (Enabled:Audit Mode) from the base policy; that is what switches it to enforce
Set-RuleOption -FilePath "C:\Path\To\YourPolicy.xml" -Option 3 -Delete

# Bump the version so the update is unambiguous (and accepted, for signed policies), rebuild, redeploy
Set-CIPolicyVersion -FilePath "C:\Path\To\YourPolicy.xml" -Version "1.0.1.0"
ConvertFrom-CIPolicy -XmlFilePath "C:\Path\To\YourPolicy.xml" -BinaryFilePath "C:\Path\To\{Your-Policy-GUID}.cip"
CiTool.exe --update-policy "C:\Path\To\{Your-Policy-GUID}.cip" -json
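The checklist above turned into a gate, as an added example that is not code from this post or from AppControl Manager: it refuses to flip the base policy while the audit log still shows files that policy would block, and only then removes option 3, bumps the version, rebuilds and redeploys. Assumed: the paths under C:\WDAC, the friendly name 'Corp Base (AllowMicrosoft)', the 3076 EventData fields 'PolicyName' and 'File Name', and the CiTool JSON field IsEnforced.

```powershell
# Added example, not the post's or AppControl Manager's code. Assumptions: C:\WDAC layout
# from the earlier steps, 3076 EventData field names, CiTool JSON field names.

function Get-WdacPendingAuditFiles {
    # Distinct files the named policy would have blocked in the last $Days days
    param([Parameter(Mandatory)][string]$PolicyName, [int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['PolicyName'] -eq $PolicyName) { $data['File Name'] }
    } | Sort-Object -Unique
}

function Set-WdacEnforced {
    param(
        [Parameter(Mandatory)][string]$PolicyXml,
        [Parameter(Mandatory)][string]$PolicyName,
        [switch]$Force      # flip anyway: you have reviewed the pending list and accept the blocks
    )
    $pending = @(Get-WdacPendingAuditFiles -PolicyName $PolicyName)
    if ($pending.Count -gt 0 -and -not $Force) {
        Write-Warning "$($pending.Count) file(s) would be blocked by '$PolicyName'; add rules or pass -Force:"
        $pending | ForEach-Object { Write-Warning "  $_" }
        return $false
    }

    # Enabled:Audit Mode is option 3; removing it is the switch to enforce mode
    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete

    # Bump the last version component so the update is unambiguous (required for signed policies)
    $xml = [xml](Get-Content -Path $PolicyXml -Raw)
    $v   = [version]$xml.SiPolicy.VersionEx
    $new = [version]::new($v.Major, $v.Minor, [math]::Max($v.Build, 0), $v.Revision + 1)
    Set-CIPolicyVersion -FilePath $PolicyXml -Version $new.ToString()

    # Rebuild under the policy GUID and redeploy
    $cip = Join-Path (Split-Path -Path $PolicyXml) "$($xml.SiPolicy.PolicyID).cip"
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $cip | Out-Null
    CiTool.exe --update-policy $cip -json | Out-Null

    # Confirm the kernel now reports the policy as enforced
    $p = (CiTool.exe --list-policies -json | ConvertFrom-Json).Policies |
         Where-Object { $_.PolicyID.Trim('{}') -eq $xml.SiPolicy.PolicyID.Trim('{}') }
    return [bool]$p.IsEnforced
}

Set-WdacEnforced -PolicyXml 'C:\WDAC\BasePolicy.xml' -PolicyName 'Corp Base (AllowMicrosoft)'
```

Run the gate against the pilot machines (or a collector holding their forwarded events) rather than only the admin workstation; an empty pending list on the machine that authored the policy says little about the fleet.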

Monitor Enforcement

After enabling enforce mode:

  1. Monitor Event Logs for blocked applications (Event ID 3077 in the CodeIntegrity log, 8029 in the AppLocker MSI and Script log)
  2. Track user reports of blocked legitimate applications
  3. Respond quickly to false positives
  4. Update supplemental policies as needed

Ongoing Management

Regular Maintenance Tasks

  1. Weekly: Review blocked application reports
  2. Monthly: Update supplemental policies for new applications
  3. Quarterly: Review and optimise policy rules
  4. Annually: Complete policy audit and cleanup

Emergency Procedures

Temporary Policy Disable

# Remove an unsigned policy by its GUID (emergency only). A signed policy cannot be removed
# this way; it can only be replaced by a newer policy signed with the same certificate.
CiTool.exe --remove-policy "{Your-Policy-GUID}" -json
# Reboot afterwards to be certain nothing from the old policy is still in effect

Quick Application Allow

# Emergency supplemental policy: hash rules for one app's folder (the base policy must allow supplementals)
New-CIPolicy -Level Hash -ScanPath "C:\Path\To\CriticalApp" -UserPEs -MultiplePolicyFormat -FilePath "C:\Path\To\EmergencyPolicy.xml"
Set-CIPolicyIdInfo -FilePath "C:\Path\To\EmergencyPolicy.xml" -BasePolicyToSupplementPath "C:\Path\To\BasePolicy.xml"
# Then compile to {Emergency-Policy-GUID}.cip and load it with CiTool.exe --update-policy, as in Deploy Supplemental Policy

What's Next

In upcoming posts, I will cover:

  • Deep dive into WDAC capabilities and advanced features
  • Using AppControl Manager advanced features for complex scenarios
  • Building supplemental policies from audit logs with automation
  • Deploying policies with Intune at enterprise scale
  • Managing multiple policies and updates efficiently
  • WDAC hardening and ongoing management strategies

Advanced Topics Preview

WDAC Capabilities Deep Dive

  • Policy rule options and their security implications
  • File rule levels and when to use each
  • Event logging configuration and analysis
  • Audit vs Enforce modes comparison

Building Supplemental Policies

  • Automated policy creation from audit events
  • Linking supplemental policies to base policies
  • Best practices for rule creation and maintenance

Enterprise Deployment

  • Microsoft Intune integration and management
  • Custom XML and OMA-URI deployments
  • Managing policies across multiple device groups

Policy Management

  • Base vs supplemental policy strategies
  • Side-by-side policy deployments
  • Handling policy updates and versioning

Hardening and Maintenance

  • Microsoft's recommended driver and app block lists
  • Handling packaged apps and modern applications
  • Long-term policy maintenance strategies

Stay tuned for these comprehensive guides!

💡 Pro Tip
Always start with a small pilot group and gradually expand your WDAC deployment. This approach helps identify issues early and builds confidence in your policy configuration before organisation-wide rollout.