
Windows Defender Application Control (WDAC) - Getting Started

Introduction to Windows Defender Application Control (WDAC) deployment via Microsoft Intune for enterprise endpoint security and application control.

Windows Defender Application Control (WDAC)

Introduction

Windows Defender Application Control (WDAC) is a security feature built into Windows that lets organisations control which applications, scripts and drivers can run on their endpoints. Microsoft has since renamed it App Control for Business, but the policies, event IDs and tooling are unchanged, so this guide sticks with WDAC. Deploying WDAC via Microsoft Intune gives you policy enforcement across managed devices and a robust defence against... well, anyone doing literally anything outside of what you allow them to do.

Understanding WDAC

WDAC lets organisations define rules that permit only approved applications, scripts and drivers to run; anything not covered by a rule is blocked. Unlike AppLocker, which is evaluated in user mode, WDAC is enforced by the kernel's code integrity engine, and a policy can run in audit or enforced mode.

Obviously Audit mode is just that, it audits. Nothing is blocked, but every file that would have been blocked is logged: event ID 3076 in the Microsoft-Windows-CodeIntegrity/Operational log for executables and drivers, and 8028 in the Microsoft-Windows-AppLocker/MSI and Script log for scripts and installers. Enforced mode is the opposite: anything that hasn't been approved is blocked and logged as 3077 (or 8029 for scripts), and PowerShell runs in Constrained Language Mode for any script the policy does not allow.

⚠️ DANGER
WDAC is a powerful security feature that can have a significant impact on your environment. Before deploying WDAC, it is important to understand how it works and how it will affect your organisation. ALWAYS run it on a small subset of devices first to ensure it doesn't break anything, even after you run in audit mode and think you have it all under control. Ask me how I know...
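Here is how to pull that audit data off a single device without waiting for the portal. This is an added PowerShell example, not code from the original page or from App Control Manager. It assumes the event-data field names as they appear in the event XML on current Windows 10/11 builds (FileNameBuffer, ProcessNameBuffer, SHA256FlatHash and PolicyNameBuffer for CodeIntegrity events; FilePath, FileHash and PolicyName for the AppLocker channel), and it must be run elevated.

```powershell
# Added example (not from the original page): summarise what WDAC would have blocked
# (audit, 3076/8028) or did block (enforced, 3077/8029) on this device.
# Assumptions: run elevated; event-data field names are as they appear in the event XML
# on current Windows 10/11 builds (adjust the fallbacks below if a build differs).
param(
    [int]$Days = 14,
    [string]$CsvPath = (Join-Path $env:TEMP 'wdac-audit-summary.csv')
)

$since = (Get-Date).AddDays(-$Days)

# Which mode each event ID represents, so the report says which hits actually bit.
$modeById = @{
    3076 = 'Audit (would block)'
    3077 = 'Enforced (blocked)'
    8028 = 'Audit (script/MSI would block)'
    8029 = 'Enforced (script/MSI blocked)'
}

$filters = @(
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since }
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';   Id = 8028, 8029; StartTime = $since }
)

function Get-EventDataMap {
    # Flatten an event's payload into a hashtable. CodeIntegrity events carry
    # <EventData><Data Name="...">; AppLocker events carry <UserData><RuleAndFileData><FilePath>...
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in @($xml.Event.EventData.Data)) {
        if ($d) { $map[$d.GetAttribute('Name')] = $d.'#text' }
    }
    foreach ($n in @($xml.Event.UserData.RuleAndFileData.ChildNodes)) {
        if ($n) { $map[$n.LocalName] = $n.InnerText }
    }
    return $map
}

$records = foreach ($f in $filters) {
    # Get-WinEvent throws when a log has no matching events; treat that as "nothing to report".
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap -Event $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $modeById[$_.Id]
            # CodeIntegrity paths come back as \Device\HarddiskVolumeN\..., AppLocker paths as %OSDRIVE%\...
            File    = if ($d['FileNameBuffer']) { $d['FileNameBuffer'] } else { $d['FilePath'] }
            Process = $d['ProcessNameBuffer']
            Sha256  = if ($d['SHA256FlatHash']) { $d['SHA256FlatHash'] } else { $d['FileHash'] }
            Policy  = if ($d['PolicyNameBuffer']) { $d['PolicyNameBuffer'] } else { $d['PolicyName'] }
        }
    }
}

# One row per distinct file and mode, with a hit count: this is what you reconcile against the
# approved-app inventory before writing supplemental rules.
$summary = $records |
    Group-Object -Property File, Mode |
    ForEach-Object {
        $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{
            Hits     = $_.Count
            Mode     = $latest.Mode
            File     = $latest.File
            LastSeen = $latest.Time
            Process  = $latest.Process
            Sha256   = $latest.Sha256
        }
    } |
    Sort-Object Hits -Descending

if ($summary) {
    $summary | Format-Table -AutoSize
    $summary | Export-Csv -Path $CsvPath -NoTypeInformation
    "Wrote $($summary.Count) distinct file(s) to $CsvPath"
} else {
    "No WDAC audit or block events in the last $Days day(s)."
}
```

The CSV is the thing to hand to whoever owns the approved-app list: a file that shows up with a high hit count and an Audit mode is exactly what the base policy will break the day you flip to enforced.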

Getting Started

OK, so before we start, here is everything you are going to need.

Prerequisites

  • Defender for Endpoint P2 licence: needed for the Advanced Hunting reporting used in the monitoring phase, not for WDAC itself, which is built into Windows
  • Windows 10 or Windows 11 Enterprise or Education
  • Intune enrolled devices
  • WDAC Wizard, or even better, App Control Manager. (Please go and check out SpyNetGirl's App Control Manager)
  • Device Groups based on your requirements (pilot, production and break-glass)

Implementation Strategy

So basically what you will be doing is creating a base policy in audit mode that allows only Microsoft-signed code. You then monitor it in the Security Centre (the Microsoft Defender portal) for a few weeks to see what would have been blocked, cross-check that against your list of approved apps, and build a supplemental policy to allow those apps to run.

So in a list:

  1. Create a list of approved apps
  2. Create a base policy, in audit mode, that allows only Microsoft-signed code
  3. Monitor for a few weeks
  4. Create a supplemental policy to allow the approved apps that the base policy would block
  5. Monitor for a few weeks
  6. Switch the policy to enforced mode on a small subset of devices
  7. Update as required
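Steps 2 and 6 of that list, done with the ConfigCI cmdlets that ship with Windows, as an added example. This is not code from the original page (the author drives App Control Manager instead) and it assumes an elevated Windows PowerShell 5.1 session; the C:\WDAC working folder and the policy name are my own placeholders, while the template path is where Windows installs its example policies.

```powershell
# Added example, not code from the original page (which drives App Control Manager): the
# base-policy workflow with the ConfigCI cmdlets that ship with Windows. Run elevated in
# Windows PowerShell 5.1. $WorkDir and $PolicyName are assumptions; the template path is where
# Windows installs its example policies.
$WorkDir    = 'C:\WDAC'
$PolicyName = 'Corp Base - Allow Microsoft'
foreach ($sub in 'audit', 'enforced') {
    New-Item -ItemType Directory -Path (Join-Path $WorkDir $sub) -Force | Out-Null
}

# 1. Start from the built-in "allow Microsoft-signed code" template.
$template = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml'
$auditXml = Join-Path $WorkDir 'Base_AllowMicrosoft_Audit.xml'
Copy-Item -Path $template -Destination $auditXml -Force

# 2. Give it its own PolicyID (this also converts it to the multiple-policy format that
#    supplemental policies and Intune require) and a readable name.
Set-CIPolicyIdInfo -FilePath $auditXml -PolicyName $PolicyName -ResetPolicyID | Out-Null
$policyId = ([xml](Get-Content -Path $auditXml -Raw)).SiPolicy.PolicyID   # "{GUID}"

# 3. Rule options (ConfigCI option numbers; the comments are the names written into the XML).
$options = @(
    0,   # Enabled:UMCI                             - control user-mode code, not just drivers
    3,   # Enabled:Audit Mode                       - log 3076 instead of blocking; removed in step 5
    6,   # Enabled:Unsigned System Integrity Policy - lets an unsigned policy be deployed and replaced
    10,  # Enabled:Boot Audit on Failure            - fall back to audit if a boot driver is blocked
    12,  # Required:Enforce Store Applications      - apply the policy to Store apps too
    16,  # Enabled:Update Policy No Reboot          - later versions apply without a restart
    17,  # Enabled:Allow Supplemental Policies      - required before step 4 of the plan
    19   # Enabled:Dynamic Code Security            - extend enforcement to .NET dynamic code
)
foreach ($o in $options) { Set-RuleOption -FilePath $auditXml -Option $o }

# 4. Compile to the binary the kernel loads. Multiple-policy binaries must be named {PolicyID}.cip.
$auditBin = Join-Path $WorkDir "audit\${policyId}.cip"
ConvertFrom-CIPolicy -XmlFilePath $auditXml -BinaryFilePath $auditBin | Out-Null

# 5. Weeks later, when the audit data is clean: same PolicyID, higher version, audit option removed.
#    Because the ID is unchanged, the enforced binary replaces the audit one on each device.
$enforcedXml = Join-Path $WorkDir 'Base_AllowMicrosoft_Enforced.xml'
Copy-Item -Path $auditXml -Destination $enforcedXml -Force
Set-RuleOption      -FilePath $enforcedXml -Option 3 -Delete
Set-CIPolicyVersion -FilePath $enforcedXml -Version '1.0.0.1'
$enforcedBin = Join-Path $WorkDir "enforced\${policyId}.cip"
ConvertFrom-CIPolicy -XmlFilePath $enforcedXml -BinaryFilePath $enforcedBin | Out-Null

"Base policy $policyId"
"  audit binary:    $auditBin"
"  enforced binary: $enforcedBin"
```

The point worth noticing is that audit versus enforced is a single rule option on the same policy ID. Keep the ID stable and bump the version, and the enforced binary supersedes the audit one; generate a fresh ID by mistake and you end up with two base policies on the device, both of which have to be satisfied.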

📝 NOTE
Lucky for you, Intune adds a few options (managed installer and reputation-based trust) that mean you don't have to keep updating the supplemental policy for every new app. We will get to all that soon though.

Key Benefits of WDAC

Security Advantages

  • Zero-day protection: anything not explicitly allowed is blocked, so an unknown binary stays blocked whether or not antivirus has a signature for it (it won't stop an exploit running inside an already-allowed process, but it stops the next stage from launching)
  • Reduced attack surface: Limits what can execute on endpoints
  • Compliance support: Helps meet regulatory requirements for application control
  • Integration with Microsoft Defender: audit and block events flow into Defender for Endpoint for hunting and response

Management Benefits

  • Centralised control: Manage policies across all Windows devices via Intune
  • Flexible deployment: Gradual rollout with audit and enforce modes
  • Detailed reporting: Comprehensive logging and monitoring capabilities
  • Emergency procedures: Quick policy updates for critical situations

WDAC Policy Types

Base Policies

Purpose: Define the fundamental rules for what can run on devices

Common Base Policy Types:

  • Microsoft signed only: Allow only Microsoft-signed applications and Windows components (the starting point in this guide)
  • WHQL signed: Also allow Windows Hardware Quality Labs signed drivers
  • Store apps: Allow Microsoft Store applications
  • Reputable apps: Allow files that the Intelligent Security Graph (ISG), Microsoft's cloud reputation service, rates as known good; this is the "Trust apps with good reputation" option in Intune

Supplemental Policies

Purpose: Extend base policies with additional allow rules

Use Cases:

  • Line-of-business applications: Internal company applications
  • Third-party software: Approved external applications
  • Development tools: Software development environments
  • Temporary exceptions: Short-term access for specific needs

Deployment Phases

Phase 1: Planning and Preparation

  1. Asset Inventory

    • Document all applications currently in use
    • Identify critical business applications
    • Categorise applications by risk level
    • Create approved application list
  2. Device Grouping

    • Create pilot groups (5-10% of devices)
    • Establish production groups by department/function
    • Set up emergency/break-glass groups
    • Define rollback procedures
  3. Monitoring Setup

    • Configure Microsoft Defender for Endpoint; WDAC audit and block events surface in Advanced Hunting's DeviceEvents table with ActionType values such as AppControlCodeIntegrityPolicyAudited and AppControlCodeIntegrityPolicyBlocked
    • Set up log collection and analysis (locally that is the Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script event logs)
    • Create alerting for policy violations
    • Establish review processes

Phase 2: Audit Mode Deployment

  1. Create Base Policy

    • Start with Microsoft-signed applications only
    • Include necessary Windows components
    • Add WHQL signed drivers if required
    • Test policy syntax and deployment
  2. Deploy to Pilot Group

    • Select representative devices across departments
    • Monitor for 2-4 weeks minimum
    • Collect comprehensive audit data
    • Document all blocked applications
  3. Analysis and Refinement

    • Review audit logs daily
    • Identify legitimate applications being blocked
    • Validate business requirements for blocked apps
    • Prepare supplemental policy rules

Phase 3: Supplemental Policy Creation

  1. Develop Allow Rules

    • Create rules for approved applications
    • Use publisher (certificate) rules where possible; they survive app updates
    • Implement file hash rules for unsigned apps, and plan to regenerate them on every update, since any change to the file invalidates the hash
    • Consider path-based rules for internal tools, but only for locations standard users cannot write to: with runtime file path rule protection on (the default) a path rule is ignored for a user-writable folder, and without it such a rule is an allow-anything hole
  2. Test Supplemental Policies

    • Deploy supplemental policies in audit mode
    • Verify approved applications can run
    • Check for any remaining blocks
    • Refine rules as necessary
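The supplemental policy for one approved app, built from a scan of its install folder and bound to the base policy, as an added example. This is not the page's or App Control Manager's code; it assumes an elevated Windows PowerShell 5.1 session with the ConfigCI module, a base policy XML at C:\WDAC\Base_AllowMicrosoft_Audit.xml, and an app installed under Program Files (so its path is not user-writable). The app name and folder are placeholders.

```powershell
# Added example (not from the original page): build a supplemental policy for an approved app
# and bind it to the base policy. $WorkDir, $BasePolicyXml, $AppPath and the policy name are
# assumptions. Run elevated in Windows PowerShell 5.1 with the ConfigCI module.
$WorkDir       = 'C:\WDAC'
$BasePolicyXml = Join-Path $WorkDir 'Base_AllowMicrosoft_Audit.xml'
$AppPath       = 'C:\Program Files\Contoso LOB'
$suppXml       = Join-Path $WorkDir 'Supp_ContosoLOB.xml'

# The base must advertise that it accepts supplements (rule option 17); otherwise the
# supplemental policy is ignored on the device and the app stays blocked.
$baseDoc = [xml](Get-Content -Path $BasePolicyXml -Raw)
$baseId  = $baseDoc.SiPolicy.PolicyID
if ($baseDoc.SiPolicy.Rules.Rule.Option -notcontains 'Enabled:Allow Supplemental Policies') {
    throw "Base policy $baseId lacks 'Enabled:Allow Supplemental Policies' (option 17)."
}

# Scan the install folder. -Level Publisher writes one rule per signing publisher (survives app
# updates); -Fallback Hash covers unsigned binaries, which then need re-scanning on each update.
# -UserPEs includes user-mode executables; -MultiplePolicyFormat is required for a supplement.
New-CIPolicy -FilePath $suppXml `
             -ScanPath $AppPath `
             -Level Publisher -Fallback Hash `
             -UserPEs -MultiplePolicyFormat

# Bind to the base: the supplement's BasePolicyID must equal the base's PolicyID.
Set-CIPolicyIdInfo -FilePath $suppXml -PolicyName 'Supp - Contoso LOB' -BasePolicyToSupplement $baseId

# Report what the scan produced so hash-only (unsigned) files are visible before deployment.
# New-CIPolicy emits several <Allow Hash=...> entries per unsigned file, so this counts entries, not files.
$suppDoc   = [xml](Get-Content -Path $suppXml -Raw)
$suppId    = $suppDoc.SiPolicy.PolicyID
$hashRules = @($suppDoc.SiPolicy.FileRules.Allow | Where-Object { $_.Hash }).Count
$pubRules  = @($suppDoc.SiPolicy.Signers.Signer).Count
"Supplemental policy $suppId for base $baseId : $pubRules signer rule(s), $hashRules hash entr(ies)"
if ($hashRules -gt 0) {
    Write-Warning "Hash rules present: unsigned files under $AppPath must be re-scanned after each update."
}

# Compile; multiple-policy binaries are named {PolicyID}.cip.
$suppBin = Join-Path $WorkDir "${suppId}.cip"
ConvertFrom-CIPolicy -XmlFilePath $suppXml -BinaryFilePath $suppBin | Out-Null
"Binary: $suppBin"
```

The warning at the end is the one to take seriously: every hash entry is a future ticket. If the vendor signs its binaries, a single publisher rule replaces all of them and keeps working across updates.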

Phase 4: Enforcement Mode

  1. Gradual Enforcement

    • Start with least critical systems
    • Monitor closely for the first 48 hours
    • Expand to additional groups weekly
    • Maintain emergency rollback capability
  2. Ongoing Management

    • Regular policy reviews and updates
    • Process for new application approvals
    • Incident response for policy violations
    • Continuous monitoring and improvement

Common Challenges and Solutions

Application Discovery

Challenge: Identifying all applications that need to run

Solutions:

  • Extended audit periods (4-6 weeks, longer than the 2-4 week pilot, so that month-end and quarterly tasks get a chance to run)
  • Cross-departmental application surveys
  • Integration with software asset management tools
  • User feedback mechanisms

False Positives

Challenge: Legitimate applications being blocked

Solutions:

  • Comprehensive testing in audit mode
  • Staged deployment approach
  • Quick exception processes
  • Regular policy refinement

User Impact

Challenge: Users unable to run necessary applications

Solutions:

  • Clear communication about changes
  • Self-service request processes where appropriate
  • Quick turnaround on legitimate requests
  • Training on new security procedures

Performance Impact

Challenge: WDAC policies affecting system performance

Solutions:

  • Optimise policy rules for efficiency
  • Use certificate-based rules over hash-based ones: a publisher rule covers every version of an app in one line, whereas hash rules add several entries per file and have to be regenerated on every update
  • Regular policy cleanup and consolidation
  • Monitor system performance metrics

Integration with Microsoft Intune

Policy Deployment

WDAC policies can be deployed through Intune using:

  • Device configuration profiles: a custom OMA-URI profile against the ApplicationControl CSP (./Vendor/MSFT/ApplicationControl/Policies/<PolicyGUID>/Policy) carrying the compiled .cip as Base64
  • Endpoint security policies: Endpoint security > App Control for Business, either with the built-in options (Windows components and Store apps, reputable apps, managed installers) or with your own policy XML
  • PowerShell scripts for complex scenarios
  • Win32 apps that drop the .cip into C:\Windows\System32\CodeIntegrity\CiPolicies\Active and trigger a policy refresh
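The custom OMA-URI route, and the local check you run on a pilot device once it has synced, as an added example. This is not the page's code and not Intune's; it assumes compiled policies under C:\WDAC\audit and that CiTool.exe (Windows 11 22H2 and later) emits a JSON document with a Policies array from --list-policies --json, with the field names shown in the Select-Object below.

```powershell
# Added example (not from the original page): turn a compiled .cip into the values for an Intune
# custom configuration profile (ApplicationControl CSP, OMA-URI with a Base64 payload), then
# check a synced device with CiTool.exe. $CipDir is an assumption; CiTool's JSON field names are
# taken from its --list-policies --json output and assumed to be stable.
$CipDir = 'C:\WDAC\audit'

function New-WdacOmaUriPayload {
    # Returns the three values you paste into Intune: OMA-URI, data type and the Base64 file.
    param([Parameter(Mandatory)][string]$CipPath)
    # ConvertFrom-CIPolicy names multiple-policy binaries {GUID}.cip; the CSP wants the GUID bare.
    $guid  = [System.IO.Path]::GetFileNameWithoutExtension($CipPath).Trim('{', '}')
    $bytes = [System.IO.File]::ReadAllBytes($CipPath)
    [pscustomobject]@{
        PolicyGuid = $guid
        OmaUri     = "./Vendor/MSFT/ApplicationControl/Policies/$guid/Policy"
        DataType   = 'Base64 (file)'
        Base64     = [Convert]::ToBase64String($bytes)
        SizeBytes  = $bytes.Length
    }
}

function Get-WdacPolicyState {
    # What the device actually has loaded. CiTool.exe ships with Windows 11 22H2 and later.
    $citool = Join-Path $env:windir 'System32\CiTool.exe'
    if (-not (Test-Path $citool)) { Write-Warning 'CiTool.exe not present on this build'; return }
    $json = & $citool --list-policies --json | Out-String
    ($json | ConvertFrom-Json).Policies |
        Select-Object PolicyID, FriendlyName, IsEnforced, IsAuthorized, IsOnDisk, IsSystemPolicy
}

$cip = Get-ChildItem -Path $CipDir -Filter '*.cip' | Select-Object -First 1
if (-not $cip) { throw "No .cip found in $CipDir; run ConvertFrom-CIPolicy first." }

$payload = New-WdacOmaUriPayload -CipPath $cip.FullName
"OMA-URI : $($payload.OmaUri)"
"Type    : $($payload.DataType)  ($($payload.SizeBytes) bytes)"
$payload.Base64 | Set-Content -Path (Join-Path $CipDir "$($payload.PolicyGuid).b64")

# After the device has synced: IsEnforced tells you whether the loaded version is the audit
# or the enforced build. Emergency rollback on a pilot box: citool --remove-policy "{GUID}"
# (unsigned policies only; a signed policy needs a signed replacement), or unassign the profile.
Get-WdacPolicyState | Format-Table -AutoSize
```

Run the state check on the pilot group before and after each version bump; a policy that shows IsOnDisk but not IsAuthorized has been delivered but not accepted, which is the symptom of a malformed or wrongly named binary rather than a policy rule problem.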

Monitoring and Reporting

Intune provides:

  • Compliance reporting for policy deployment status
  • Device configuration monitoring
  • Integration with Microsoft Defender for advanced analytics
  • Custom reporting through Graph API

Management Benefits

  • Centralised policy management
  • Automated deployment to device groups
  • Version control for policy updates
  • Rollback capabilities for problematic policies

Next Steps

Check out my next article on configuration of WDAC. We will go over the steps to configure a base policy and supplemental policy using SpyNetGirl's App Control Manager.

Recommended Reading

  • WDAC Configuration Guide: Detailed setup instructions
  • App Control Manager Documentation: Advanced policy creation
  • Microsoft Defender Integration: Enhanced monitoring and response
  • Troubleshooting Guide: Common issues and solutions

Tools and Resources

  • App Control Manager: Comprehensive WDAC management tool
  • WDAC Wizard: Microsoft's official policy creation tool
  • PowerShell WDAC Cmdlets: Command-line policy management
  • Microsoft Security Compliance Toolkit: Additional security baselines

💡 Pro Tip
Always maintain a test environment that mirrors your production setup. This allows you to validate policy changes before deploying to live systems and helps prevent unexpected application blocks.