Chapter 14 – Windows Defender Application Control (WDAC)
Windows Server Group Policy (GPO) Master Handbook
Chapter 14 – Windows Defender Application Control (WDAC)
Learning Objectives
Understand WDAC architecture, code integrity policies, deployment methods, audit mode, enforcement mode, and enterprise application control.
1. What is WDAC?
Windows Defender Application Control (WDAC), also called App Control for Business, allows organizations to define trusted applications using code integrity policies. WDAC provides stronger protection than AppLocker because it operates at the kernel level and can restrict unsigned or untrusted code before execution.
2. GPO Path
Computer Configuration → Administrative Templates → System → Device Guard (legacy policy location for many WDAC settings). Modern WDAC policies are created as Code Integrity (CI) policies and deployed through management tools.
3. WDAC Components
Code Integrity Policy (CIP), Intelligent Security Graph (ISG), Managed Installer, Supplemental Policies, User Mode Code Integrity (UMCI), Kernel Mode Code Integrity (KMCI).
4. Deployment Modes
Audit Mode records events without blocking applications. Enforced Mode blocks applications that do not satisfy the policy. Always validate in Audit Mode before switching to enforcement.
5. Policy Creation
Create baseline policies using PowerShell, merge supplemental policies, sign policies when required, and deploy through Group Policy, Microsoft Intune, Configuration Manager, or scripts depending on the environment.
6. Managed Installer
A managed installer such as Microsoft Configuration Manager can mark applications it installs as trusted, reducing administrative effort.
7. Enterprise Best Practices
Start with Microsoft's recommended base policy, pilot on test devices, review audit events, maintain change documentation, and create supplemental policies for business applications.
8. PowerShell Commands
New-CIPolicy
Merge-CIPolicy
ConvertFrom-CIPolicy
Set-RuleOption
Get-CimInstance Win32_DeviceGuard
9. Event Logs
Event Viewer → Applications and Services Logs → Microsoft → Windows → CodeIntegrity → Operational. Review audit and enforcement events before production rollout.
10. Troubleshooting
Verify the Code Integrity policy is deployed, review CodeIntegrity operational logs, confirm Secure Boot and virtualization-based security requirements where applicable, test with audit mode first, and check effective policy version.
11. Comparison: WDAC vs AppLocker
WDAC offers stronger kernel-level enforcement and is recommended for high-security environments. AppLocker is simpler to manage for many organizations and focuses on user-mode application control.
12. Interview Questions
What is WDAC? How is WDAC different from AppLocker? What is a Code Integrity Policy? Why should Audit Mode be used before enforcement?
13. Practical Lab
Generate a baseline Code Integrity policy, deploy it in Audit Mode to a test computer, review CodeIntegrity logs, then enable Enforced Mode after validating application compatibility.
WDAC Quick Reference
Feature | Recommendation | Purpose |
Audit Mode | Use first | Compatibility testing |
Enforced Mode | After validation | Application control |
Managed Installer | Enable if available | Trust enterprise-installed apps |
Supplemental Policies | Use | Add approved applications |
Code Integrity Logs | Review regularly | Troubleshooting |
Secure Boot | Enable | Improve trust chain |
VBS/HVCI | Enable where supported | Enhanced protection |
Official Microsoft Learn
Comments
Post a Comment