Chapter 14 – Windows Defender Application Control (WDAC)

 Windows Server Group Policy (GPO) Master Handbook

Chapter 14 – Windows Defender Application Control (WDAC)

Learning Objectives

Understand WDAC architecture, code integrity policies, deployment methods, audit mode, enforcement mode, and enterprise application control.

1. What is WDAC?

Windows Defender Application Control (WDAC), also called App Control for Business, allows organizations to define trusted applications using code integrity policies. WDAC provides stronger protection than AppLocker because it operates at the kernel level and can restrict unsigned or untrusted code before execution.

2. GPO Path

Computer Configuration → Administrative Templates → System → Device Guard (legacy policy location for many WDAC settings). Modern WDAC policies are created as Code Integrity (CI) policies and deployed through management tools.

3. WDAC Components

Code Integrity Policy (CIP), Intelligent Security Graph (ISG), Managed Installer, Supplemental Policies, User Mode Code Integrity (UMCI), Kernel Mode Code Integrity (KMCI).

4. Deployment Modes

Audit Mode records events without blocking applications. Enforced Mode blocks applications that do not satisfy the policy. Always validate in Audit Mode before switching to enforcement.

5. Policy Creation

Create baseline policies using PowerShell, merge supplemental policies, sign policies when required, and deploy through Group Policy, Microsoft Intune, Configuration Manager, or scripts depending on the environment.

6. Managed Installer

A managed installer such as Microsoft Configuration Manager can mark applications it installs as trusted, reducing administrative effort.

7. Enterprise Best Practices

Start with Microsoft's recommended base policy, pilot on test devices, review audit events, maintain change documentation, and create supplemental policies for business applications.

8. PowerShell Commands

New-CIPolicy
Merge-CIPolicy
ConvertFrom-CIPolicy
Set-RuleOption
Get-CimInstance Win32_DeviceGuard

9. Event Logs

Event Viewer → Applications and Services Logs → Microsoft → Windows → CodeIntegrity → Operational. Review audit and enforcement events before production rollout.

10. Troubleshooting

Verify the Code Integrity policy is deployed, review CodeIntegrity operational logs, confirm Secure Boot and virtualization-based security requirements where applicable, test with audit mode first, and check effective policy version.

11. Comparison: WDAC vs AppLocker

WDAC offers stronger kernel-level enforcement and is recommended for high-security environments. AppLocker is simpler to manage for many organizations and focuses on user-mode application control.

12. Interview Questions

What is WDAC? How is WDAC different from AppLocker? What is a Code Integrity Policy? Why should Audit Mode be used before enforcement?

13. Practical Lab

Generate a baseline Code Integrity policy, deploy it in Audit Mode to a test computer, review CodeIntegrity logs, then enable Enforced Mode after validating application compatibility.

WDAC Quick Reference

Feature

Recommendation

Purpose

Audit Mode

Use first

Compatibility testing

Enforced Mode

After validation

Application control

Managed Installer

Enable if available

Trust enterprise-installed apps

Supplemental Policies

Use

Add approved applications

Code Integrity Logs

Review regularly

Troubleshooting

Secure Boot

Enable

Improve trust chain

VBS/HVCI

Enable where supported

Enhanced protection

Official Microsoft Learn

App Control for Business (WDAC)

WDAC Design Guide

Deploy WDAC Policies

ConfigCI PowerShell

Comments

Popular posts from this blog

IIS Installation and Application configuration windows swerver

IIS Self Signed

Here’s a step-by-step guide on configuring WDS on Windows Server