Implementing WDAC and AppLocker
A high level guide to help you get application control policies applied to your Windows devices
In my work, we use a combination of Windows Defender Application Control and AppLocker to secure our devices and prevent unsanctioned software from running, as part of the Australian Essential 8 policy.
The rules we had in place essentially boiled down to: if the user wasn't authorised by an AAD group to have that software, or it wasn't a standard part of the SOE, we were instructed to ensure it was blocked.
We initially started off with AppLocker, but this did not scale well, requiring separate policies for each combination of apps we might have installed.
So, enter WDAC. This allows us to "stack" policies using supplemental policies that we apply based on user group membership.
WDAC
WDAC starts from a block-all (deny by default) approach, and every policy built on top of that is essentially an allow list. Because of this approach, it's entirely possible to render a device unbootable.
Our base policy - all users and devices get this policy:
- turns on HVCI/Core Isolation
- adds the Microsoft code signing certificates to an allowlist
- enables enforcement
- explicitly enables scripts - AppLocker takes care of scripts (see below)
We then attach a supplemental policy to enable execution in:
- C:\Windows
- C:\Program Files
- C:\Program Files (x86)
We add these because I bricked so many VMs that rebuilding them or restoring from snapshots was getting quite tedious!
For developers we have another WDAC policy that allows executables in the C:\Users directory. For standard users, it's normally blocked.
We then add a separate WDAC policy for any apps that for some reason can only be installed in the user profile. I hate these apps. These policies allow the code signing certificate that's attached to those apps. If there's no certificate, we deny its installation.
All these policies were built using the command line tools. I found the wizard annoying and troublesome.
I recommend keeping all your policies in source control like Git so you have a managed backup of them somewhere. You should do the same for any scripts you write.
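As an added example (not the author's own scripts), this is how the base and supplemental policies described above can be built with the ConfigCI cmdlets; the output folder, policy names and the use of Microsoft's AllowMicrosoft.xml example policy as the starting point are assumptions.

```powershell
# Added example: build the base + supplemental WDAC policies with the
# ConfigCI cmdlets. Output folder and policy names are assumptions.
param([switch]$Enforce)            # omit while collecting logs in audit mode
$Out = 'C:\WDAC\policies'          # assumed path; keep this folder in Git
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# --- Base policy: start from Microsoft's AllowMicrosoft example policy,
#     which already carries the Microsoft code-signing certificates.
$Base = Join-Path $Out 'Base.xml'
Copy-Item 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml' $Base
Set-CIPolicyIdInfo -FilePath $Base -PolicyName 'Base-AllowMicrosoft' -ResetPolicyID | Out-Null
Set-RuleOption -FilePath $Base -Option 0    # Enabled:UMCI - govern user-mode code too
Set-RuleOption -FilePath $Base -Option 17   # Enabled:Allow Supplemental Policies
Set-RuleOption -FilePath $Base -Option 11   # Disabled:Script Enforcement - AppLocker owns scripts
if ($Enforce) { Set-RuleOption -FilePath $Base -Option 3 -Delete }   # remove Enabled:Audit Mode
else          { Set-RuleOption -FilePath $Base -Option 3 }           # keep Enabled:Audit Mode
Set-HVCIOptions -Enabled -FilePath $Base    # turn on HVCI / Core Isolation

# --- Supplemental policy: file path allow rules for the standard install locations.
$Rules = @()
foreach ($dir in 'C:\Windows\*', 'C:\Program Files\*', 'C:\Program Files (x86)\*') {
    $Rules += New-CIPolicyRule -FilePathRule $dir
}
$Supp = Join-Path $Out 'Supp-StandardPaths.xml'
New-CIPolicy -FilePath $Supp -Rules $Rules -MultiplePolicyFormat -UserPEs
Set-CIPolicyIdInfo -FilePath $Supp -PolicyName 'Supp-StandardPaths' -BasePolicyToSupplementPath $Base

# --- Compile each XML to the binary the CI engine loads. The file must be named
#     <PolicyID>.cip and end up in C:\Windows\System32\CodeIntegrity\CiPolicies\Active.
foreach ($xml in $Base, $Supp) {
    $id  = ([xml](Get-Content $xml)).SiPolicy.PolicyID
    $bin = Join-Path $Out "$id.cip"
    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin | Out-Null
    Write-Host "Built $bin - snapshot the test VM before deploying it"
}
```

Run it without `-Enforce` first so the base policy stays in audit mode; rerun with `-Enforce` once the audit logs come back clean.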
AppLocker
MSIs are blocked with an AppLocker policy. It prevents standard users from running MSIs, but allows local admins to run them.
An EXE policy is applied to all users to block:
- fsquirt.exe to block Bluetooth file transfers
- other undesirable apps that no user, dev or otherwise, should be running (such as Zoom - it's banned in our org) - blocked using the app's code signing certificate.
Scripts are blocked using AppLocker - this policy is separate from the others as we have a requirement for some users to run scripts. It's tied to an AAD group.
Implementation
1. Collect a list of all applications out in your environment and evaluate which ones you need and which ones can be removed.
2. Implement them into Intune. We want to get to a point where the only method for installing apps is via the Company Portal. Use Hyper-V for testing so you can take snapshots and roll back if needed.
3. Start implementing application control policies in audit mode only. Collect logs.
4. Test, test, test. And when you think you've done enough testing, go back to step 4!
5. Take a snapshot of your test VM, and apply the policies in enforce mode.
6. Test to ensure you can install all apps from the Company Portal, and that they all run as expected - you may need to bring in other users to your test group if they have specific needs (for example: we use a third party ClickOnce app that once running downloads additional executables. I don't have access to this app to test).
7. Rollout. Slowly.
This is the culmination of almost a year's worth of work. It won't happen overnight, and I had so many false starts and errors and "throw my hands up in the air and give up" moments while trying to design and build this that I think I went prematurely grey.
Though once you get the procedures down, it's actually not that difficult to do.
Update 2024-08-16: I've written a guide to deploying WDAC. See the following articles: