Windows Defender Application Control (WDAC) Implementation - Part 1: Introduction
Part 1 in a guide to setting up Windows Defender Application Control (WDAC)
WDAC is implemented using XML files that describe which programs are allowed to run. It takes a whitelist (allow-list) approach: once a WDAC policy is enforced, every program that the policy does not explicitly allow is blocked. For this reason, I recommend that all testing be done in a Virtual Machine where a snapshot of the device's state can be taken before the policy is applied.
There is a wizard tool that can be downloaded from Microsoft (see: https://webapp-wdac-wizard.azurewebsites.net/), but I had nothing but trouble with it. For these articles I'll be using PowerShell only.
I also recommend that all work be completed in a directory that is under source control using GitHub or similar. This way you have a documented history of changes to your policies.
Over the next few articles, we'll implement a basic policy that only allows the following types of apps to run:
- any executables signed with a Microsoft certificate
- any executables in:
  - C:\Windows
  - C:\Program Files
  - C:\Program Files (x86)
We'll also implement an example policy that allows an app like Postman, which installs into the user profile, to run, as well as a sample policy targeted at developers who need to run unsigned code from within their user profile.
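As an added example (not code from the original article), here is how the base policy described above can be assembled with the built-in ConfigCI cmdlets in audit mode, so that a test VM logs what would have been blocked instead of blocking it. It assumes an elevated PowerShell session on Windows 10 1903 or later and a working directory of C:\WDAC.

```powershell
# Added example, not from the original article.
# Assumed working directory; keep it under source control as recommended above.
$WorkDir = 'C:\WDAC'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Start from Microsoft's shipped AllowMicrosoft example policy, which already
#    allows binaries signed by Microsoft certificates.
$Base = Join-Path $WorkDir 'BasePolicy.xml'
Copy-Item 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml' $Base

# 2. Build file-path allow rules for the three trusted directories.
#    Caveat: WDAC only honours a path rule for user-mode binaries, and only if the
#    file's location is not writable by standard users (checked at run time), so a
#    user-writable subfolder under C:\Windows does not become a free pass.
$PathRules = @()
foreach ($Dir in 'C:\Windows\*', 'C:\Program Files\*', 'C:\Program Files (x86)\*') {
    $PathRules += New-CIPolicyRule -FilePathRule $Dir
}

# 3. Merge the base policy with the path rules into one policy XML.
$Merged = Join-Path $WorkDir 'MergedPolicy.xml'
Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $Base -Rules $PathRules

# 4. Rule options: enforce user-mode code integrity, but stay in AUDIT mode so
#    violations are only logged (Microsoft-Windows-CodeIntegrity/Operational, event 3076)
#    and nothing is blocked while testing in the VM.
Set-RuleOption -FilePath $Merged -Option 0    # Enabled:UMCI
Set-RuleOption -FilePath $Merged -Option 3    # Enabled:Audit Mode
Set-RuleOption -FilePath $Merged -Option 9    # Enabled:Advanced Boot Options Menu (recovery)
Set-RuleOption -FilePath $Merged -Option 16   # Enabled:Update Policy No Reboot

# 5. Give the policy its own ID (multiple-policy format) and compile to the binary
#    form the kernel consumes, named after that ID.
Set-CIPolicyIdInfo -FilePath $Merged -ResetPolicyID -PolicyName 'Base Audit Policy' | Out-Null
$PolicyId = ([xml](Get-Content $Merged)).SiPolicy.PolicyID
$Binary   = Join-Path $WorkDir "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary

# Deployment (only on a snapshotted VM) is copying $Binary to
# C:\Windows\System32\CodeIntegrity\CiPolicies\Active\ and rebooting.
```

Removing option 3 with Set-RuleOption -Delete later switches the same policy to enforced mode, which is why audit-mode testing in a VM first is the safe path.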