Windows Defender Application Control (WDAC) Implementation - Part 1: Introduction

Part 1 in a guide to setting up Windows Defender Application Control (WDAC)


WDAC is implemented using XML policy files that describe which programs are allowed to run. It takes an allow-list (whitelist) approach: once a WDAC policy is enforced, every program is blocked unless the policy explicitly allows it. For this reason, I recommend that all testing be done in a virtual machine where a snapshot of the device's state can be taken before applying the policy.

There is a wizard tool that can be downloaded from Microsoft (see: https://webapp-wdac-wizard.azurewebsites.net/), but I had nothing but trouble with it. For these articles I'll be using PowerShell only.

I also recommend that all work be completed in a directory that is under source control using GitHub or similar. This way you have a documented history of changes to your policies.

Over the next few articles, we'll implement a basic policy that only allows the following types of apps to run:

  • any executables signed with a Microsoft certificate
  • any executables in:
    • C:\Windows
    • C:\Program Files
    • C:\Program Files (x86)

We'll also implement an example policy that allows an app like Postman, which installs to the user profile, to run, as well as a sample policy targeted at developers who need to run unsigned code from within their user profile.
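As an added example (not code from the article series itself), here is how the base policy described in the list above can be built with the ConfigCI PowerShell cmdlets: Microsoft's shipped AllowMicrosoft.xml template supplies the Microsoft-signer rule, path rules supply the three directories, and the result is compiled in audit mode and left undeployed. It assumes an elevated PowerShell session on a test VM; `C:\WDAC` and the policy name are placeholders.

```powershell
# Added example, not from the original article. Builds the base policy described
# above in audit mode and compiles it without activating it.
# Assumptions: elevated PowerShell on a test VM; $PolicyDir is a placeholder path.
$PolicyDir = 'C:\WDAC'                       # keep this folder under source control
$BaseXml   = Join-Path $PolicyDir 'BasePolicy.xml'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# 1. Start from the template Windows ships that allows anything signed by Microsoft.
$Template = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml'

# 2. Create FilePath rules for the three directories. WDAC only honours path rules
#    for locations standard users cannot write to, which these are by default.
$PathRules = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    New-CIPolicyRule -FilePathRule (Join-Path $dir '*')
}

# 3. Merge the template and the path rules into our own policy XML.
Merge-CIPolicy -OutputFilePath $BaseXml -PolicyPaths $Template -Rules $PathRules | Out-Null

# 4. Give the policy its own name and ID (multiple-policy format) and keep it in
#    audit mode, so executions that would be blocked are only logged
#    (CodeIntegrity operational log, Event ID 3076) rather than denied.
Set-CIPolicyIdInfo -FilePath $BaseXml -PolicyName 'Base policy (audit)' -ResetPolicyID | Out-Null
Set-RuleOption -FilePath $BaseXml -Option 3          # Enabled:Audit Mode
Set-RuleOption -FilePath $BaseXml -Option 0          # Enabled:UMCI (cover user-mode code)

# 5. Compile to the binary the kernel loads; its file name must be the policy GUID.
$PolicyId = ([xml](Get-Content -Path $BaseXml)).SiPolicy.PolicyID
$Binary   = Join-Path $PolicyDir "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $BaseXml -BinaryFilePath $Binary | Out-Null
Write-Host "Audit-mode policy compiled to $Binary. Snapshot the VM before activating it."
```

Review the resulting XML and the audit events before switching the policy to enforcement (remove option 3 with `Set-RuleOption -FilePath $BaseXml -Option 3 -Delete`), since anything outside the signer and path rules will then be blocked.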