Windows Defender Application Control (WDAC) allows controlling which applications and drivers can run in Windows. Microsoft provides a recommended list of apps and drivers that should be blocked. Our example implementation shows how to distribute block rules using Microsoft Intune. WDAC is available in Windows 10 build 1903 and higher and Windows 11. In addition, it is available in Windows Server operating systems, including Windows Server 2016 and higher.

WDAC provides rules-based application security, allowing rules to restrict the execution of binaries. So, using WDAC, we can implement a blacklist or whitelist to block applications. The recommended block rules are a list of applications that attackers commonly use to bypass Windows Defender Application Control. Unless you need these applications, Microsoft recommends disabling them.

The recommended driver block rules are designed to harden systems against third-party-developed drivers used across the Windows landscape that contain the following:

  • Known vulnerabilities—Skilled attackers easily exploit drivers that have known vulnerabilities for privilege escalation.
  • Malware—Drivers that demonstrate malicious behavior or are associated with certificates known to sign malicious code.
  • Security compromising behaviors—Any drivers that exhibit behaviors known to circumvent the Windows security model can be used by attackers for privilege escalation and compromising the Windows kernel.

Implement Microsoft-recommended block rules ^

The two most common ways to apply WDAC policy rules are by using an MDM solution, such as Microsoft Intune, or the traditional policy enforcement approach of Active Directory Group Policies. However, you can also use Microsoft Endpoint Manager Configuration Manager (MEMCM), using the on-premises management solution to manage desktops and servers, or a configuration script to roll out the WDAC rules deployment.

You can obtain the XML version of the policy block rules here:

On both pages, you will see the XML code you can copy and save to a file on your administrative workstation.

Downloading the WDAC recommended block rules

Downloading the WDAC recommended block rules

Navigating to Microsoft Endpoint Manager and Intune, we select Device > configuration profile to create a profile that allows us to use the XML files for both the recommended block rules and the driver block rules for WDAC.

On the Create a profile blade, populate the following settings:

  • Platform—Windows 10 and later
  • Profile type—Templates
  • Template name—Custom
Creating a new device configuration profile in Intune

Creating a new device configuration profile in Intune

This launches a new custom device configuration profile wizard. The first step is to name the new configuration profile.

Name the new device configuration profile

Name the new device configuration profile

The second page of the new configuration profile wizard is the one to pay attention to. It contains information about the custom device configuration profile. Populate the name and description field as well as the OMA-URI. This is a string filled with information you get from the policy text you download from Microsoft:

For the custom template, we use the OMA-URI base string of ./Vendor/MSFT/ApplicationControl/Policies/{Policy ID}/Policy according to the documentation from Microsoft.

  • Replace the policy ID in the braces above with the PolicyTypeID in the policy file downloaded from Microsoft.
    • The completed string will look like this: ./Vendor/MSFT/ApplicationControl/Policies/A244370E-44C9-4C06-B551-F6016E563076/Policy
  • Data type—Since the policy text downloaded from Microsoft is in XML format, we choose String (XML file).
Getting the policy ID from the policy file

Getting the policy ID from the policy file

Use the information above to complete the OMA-URI Settings page.

Setting the new device configuration profile

Setting the new device configuration profile

The OMA-URI settings are now entered on the configuration settings screen.

The configuration settings with the OMA URI are now configured

The configuration settings with the OMA URI are now configured

On the Assignments screen, choose the users, groups, or devices to which you want to assign the new WDAC configuration profile.

Configure the assignment settings for the new device configuration profile

Configure the assignment settings for the new device configuration profile

You can just click Next on the Applicability Rules screen.

Click Next on Applicability Rules

Click Next on Applicability Rules

Finally, on the Review + create screen, review the configuration settings and click the Create button.

The WDAC configuration profile is now listed on the device Configuration profiles screen.

The new WADC configuration profile is listed among the device configuration profiles

The new WADC configuration profile is listed among the device configuration profiles

Using this method, you can import both the recommended block rules and driver block rules and apply the WDAC rules through the device configuration profiles.

Wrapping up ^

Windows Defender Application Control (WDAC) is a solution built into Windows 10 and 11. It allows organizations to control the trust level of applications users can execute on their end-user clients.

Subscribe to 4sysops newsletter!

Using modern endpoint management, such as Microsoft Endpoint Manager with Intune, you can easily apply the WDAC rules using device configuration profiles. Learn more about Windows Defender Application Control (WDAC) here.

avataravatar
2 Comments
  1. bgavin 5 months ago

    Interesting article.
    It appears the Windows open operating system is going the direction of the Mac and many commercial firewalls. It is moving away from Promiscuous mode to Restricted. I’m not a Mac guy, but I can understand the value of a closed system, same as a closed firewall, to keep the bad actors at bay.

  2. Tony Pieromaldi 4 months ago

    hi there. I am following these instructions verbatim but cannot get this to work on my Intune test machine. The error code given in Intune is 0x87d10190, any ideas? Thanks

Leave a reply

Your email address will not be published.

*

© 4sysops 2006 - 2022

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account