Skip to main content

148: WDAC / App Control

Overview

Windows Defender Application Control (WDAC) and Windows App Control are powerful tools for managing and securing applications on Windows devices. Here's a detailed overview:

Benefits

  1. Enhanced Security: WDAC helps prevent unauthorized applications from running, reducing the risk of malware and other security threats.
  2. Compliance: Helps meet regulatory and organizational security requirements by enforcing strict application control policies.
  3. Centralized Management: Intune allows you to manage WDAC policies from a single console, simplifying administration.
  4. Flexibility: Supports multiple policy formats and configurations, allowing you to tailor policies to your organization's needs.

Drawbacks

  1. Initial Setup Complexity: Configuring WDAC policies can be complex and time-consuming, especially for large organizations.
  2. Potential for Application Blockage: Legitimate applications might be blocked if not properly whitelisted, requiring careful planning and testing.
  3. Maintenance: Ongoing maintenance is required to update policies and ensure they remain effective.

Impact on End Users

  • Improved Security: Users benefit from enhanced security without needing to take additional actions.
  • Potential Disruption: Users might experience disruption if legitimate applications are blocked, requiring support intervention.
  • User Training: Some users might need training to understand the new application control policies.

Steps to Deploy WDAC

  1. Plan Your Deployment: Identify the devices you'll manage with WDAC and split them into deployment rings to control the speed and scale of the deployment.
  2. Create a Policy: In Intune, create a new WDAC policy. Navigate to Device configuration > Profiles > Create profile. Choose Windows 10 and later as the platform, and select Endpoint Protection from the profile type drop-down.
  3. Configure Settings: Define the applications and scripts that are allowed to run. You can use built-in policies or create custom policies using OMA-URI settings.
  4. Convert Policy to Binary: Convert your WDAC policy XML to binary using PowerShell, as WDAC policies must be in binary format for deployment.
  5. Deploy the Policy: Assign the policy to the appropriate groups of devices or users. Ensure to test the policy in audit mode before enforcing it to monitor and adjust as needed².
  6. Monitor and Adjust: Continuously monitor the deployment and make adjustments based on feedback and observed behavior.

Tying to Zero Trust

Zero Trust is a security model that assumes no implicit trust and continuously verifies every request. Deploying WDAC through Intune aligns with Zero Trust principles by:

  • Ensuring Secure Access: WDAC enforces strict application control, ensuring only trusted applications can run.
  • Continuous Verification: Regularly updated policies help maintain secure access, aligning with the continuous verification aspect of Zero Trust.
  • Reducing Attack Surface: By controlling which applications can run, WDAC reduces the potential attack surface.

Reference