
Protecting devices against malware and other undesirable applications using Windows Defender Application Control

Introduction to WDAC

WDAC (Windows Defender Application Control) is a security feature in Windows Enterprise that allows administrators to control which apps and files are allowed to run on a device. WDAC helps organizations prevent malware and other unwanted software from executing on a device. It also provides a way to control which apps can access sensitive data and resources, such as the Windows registry or the file system. The feature can be managed using either an MDM solution or Group Policy.

WDAC is important because it helps to protect against malware and other unwanted software, and can also help to limit the potential damage if a device is compromised.

  1. Malware Protection: WDAC can be used to block known malicious software from executing on a device, helping to protect against cyber threats such as viruses, Trojan horses, and ransomware.
  2. Limiting the attack surface: By limiting the permissions and capabilities of apps and files, WDAC can reduce the attack surface of a device. This means that even if a device is compromised, the attacker’s ability to cause damage is limited.
  3. Compliance and regulatory requirements: Some industries and organizations are required to comply with specific regulations or standards that mandate the use of security controls such as application whitelisting. WDAC can be used to meet these requirements.
  4. Reducing the risk of malicious insiders: WDAC can be used to control which apps and files are allowed to run on a device, even if a user with malicious intent is able to log in to the device. This can help to protect against threats from malicious insiders, who may have legitimate access to the device.
  5. Protecting Sensitive Data: WDAC can also be used to control which apps can access sensitive data and resources, such as the Windows registry or the file system. This can help prevent sensitive data from being compromised in case of a malware or other cyber attack.

When to use WDAC?

WDAC can be used in scenarios where the security of the device or network is a high priority, such as in a corporate environment or when handling sensitive data. Some specific use cases where WDAC may be useful include:

  1. Preventing malware and other unwanted software from running on a device.
  2. Enforcing a “least privilege” model.
  3. Some industries and organizations are required to comply with specific regulations or standards that mandate the use of security controls such as application whitelisting.
  4. WDAC can be used to control which apps and files are allowed to run on a device, even if a user with malicious intent is able to log in to the device.

It is important to note that while WDAC can be an effective security measure, it should be used as part of a comprehensive security strategy and should be carefully configured to meet the specific needs of your organization.

Configuring WDAC on managed devices using Intune.

When it comes to WDAC, Intune can be used to deploy and configure the feature across an organization. This includes setting the level of protection, creating and managing the list of allowed and blocked apps, and monitoring the compliance of devices.

With Intune, you can use the following features for WDAC:

  1. Deploy WDAC policies: Intune allows you to deploy WDAC policies to Windows 10 devices to control which apps and files are allowed to run.
  2. Create and manage your list of allowed and blocked apps: You can use Intune to create a list of apps that are allowed to run on devices and a list of apps that are blocked. This can be done through the use of AppLocker rules.
  3. Monitor compliance: Intune can be used to monitor the compliance of Windows 10 devices with your WDAC policies. This allows you to track the devices that are not compliant with the policies and take corrective action.
  4. Reports: Intune provides several reports on WDAC compliance, including devices that are not compliant with the policies and apps that are blocked or allowed to run. This allows you to identify potential security risks and take action to mitigate them.

Steps to Push WDAC Policy using Intune.

Once you have created the policy XML file with the WDAC Configuration Wizard, you can push that configuration file using either an MDM solution or Group Policy.


Log in to the Microsoft Intune portal (https://endpoint.microsoft.com) and create a new configuration profile for Windows devices.

Type in an appropriate name.

Click on Add to add the WDAC Configuration XML.

Click on Create to create the new profile.


Let the device sync so the profile is pushed to it. The screenshot below shows that denied applications are blocked and the user is unable to run them.
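To confirm on the endpoint that the Intune-pushed policy is actually enforced, and to see which executions it blocked, the following PowerShell can be run elevated on the managed device. This is an added example, not from the original post; the DeviceGuard WMI class, the CiPolicies\Active folder and CodeIntegrity event IDs 3076/3077 are standard Windows locations, and the one-day lookback window is an assumption you can adjust.

```powershell
# Added example: verify WDAC enforcement state and list blocked executions.
# Run elevated on the device that received the Intune profile.

# 1. Enforcement state from the DeviceGuard WMI class.
#    Values: 0 = off, 1 = audit mode, 2 = enforced
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
[PSCustomObject]@{
    KernelModeCI = $dg.CodeIntegrityPolicyEnforcementStatus
    UserModeCI   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
} | Format-List

# 2. Policies the device has loaded. The ApplicationControl CSP copies the
#    binary policy here, named after the PolicyID GUID from the XML.
Get-ChildItem "$env:windir\System32\CodeIntegrity\CiPolicies\Active" -Filter *.cip -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime

# 3. Blocked executions. Event 3077 = blocked (enforced policy),
#    Event 3076 = would have been blocked (audit-mode policy).
$since = (Get-Date).AddDays(-1)   # assumption: look back one day
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 3077) { 'Blocked' } else { 'Audit' }
            File    = $d['File Name']
            Process = $d['Process Name']
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

If UserModeCI reports 1 rather than 2, the policy still has the audit-mode rule option set and the "blocked" application will in fact run, with only a 3076 event recorded.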

Removing WDAC Configuration Profile.

There may come a time when you want to remove one or more WDAC policies, or remove all WDAC policies you’ve deployed. Before removing any policy, you must first disable the method used to deploy it.

You can use the AllowAll.xml configuration file available on the Windows device to remove the WDAC policy. Open the WDAC Configuration Wizard and click on Policy Editor.

Browse to AllowAll.xml on the Windows device.

Click on Edit for Configuration Settings. 

Click on Edit

Once the profile has synced to the devices, you should be able to run the previously blocked applications.
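The same replacement policy can be built with the ConfigCI cmdlets instead of the Wizard's Policy Editor, which also makes the one detail that decides whether removal works explicit: the "allow all" policy must carry the same PolicyID as the policy it replaces, or the device ends up with two policies and stays locked down. This is an added example, not from the original post; the paths under C:\WDAC are assumptions, while the AllowAll.xml location under schemas\CodeIntegrity\ExamplePolicies is where Windows ships it.

```powershell
# Added example: build an "allow all" policy that replaces a deployed WDAC
# policy. Assumptions: $DeployedXml is the XML you pushed through Intune,
# $OutDir is where the replacement is written; adjust both paths.
$DeployedXml = "C:\WDAC\MyEnforcedPolicy.xml"
$OutDir      = "C:\WDAC\Removal"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Read the PolicyID of the policy being removed. The replacement must reuse
# it; a different ID would simply add a second, still-enforced policy.
$policyId = ([xml](Get-Content $DeployedXml)).SiPolicy.PolicyID
if (-not $policyId) { throw "No PolicyID in $DeployedXml (single-policy format?)" }

# Start from the example "allow all" policy that ships with Windows.
$AllowAllXml = Join-Path $OutDir "AllowAll.xml"
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml" $AllowAllXml
Set-CIPolicyIdInfo -FilePath $AllowAllXml -PolicyId $policyId -PolicyName "AllowAll-Removal"

# Rule options: 6 = unsigned policy allowed (drop this and sign the file if
# the original policy was signed), 16 = apply without reboot,
# 3 = audit mode, removed so the resulting state is unambiguous.
Set-RuleOption -FilePath $AllowAllXml -Option 6
Set-RuleOption -FilePath $AllowAllXml -Option 16
Set-RuleOption -FilePath $AllowAllXml -Option 3 -Delete

# The ApplicationControl CSP expects the binary named after the PolicyID GUID.
$cip = Join-Path $OutDir ("{0}.cip" -f $policyId.Trim('{}'))
ConvertFrom-CIPolicy -XmlFilePath $AllowAllXml -BinaryFilePath $cip
Write-Host "Upload $AllowAllXml (or $cip) in the Intune profile that replaces the enforced policy."
```

After the profile syncs, re-check Win32_DeviceGuard on the device: the enforcement status stays 2 because a policy is still present, but CodeIntegrity event 3077 should no longer appear for the applications that were previously denied.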

I hope this is informative for you; please share it if you find it worth sharing.