
What you need to know about Windows Defender Application Control (WDAC)

Posted : 2 December 2024

Posted In : Blogs

Written by:

Sam Jackson, Security Solutions Architect

Cyber threats are smarter and stealthier than ever, and securing your devices calls for controls that stop unknown code before it runs rather than detecting it afterwards. This is where Windows Defender Application Control (WDAC), now called App Control for Business in Microsoft's documentation, comes in. It is a Microsoft security feature that authorises or restricts which applications, scripts and drivers can execute on a Windows device, similar in purpose to the traditional Windows AppLocker.

So why not use AppLocker?

Unlike AppLocker, WDAC offers a more comprehensive and robust approach. AppLocker is enforced by a user-mode service, whereas WDAC policies are enforced by the kernel's Code Integrity component, which is why Microsoft treats WDAC (and not AppLocker) as a security boundary and recommends it over AppLocker. WDAC also follows a more restrictive model: an application runs only if an IT administrator has authorised it in a WDAC security policy, or if the policy permits reputation-based authorisation and the application has gained a trusted reputation through the Microsoft Intelligent Security Graph (ISG). All of this, together with stronger integration with Defender for Endpoint and Microsoft Intune, makes WDAC the better fit.

WDAC and Microsoft Defender Antivirus are complementary, independent checks. When an application is launched, Code Integrity evaluates the file against the WDAC policy, and Defender's real-time protection scans it for known threats; the application runs only if it is authorised by the policy AND contains no known threat. WDAC does not replace anti-virus: it stops unauthorised code, including code no signature yet detects, but it will not find malware inside an application you have chosen to authorise.

Microsoft Intune now plays a big part in WDAC. By designating the Intune Management Extension as a 'Managed Installer' in your WDAC security policy, any application that Intune installs is automatically trusted, so you can authorise applications published from Intune without writing a rule for every application, path and folder. One caveat: managed installer trust covers the files the installer writes at install time, so an application that later updates itself outside Intune will need its own rule or a re-deployment through Intune.

Microsoft Intune also offers a small collection of built-in WDAC controls, which can be turned on without configuring XML policies. If you need more than the built-in controls allow, there is a useful WDAC Wizard that will create the XML policies for you. We'll touch on that later.

Why do you need it?

WDAC reduces your attack surface by blocking unauthorised or malicious applications before they run, which removes the foothold that threats such as malware rely on.

Often, your organisation has to abide by security standards that require controls around application execution, or you may have a specific requirement to lock down a certain subset of devices (such as student devices in education) to reduce the risk of malicious activity.

WDAC can also reduce the IT overhead of reviewing anti-virus incidents generated when an unwanted installer or application is executed, because it applies a Zero Trust model to code: unless the IT administrator has authorised the application, or the Microsoft Intelligent Security Graph (ISG) vouches for it, it does not run.

So how does WDAC work?

There are various ways to configure WDAC, and the level of complexity will ultimately determine how and where you configure your WDAC policies. The easiest way to configure WDAC is by using Microsoft Intune built-in WDAC controls, which can be assigned to a group of devices or users, just like a configuration profile.

Although this is a 'quick win', the built-in controls lack the granularity needed for deploying larger applications, such as the CAD software typically used in manufacturing. Additionally, you may not have the in-house skills to package Win32 applications with the Microsoft Win32 Content Prep Tool ("IntuneWinAppUtil") so that Intune can install them as a managed installer.

The WDAC Wizard

The WDAC Wizard is a GUI that allows the IT administrator to configure an XML security policy without the need to write the XML file line by line.  On the Home screen, you’ll be able to create, edit or merge a WDAC security policy and then select your type of policy to create.

To keep it short and sweet: the single policy format is the legacy 'one policy for all' layout that supports only one WDAC policy per device, whereas the multiple policy format (Windows 10 1903 and later) allows a base policy plus supplemental policies to coexist, so you can add allow rules for a group of devices without touching the base.

For this example, we’ll keep it simple and create a new single policy format with a base policy.

The WDAC Wizard provides three templates, depending on the level of control you want to enforce on your Windows devices.

'Default Windows Mode' is the most restrictive template: by default it authorises only the core Windows OS components, Microsoft Store applications, Office 365 and WHQL-signed kernel drivers.

'Allow Microsoft Mode' allows everything in the Default template and additionally any application signed by Microsoft, such as Microsoft Edge.

'Signed and Reputable Mode' builds on Allow Microsoft Mode and integrates the Microsoft Intelligent Security Graph (ISG), which leverages the same intelligence that powers Microsoft Defender SmartScreen and Microsoft Defender Antivirus to decide whether an application has a good enough reputation to run.

I’ll use the ‘Allow Microsoft Mode’.

From there, you can select the controls you want to implement and designate Microsoft Intune as your trusted Managed Installer.

Once you've decided your policy rules, you'll be able to see the list of trusted signers, which, as you can see, already contains the signers and components that the 'Allow Microsoft Mode' template authorises.

So, where do I whitelist my applications?

You can create custom rules by selecting the rule type (publisher, file path, file attributes or hash) and pointing the wizard at a reference file or folder that identifies the application. Prefer publisher rules wherever the application is signed: a path rule trusts whatever lands in that location, so it belongs only on paths that standard users cannot write to (WDAC itself refuses to honour a path rule at runtime if the path is user-writable, unless you explicitly disable that protection). Once done, export the XML configuration and, in the Intune application control policy, change the dropdown from 'use built-in controls' to 'use XML configuration file' and upload it.
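The same workflow can be driven from the ConfigCI PowerShell module that ships with Windows, which is useful when you want the policy in source control or need to rebuild it repeatably. The block below is an added example written for this article, not code from the original post or from Microsoft; it assumes an elevated PowerShell session on a Windows 10 1903 or later administrator workstation, and the working folder C:\WDAC, the vendor name ContosoCAD and its install path are hypothetical.

```powershell
# Added example: build an 'Allow Microsoft' base policy with custom rules for a signed
# line-of-business application, the way the WDAC Wizard does, using the ConfigCI cmdlets.
# Run elevated. C:\WDAC and ContosoCAD are assumptions for the illustration.

$Work = 'C:\WDAC'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Start from the template the Wizard calls 'Allow Microsoft Mode'. The example
#    policies are installed with Windows under the CodeIntegrity schema folder.
$Base = Join-Path $Work 'ContosoBase.xml'
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml" $Base

# 2. Give the policy its own name and a fresh GUID. -ResetPolicyID also converts the
#    file to the multiple policy format, so supplemental policies can be added later.
Set-CIPolicyIdInfo -FilePath $Base -PolicyName 'Contoso Allow Microsoft' -ResetPolicyID | Out-Null

# 3. Rule options. Numbers are the documented Set-RuleOption indexes:
#    3  Enabled:Audit Mode                  (log, do not block, until the audit review is done)
#    13 Enabled:Managed Installer           (trust what the Intune Management Extension installs;
#                                            Intune adds the matching AppLocker rule collection)
#    16 Enabled:Update Policy No Reboot
#    17 Enabled:Allow Supplemental Policies
3, 13, 16, 17 | ForEach-Object { Set-RuleOption -FilePath $Base -Option $_ }

# 4. Custom rules for the application. A FilePublisher rule survives version upgrades
#    by the same signer; Hash is the fallback if the file turns out to be unsigned.
#    The path rule covers unsigned helper files and points only at an admin-writable path.
$AppExe = 'C:\Program Files\ContosoCAD\ContosoCAD.exe'   # assumed path
$Rules  = New-CIPolicyRule -Level FilePublisher -Fallback Hash -DriverFilePath $AppExe
$Rules += New-CIPolicyRule -FilePathRule 'C:\Program Files\ContosoCAD\*'

# 5. Merge the rules into the base and compile the XML into the binary the OS loads.
#    In multiple policy format the binary must be named {PolicyID}.cip.
$Merged = Join-Path $Work 'ContosoBase.merged.xml'
Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $Base -Rules $Rules | Out-Null
$PolicyId = ([xml](Get-Content $Merged)).SiPolicy.PolicyID
$Bin = Join-Path $Work "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Bin | Out-Null

# 6. Upload $Merged to Intune ('use XML configuration file'), or test it on one
#    machine first. CiTool.exe ships with Windows 11 22H2 and later.
if (Get-Command CiTool.exe -ErrorAction SilentlyContinue) {
    CiTool.exe --update-policy $Bin
    CiTool.exe --list-policies
}
Write-Host "Policy $PolicyId written to $Merged and $Bin (audit mode)"
```

Keep the exported XML in version control and rebuild the binary from it; the .cip is an artefact, not the source of truth. Step 3 leaves audit mode on deliberately, so the policy can be deployed to a pilot group without breaking anything while you collect the audit events.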

Key takeaways

Balancing security and productivity is challenging. Fortunately, Microsoft is addressing this by offering various levels of controls and restrictions. These can be used out of the box, or you can take a more granular approach with the WDAC Wizard and create custom XML configurations.

WDAC can be extremely useful, especially when you have a subset of devices that need a greater level of control around application execution. This could be student devices in education or just to ensure that your golden image remains your golden image.

I always recommend you run your WDAC deployment in audit mode first to review what applications would be blocked and work backwards from there. In audit mode the Microsoft-Windows-CodeIntegrity/Operational log records event 3076 for every file that would have been blocked (3077 once the policy is enforced), and the AppLocker MSI and Script log records 8028 and 8029 for scripts and installers. Understanding end-user behaviour and identifying which applications require additional rules is crucial to ensure they can be executed properly when WDAC is moved to enforced.
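As an added example for this audit-first approach (written for this article, not taken from the original post or from Microsoft), the block below summarises the audit events on a pilot device and then turns the reviewed results into a supplemental policy. It assumes the base policy from the earlier example lives at C:\WDAC\ContosoBase.merged.xml; the event data field names (FileNameBuffer, ProcessNameBuffer) are those used by current Windows builds, and file names arrive in NT device path form such as \Device\HarddiskVolume3\....

```powershell
# Added example: review WDAC audit-mode events and generate a supplemental policy from them.
# Run elevated on a device that has had the audit-mode policy applied for a while.

function Get-WdacAuditSummary {
    param([int]$Days = 7)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077          # 3076 = would be blocked (audit), 3077 = blocked (enforced)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than parsing the
        # localised message text. Field names are as in current Windows builds.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 3076) { 'Audit' } else { 'Enforced' }
            File    = $data['FileNameBuffer']      # NT device path, e.g. \Device\HarddiskVolume3\...
            Process = $data['ProcessNameBuffer']   # the process that tried to load the file
        }
    }
}

# The noisiest files float to the top: these are the applications that need rules.
Get-WdacAuditSummary -Days 14 |
    Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Processes'; e = { ($_.Group.Process | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Once reviewed, let New-CIPolicy read the same audit log and write allow rules for the
# files it finds there. Publisher-level rules keep the policy small; hashes are the fallback.
$Work = 'C:\WDAC'                                   # assumed working folder
$Base = Join-Path $Work 'ContosoBase.merged.xml'     # base policy from the earlier example
$Supp = Join-Path $Work 'FromAudit.xml'
New-CIPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs -MultiplePolicyFormat -FilePath $Supp

# Tie the new file to the base as a supplemental policy (it only adds allows, never denies),
# and compile it under its own {PolicyID}.cip name.
Set-CIPolicyIdInfo -FilePath $Supp -PolicyName 'Contoso audit supplement' -BasePolicyToSupplementPath $Base | Out-Null
$SuppId = ([xml](Get-Content $Supp)).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $Supp -BinaryFilePath (Join-Path $Work "$SuppId.cip") | Out-Null

# Moving to enforcement is a change to the base, not the supplement: remove rule option 3
# (audit mode) from the base XML, recompile it, and redeploy.
Set-RuleOption -FilePath $Base -Option 3 -Delete
$BaseId = ([xml](Get-Content $Base)).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $Base -BinaryFilePath (Join-Path $Work "$BaseId.cip") | Out-Null
Write-Host "Supplement $SuppId generated; base $BaseId recompiled in enforced mode"
```

Review FromAudit.xml before deploying it: New-CIPolicy -Audit will happily write an allow rule for anything that appeared in the log, including software you wanted blocked, so the summary table is the review step and the generated policy is only a starting point.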
