Windows Defender Application Control
In this post, we’ll see how we can configure Windows Defender Application Control using Microsoft Intune.
Existing setup done:
- Two Local users created
- Azure AD Connect configured
- Seamless Single Sign-On (IE) configured
- Seamless Single Sign-On (Firefox) configured
- Hybrid Azure AD Join configured
- Intune enrollment – Domain Joined Windows 10 devices
- Azure AD Join
- Office 365 Pro Plus Application
- Sample SharePoint Team Site
- OneDrive Known Folder Migration and SharePoint library sync
- Copy necessary files (Win32 App)
- Set Desktop Background, Lock Screen and Screensaver
- Adding applications to StartUp folder
- Adding some 3rd Party applications (Browsers)
- Microsoft Store for Business configuration and integration and Store Apps.
- Windows Defender Application Guard configuration
- Extend Application Guard to Mozilla Firefox and Google Chrome
- Configure Windows Defender Antivirus
- Windows Defender Credential Guard
- Windows Defender Exploit Guard – Attack Surface Reduction
- Windows Defender Exploit Guard – CFA, NP, EP
- SkyDC: Machine with ADDS, DNS, DHCP role
- SkyCON: Machine where we will install Azure AD Connect
- SkyCM: Machine with Configuration Manager Current Branch
- SkyTEN1: Domain Joined Windows 10 machine
- SkyTEN2: Domain Joined Windows 10 machine
- SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
- SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
Windows Defender Application Control
Windows Defender Application Control (WDAC) is a Windows 10 feature which allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients.
Configuring WDAC using Microsoft Intune policy is very simple with just two settings. We’ll see both scenarios in this post.
Create a Group with SkyTEN5i as member
I have created a group with SkyTEN5i as member.
Scenario 1: Only Windows components and Microsoft Store apps
Navigate to Intune -> Device configuration -> Profiles. Click on +Create profile.
Enter appropriate Name and Description. I have entered:
Name: Win 10 WDAC Policy
Description: Windows 10 : Microsoft Defender Application Control Policy
In Platform, select Windows 10 and later.
In Profile type, select Endpoint protection.
Click on Microsoft Defender Application Control.
In Microsoft Defender Application Control window, select the appropriate option.
Not Configured: Application Control is not enabled
Enforce: Enables Application Control in blocking mode.
Audit Only: Enables Application Control in Audit mode.
In Application control code integrity policies, select Enforce.
In Trust apps with good reputation, select Not configured.
Note: we’ll test other options later.
Select appropriate group.
As I want to test Application Control on a specific machine, I have selected the above created group. After selecting the group, click Save.
The policy is deployed.
In Client machine:
Open any non-Microsoft app.
As Application Guard requires restart, you can see the above message.
You can manually restart the machine or let it restart.
After the machine is restarted, open the same app again.
You will see that it is blocked by Microsoft Defender Application Control.
Scenario 2: Only Windows components, Microsoft Store apps and reputable apps as defined by the Intelligent Security Graph.
Click on the above created policy.
Click on Properties.
Navigate to Settings -> Microsoft Defender Application Control.
In Trust apps with good reputation, select Enable.
In Client machine, sync the policy
Once policy is updated on the client machine, you’ll again see a restart window.
Open the same app again. If it is trusted my Intelligent Security Graph, it will be allowed to run. In my case I am using 7-zip which was allowed to run.
When you try to run any executable which is not trusted by Intelligent Security Graph, it’ll be blocked. Here, in the example above, I tried to execute ransomeware_testfile_unsigned.exe from Exploit Guard sample and it was blocked.