Windows Defender Application Control

In this post, we’ll see how we can configure Windows Defender Application Control using Microsoft Intune.

Existing setup done:

  1. Two Local users created
  2. Azure AD Connect configured
  3. Seamless Single Sign-On (IE) configured
  4. Seamless Single Sign-On (Firefox) configured
  5. Hybrid Azure AD Join configured
  6. Intune enrollment – Domain Joined Windows 10 devices
  7. Azure AD Join
  8. Office 365 Pro Plus Application
  9. Sample SharePoint Team Site
  10. OneDrive Known Folder Migration and SharePoint library sync
  11. Copy necessary files (Win32 App)
  12. Set Desktop Background, Lock Screen and Screensaver
  13. Adding applications to StartUp folder
  14. Adding some 3rd Party applications (Browsers)
  15. Microsoft Store for Business configuration and integration and Store Apps.
  16. Windows Defender Application Guard configuration
  17. Extend Application Guard to Mozilla Firefox and Google Chrome
  18. Configure Windows Defender Antivirus
  19. Windows Defender Credential Guard
  20. Windows Defender Exploit Guard – Attack Surface Reduction
  21. Windows Defender Exploit Guard – CFA, NP, EP

Existing setup:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine where we will install Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
  8. SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
  9. SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
  10. SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
  11. SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)


Windows Defender Application Control

Windows Defender Application Control (WDAC) is a Windows 10 feature that lets organizations control which drivers and applications are allowed to run on their Windows 10 clients. The policy is a code integrity policy enforced by the kernel, so it covers kernel-mode drivers as well as user-mode executables, and it applies regardless of which user is logged on.
Configuring WDAC with the built-in Microsoft Intune policy is very simple, with just two settings. We’ll see both scenarios in this post.

Create a Group with SkyTEN5i as member

I have created a group with SkyTEN5i as member.

Scenario 1: Only Windows components and Microsoft Store apps

Navigate to Intune -> Device configuration -> Profiles. Click on +Create profile.

Enter appropriate Name and Description. I have entered:

Name: Win 10 WDAC Policy

Description: Windows 10 : Microsoft Defender Application Control Policy

In Platform, select Windows 10 and later.

In Profile type, select Endpoint protection.

Click on Microsoft Defender Application Control.

In Microsoft Defender Application Control window, select the appropriate option.

Not Configured: Application Control is not enabled

Enforce: Enables Application Control in blocking mode.

Audit Only: Enables Application Control in Audit mode.

In Application control code integrity policies, select Enforce. Note: on anything other than a disposable test machine, start with Audit Only, review the Code Integrity audit events that result, and only then switch to Enforce; this lab targets SkyTEN5i alone, so Enforce is selected directly.

In Trust apps with good reputation, select Not configured.

Click OK.

Note: we’ll test other options later.

Click OK.

Click Create.

Select appropriate group.

As I want to test Application Control on a specific machine, I have selected the above created group. After selecting the group, click Save.

The policy is deployed.

On the client machine:

Before Sync:

Open any non-Microsoft app.

After Sync

As the Application Control policy only takes effect after a restart, you can see the above message.

You can manually restart the machine or let it restart.

After the machine is restarted, open the same app again.

You will see that it is blocked by Microsoft Defender Application Control.
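Before moving on, it is worth confirming on the client that the policy actually arrived and is enforcing, rather than relying on the block dialog alone. The following PowerShell is an added check, not part of the original post; run it in an elevated session after the restart. The policy file locations and the 3076/3077 event IDs are Microsoft's documented ones, and the regular expression relies on the English event text.

```powershell
# Added check, not from the original post: confirm the Intune-delivered WDAC policy is active on
# the client and list what Code Integrity blocked (3077) or would have blocked in audit (3076).
# Run in an elevated PowerShell session after the post-policy restart.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$state = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
'User-mode code integrity policy  : {0}' -f $state[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
'Kernel-mode code integrity policy: {0}' -f $state[[int]$dg.CodeIntegrityPolicyEnforcementStatus]

# Where the binary policy lives: SIPolicy.p7b (single-policy format) or
# CiPolicies\Active\<GUID>.cip (multiple-policy format). A fresh timestamp shows the sync landed.
$ci = "$env:windir\System32\CodeIntegrity"
Get-ChildItem -Path "$ci\SIPolicy.p7b", "$ci\CiPolicies\Active\*.cip" -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

# Code Integrity operational log: 3076 = audit-mode "would have blocked", 3077 = enforced block.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # The English event text reads "... attempted to load <file> that did not meet ...";
    # fall back to the raw message when the wording differs (other UI languages or builds).
    $file = if ($_.Message -match 'attempted to load (.+?) that did not meet') { $Matches[1] } else { $_.Message }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Result = if ($_.Id -eq 3077) { 'Blocked (enforce)' } else { 'Audited (would block)' }
        File   = $file
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

The user-mode enforcement status is the value to watch: 2 means the Enforce setting from the Intune profile is live, and it is the value you expect to drop back to 1 if you later switch the profile to Audit Only. The 3076 events are also what you would review during an audit phase to build a picture of which line-of-business applications the policy would break.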

Scenario 2: Only Windows components, Microsoft Store apps and reputable apps as defined by the Intelligent Security Graph.

Click on the above created policy.

Click on Properties.

Navigate to Settings -> Microsoft Defender Application Control.

In Trust apps with good reputation, select Enable.

Click OK.

Click OK.

Click Save.

On the client machine, sync the policy.

Once the policy is updated on the client machine, you’ll again see a restart prompt.


Open the same app again. If it is trusted by the Intelligent Security Graph, it will be allowed to run. In my case I am using 7-Zip, which was allowed to run.


Any executable that is not trusted by the Intelligent Security Graph is still blocked. In the example above, I tried to execute ransomeware_testfile_unsigned.exe from the Exploit Guard samples and it was blocked. The reputation lookup happens when the file is first executed and needs the client to reach the cloud service; a freshly built, unsigned binary like this test file has no reputation, so the policy falls back to blocking it.
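As an added check (not part of the original post), the script below shows on the client why a particular binary was allowed or blocked under the reputation-based policy: its Authenticode status and hash, plus the Code Integrity events that mention it. The default path is an assumption; point it at the executable you tested. The 3090 "allowed" detail events are only written once the TestFlags diagnostic value documented by Microsoft is set, so expect only 3077/3092 entries for the blocked test file unless you enable that first.

```powershell
# Added example, not from the original post: explain why one executable was allowed or blocked
# under the "Trust apps with good reputation" (ISG) policy. The default path is an assumption.
param([string]$Path = 'C:\Test\ransomeware_testfile_unsigned.exe')

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# Signature and hash: the Exploit Guard test file is unsigned, and a freshly built, unsigned
# binary has no reputation in the ISG, so it stays blocked even in Scenario 2.
$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    File      = $Path
    SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Signature = $sig.Status                      # NotSigned / Valid / HashMismatch ...
    Signer    = $sig.SignerCertificate.Subject   # empty when NotSigned
} | Format-List

# Code Integrity events that mention this file:
#   3077 = blocked by the enforced policy
#   3090 = allowed, with ISG / managed-installer detail (only logged once diagnostics are on:
#          reg add HKLM\SYSTEM\CurrentControlSet\Control\CI /v TestFlags /t REG_DWORD /d 0x300)
#   3091 = audit mode, file had no ISG / managed-installer authorization
#   3092 = enforce mode, file had no ISG / managed-installer authorization
$decision = @{
    3077 = 'Blocked by policy'
    3090 = 'Allowed (ISG/MI detail)'
    3091 = 'Audit: no ISG/MI authorization'
    3092 = 'Enforce: no ISG/MI authorization'
}
$leaf = [regex]::Escape((Split-Path -Path $Path -Leaf))

Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3077, 3090, 3091, 3092
} -ErrorAction SilentlyContinue |
    Where-Object { ($_.Message + ' ' + ($_.Properties.Value -join ' ')) -match $leaf } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Decision'; Expression = { $decision[[int]$_.Id] } },
        @{ Name = 'Detail';   Expression = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

Run it against 7-Zip's executable as well: a valid signature from a well-known publisher together with no 3077/3092 entries is the expected picture for a binary the Intelligent Security Graph vouched for, while the unsigned test file shows NotSigned and a block event for every launch attempt.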


Done.

1 Comment

  1. Sanchit


    This is a really great blog series where all the information can be found in a single place. It has simplified my learning experience by many folds. Everything has been articulated with details and I am able to build my lab environment using this series. Appreciate all your help and I hope you will continue to write these blogs 🙂
