Sign APPS – Manage, maintain, and protect devices

To enable Microsoft Defender Application Control in your organization, you must digitally sign all the trusted apps that you want to allow to run on your devices. You can do this in a number of ways, as listed below:

  • Publish your apps by using the Microsoft Store: All apps in the Microsoft Store are automatically signed with signatures from a trusted certificate authority (CA).
  • Use your own digital certificate or public key infrastructure (PKI): You can sign the apps by using a certificate issued by a CA in your own PKI.
  • Use a non-Microsoft CA: You can use a trusted non-Microsoft CA to sign your own desktop Windows apps.
  • Use the Microsoft Defender Application Control signing portal: In Microsoft Store for Business, you can use a Microsoft web service to sign your desktop Windows apps.

Create a Default Microsoft Defender Application Control Policy
To create a default policy, build a virus- and malware-free reference computer that contains the set of apps your users require to run. You might need to create several reference computers, each representing a typical device configuration within your organization. For example, you might create a standard device for the research department and a kiosk-type device for use in the library.
Having created the reference computer, sign in and then complete the following procedure:

  1. Open an elevated Windows PowerShell command prompt.
  2. Create the required variables for the process by running the following three commands:
    $CIPolicyPath=$env:userprofile+"\Desktop\"
    $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
    $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"
  3. Scan the system for installed apps using the New-CIPolicy cmdlet (the 3> redirection writes the warning stream to a log file):
    New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt
  4. Convert the WDAC policy to a binary format (for import) using the ConvertFrom-CIPolicy cmdlet:
    ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
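The reference-computer procedure above, carried through as an added PowerShell example (not code from the page or from Microsoft): it builds the same initial policy, sets the rule options explicitly so the first policy is audit-only, and parses the resulting policy XML to confirm the audit option is present before the binary is produced. The Test-WdacPolicyXml helper, the -Fallback Hash choice, and the Desktop paths are assumptions.

```powershell
# Added example: build an audit-mode WDAC policy from a reference computer and verify
# its rule options before converting it to the binary that Intune or GPO deploys.
# Paths and the Test-WdacPolicyXml helper are assumptions, not from the page.
$CIPolicyPath    = Join-Path $env:USERPROFILE 'Desktop'
$InitialCIPolicy = Join-Path $CIPolicyPath 'InitialScan.xml'
$CIPolicyBin     = Join-Path $CIPolicyPath 'DeviceGuardPolicy.bin'
$LogPath         = Join-Path $CIPolicyPath 'CIPolicyLog.txt'

# 1. Scan the reference computer. -Level PcaCertificate trusts the issuing CA of each
#    signed file; -Fallback Hash emits hash rules for unsigned files so the scan does
#    not silently leave them unauthorised. Warnings (stream 3) go to the log.
New-CIPolicy -Level PcaCertificate -Fallback Hash -FilePath $InitialCIPolicy -UserPEs 3> $LogPath

# 2. Set rule options explicitly rather than relying on defaults:
#    0  Enabled:UMCI        (apply to user-mode code, not only kernel drivers)
#    3  Enabled:Audit Mode  (log what would be blocked, do not enforce yet)
#    14 Enabled:Intelligent Security Graph Authorization
#       (the "Trust apps with good reputation" setting shown in the Intune profile)
foreach ($opt in 0, 3, 14) { Set-RuleOption -FilePath $InitialCIPolicy -Option $opt }

# 3. Read the policy XML back and report what the binary will actually contain.
function Test-WdacPolicyXml {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('p', 'urn:schemas-microsoft-com:sipolicy')
    $options = @($xml.SelectNodes('/p:SiPolicy/p:Rules/p:Rule/p:Option', $ns) |
                 ForEach-Object { $_.InnerText })
    $signers = @($xml.SelectNodes('/p:SiPolicy/p:Signers/p:Signer', $ns) |
                 ForEach-Object { $_.GetAttribute('Name') })
    [pscustomobject]@{
        AuditMode   = $options -contains 'Enabled:Audit Mode'
        UserModeCI  = $options -contains 'Enabled:UMCI'
        SignerCount = $signers.Count
        Signers     = @($signers | Sort-Object -Unique)
        Options     = $options
    }
}

$report = Test-WdacPolicyXml -Path $InitialCIPolicy
$report | Format-List
if (-not $report.AuditMode) {
    throw 'Policy is not in audit mode; refusing to build an enforced binary from a first scan.'
}

# 4. Only now convert to the binary policy for import.
ConvertFrom-CIPolicy -XmlFilePath $InitialCIPolicy -BinaryFilePath $CIPolicyBin
```

Review the Signers list before deploying: a CA you do not recognise in a reference-computer scan usually means software that should not be on the reference image.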

Enable Microsoft Defender Application Control

After creating the default WDAC policy, you can configure the settings with GPOs or Microsoft Intune. To use Intune, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Devices and then select Windows.
  3. Click Configuration profiles.
  4. Click Create profile.
  5. On the Create a profile page, select Windows 10 and later and then select Templates.
  6. In the list of templates, select Endpoint protection and click Create.
  7. Enter a Name and Description on the Basics tab, and then, on the Configuration settings page, expand Microsoft Defender Application Control.
  8. In the Application control code integrity policies list, select Enforce or Audit only as appropriate.
  9. Then in the Trust apps with good reputation list, select Enable. Click Next.
  10. Configure scope tags and assignments as necessary, and then Create the profile.

Need More Review? Planning and Getting Started on the Microsoft Defender Application Control Deployment Process

To review further details about deploying Microsoft Defender Application Control, refer to the Microsoft website at https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.
