Hi there! We've been relying on AppLocker for quite a while, but as we're now moving from Group Policy to Intune configuration policies, it's clear that Microsoft isn't adding any new features to AppLocker. They've been nudging us towards Windows Defender Application Control (WDAC) instead. However, both AppLocker and WDAC are quite tricky to manage with Intune since there's no user-friendly GUI out there. In my testing, I've found that we can't create AppLocker rules based on user or group objects anymore—only built-in group SIDs are usable. Typical Microsoft situation, right? So I'm really curious about what others are using for application whitelisting. If you've had hands-on experience with ThreatLocker, Airlock Digital, or any similar tools, I'd love to get your insights!
8 Answers
If you're looking for ThreatLocker info, here’s their website: [threatlocker.com](https://threatlocker.com).
We've gone for CyberArk EPM, and it's been decent so far. However, with their recent acquisition by PA, we’re contemplating our next steps.
I get that AppLocker and WDAC can be cumbersome, but there's an App Control Wizard made by Microsoft which helps with managing WDAC. You can use the XML it generates for Intune. Also, I definitely recommend Violet Hansen's App Control Manager; it’s really user-friendly and has a lot of useful insights available for free! Check it out!
AppControl Manager is a game changer! It doesn’t eliminate all the challenges, but it makes things a bit more manageable.
In a previous enterprise role, we used BeyondTrust for privileged access management. It might be overkill for some, but it does offer centralized management and lots of features. I’ve heard of Carbon Black App Control as well, although we didn’t end up using it. Just keep in mind that BeyondTrust is quite an investment!
I know BeyondTrust is solid, but we're mainly looking for something focused purely on application whitelisting to complement our NGAV/EDR setup.
If you’re looking for comprehensive control, combining WDAC with BeyondTrust can give you the best of both worlds—control over kernel and user modes.
We’ve implemented application blocking with Sophos, and we still haven’t completely switched to Defender even though we have E5 licenses. I also find WDAC quite annoying, so we’re considering moving to ThreatLocker instead if we decide to drop Sophos.
Trend Micro Worry Free includes app control features, which might be worth exploring for your whitelisting needs.
We shifted away from AppLocker and WDAC due to some apps having issues with constrained language mode. We've transitioned to Airlock Digital, and it’s been promising so far. We had a 14-day demo, and the testers found it fits our needs well! The UI is quite intuitive, and we love the admin feedback feature which shows exactly what gets blocked and notifies when clients have updated rules.
For those discussing WDAC/AppLocker, how are you all handling auditing and testing? DfE P2 or a SIEM solution seems like a must for visibility. It’s hard to trust a Microsoft go-live test alone; they often feel like more of a guess than a guarantee!
F*** it, we’ll do it live!
I second this! Their support is pretty solid, and despite a few quirks, it’s very doable for a small team like mine.