Best Practices for Structuring App Control Policies

Asked By TechNinja2023 On

I'm rolling out Windows Defender Application Control (WDAC) using the Microsoft App Control Wizard. All target machines are running at least Windows 11 24H2. My current plan for structuring my policies includes:
- A base policy that incorporates Microsoft's recommended user and kernel block lists.
- Another base policy for my specific options, along with supplemental policies under this base for individual applications.

Initially, these policies will run in audit mode, and I'll be monitoring the Windows Event Log via my SIEM. However, I've encountered a couple of issues:
1) While deploying through Intune, if I combine the user and kernel blocklist policies, I get an unspecified error. Splitting them into two base policies resolves this.
2) My supplemental policy isn't functioning as expected. Despite having identical configurations across all three base policies, one base policy (usually the Kernel block list) is blocking files that my supplemental policy should allow based on their digitally signed publisher.

I'm opting for multiple base policies because it's supported and seems to be the recommended approach, allowing for scalability in the future. I'm looking for insights from anyone who has successfully deployed WDAC: how do you structure your policies following best practices?

4 Answers

Answered By ResourceFinder On

Check out this post—it’s got some really helpful insights on WDAC implementation: https://www.example.com

ProActiveDev -

Wow, that’s exactly the type of info I was looking for!

Answered By ThirdPartyAdvocate On

Honestly, WDAC has too much overhead for my liking. If you can, consider investing in a solution like Airlock. Once we switched, we realized how many Microsoft applications aren't signed properly; the number of overrides we had to create was staggering. But with advanced tools, you can set conditional policies that allow specific executables for certain staff without the complication of multiple WDAC policies. Good luck!

CautiousExplorer -

I’ve read mixed reviews on both WDAC and third-party solutions. I’d love to see if WDAC can do the job since it’s free. At worst, I’ll end up with a solid case for an alternative if it all goes south.

Answered By CloudFocusGuy On

We pivoted from WDAC back to AppLocker because there was just too much overhead. Emergencies required quick rule creation, and waiting to finalize new rules simply took too long. It just wasn't a good fit for our needs.

QuickFixExplorer -

What specifically made it unmanageable for you? We're a small, cloud-driven company. Legacy apps are getting shifted to the cloud. I initially thought about AppLocker because it seemed simpler, even though WDAC appears more secure.

SpeedySysAdmin -

That's a valid point; AppLocker isn't getting new features while WDAC seems more robust security-wise.

Answered By UserExpert99 On

WDAC can definitely feel overwhelming at first. It’s all about balancing vendor best practices with what works best in your setup. I eventually stepped back from WDAC due to the operational hassles it caused. Good luck with your implementation!

CuriousCoder42 -

Maybe multiple base policies aren't the best route for me? The docs suggest it uses an intersection, meaning something has to be allowed by all base policies. A single base plus supplemental might fit better. I just want to double-check I’m not missing anything before committing.

InquisitiveAdmin88 -

Yeah, WDAC isn’t as simple as just switching it on; you can really mess up your entire organization if you're not careful.
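To make the "intersection" behaviour discussed in this thread concrete, here is an added toy model (not from any poster, and a simplification of real WDAC evaluation) of how several base policies and a supplemental policy combine. The policy IDs, publisher names and file names are constructed; the point it shows is that a supplemental policy only extends the base named in its BasePolicyID, and every other base policy still has to allow the file on its own.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """One policy in the multiple-policy format, reduced to the fields that matter here."""
    policy_id: str
    base_policy_id: str          # for a base policy, BasePolicyID equals its own PolicyID
    allow_publishers: set = field(default_factory=set)   # "*" stands for an allow-all rule
    deny_files: set = field(default_factory=set)         # deny rules modelled on base policies only

    @property
    def is_base(self) -> bool:
        return self.policy_id == self.base_policy_id


def group_verdict(base, supplementals, publisher, filename):
    """Verdict of one base policy together with the supplementals that name it."""
    if filename in base.deny_files:          # a deny rule wins over any allow rule
        return False
    group = [base, *supplementals]
    return any("*" in p.allow_publishers or publisher in p.allow_publishers for p in group)


def is_allowed(policies, publisher, filename):
    """A file may run only if every base-policy group allows it (the intersection)."""
    verdicts = {}
    for base in (p for p in policies if p.is_base):
        supps = [p for p in policies if not p.is_base and p.base_policy_id == base.policy_id]
        verdicts[base.policy_id] = group_verdict(base, supps, publisher, filename)
    return all(verdicts.values()), verdicts


# Constructed policy set: a block-list base (allow-all plus deny rules) and an options base.
BLOCKLIST = Policy("{BLOCK}", "{BLOCK}", allow_publishers={"*"}, deny_files={"driver-on-blocklist.sys"})
OPTIONS = Policy("{OPTS}", "{OPTS}", allow_publishers={"Microsoft Windows"})


def scenario(supplemental_base_id):
    """Attach a Contoso supplemental to the given base and evaluate a Contoso-signed app."""
    supplemental = Policy("{SUPP}", supplemental_base_id, allow_publishers={"Contoso Ltd"})
    return is_allowed([BLOCKLIST, OPTIONS, supplemental], "Contoso Ltd", "contosoapp.exe")


if __name__ == "__main__":
    # Supplemental attached to the options base: both groups allow, so the app runs.
    print(scenario("{OPTS}"))    # (True, {'{BLOCK}': True, '{OPTS}': True})
    # Supplemental attached to the block-list base instead: the options base has no allow
    # rule for Contoso, so the app is blocked even though one policy does allow it.
    print(scenario("{BLOCK}"))   # (False, {'{BLOCK}': True, '{OPTS}': False})
    # A Microsoft-signed file on the block list is denied regardless of the other base.
    print(is_allowed([BLOCKLIST, OPTIONS], "Microsoft Windows", "driver-on-blocklist.sys"))
```

When a file is unexpectedly blocked in audit events, comparing the supplemental's BasePolicyID against the PolicyID of each deployed base is the first check this model suggests.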
