Security Windows Defender App Control Lead image: Lead Image © dimaberkut,
Lead Image © dimaberkut,

Reducing your attack surface

En Garde

Windows Defender Application Control protects systems against threats that traditional virus scanners and signature-based mechanisms cannot detect by restricting applications in the user context and reducing the code allowed in the system kernel. By Marc Grote

Microsoft learned in previous versions of its software that it is difficult to create code integrity (CI) policies (application control policies) under Windows Defender Application Control (WDAC) [1]. As a result, the vendor is now shipping a set of preconfigured CI policies in Microsoft Windows Server 2019 and Windows 10 v1709 that allow the execution of operating system files and applications such as Microsoft SQL Server but block executable files known to bypass the configured CI policies. Additionally, Windows Server 2019 now allows multiple CI policies to be nested to create a whitelist containing all nested CI policies, all without the need to reboot the system.

When a user runs a process, that process has the same access rights to data as the user, which means that confidential information is easily deleted or taken out of the organization. In this article, I show how you can use WDAC to create policies that block all access that is not specified in a configurable whitelist. WDAC is similar to AppLocker, which uses group policies to control access to applications in the form of path, hash, and StoreApps rules. Before Windows 10 v1709, these policies were known as configurable CI policies; Device Guard was the name of WDAC in earlier Windows versions.

Implementing WDAC

A successful WDAC implementation [2] requires extensive planning. You need to determine the necessary hardware and software and decide whether to work with whitelisting or blacklisting. Then, you need to inventory the software used in your departments to decide how many WDAC policies are required. Scanning reference PCs to identify the installed software and create WDAC policies accordingly is also recommended.

Because WDAC policies can also be used with applications and drivers signed with certificates, it is important that as many applications as possible are digitally signed. If you have applications that are not – or cannot be – digitally signed, you can use catalog files in WDAC deployment. To prepare WDAC policies that allow these trusted applications but block unsigned code, create a catalog file that contains information about the trusted applications. After signing and distributing the catalog, the trusted applications can be processed by WDAC in the same way as any other signed application. You can use catalog files [3] to block all unsigned applications and allow only signed apps and drivers to run.

WDAC Policies

Creating WDAC guidelines can be a bit complex at the start, because you first need to become familiar with the structure and setup. The best way to get started is to use the sample policies provided by Microsoft, which you will find in C:\Windows\Schemas\CodeIntegrity\ExamplePolicies [4].

To begin, look at the policy named DenyAllAudit.xml as an example. Here, Enabled:Audit Mode enables logging of application access; Enabled:UMCI means that WDAC policies restrict the binaries for kernel and user mode. By default, only the kernel-mode binaries are restricted. After enabling this option, WADC scans the user-mode executables and scripts.

In the section below </Rules> (Figure 1, line 23), you then set the rules for accessing the applications:

This sample policy blocks and logs all access.
Figure 1: This sample policy blocks and logs all access.

Creating Your Own WDAC Rules

After you have familiarized yourself with the sample rules in WDAC and developed an understanding of how WDAC will be used in your environment, you can create your own WDAC policies. You can store several CI policy rules in a single variable (i.e., $Rules in this example). To create your rules, use the New-CIPolicyRule cmdlet, and to create a new policy that uses the rules stored in the variable, use the New-CIPolicy cmdlet:

$Rules = New-CIPolicyRule -FilePathRule 'C:\Program Files\AdminMag\*'
$Rules = New-CIPolicyRule -FilePathRule 'C:\Program Files\MyApp\*'
New-CIPolicy -Rules $Rules -FilePath C:\CIPolicyStore\FilePathRule.xml -UserPEs

The WDAC policy is stored in an XML file. If you specify the -UserPEs parameter to include user-mode executables in the scan, the 0 Enabled: UMCI rule option is automatically added to the WDAC policy. In the future, WDAC then scans user-mode executables and scripts.

You also have the option to merge multiple WDAC policies:

Merge-CIPolicy -PolicyPaths C:\CIPolicyStore\FilePathRule.xml, C:\CIPolicyStore\DefaultWindows_Audit.xml -OutputFilePath C:\CIPolicyStore\FilePath-Audit.xml

This example merges the FilePathRule.xml and DefaultWindows_Audit.xml policies to create an XML file named FilePath-Audit.xml.

Creating a Default WDAC Policy

Now you can create a new WDAC policy in which you check the system for installed applications. Once the policy is ready, its format is converted to binary so that Windows can use its contents. All installed applications need to be considered trusted before you start defining a policy, so I recommend that you check the reference PC for software that can load any DLL and run code or scripts; then, initialize the variables to be used. The following examples use InitialScan.xml and WDACPolicy.bin as names of the files to be created:


Next, define the storage location for WDAC policies and create a WDAC policy:

New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt

The PcaCertificate parameter adds the highest available certificate in the specified certificate chain to the list of signature providers and is usually located directly below the root certificate, because verification does not extend beyond the certificates contained in the signature provided. The UserPEs parameter specifies that the PowerShell cmdlet should also scan files in user mode. You need to convert a new WDAC policy to binary format,

ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin

before you can distribute it by means of a group policy.

Creating a Path Rule

As of Windows 10 v1903, policies for WDAC can contain path-based rules. For this to happen, a new FilePath parameter has been added to the New-CIPolicy cmdlet. The command

New-CIPolicy -f .\IT-Admin-Policy.xml -l FilePath -s C:\<MyApplication> -u

generates a WDAC policy that can act as a permit-or-deny policy for everything to which the user does not have write access. If your users do not explicitly require certain applications, Microsoft recommends blocking them. Table 1 lists the applications or files that can be used by attackers to circumvent whitelisting policies, including WDAC.

Tabelle 1: WDAC Dangers

Attack Files






















WDAC and Group Policy

The easiest way to assign a WDAC policy to managed clients is with a group policy, for which you can use the WDAC file created earlier. Start the Group Policy Management Editor, create a new group policy, and navigate to Computer Configuration | Administrative Templates | System | Device Guard. When you get there, enable the Deploy Windows Defender Application Control configuration and enter the path to the WDAC policy (Figure 2).

Group policy lets you assign WDAC policies to users.
Figure 2: Group policy lets you assign WDAC policies to users.

You do not need to copy the policy file to each computer; instead, copy it to a file share that all computer accounts can access. Each computer account needs access permissions for the file. If you have problems with the policy, it's usually helpful to check the Windows Event Viewer. You will find WDAC logging in Applications and Services Logs | Microsoft | Windows | CodeIntegrity | Operational.


Microsoft has once again developed a new technique for controlling access to applications, drivers, and services in the form of Windows Defender Application Control. Unlike the proven AppLocker technology, WDAC supports application whitelisting with Windows Code Integrity. The initial work involved to implement WDAC should not be underestimated; plan for a large chunk of your time, particularly considering that WDAC can only run in audit mode, especially in the initial period until the IT department has created efficient policies.

After a successful WDAC implementation, however, it is easy to make changes later (e.g., by adding additional policies to the standard policies that manage the required access to or blocking of applications). Don't get confused by terminology such as code integrity policies, WDAC policies, and Device Guard: WDAC is just the new name for something old – but with a few new features.