Implement and Configure Windows Defender Application Control (WDAC)

Introduction

In this article, you will learn how to protect your on-premises devices from malware attacks.

Windows Defender Application Control is a Windows security feature designed to protect devices from malware and other harmful software. Its main purpose is to allow only trusted applications to run on PCs. Windows Defender Application Control is available on Windows 10/11, Windows Server 2016, and the latest Windows Server versions.

Implement Windows Defender Application Control

Step 1. Download the WDAC Wizard

  1. Use the following link to download the Microsoft WDAC Wizard: https://webapp-wdac-wizard.azurewebsites.net/
  2. Then click 'Download the Installer'
  3. If your download does not start automatically, click here.
    WDAC policy wizard

Step 2. Install the WDAC policy

  1. After downloading, double-click to open the WDAC Wizard Installer.
  2. By selecting "Launch When Ready", WDAC will open automatically once the installation is complete.
  3. Then click "Install"
    Install WDAC wizard

Step 3. Creating a WDAC policy

Once the installation is finished, the Windows Defender Application Control Policy Wizard will launch automatically.

In this case, I'm going to create a new base WDAC policy.

Choose the option 'Policy Creator'

Policy creator

Step 4. Select a policy type

Windows Defender Application Control (WDAC) has two types of policies.

One is the Multiple Policy Format, and the other is the Single Policy Format.

So, in this case, I'm going to create a policy with the Single Policy Format.

  1. Select "Single Policy Format"
  2. Then click "Next"
    Single policy format

Step 5. Select a base template for the policy

  1. Select the "Default Windows Mode" template
  2. Then modify the policy name, e.g. "wdacpolicy"
  3. To change the folder location, click 'Browse'. Otherwise, keep it as the default.
  4. Then click "Next"
    Default Windows mode

Step 6. Configure policy template

  1. You can edit the policy rules by enabling or disabling them.
  2. Disable "Audit Mode"
    If you want to test a new Windows Defender Application Control policy, enable audit mode before enforcing the policy in your environment.
    With audit mode turned on, the policy is not enforced: files that the policy would have blocked are only logged, so you can review them before switching to enforcement.
  3. Then click "Next"
    Audit mode

Step 7. File rules

You have the option to create custom rules or remove existing ones.

Click "Next"

File rules

The Windows Defender Application Control (WDAC) policy was created successfully.

Building your WDAC policy

Step 8. Convert your WDAC policy XML to binary

  1. Open PowerShell ISE as an Administrator
  2. Type the following command: "ConvertFrom-CIPolicy -XmlFilePath c:\wdac\wdacpolicy.xml -BinaryFilePath c:\wdac\SiPolicy.p7b"
  3. Then click the "Run Script" button
    Administrator window powershell

In my next article, you will learn how to deploy and manage WDAC policies on a domain controller.

Deploy and manage the WDAC Policy in the domain controller

  1. Go to Windows Server 2026 or the latest Windows Server version
  2. Copy the SiPolicy.p7b file, create a new folder on the domain controller, and paste the file into it
  3. Then share that folder with Everyone

Step 8. Deploy on Windows server

  1. Open Group Policy Management from Server Manager
  2. Click "Tools"
  3. Then click "Group Policy Management"
    Server manager dashboard

Step 9. Create a new GPO and link to the domain

  1. Right-click on your domain, e.g. "techshifa.local"
  2. Then click "Create a GPO in this domain, and Link it here" to create a GPO
    Create a GPO in this domain and link it here

Step 10. Edit the GPO policy

  1. Go to "Computer Configuration"
  2. Click "Policies"
  3. Then click "Administrative Templates"
  4. Then select "System"
  5. Click on "Device Guard"
  6. Then double-click "Deploy Windows Defender Application Control"
    Computer configuration

Step 11. Deploy WDAC

  1. Click "Enabled"
  2. Then enter the path to the WDAC policy: \\DC1.techshifa.local\wdac\SiPolicy.p7b
  3. Then click OK

Note. This policy is linked to the domain and will affect all devices in it.

Enabled

Once a client computer is set up with an Active Directory-based GPO, it typically takes 20 minutes for the client computer to apply any settings after a Group Policy refresh. By default, the Group Policy refresh occurs in the background every 90 minutes with a random delay of 0 to 30 minutes. (Source: Microsoft)

To update the group policy on a computer manually, without waiting for the background refresh, follow these steps in a command prompt run as an administrator.

  1. Open the command prompt as an administrator.
  2. Type the following command to update the policy: "gpupdate /force"
  3. Press Enter to execute the command.

Note. This will initiate an update of the group policy settings on your computer.

Computer policy update has completed successfully
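The following PowerShell script is an added example, not part of the original article. It ties together Step 6 (checking whether the policy is still in audit mode), Step 8 (converting the XML to SiPolicy.p7b) and the post-gpupdate check on a client: it reads the rule options from the policy XML, converts it, and then reports the enforcement status and recent Code Integrity events. The file paths are assumptions matching the article; run it as Administrator.

```powershell
# Added example (PowerShell, run as Administrator). Paths match the article and are assumptions.
$XmlPath    = 'C:\wdac\wdacpolicy.xml'
$BinaryPath = 'C:\wdac\SiPolicy.p7b'

# 1. Check the policy's rule options before converting it. The option
#    "Enabled:Audit Mode" means the policy only logs; without it, it blocks.
[xml]$policy = Get-Content -Path $XmlPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
$ns.AddNamespace('p', 'urn:schemas-microsoft-com:sipolicy')
$options = $policy.SelectNodes('//p:Rules/p:Rule/p:Option', $ns) | ForEach-Object { $_.InnerText }
if ($options -contains 'Enabled:Audit Mode') {
    Write-Host 'Policy is in AUDIT mode: files not allowed are logged only (event ID 3076).'
} else {
    Write-Host 'Policy is in ENFORCE mode: files not allowed will be blocked (event ID 3077).'
}

# 2. Convert the XML policy to the binary file the GPO setting points at (same cmdlet as Step 8).
ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinaryPath
Get-Item -Path $BinaryPath | Select-Object FullName, Length, LastWriteTime

# 3. On a domain-joined client after "gpupdate /force": read the enforcement status that
#    Device Guard reports for the Code Integrity policy (0 = Off, 1 = Audit, 2 = Enforced).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$statusNames = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
$status = $statusNames[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
Write-Host "Code Integrity policy enforcement status: $status"

# 4. List recent Code Integrity events: 3076 = would have been blocked (audit),
#    3077 = blocked (enforced). Review these before moving from audit to enforcement.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Steps 1 and 2 belong on the machine where the policy XML was created; steps 3 and 4 are meant for a client that has already received the GPO, where a status of 2 with no unexpected 3077 events confirms the policy is enforced without blocking legitimate software.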
