WDAC Policies

Windows Defender Application Control (WDAC) enforces application control at the kernel level. Deploy WDAC policies through Intune to control which drivers and applications are allowed to run.

Note: WDAC is available on all Windows 10/11 editions.

Policy Types

Single Policy Format

One active policy per device. Suitable for simpler environments.

Multiple Policy Format

Windows 10 1903+ supports multiple simultaneous policies with base and supplemental policy layers.

Policy Rules

Allow Rules

Publisher — Certificate-based trust (recommended)
File Hash — SHA256 hash of the binary
File Path — Directory-based rules
File Attributes — Product name, version

Deny Rules

Block specific applications. Deny rules take precedence over allow rules.

Creating a WDAC Policy

Audit existing software in audit mode
Build trust rules for discovered applications
Add supplemental policies for specific use cases
Test in Audit mode to verify no legitimate apps blocked
Enable enforcement after validation

Deployment Through Intune

Deploy as custom OMA-URI configuration profiles:

OMA-URI — ./Vendor/MSFT/ApplicationControl/Policies/{GUID}/Policy
Data Type — Base64 encoded binary policy
Assignment — Target device groups

Enforcement Modes

Audit Mode

Evaluates but does not block. Events logged for testing.

Enforced Mode

Blocks unsigned or untrusted binaries from executing.

Managed Installer

Configure Intune as managed installer so apps deployed through Intune are automatically trusted by WDAC.

Best Practices

Start with Microsoft recommended base policies
Use audit mode for at least 30 days
Leverage managed installer for Intune-deployed apps
Use publisher rules over hash rules
Plan emergency policy removal procedures
Test on pilot devices first

API Reference

GET /api/devices/wdac/policies — List policies
POST /api/devices/wdac/policies — Create policy
GET /api/devices/wdac/policies/:id/status — Get status
GET /api/devices/wdac/events — Get audit events