Windows Defender Application Control (WDAC) is the more modern approach to application whitelisting on a Windows 10 device when compared to AppLocker. It is, however, just as easy to deploy using Intune, as this video shows:
You firstly need to create your WDAC policy as an XML file. Then you use the PowerShell command:
to ‘compile’ it into a .bin file. You upload this .bin file into an Intune device configuration policy and assign that to all the desired machines.
Remember, unlike AppLocker, WDAC applies to the whole machine, not individual users of that machine.
Remember, WDAC is already part of Windows 10, so there is no additional cost, and when deployed using Intune it works with both Windows 10 Enterprise and Professional to help you secure your environment.
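The steps above (policy XML, compile to binary, upload via a custom OMA-URI, then test on one machine) as an added PowerShell example that is not part of the original post. It assumes the example policy path from Windows 10's ExamplePolicies folder, a work folder of C:\WDAC, and the ApplicationControl CSP path used by Intune custom profiles; the policy is switched to audit mode first so you can review what would be blocked before enforcing.

```powershell
# Added example, not the post's own script. Edit the two paths for your environment.
$PolicyXml  = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml'
$WorkDir    = 'C:\WDAC'
$AuditFirst = $true   # roll out in audit mode (rule option 3) before enforcing

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$workXml = Join-Path $WorkDir 'policy.xml'
Copy-Item -Path $PolicyXml -Destination $workXml -Force

# Give the copy its own PolicyID (this also converts it to the multiple-policy format) so the
# binary file name and the Intune OMA-URI are derived from the same GUID.
Set-CIPolicyIdInfo -FilePath $workXml -ResetPolicyID | Out-Null
$policyId = ([xml](Get-Content -Path $workXml)).SiPolicy.PolicyID.Trim('{}')

if ($AuditFirst) { Set-RuleOption -FilePath $workXml -Option 3 }          # Enabled:Audit Mode
else             { Set-RuleOption -FilePath $workXml -Option 3 -Delete }  # enforce

# 'Compile' the XML into the binary that Intune (or a manual copy) delivers to the device
$binPath = Join-Path $WorkDir "$policyId.bin"
ConvertFrom-CIPolicy -XmlFilePath $workXml -BinaryFilePath $binPath | Out-Null

# Values to enter in the Intune custom profile (ApplicationControl CSP, data type Base64 file)
"OMA-URI : ./Vendor/MSFT/ApplicationControl/Policies/$policyId/Policy"
"Payload : $binPath"

# Manual test of the same binary on one machine (multiple-policy format: drop it in the
# Active folder as {GUID}.cip and reboot), which separates a bad binary from an Intune issue.
function Install-WdacPolicyLocally {
    param([string]$Bin, [string]$Id)
    $active = Join-Path $env:windir 'System32\CodeIntegrity\CiPolicies\Active'
    Copy-Item -Path $Bin -Destination (Join-Path $active "{$Id}.cip") -Force
    Write-Host "Copied policy $Id; reboot to activate it."
}

# After the reboot: 0 = off, 1 = audit, 2 = enforced
function Get-WdacEnforcementState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        UserMode   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        KernelMode = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

# Audit-mode findings (event 3076) show what the policy would block once enforced (event 3077)
function Get-WdacAuditEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}
```

Run Get-WdacAuditEvents on the test machine for a few days of normal use, add the exceptions it reveals to the XML, and only then set $AuditFirst to $false and recompile.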
4 thoughts on “Basics of deploying Windows Defender Application Control (WDAC) using Intune”
I’ve successfully used some custom policies manually on devices but getting stuck deploying via Intune, even when using the DefaultWindows example policy from C:\Windows\schemas\CodeIntegrity\ExamplePolicies, I just get “not applicable” in the assignment status for the configuration profile on the device.
What does work is using Intune’s built-in policies, but obviously I need a bit more control than the built-in policies and to add some exceptions etc., so I’m deploying via the custom OMA-URI as described here.
There’s nothing particularly out of the ordinary in my setup, test machine is an up to date Windows 10 Enterprise 22H2 physical device and to test I’m just using the XML file C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml converted to bin etc as per the guidance.
Try applying manually on one machine to ensure the BIN file is correct and works.
Hey, thanks for replying. I actually figured it out. We’re using SCCM and some of the workloads were not set up for Intune, so my device was looking in the wrong place for configuration.