Application control is implemented on workstations.

Application control is implemented on workstations

Property	Value
ISM Control	ISM-0843
Revision	9
Updated	Sep-21
Guideline	Not provided
Section	Operating system hardening
Topic	Application control
Essential Eight	ML1, ML2, ML3
PSPF Levels	NC, OS, P, S, TS

Summary

App control on workstations uses Windows Defender Application Control to restrict execution to trusted applications, reducing risk from malware and unauthorized software.¹

Implemented via App Control for Business and deployed through Intune to enforce policies across devices.² Policies should be built using publisher rules as the primary mechanism, with hash rules as a fallback for unsigned internal applications. Path rules are discouraged — particularly for user-profile locations — because folder permissions can be modified by users.³

The policy should be deployed in Audit mode first (typically 2–4 weeks) to capture Event IDs 3076–3077 and identify missing allow-list entries before switching to Enforce mode.⁴ Hypervisor-Protected Code Integrity (HVCI) strengthens the stack by protecting the integrity verification process in an isolated environment, and is recommended for all workstations.²

Design Decision

[!NOTE] The App Control for Business policy will be deployed via Intune to enforce Windows Defender Application Control on workstations as part of operating system hardening. Policies will be defined based on publisher certificates, file hashes and file paths to authorize trusted software. This aligns with the App Control for Business deployment guidance via Intune.

Prerequisites

Dependencies

Windows 10 or Windows 11 devices capable of App Control policy deployment. ²
Management through an MDM solution such as Intune or Group Policy to deploy WDAC policies. ²
Intune administration privileges to create and deploy WDAC policies via Intune. ²
Windows PowerShell available for WDAC policy creation and customization. ³
Group Policy deployment is supported as an alternative, but is limited to single-policy format policies on Windows Server 2016 and 2019. ²
Managed Installer configuration — the Intune Management Extension must be authorized as a managed installer so that Intune-deployed packages are automatically trusted without requiring explicit hash or publisher rules for every app. ⁴

Permissions/Roles

Intune Administrator role to perform policy creation and deployment in Intune. ²

Implementation Steps

Deploy WDAC audit policy via Intune

Sign in to Intune admin center. ¹
Within Intune admin center, go to Devices and then Configuration Profiles. ¹
Next, create a Profile > Platform – Windows 10 or Later, Profile Type Templates and Custom. ¹
Create a name for the policy (for example, ‘Application Control - Microsoft Allow – Audit’) and select Next. ¹
Under OMA-URI Settings, select Add. ³
Note: This information depends on the Policy ID generated by the Windows Defender App Control Wizard for the policy XML created from “Create Audit Policy” above. Example values:
- Name: Microsoft Allow Audit
- OMA-URL: ./Vendor/MSFT/ApplicationControl/Policies/CB46B243-C19C-4870-B098-A2080923755C/Policy
- Data Type: Base64 (File)
When the Windows Defender App Control Wizard generates the policy XML it also creates a (GUID).CIP file. Copy the CIP file and rename its extension to .BIN (for example {CB46B243-C19C-4870-B098-A2080923755C}.bin). ³
Upload the BIN under Base64 (File). ³
Select Save. ³
Follow the prompts to create the Configuration Profile. ³
Deploy the policy you created, for example, ‘Application Control - Microsoft Allow – Audit’ Configuration Profile to the intended system. ³

[!NOTE] Audit guidance: apply the policy in Audit mode to a pilot group first. Audit policies only record events and do not block execution — use them to identify legitimate applications that must be allowed. Review WDAC event logs (Event IDs such as 3076/3077), confirm Intune deployment status, adjust rules (publisher/hash/path) and retest before moving to Enforce. Ensure a recovery path (Safe Mode or system recovery image) is available in case rules are overly restrictive.

Policy rule type guidance

The following rule types are supported, in order of preference per ASD guidance:³⁴

Rule type	Recommended use
Publisher (signer) rules	Primary mechanism. Covers all binaries signed by a trusted certificate (Microsoft, third-party vendors).
Hash rules	Fallback for unsigned internal (LOB) applications. Use when no publisher certificate is available.
Path rules	Last resort only. The target folder must have locked-down ACLs (Administrators read/execute only). Never use for user-profile or temporary paths.
Managed Installer rules	Allows any package deployed via Intune to run without explicit hash/publisher entries. Enable via the WDAC Wizard or a supplemental AppLocker policy.
Recommended block rules	Microsoft publishes a maintained list of vulnerable user-mode and kernel-mode (driver) binaries. Import and merge these into the base policy.

[!NOTE] Intune OMA-URI payload limit: Custom Configuration Profile OMA-URI uploads are limited to approximately 350 KB. If a policy contains many hash rules and exceeds this limit, split the policy into a base policy and supplemental policies, or convert hash-only entries to publisher rules where possible.

ASD Blueprint for Application control provides design guidance for WDAC and cloud-managed deployment, including Intune deployment patterns ASD Blueprint: Application control
WDAC enforced infrastructure in Windows Admin Center describes centralized WDAC management via Windows Admin Center for workstations and servers WDAC enforced infrastructure in Windows Admin Center
Deploying App Control for Business policies provides end-to-end policy creation, auditing, and deployment guidance for enterprises Deploying App Control for Business policies
App Control for Business Wizard assists in creating and editing WDAC policies for Intune deployments App Control for Business Wizard

🛡️ Essential 8 Guide