🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings

About
HOME ← ISM-1542
ISM-1585 →
| Property | Value |
|---|---|
| ISM Control | ISM-1544 |
| Revision | 3 |
| Updated | Dec-23 |
| Guideline | Not provided |
| Section | Operating system hardening |
| Topic | Application control |
| Essential Eight | ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

Microsoft's recommended application blocklist is implemented with Windows Defender Application Control (WDAC), now delivered as App Control for Business, which restricts execution to organisation-approved applications and drivers so that malicious code cannot run.[1] App Control for Business is configured from the Intune admin centre, which can also register Intune as a managed installer to simplify deployment.[1]

Design Decision

> [!NOTE]
> The Windows Defender Application Control policy will be implemented using App Control for Business to enforce Microsoft's recommended application blocklist, deployed via Intune as the managed installer.

Prerequisites

Implementation Steps

Step 1 — Create the recommended block list policy

  1. Install the WDAC Policy Wizard (App Control for Business Wizard) from the Microsoft Store.
  2. Launch the Wizard → Policy Creator → Multiple Policy Format → Base Policy.
  3. On the Policy Template screen, select Microsoft Recommended Block List. Export the XML.
  4. If you also need a base allow policy, start from `AllowAll.xml` located at `%windir%\schemas\CodeIntegrity\ExamplePolicies` — the block-list deny rules take effect over a blanket allow.[2]

Step 2 — (Optional) Merge with a custom base policy

  1. In the Wizard, choose Policy Merger. Select your custom base policy XML and the recommended block list XML.
  2. Ensure the Allow-All rules that ship with the block list (the `<Allow>` rules with `FileName="*"`) are removed from the merged result before converting to binary; left in place, they let everything that is not explicitly denied run, which defeats an allow-list base policy.
  3. Validate with: `ConvertFrom-CIPolicy -XmlFilePath MergedPolicy.xml -BinaryFilePath MergedPolicy.p7b`
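The following script is an added example, not part of the guide or of any Microsoft tooling. It performs Step 2 from PowerShell instead of the Wizard's Policy Merger: merge the two XML policies, strip the Allow-All rules and every signing-scenario reference to them, leave the policy in audit mode, and compile the binary. All file paths are assumptions; the rule layout (`FileRules/Allow` with `FileName="*"`, referenced by `FileRuleRef` elements) is the standard App Control policy schema.

```powershell
# Added example (not from the guide): merge a custom base policy with the
# Microsoft Recommended Block List, remove the Allow-All rules, and compile.
# The four paths below are assumptions; change them to suit your environment.
$BasePolicy   = 'C:\WDAC\CustomBase.xml'           # your allow-list base policy
$BlockList    = 'C:\WDAC\RecommendedBlockList.xml' # exported from the Wizard in Step 1
$MergedXml    = 'C:\WDAC\MergedPolicy.xml'
$MergedBinary = 'C:\WDAC\MergedPolicy.p7b'

# 1. Merge the two XML policies (ConfigCI module, built into Windows).
Merge-CIPolicy -PolicyPaths $BasePolicy, $BlockList -OutputFilePath $MergedXml | Out-Null

# 2. Find every Allow rule whose FileName is "*" (the Allow-All rules that ship
#    with the block list) and remove it together with the FileRuleRef entries
#    that point at it inside the signing scenarios.
[xml]$policy = Get-Content -Path $MergedXml -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
$ns.AddNamespace('p', 'urn:schemas-microsoft-com:sipolicy')

$removedIds = @()
foreach ($rule in @($policy.SelectNodes('//p:FileRules/p:Allow[@FileName="*"]', $ns))) {
    $removedIds += $rule.ID
    [void]$rule.ParentNode.RemoveChild($rule)
}
foreach ($id in $removedIds) {
    foreach ($ref in @($policy.SelectNodes("//p:FileRuleRef[@RuleID='$id']", $ns))) {
        [void]$ref.ParentNode.RemoveChild($ref)
    }
}

# 3. Sanity check before anything is written: deny rules must survive the merge
#    and no wildcard Allow rule may remain.
$denyCount  = $policy.SelectNodes('//p:FileRules/p:Deny', $ns).Count
$starAllows = $policy.SelectNodes('//p:FileRules/p:Allow[@FileName="*"]', $ns).Count
if ($denyCount -eq 0 -or $starAllows -gt 0) {
    throw "Merged policy failed validation (Deny rules: $denyCount, Allow-All rules left: $starAllows)"
}
$policy.Save($MergedXml)
Write-Host "Removed Allow-All rules: $($removedIds -join ', ')"

# 4. First deployment stays in audit mode (rule option 3 = Enabled:Audit Mode),
#    matching Step 3 of the guide. Drop this option when moving to enforcement.
Set-RuleOption -FilePath $MergedXml -Option 3

# 5. Compile to the binary that Intune consumes; this is the guide's validation step.
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $MergedBinary
```

The validation in step 3 is the part worth keeping even if you merge in the Wizard: a merged policy with zero `Deny` rules, or with a surviving `FileName="*"` allow, is the usual sign that the wrong template was exported or that the Allow-All cleanup was skipped.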

Step 3 — Deploy via Intune

  1. In the Microsoft Intune admin centre, go to Endpoint security → App control for Business (Preview) → Create policy.
  2. Platform: Windows 10 and later; Profile type: Windows Defender Application Control.
  3. Under Configuration settings, select Enter XML data and paste the merged policy XML.
  4. Start in Audit only mode to observe impact before enforcing.
  5. Assign the profile to the target Azure AD device group.
  6. After a policy refresh (or a manual trigger via `Invoke-CimMethod` on the device), verify the policy is loaded: Event Viewer → Applications and Services Logs → Microsoft → CodeIntegrity → Operational (Event ID 3033 = loaded; 3076 = block event in audit mode).
  7. Once validated, edit the profile to switch from Audit to Enforcement mode.
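Before flipping the profile from Audit to Enforcement (step 7), it helps to see what the audit-mode policy would have blocked across the pilot group. The script below is an added example, not part of the guide; it is run on an enrolled device and summarises CodeIntegrity events 3076 (the audit-mode block event named above) and 3077 (the corresponding enforced block). The `FileNameBuffer`, `ProcessNameBuffer` and `PolicyNameBuffer` field names are those of the 3076/3077 event schema as commonly observed; confirm them against an event on your own devices.

```powershell
# Added example (not from the guide): summarise audit-mode App Control events so
# the list can be reviewed before the Intune profile is switched to enforcement.
$Log   = 'Microsoft-Windows-CodeIntegrity/Operational'
$Since = (Get-Date).AddDays(-7)          # review window; adjust to your pilot length

# 3076 = would-have-blocked (audit mode); 3077 = blocked (enforcement mode).
$events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 3076, 3077; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

# Pull a named EventData field from the event's XML; field names are assumed
# from the 3076/3077 schema and should be checked against a real event.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 3076) { 'Audit' } else { 'Enforced' }
        File    = Get-EventField -Event $e -Name 'FileNameBuffer'
        Process = Get-EventField -Event $e -Name 'ProcessNameBuffer'
        Policy  = Get-EventField -Event $e -Name 'PolicyNameBuffer'
    }
}

# Group by file so one noisy binary does not hide the rest. Every entry is either
# an approved application that needs an allow rule in the base policy, or
# something the block list is right to stop and which should stay blocked.
$rows | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Processes'; e = { ($_.Group.Process | Sort-Object -Unique) -join '; ' } },
        @{ n = 'Policy';    e = { ($_.Group.Policy  | Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize
```

Run it on several pilot devices and feed the approved entries back into the base policy (Step 2) before enforcing; a pilot week with no unexpected 3076 entries is the practical go/no-go signal for step 7.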

Step 4 — Add the vulnerable driver blocklist

| Method | Description |
|---|---|
| Supplemental policy | Download the pre-built `.p7b` binary from Microsoft Download Center. Copy to `%windir%\System32\CodeIntegrity\SiPolicy.p7b`; run the App Control policy refresh tool. |
| Merge into base policy | Extract `Recommended_Driver_Blocklist.xml` from the WDAC Wizard templates folder. Merge with your base policy (see Step 2). Remove any AllowAll rules. Deploy via Intune. |
| ASR rule (supplemental) | Enable ASR rule GUID `56a863a9-875e-4185-98a7-b882c64b5ce5` (Block abuse of exploited vulnerable signed drivers) via an Intune Attack surface reduction profile as a complementary control.[3] |
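A device-side check that the three methods in the table actually landed is useful for the ML2/ML3 evidence pack. The script below is an added example, not part of the guide: it reports whether the single-policy binary is present at the path the table names, whether the ASR rule from the table is configured in Block mode, and how many enforced driver blocks the device has logged. `Get-MpPreference` and `Get-WinEvent` are standard cmdlets; the 30-day window and the `.sys` match on the event message are choices made here.

```powershell
# Added example (not from the guide): verify the vulnerable driver blocklist
# controls from the Step 4 table are in place on this device.
$DriverBlockRule = '56a863a9-875e-4185-98a7-b882c64b5ce5'   # ASR GUID from the guide
$SiPolicyPath    = Join-Path $env:windir 'System32\CodeIntegrity\SiPolicy.p7b'
$Log             = 'Microsoft-Windows-CodeIntegrity/Operational'

$result = [ordered]@{}

# 1. "Supplemental policy" row: the pre-built binary copied to the CodeIntegrity folder.
$result.SiPolicyPresent = Test-Path $SiPolicyPath

# 2. "ASR rule" row: is the rule configured, and with which action?
#    Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$mp  = Get-MpPreference
$ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$idx = [array]::IndexOf($ids, $DriverBlockRule.ToLower())
$result.AsrRuleAction   = if ($idx -ge 0) { $mp.AttackSurfaceReductionRules_Actions[$idx] } else { 'not configured' }
$result.AsrRuleBlocking = ($idx -ge 0 -and $mp.AttackSurfaceReductionRules_Actions[$idx] -eq 1)

# 3. Evidence the blocklist is doing work: enforced blocks (3077) whose message
#    names a kernel driver. A healthy fleet usually shows zero here; a non-zero
#    count is worth an incident-response look rather than an allow rule.
$driverBlocks = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 3077; StartTime = (Get-Date).AddDays(-30) } `
                             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\.sys\b' }
$result.DriverBlocksLast30d = @($driverBlocks).Count

[pscustomobject]$result | Format-List
```

`AsrRuleBlocking` false with `AsrRuleAction` 2 means the rule is only auditing; the table's intent is Block, so treat that as a finding rather than a pass.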