Deploy WDAC policies using Mobile Device Management (MDM)

Note

Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the Windows Defender Application Control feature availability.

You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.

Important

Due to a known issue, you should always activate new signed WDAC Base policies with a reboot on systems with memory integrity enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies via script and activate the policy with a system restart.

This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.

Use Intune's built-in policies

Intune's built-in Windows Defender Application Control support allows you to configure Windows client computers to only run:

  • Windows components
  • Third-party hardware and software kernel drivers
  • Microsoft Store-signed apps
  • [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)

Note

Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. Use the improved Intune WDAC experience, currently in public preview, to create and deploy multiple-policy format files. Or, you can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.

Note

Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. Use the improved Intune WDAC experience, currently in public preview, to deploy your own WDAC policies without a restart. Or, you can use Intune's custom OMA-URI feature with the ApplicationControl CSP.

To use Intune's built-in WDAC policies, configure Endpoint Protection for Windows 10 (and later).

Deploy WDAC policies with custom OMA-URI

Note

Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use multiple policies, which allow more granular policy definitions.

You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in Deploying Windows Defender Application Control (WDAC) policies.

Deploy custom WDAC policies on Windows 10 1903+

Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the ApplicationControl CSP, which has support for multiple policies and rebootless policies.

Note

You must convert your custom policy XML to binary form before deploying with OMA-URI.

The steps to use Intune's custom OMA-URI functionality are:

  1. Open the Microsoft Intune portal and create a profile with custom settings.

  2. Specify a Name and Description and use the following values for the remaining custom OMA-URI settings:

    • OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
    • Data type: Base64 (file)
    • Certificate file: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune converts the uploaded .bin file to Base64 on your behalf.

    (Screenshot: Configure custom WDAC.)

Note

For the Policy GUID value, do not include the curly brackets.

Remove WDAC policies on Windows 10 1903+

Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. To disable Windows Defender Application Control enforcement, first replace the existing policy with a new version of the policy that allows everything ("Allow *"), like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This deletion prevents anything from being blocked and fully removes the WDAC policy on the next reboot.

For pre-1903 systems

Deploying policies

The steps to use Intune's Custom OMA-URI functionality to apply the AppLocker CSP and deploy a custom WDAC policy to pre-1903 systems are:

  1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet so that it can be deployed. The binary policy may be signed or unsigned.

  2. Open the Microsoft Intune portal and create a profile with custom settings.

  3. Specify a Name and Description and use the following values for the remaining custom OMA-URI settings:

    • OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy
    • Data type: Base64 (file)
    • Certificate file: upload your binary format policy file

    Note

    Deploying policies via the AppLocker CSP will force a reboot during OOBE.
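The following script is an added example, not part of the original article, that prepares a policy for either of the two custom OMA-URI procedures above: it converts the XML with ConvertFrom-CIPolicy, picks the ApplicationControl CSP (1903+, multiple-policy format with a PolicyID) or the AppLocker CSP (single-policy format), strips the curly brackets from the GUID, writes the .bin file Intune expects, and checks the 350,000-byte limit. The input path, output folder and the AppLocker grouping name are assumptions you would replace with your own.

```powershell
# Added example (not Microsoft's code): stage a WDAC policy for Intune custom OMA-URI.
# Assumes the ConfigCI module that ships with Windows; all paths below are hypothetical.
param(
    [string]$PolicyXml = 'C:\WDAC\MyPolicy.xml',   # hypothetical policy XML
    [string]$OutDir    = 'C:\WDAC\out',            # hypothetical output folder
    [string]$Grouping  = 'WDAC'                    # assumed grouping name, AppLocker CSP only
)

Import-Module ConfigCI
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Multiple-policy format (Windows 10 1903+) carries a PolicyID element;
# the pre-1903 single-policy format does not, so it must go through the AppLocker CSP.
[xml]$xml = Get-Content -Path $PolicyXml
$policyId = $xml.SiPolicy.PolicyID

if ($policyId) {
    # ApplicationControl CSP: the GUID appears in the OMA-URI and the file name
    # without curly brackets, and Intune wants a .bin extension instead of .cip.
    $guid    = $policyId.Trim('{}')
    $binPath = Join-Path $OutDir "$guid.bin"
    $omaUri  = "./Vendor/MSFT/ApplicationControl/Policies/$guid/Policy"
} else {
    # AppLocker CSP path: one policy per grouping; a reboot is requested on apply.
    $binPath = Join-Path $OutDir 'SinglePolicy.bin'
    $omaUri  = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$Grouping/CodeIntegrity/Policy"
}

# Convert the XML to the binary form both CSPs require (signed or unsigned).
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $binPath | Out-Null

# Intune custom OMA-URI rejects policies larger than 350,000 bytes; warn before upload.
$size = (Get-Item -Path $binPath).Length
if ($size -gt 350000) {
    Write-Warning "Policy binary is $size bytes, over the 350,000-byte custom OMA-URI limit."
}

# Values to enter in the Intune profile; upload $binPath as the 'Certificate file'.
[pscustomobject]@{
    OmaUri     = $omaUri
    DataType   = 'Base64 (file)'
    UploadFile = $binPath
    SizeBytes  = $size
}
```

Intune performs the Base64 encoding itself when the .bin file is uploaded, so no separate encoding step is needed.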

Removing policies

Policies deployed through Intune via the AppLocker CSP can't be deleted through the Intune console. In order to disable Windows Defender Application Control policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy.