Windows Defender Application Control design guide

Applies to

  • Windows 10
  • Windows Server 2016 and above

This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization.

Plan for success

A common refrain you may hear about application control is that it is "too hard". While it is true that application control is not as simple as flipping a switch, organizations can be very successful if they take a methodical approach and plan carefully. In reality, the issues that lead to failure with application control often arise from business issues rather than technology challenges. Organizations that have successfully deployed application control have ensured the following before starting their planning:

  • Executive sponsorship and organizational buy-in are in place.
  • There is a clear business objective for using application control and it is not being planned as a purely technical problem from IT.
  • The organization has a plan to handle potential helpdesk support requests for users who are blocked from running some apps.
  • The organization has considered where application control can be most useful (e.g. securing sensitive workloads or business functions) and also where it may be difficult to achieve (e.g. developer workstations).

Once these business factors are in place, you are ready to begin planning your WDAC deployment. The following topics can help guide you through your planning process.

In this section

Topic | Description
Plan for WDAC policy management | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies.
Understand WDAC policy design decisions | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies.
Understand WDAC policy rules and file rules | This topic lists resources you can use when selecting your application control policy rules by using WDAC.

After planning is complete, the next step is to deploy WDAC. The Windows Defender Application Control Deployment Guide covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.