Windows Defender Application Control is one of the security features in Windows 10. Windows Defender Application Control (WDAC) can help mitigate security threats by restricting the applications that users are allowed to run and the code that runs in the kernel. WDAC policies also block unsigned scripts and MSIs. WDAC is similar to AppLocker, and it can be managed with MS Intune. By default, Windows components and all apps from the Windows Store are trusted to run, so if you enable this feature Windows 10 will keep running without crashing or blocking important apps and components. So it’s safe to enable this. This is different with AppLocker: you had to be very careful when blocking files and processes with AppLocker. The requirement for this feature is that you must use Windows 10 Enterprise only.
More information about Windows Defender Application Control: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
Before deploying this profile to your test device, download and install 7zip on the device. We need this application to test WDAC.
Open MS Intune portal -> Device configuration -> Profiles
Click on the button Create Profile
Enter a name. The platform is Windows 10 and later. Profile type is Endpoint Protection. Click on Windows Defender Application Control. You will get more settings on the right side.
Change the setting Application control code integrity policies to Enforce. You can also enable Trust apps with a good reputation, but then you can’t test well-known applications like 7-Zip anymore, so I leave this one set to Not configured. I’m going to test 7-Zip with this profile. Click OK (twice) and click on Create to create the profile.
Click on Assignments and search for the group. Select the group and click on the Save button. The policy will now be deployed to the device. You have to wait a few seconds. To check the status of the deployment, go to the MS Intune portal -> Devices -> All Devices -> Name of the device -> Device Configuration.
Go to your Windows 10 device and try to start 7zip from the start menu. You get this message.
WDAC is working and is blocking unknown (non-Store) applications. Only the default Windows applications and Windows Store apps are trusted and are not blocked by WDAC.
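Besides the Intune portal status, you can confirm on the device itself that the policy is enforced and see exactly which file WDAC blocked when 7-Zip was launched. The following PowerShell is an added example, not part of the original post or of Microsoft's documentation; it assumes an elevated PowerShell session on the Windows 10 test device. The `Win32_DeviceGuard` WMI class and the Code Integrity event IDs (3077 for a block under an enforced policy, 3076 for an audit-mode "would have blocked") are standard Windows components.

```powershell
# Added example (not from the original post): verify WDAC enforcement state
# and list recent Code Integrity block events on the test device.
# Assumption: run as administrator on a Windows 10 device that received the
# Intune Endpoint Protection profile described above.

# Win32_DeviceGuard exposes the code integrity policy enforcement status:
# 0 = Off, 1 = Audit mode, 2 = Enforced
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$stateNames = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

"Kernel-mode CI policy : $($stateNames[[int]$dg.CodeIntegrityPolicyEnforcementStatus])"
"User-mode CI policy   : $($stateNames[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus])"

# Pull the last 20 block/audit events from the Code Integrity operational log.
# 3077 = file blocked by an enforced policy (what you see when 7-Zip is started),
# 3076 = file would have been blocked (audit mode only).
# Get-WinEvent errors when nothing matches, so suppress that for a clean device.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -MaxEvents 20 -ErrorAction SilentlyContinue

if (-not $events) {
    'No Code Integrity block events found yet.'
} else {
    # The event message names both the process that attempted the load and the
    # file that failed the policy, e.g. the 7-Zip executable under Program Files.
    $events | Select-Object TimeCreated, Id, Message | Format-List
}
```

If the user-mode status reads Enforced and a 3077 event appears right after you start 7-Zip from the Start menu, the profile has applied correctly; an Audit value with 3076 events instead means the device is still on an audit policy and the Intune setting has not taken effect yet.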