Create a default Microsoft Defender Application Control policy
To create a default policy, start by creating a reference computer that is virus- and malware-free and that contains the set of apps that your users need to run. It might be that you have to create several reference computers, each representing a typical device configuration within your organization. For example, you create a standard device for the research department, and perhaps you create a kiosk-type device for use in the library.
Having created the reference computer, sign in and then complete the following procedure:
1. Open an elevated Windows PowerShell command prompt.
2. Create the required variables for the process by running the following three commands:
$CIPolicyPath=$env:userprofile+"\Desktop\"
$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"
3. Scan the system for installed apps using the New-CIPolicy cmdlet (the 3> redirection writes the warning stream, which lists files the scan could not classify, to a log file):
New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt
4. Convert the Windows Defender Application Control (WDAC) policy to a binary format (for import) using the ConvertFrom-CIPolicy cmdlet:
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
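The same procedure as one script with the checks a practitioner would want before the binary is handed to a GPO. This is an added example, not the book's code; the $ScanLog name and the XML inspection are my additions, and the path variables follow the ones defined above.

```powershell
# Added example: run the scan, sanity-check the XML, then convert. Requires an
# elevated session on the clean reference computer described above.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$CIPolicyPath    = Join-Path $env:USERPROFILE 'Desktop'
$InitialCIPolicy = Join-Path $CIPolicyPath 'InitialScan.xml'
$CIPolicyBin     = Join-Path $CIPolicyPath 'DeviceGuardPolicy.bin'
$ScanLog         = Join-Path $CIPolicyPath 'CIPolicyLog.txt'   # assumed log name

# Step 3: scan. Stream 3 (warnings) lists files the scan could not classify;
# a long list usually means unsigned apps that will need explicit file rules.
New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> $ScanLog

# Inspect the generated policy before converting it. WDAC policies use the
# urn:schemas-microsoft-com:sipolicy namespace, so a namespace manager is needed.
[xml]$policy = Get-Content -Path $InitialCIPolicy
$ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
$ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')
$signerRules = $policy.SelectNodes('//si:Signers/si:Signer', $ns).Count
$fileRules   = $policy.SelectNodes('//si:FileRules/*', $ns).Count
$auditMode   = $policy.SelectNodes("//si:Rules/si:Rule[si:Option='Enabled:Audit Mode']", $ns).Count -gt 0
Write-Host "Signer rules: $signerRules  File rules: $fileRules  Audit mode: $auditMode"
if ($signerRules -eq 0 -and $fileRules -eq 0) { throw 'Scan produced an empty policy; check the reference computer.' }

# New-CIPolicy emits the policy in audit mode (rule option 3), so binaries that
# would be blocked are only logged (Microsoft-Windows-CodeIntegrity/Operational,
# event 3076). Keep it that way for a first deployment; switch to enforcement
# only after reviewing those events, by removing the option:
#   Set-RuleOption -FilePath $InitialCIPolicy -Option 3 -Delete

# Step 4: convert to the binary form the GPO setting will point at.
ConvertFrom-CIPolicy -XmlFilePath $InitialCIPolicy -BinaryFilePath $CIPolicyBin
if (-not (Test-Path $CIPolicyBin)) { throw "Policy binary was not written to $CIPolicyBin" }
Get-Item $CIPolicyBin | Select-Object FullName, Length, LastWriteTime
```

Copy the resulting .bin to the UNC share referenced by the GPO setting in the next procedure; the client saves it as SIPolicy.p7b regardless of the name you give it.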
Enable Microsoft Defender Application Control
After creating the default WDAC policy, you can use GPOs to distribute the required settings. Use the following procedure to complete this process:
- On a domain controller, open Group Policy Management.
- Open the appropriate GPO for editing and navigate to Computer Configuration > Policies > Administrative Templates > System > Device Guard.
- Double-click the Deploy Windows Defender Application Control setting.
- In the Deploy Windows Defender Application Control dialog box, select Enabled.
- Specify a value for the Code integrity policy file path and select OK. The file must be specified as a UNC path. Whichever file you point to is renamed SIPolicy.p7b when it is downloaded to the client.
- Close the Group Policy Management Editor.
Need More Review? Planning and Getting Started on the Microsoft Defender Application Control Deployment Process
To review further details about deploying Microsoft Defender Application Control, refer to the Microsoft website at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.