A recent analysis of Windows Defender ATP data found that 96% of malware encountered is unsigned.

Application control is regularly identified as one of the most effective mitigations against modern security threats because anything that’s not allowed by policy is blocked from running.

To make application control more deployable, Microsoft has delivered new capabilities for Windows Defender Application Control (WDAC), originally part of a scenario called Device Guard. Now multiple policy files are supported with the concept of base and supplemental policies.

This release came in response to feedback asking for manageability improvements. Application control enthusiasts will appreciate the improved experience and ability to cover completely new scenarios.

Use Windows Defender Application Control policies to control whether specific plug-ins, add-ins and modules can run from specific applications. New capabilities include:

1. File path rules, including optional runtime admin protection checks:
   This new capability is an essential tool for organizations that are looking to adopt application execution control while simultaneously attempting to balance IT overhead. The runtime check included in this capability allows for increased security for file path rules, which adds an additional safeguard for organizations.
2. Multiple policy file support with composability:
   To mitigate the app control issues that come from limiting support to a single policy file, this update will support multiple file policies through a new concept of base and supplemental policies. For execution to be completed, an application must pass each base policy independently and it must also pass the supplemental policies that expand and complements the base policies to establish further security.
3. Application Control CSP to provide a new, richer MDM policy management capability:
   Application Control CSP integration of a rebootless policy deployment will help solve the lack of this feature in the AppLocker CSP. This Application Control CSP will also bring about support for the new multiple policies and allow better error reporting for device management software vendors.
4. COM object registration support in policy:
   To reduce the risk that is posed from having certain powerful COM objects, this update enforces a built-in allows list of COM object registrations. Customers can also now specify cases in their environment where certain COM objects need to be allowed for registration.
5. Disabling script enforcement rule option:
   This update allows for the “Disabled:Script Enforcement” rule to turn off policy enforcement for MSIs, PowerShell scripts and wsh-hosted scripts, allowing users to approach EXE, DL and driver enforcement without needing to also address script host at the same time. This will give customers the ability to separate their application control projects into smaller chunks to help with deployment effectiveness.

Are you getting the most out of new Windows 10 features?

With frequent new updates and capabilities in Windows 10, it’s a challenge to keep up and understand how your business can take advantage of them. If you’re looking for a partner to help you make the most of these transformations and simplify your security strategy, contact us to learn more about our managed defense services.