# Application Control

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/application-control

## Quick definition

Application Control helps prevent unauthorized or harmful software from running on a computer. Administrators create rules that list which programs are trusted. Only those trusted programs can start. This keeps the system safer from malware and unwanted apps.

## Simple meaning

Imagine you are the manager of a large office building. You want to make sure only approved employees can enter. You give each employee a special badge. If someone without a badge tries to come in, the door stays locked. Application Control works in a similar way for a computer. Instead of badges, the computer checks a list of trusted software. When a user tries to open a program, Windows looks at this list. If the program is on the trusted list, it runs normally. If the program is not on the list, Windows blocks it. This is very different from traditional antivirus software. Antivirus software usually allows everything to run first and then scans for bad things. Application Control starts by blocking everything and then only allows specific items. This is a much stronger security approach. For example, if a new virus appears, traditional antivirus might not recognize it until it gets an update. But with Application Control, that new virus would be blocked immediately because it is not on the trusted list. This makes Application Control especially powerful against unknown threats. Administrators decide which apps are trusted based on things like the publisher’s digital signature, the file path, or the file hash. This control can be applied to individual computers or to many devices across an organization using management tools. The goal is simple: only approved software can run, and everything else is stopped before it can do any harm.

## Technical definition

Application Control is a security mechanism in Windows that enforces a "default deny" policy for software execution. The most common implementation is Windows Defender Application Control (WDAC) and the older AppLocker. WDAC is the modern, more secure solution and is a core component of Microsoft's security stack, particularly in Windows 10 and Windows 11 Enterprise editions. It uses Code Integrity (CI) policies to determine which executables, scripts, Windows Installer files, and even drivers are allowed to run. The policy is based on rules that can be built from file attributes such as the publisher certificate, the file hash, the path, or the file name. The most secure and recommended rule type is the publisher rule, which relies on the digital signature of the software. This makes it tamper-resistant because the signature must be valid and trusted. WDAC policies are XML files that are compiled into a binary format and stored in the system registry. They are applied at boot time and enforced by the kernel. This means that even a user with administrative privileges cannot bypass the policy easily. The policy can be configured in two main modes: Audit mode and Enforce mode. Audit mode logs events when a blocked action would have occurred, but it does not actually block the execution. This is used for testing and validation before deploying the policy in Enforce mode. Enforce mode actively blocks untrusted software from running and logs the event. For MD-102 exam candidates, understanding how to plan, configure, and deploy WDAC policies using Microsoft Intune or Group Policy is essential. You must know how to create a policy from a reference device, how to sign the policy for added security, and how to manage policy updates. The process involves several stages: creating the base policy, testing it in audit mode, analyzing the event logs, refining the rule set, and finally switching to enforce mode. You also need to understand the concept of “managed installer.” A managed installer is a software distribution tool, like Microsoft Configuration Manager or Intune, that is trusted by the WDAC policy to install software. Any software installed by a managed installer is automatically trusted, which simplifies policy management. Another important component is the Intelligent Security Graph (ISG), which allows Windows to use cloud-based reputation data to make decisions about untrusted apps. This provides a way to allow new or rare software that might have a good reputation without manually updating the policy. The exam also covers how to handle updates to signed applications and how to manage multiple policies on a single device, including supplemental policies that add additional rules without replacing the base policy. Application Control is deeply integrated with Windows security features like Secure Boot, Virtualization-Based Security (VBS), and Hypervisor-Protected Code Integrity (HVCI). For a comprehensive implementation, VBS and HVCI should be enabled to protect the WDAC policy itself from being tampered with by malware that runs at the kernel level.

## Real-life example

Think of a school library. The librarian wants to make sure only students with a valid library card can borrow books. Instead of checking every single student as they leave, the librarian creates a list of students who are allowed to borrow. At the checkout desk, the librarian scans the student’s card. If the student’s name is on the approved list, they can take the book. If the name is not on the list, they are politely told they cannot borrow. This is like Application Control. The librarian does not need to know every book that is bad; they just need to know who is allowed. Now imagine that a new student arrives. They don’t have a library card yet. The librarian has two choices: they can add the new student to the list, or they can deny the request. With Application Control, the system is the same. When a user tries to run a new program, Windows checks if that program is on the trusted list. If the program came from a trusted publisher or was installed by your company’s software management tool, it is automatically added to the trusted list. If not, it is blocked. This is much safer than relying on antivirus to catch every threat. In the library analogy, that is like having a security guard who tries to inspect every book for hidden dangers before a student leaves. That is slow and can miss things. Application Control is like having a strict membership policy: only members can enter, and new members must be approved by the boss. This prevents unknown threats from ever getting inside.

## Why it matters

Application Control matters because traditional antivirus is no longer enough to stop modern cyberattacks. Attackers constantly create new malware that antivirus software has never seen before. These are called zero-day threats. Application Control stops zero-day threats by default because any unknown program is simply not allowed to run. This is a fundamental shift in security strategy. For IT administrators managing corporate devices, Application Control provides a way to enforce compliance and reduce the attack surface. If an employee accidentally tries to open a malicious attachment in an email, Application Control will block it if the attachment is not a trusted application. This prevents ransomware and other malware from gaining a foothold. It also helps with licensing and policy compliance. Admins can ensure that only approved business applications are used, reducing the risk of unlicensed software or applications that violate company policy. From a management perspective, Application Control integrates deeply with Microsoft Intune and Configuration Manager, making it possible to deploy and manage policies at scale. This is especially important in hybrid or cloud-connected environments. The MD-102 exam heavily emphasizes this because it is a core skill for modern endpoint administrators. You need to understand how to plan a deployment, how to test policies in audit mode, and how to handle exclusions for line-of-business applications that may not be digitally signed. The business impact is significant. A successful ransomware attack can cost millions in downtime, data recovery, and reputational damage. Application Control is one of the most effective defenses against such attacks because it does not rely on knowing what the threat looks like. It relies on knowing what is trusted. This makes it a critical tool in any organization's security posture.

## Why it matters in exams

The MD-102 exam, titled Endpoint Administrator, includes Application Control as a key objective under the “Manage security” domain. You will be expected to know the difference between Windows Defender Application Control (WDAC) and AppLocker. The exam focuses on WDAC as the modern solution. Specific objectives include planning a WDAC deployment, creating and managing WDAC policies, configuring policy rules, and troubleshooting policy issues. You must also know how to use audit mode to test policies before enforcement. The exam presents scenarios where you need to choose between different rule types or deployment methods. For example, a question might describe a company that needs to allow a legacy application that is not digitally signed. The correct answer would be to use a file hash rule or a path rule, with the understanding that path rules are less secure. Another common question type involves deploying a WDAC policy via Intune. You would need to know the steps: create the policy XML, convert it to a binary, and upload it to Intune as a custom configuration profile. You also need to be aware of the “managed installer” concept and how it simplifies allowing software from Configuration Manager or Intune. The exam may ask about event log locations for troubleshooting, such as the CodeIntegrity operational log and the AppLocker event log. You might be asked to analyze a log entry to determine why a specific application was blocked. Another important area is understanding the relationship between WDAC and Hypervisor-Protected Code Integrity (HVCI). The exam tests your knowledge of prerequisites, such as Secure Boot and virtualization-based security. You should also know that WDAC policies can be signed for extra protection, and that unsigned policies can be overridden by a local admin if VBS is not enabled. Finally, the exam often includes questions about the Intelligent Security Graph option, which allows cloud-based reputation to influence trust decisions. Being able to describe how the ISG option works and when to use it is important. Overall, Application Control questions on the MD-102 exam range from simple definition recall to complex scenario-based decision making. A solid understanding of the configuration and troubleshooting aspects is essential for scoring well.

## How it appears in exam questions

In the MD-102 exam, Application Control appears in scenario-based questions, configuration questions, and troubleshooting questions. Scenario-based questions often present a company that has experienced a malware infection due to an employee running an unauthorized application. You are asked to recommend a solution that will prevent this in the future. The correct answer will involve implementing Windows Defender Application Control with a default deny policy. Another common scenario involves a legacy line-of-business application that is not digitally signed and needs to be allowed for a specific group of users. You must choose the appropriate rule type, such as a file hash rule, while understanding the security trade-offs. Configuration questions test your knowledge of the steps to create and deploy a WDAC policy. For example, you might be asked which tool is used to create the initial policy XML. The answer is the “WDAC Wizard” or PowerShell cmdlets like New-CIPolicy. You may also be asked about the proper way to deploy the policy via Group Policy versus Intune. Troubleshooting questions present a situation where a policy is in enforce mode, but a trusted application is being blocked. You need to identify the cause, such as an incorrect file hash or a missing publisher certificate in the rule. You might be asked to check the CodeIntegrity event log to find the reason for the block. Another troubleshooting scenario involves an application that was previously allowed but is now blocked after a software update. This tests your understanding of how file hash rules break when a new version is installed. The correct solution would be to update the hash rule or switch to a publisher-based rule. You might also encounter questions about audit mode. For instance, a company wants to test a new policy without impacting users. The answer is to deploy the policy in audit mode, review the logs for a period of time, and then switch to enforce mode. Some questions combine multiple concepts. A question might ask you to configure a WDAC policy that allows all applications from a specific trusted publisher, blocks all others, and also allows apps installed by Configuration Manager. The correct answer would combine a publisher rule for the trusted publisher and a managed installer rule for Configuration Manager. Understanding how these rules work together is key. Finally, you may be asked to explain the impact of enabling VBS and HVCI on WDAC enforcement. This tests your deeper knowledge of the security architecture.

## Example scenario

Contoso Ltd is a mid-sized company with 500 Windows 10 devices managed using Microsoft Intune. The IT department recently faced a ransomware attack that began when an employee downloaded and ran a fake invoice from an email. The ransomware encrypted hundreds of files before the antivirus could react. The IT manager decides to implement Windows Defender Application Control to prevent similar incidents in the future. The first step is to create a base WDAC policy. The IT administrator sets up a reference device that has all the approved business applications installed, including Microsoft Office, a custom accounting software, and company-standard tools. Using the WDAC Wizard, the administrator creates a policy based on the publisher certificates of these applications. The policy is saved as an XML file. The administrator then deploys the policy in audit mode to a pilot group of 20 devices. Over the next week, the administrator monitors the CodeIntegrity operational log on those devices. The logs show that the custom accounting software is generating block events because its publisher certificate is not included in the policy. The administrator adds the publisher to the rule set. The logs also show that several employees are trying to run personal applications like Spotify and a third-party PDF viewer. These are flagged but not blocked because the policy is in audit mode. After analyzing the logs, the administrator refines the policy to include the missing publisher and decides to keep the policy strict by not allowing the personal apps. The updated policy is compiled into a binary file and uploaded to Intune as a custom configuration profile. The policy is then assigned to all 500 devices. The administrator switches the policy to enforce mode. A week later, another employee receives a phishing email with a malicious executable. The employee attempts to run it, but WDAC immediately blocks the execution because the executable is not signed by any trusted publisher. The malware never runs, and no data is encrypted. The IT team is alerted by a block event logged in the CodeIntegrity log. This scenario shows how Application Control provides a proactive defense against unknown threats, reduces the risk of ransomware, and gives administrators visibility into unauthorized software attempts.

## Common mistakes

- **Mistake:** Thinking that AppLocker and WDAC are interchangeable and equally secure.
  - Why it is wrong: AppLocker is an older technology that can be bypassed by a local administrator, while WDAC is kernel-enforced and more secure with features like virtualization-based security.
  - Fix: Always use Windows Defender Application Control (WDAC) for enterprise-level security. Understand that AppLocker is legacy and only used for specific backwards-compatibility scenarios.
- **Mistake:** Deploying a WDAC policy in enforce mode without first testing in audit mode.
  - Why it is wrong: This can block critical business applications, causing widespread disruption and user frustration.
  - Fix: Always deploy a new WDAC policy in audit mode first. Monitor the CodeIntegrity event logs for at least a week to catch all blocked applications, then refine the policy before switching to enforce mode.
- **Mistake:** Using path-based rules for all applications because they are easy to create.
  - Why it is wrong: Path rules are less secure because an attacker can place a malicious file in the same trusted path. Path rules also do not survive software updates if the path changes.
  - Fix: Use publisher-based rules whenever possible because they rely on digital signatures, which are tamper-proof. Reserve path rules only for specific, legacy applications that cannot be signed.
- **Mistake:** Assuming that once a WDAC policy is deployed, no further management is needed.
  - Why it is wrong: Applications get updated, and new trusted applications are added. The policy must be maintained and updated regularly to prevent legitimate applications from being blocked.
  - Fix: Establish a process for reviewing and updating the WDAC policy whenever new software is approved or existing software is updated. Use supplemental policies to extend the base policy without redeploying it.
- **Mistake:** Forgetting to enable Virtualization-Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI).
  - Why it is wrong: Without VBS and HVCI, an administrator with local privileges can modify or disable the WDAC policy, defeating its purpose.
  - Fix: Ensure that VBS and HVCI are enabled on devices that enforce WDAC policies. This protects the policy itself from tampering.
- **Mistake:** Confusing the managed installer feature with simply allowing all software installed by any installer.
  - Why it is wrong: Only installers that are specifically designated as managed installers in the WDAC policy are trusted. This is typically Configuration Manager or Intune, not any random installer.
  - Fix: Define which software distribution tools are trusted managed installers in the WDAC policy. Any software installed by those tools will be automatically allowed.

## Exam trap

{"trap":"A question says a company wants to allow all applications from a specific folder, and the answer choices include creating a publisher rule or a path rule. The trap is that path rules seem easier and fit the requirement perfectly, so many learners choose path rules.","why_learners_choose_it":"Learners focus only on the requirement to allow apps from a specific folder and overlook the security implications. They remember that path rules exist and think it is the simplest solution.","how_to_avoid_it":"Remember that the exam emphasizes security best practices. Path rules are less secure and discouraged. The best answer is to use a publisher rule if the applications in that folder are signed. If they are not signed, then a file hash rule is more secure than a path rule. Always prioritize publisher rules first."}

## Commonly confused with

- **Application Control vs AppLocker:** AppLocker is an older application control feature that works at the user level and can be bypassed by administrators. WDAC works at the kernel level and is much more secure. For the MD-102 exam, WDAC is the recommended solution, while AppLocker is considered legacy. (Example: If a user is a local admin on a device, they can disable AppLocker. They cannot disable WDAC if VBS is enabled.)
- **Application Control vs Antivirus / Microsoft Defender Antivirus:** Antivirus uses signatures and behavior analysis to detect and block malware after it tries to run. Application Control blocks software from running in the first place if it is not on an allow list. They are complementary but work very differently. (Example: Antivirus is like a guard checking bags at the door for weapons. Application Control is like only letting in people with a VIP pass. Both keep the party safe, but in different ways.)
- **Application Control vs Windows Defender Firewall:** Windows Defender Firewall controls network traffic to and from applications. Application Control controls whether the application can start at all. A firewall does not prevent a malicious app from running if it is already installed; it only controls its network access. (Example: The firewall is like a bouncer checking who gets to use the phone. Application Control is a bouncer checking who even gets into the building.)
- **Application Control vs User Account Control (UAC):** UAC prompts users for permission when an application tries to make system changes. It does not prevent the application from launching. Application Control can block an application entirely regardless of user choice. (Example: UAC asks you if you want to let a guest rearrange the furniture. Application Control does not let the guest into the house at all.)

## Step-by-step breakdown

1. **Plan and Identify** — Determine which applications your organization trusts and needs to run. This includes operating system components, line-of-business apps, and common tools. Also identify any unsigned or legacy software that might require special rules.
2. **Set Up a Reference Device** — Install all approved applications on a clean Windows device. This device will be used to scan and generate the initial WDAC policy. Ensure the device is fully updated and represents the standard configuration.
3. **Create the Base Policy** — Use the WDAC Wizard or PowerShell cmdlets like New-CIPolicy to scan the reference device and generate an XML policy file. Choose the appropriate rule level, such as Publisher for signed apps or FilePublisher for more precise control.
4. **Deploy in Audit Mode** — Convert the XML policy to a binary (.p7b) file and deploy it to a pilot group using Intune or Group Policy. Set the policy to audit mode initially. This logs block events without actually blocking anything, allowing you to test for false positives.
5. **Analyze Event Logs** — Monitor the CodeIntegrity operational event log (Event ID 3076 for audit blocks and 3077 for enforced blocks). Identify any applications that would be blocked and determine if they need to be allowed. Adjust the policy rules accordingly.
6. **Refine and Merge Rules** — Based on the log analysis, create supplemental policies or merge new rules into the base policy. Consider adding rules for trusted publishers, file hashes for unsigned apps, or managed installer rules to cover software deployed by Configuration Manager.
7. **Switch to Enforce Mode** — After thorough testing, compile the final policy and deploy it in enforce mode to all target devices. Ensure VBS and HVCI are enabled to protect the policy itself. Continue monitoring logs for any new blocks caused by updated applications.

## Practical mini-lesson

Application Control, specifically Windows Defender Application Control (WDAC), is a critical skill for any endpoint administrator. In practice, the most important concept to grasp is the trust model. WDAC does not decide what is bad; it decides what is good. Everything else is bad by default. This is called a default deny model. The trust is based on cryptographic signatures, file hashes, or paths. Publisher-based trust is the gold standard because a digitally signed application cannot be tampered with without breaking the signature. When you create a WDAC policy, you typically start with a reference computer that has all your approved software. You run a scan using the WDAC Wizard or the New-CIPolicy PowerShell cmdlet. The scanner looks at every executable, script, and installer on the device and records their file attributes. You then choose a rule level. For maximum security, choose Publisher or FilePublisher. These levels use the digital signature of the file. If the file is unsigned, the scanner will fall back to a hash rule, but you can also create a path rule for that specific folder if needed. After the policy is created, you convert it to a binary format using ConvertFrom-CIPolicy. This binary is what you deploy. The deployment method depends on your environment. For Intune-managed devices, you create a custom configuration profile and upload the binary file. For on-premises devices with Group Policy, you place the binary in a specific folder and configure the Group Policy setting. One common challenge is handling software updates. If you used file hash rules for an application, and that application updates, the hash changes, and the new version will be blocked. This is why publisher rules are preferred. They are version-agnostic. Another practical scenario is allowing line-of-business applications that are not signed. You can use a file hash rule, but this requires re-scanning after every update. A better approach is to use a managed installer. You designate your software distribution tool (like Intune or Configuration Manager) as a managed installer in the WDAC policy. Then, any software installed by that tool is automatically trusted. This simplifies management significantly. Troubleshooting is a daily task. The primary tool is the CodeIntegrity event log. You need to know how to filter for Event IDs 3076 and 3077. Event 3076 means a file would be blocked in audit mode. Event 3077 means a file was blocked in enforce mode. The log entry tells you which file was blocked, why (e.g., no publisher certificate), and the file hash. You can use this information to create a supplemental policy that allows the blocked file. Remember that you can have multiple policies on a single device: a base policy and several supplemental policies. Supplemental policies add rules but cannot remove rules from the base policy. This allows you to deploy a core policy and then add exceptions for specific departments or users without modifying the base policy. Finally, always protect your policy. Enable Secure Boot, VBS, and HVCI. Without these, a local admin can disable or replace the WDAC policy. In high-security environments, sign your WDAC policy with a code signing certificate. A signed policy cannot be replaced unless the attacker has the signing certificate. This is the ultimate protection level.

## Commands

```

```


```

```


```

```


## Troubleshooting clues

- **undefined** — symptom: undefined. undefined
- **undefined** — symptom: undefined. undefined
- **undefined** — symptom: undefined. undefined
- **undefined** — symptom: undefined. undefined
- **undefined** — symptom: undefined. undefined

## Memory tip

Remember 'DAD' for WDAC: Default Deny, Audit first, Digital signatures best. Default deny stops unknown threats. Audit mode prevents outages. Digital signatures provide the most reliable trust.

## FAQ

**What is the difference between Windows Defender Application Control and AppLocker?**

AppLocker is an older, user-mode feature that can be bypassed by local administrators. WDAC is kernel-enforced and works with virtualization-based security, making it much harder to bypass. Microsoft recommends WDAC for all modern deployments.

**Can WDAC block Microsoft Office updates?**

If your WDAC policy includes publisher rules for Microsoft, updates to Microsoft Office are automatically trusted because the publisher certificate remains the same. If you use file hash rules, updates may be blocked until you update the policy.

**How do I allow a specific line-of-business application that is not digitally signed?**

You can use a file hash rule for that application, but you will need to update the rule every time the application is updated. Alternatively, you can use a path rule, but that is less secure. The most scalable approach is to use a managed installer to deploy the app.

**What happens if I deploy a WDAC policy in enforce mode and it blocks a critical system process?**

This can cause serious issues, including boot failures. That is why testing in audit mode is critical. If it happens, you can boot into Safe Mode, which disables WDAC, and remove the policy or switch it back to audit mode.

**Does WDAC protect against kernel-level rootkits?**

Yes, especially when combined with Hypervisor-Protected Code Integrity (HVCI). WDAC can control which drivers are allowed to load, preventing malicious or vulnerable drivers from running at the kernel level.

**Can I use WDAC on Windows 10 Pro?**

WDAC is available on Windows 10 Enterprise and Education editions. It is also available on Windows 11 Pro, but some advanced features like VBS are not fully supported on all hardware. For the MD-102 exam, focus on Enterprise edition.

**How do I check the current WDAC policy on a device?**

You can use the PowerShell cmdlet Get-CIPolicyInfo to list all active policies. You can also check the registry at HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard for policy settings.

## Summary

Application Control, specifically Windows Defender Application Control (WDAC), is a powerful security feature that takes a default deny approach to software execution. Instead of trying to identify bad software, it defines a list of trusted software and blocks everything else. This makes it extremely effective at stopping unknown threats, including zero-day malware and ransomware. For IT professionals preparing for the MD-102 exam, understanding WDAC is essential. The exam tests your ability to plan, configure, deploy, and troubleshoot WDAC policies using tools like Intune and Group Policy. Key concepts include rule types (publisher, hash, path), audit versus enforce mode, managed installer integration, and the importance of protecting the policy with VBS and HVCI. Common mistakes include skipping audit mode testing, using insecure path rules, and forgetting to maintain policies after deployment. By mastering Application Control, you not only prepare for the exam but also gain a practical skill that directly improves the security posture of any Windows environment. Remember the core principle: trust nothing by default, and only allow what is explicitly trusted.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/application-control
