Hello and welcome to Defender Application Control. Defender Application Control is a service that is used to protect PCs against malware and untrusted software by preventing malicious code from running. In turn, it allows you to ensure that only approved code can be run on your machines. In other words, Defender Application Control enforces a specific list of software that is allowed to run on a PC. 

To protect PCs with Defender Application Control, you deploy Application Control policies. These policies are deployed to targeted collections of PCs via Configuration Manager.

When you use Configuration Manager to deploy Defender Application Control policies, you can configure Defender Application Control to run in two different modes on the PCs in your defined collection. You can configure it to run in Enforcement Enabled mode, or Audit Only mode.

When run in Enforcement Enabled mode, only trusted executables are allowed to run. When run in Audit Only mode, it allows all executables, including trusted and untrusted ones, to run, but it logs untrusted executables that run in the local client event log.

When you deploy a Defender Application Control policy, the executables that you see on your screen are typically the only ones allowed to run.

Software that has a good reputation according to the Microsoft Intelligent Security Graph can also run. 

Now, before you can use Defender Application Control with Configuration Manager, the workstations you are managing must run Windows 10 Enterprise version 1703 or later. Servers must be running Windows Server 2019, or later.

Now, there ARE some use case caveats to be aware of when using Defender Application Control with Configuration Manager.

For example, once a policy is processed on a machine, Configuration Manager is configured as a Managed Installer on that machine. This means that any software that gets deployed through Configuration Manager, after the policy processes, is automatically trusted. However, software that’s installed by Configuration Manager BEFORE the Defender Application Control policy is processed is NOT automatically trusted. This is a really important distinction because it’s the type of nuanced information that often turns up on exams.

I should also point out that, by default, compliance evaluation for Application Control policies happens once a day. However, this is configurable during deployment. 

I should also mention that, regardless of what enforcement mode you choose to deploy in, client PCs CAN NOT run HTML applications with the extension .hta. That’s another bit of information that kinda writes itself as an exam question.

So, with that, we’ll wrap this intro lesson up. The key takeaway here is that Defender Application Control is a service that is used to protect PCs against malware and untrusted software by preventing malicious code from running. To protect PCs with Defender Application Control, you deploy Application Control policies to targeted collections of PCs via Configuration Manager.