Microsoft Defender Application Control
The course is part of this learning path
This course explores Microsoft Defender Application Control. We'll look at the fundamentals of the service and then cover some of the key security and privacy caveats when using Application Control. You'll follow along with a real-life demonstration of how to create and deploy a Defender Application Control policy.
- Get an introductory understanding of Microsoft Defender Application Control
- Understand some key security and privacy caveats for using Application Control
- Learn how to create and deploy a Defender Application Control policy
This course is designed for anyone who wishes to learn about Microsoft Defender Application Control.
To get the most out of this course, you should have a basic understanding of Microsoft Defender.
Hello and welcome to Defender Application Control. Defender Application Control is a service that is used to protect PCs against malware and untrusted software by preventing malicious code from running. In turn, it allows you to ensure that only approved code can be run on your machines. In other words, Defender Application Control enforces a specific list of software that is allowed to run on a PC.
To protect PCs with Defender Application Control, you deploy Application Control policies. These policies are deployed to targeted collections of PCs via Configuration Manager.
When you use Configuration Manager to deploy Defender Application Control policies, you can configure Defender Application Control to run in two different modes on the PCs in your defined collection. You can configure it to run in Enforcement Enabled mode, or Audit Only mode.
When run in Enforcement Enabled mode, only trusted executables are allowed to run. When run in Audit Only mode, it allows all executables, including trusted and untrusted ones, to run, but it logs untrusted executables that run in the local client event log.
When you deploy a Defender Application Control policy, the executables that you see on your screen are typically the only ones allowed to run.
Software that has a good reputation according to the Microsoft Intelligent Security Graph can also run.
Now, before you can use Defender Application Control with Configuration Manager, the workstations you are managing must run Windows 10 Enterprise version 1703 or later. Servers must be running Windows Server 2019, or later.
Now, there ARE some use case caveats to be aware of when using Defender Application Control with Configuration Manager.
For example, once a policy is processed on a machine, Configuration Manager is configured as a Managed Installer on that machine. This means that any software that gets deployed through Configuration Manager, after the policy processes, is automatically trusted. However, software that’s installed by Configuration Manager BEFORE the Defender Application Control policy is processed is NOT automatically trusted. This is a really important distinction because it’s the type of nuanced information that often turns up on exams.
I should also point out that, by default, compliance evaluation for Application Control policies happens once a day. However, this is configurable during deployment.
I should also mention that, regardless of what enforcement mode you choose to deploy in, client PCs CAN NOT run HTML applications with the extension .hta. That’s another bit of information that kinda writes itself as an exam question.
So, with that, we’ll wrap this intro lesson up. The key takeaway here is that Defender Application Control is a service that is used to protect PCs against malware and untrusted software by preventing malicious code from running. To protect PCs with Defender Application Control, you deploy Application Control policies to targeted collections of PCs via Configuration Manager.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.