Security and Privacy Caveats with Defender Application Control

This course explores Microsoft Defender Application Control. We'll look at the fundamentals of the service and then cover some of the key security and privacy caveats when using Application Control. You'll follow along with a real-life demonstration of how to create and deploy a Defender Application Control policy.

Learning Objectives

  • Get an introductory understanding of Microsoft Defender Application Control
  • Understand some key security and privacy caveats for using Application Control
  • Learn how to create and deploy a Defender Application Control policy

Intended Audience

This course is designed for anyone who wishes to learn about Microsoft Defender Application Control.


To get the most out of this course, you should have a basic understanding of Microsoft Defender.


Welcome back. In this lesson, we’ll take a look at how Defender Application Control affects security and privacy on devices.

Let’s start by talking about devices that have not been restarted to enforce a policy. What’s important to know here is that if a policy has been deployed to a device, whether in Audit Only mode or in Enforcement Enabled mode, and the device hasn’t been restarted to enforce that policy, the device may still allow untrusted software to be installed. Software installed in that window may continue to run even after the device is restarted, and even after the device receives a policy in Enforcement Enabled mode, because it was already in place before the policy took effect. This is why it’s important to get a policy applied and enforced on a device BEFORE you start installing software on that device.

As a matter of fact, Microsoft recommends that you should prepare devices in a lab environment ahead of time, to test your policies and to ensure that the Defender Application Control policy you are working with is effective. Once you’ve tested things in your lab, you can then deploy the Enforcement Enabled policy, and restart the device before you give the device to an end user.

It’s also important to note that you should not deploy a policy in Enforcement Enabled mode to a device and then deploy a policy in Audit Only mode to that same device. If you do this, you may wind up with a device that allows untrusted software to run.

And lastly, one more caveat. Just to reiterate, I’m mentioning these caveats because this is the type of real-world knowledge that exams look for. The caveat is that using Configuration Manager to enable Defender Application Control on your client machines DOES NOT prevent users with local administrator rights on those machines from circumventing the Application Control policies or otherwise executing untrusted software. This means that if your end users have local administrator rights on their machines, this could be a problem.

To address this local admin caveat, the only way to prevent a local admin from disabling Application Control is to deploy a signed binary policy. You can do that through Group Policy, but not through Configuration Manager.
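To make these caveats concrete, here is an added PowerShell example. It is my own illustration, not code from this course or from Microsoft. It checks a policy XML for the two rule options that matter here (Audit Mode, and Unsigned System Integrity Policy, which is what leaves a local admin able to remove the policy), and then reads what Code Integrity is actually enforcing on the device through the Win32_DeviceGuard class, so you can tell a policy that is merely on disk from one that is enforced after a restart. The policy XML inside the script is a constructed fragment for the demo, and the file paths and status values are the standard ones on Windows 10 and later.

```powershell
# Added example (not from the course): pre-handover checks for the caveats in this lesson.
# The policy XML near the bottom is constructed for illustration, not a real deployed policy.

# Rule option strings exactly as they appear in a WDAC policy XML
# (the same options Set-RuleOption -Option 3 and -Option 6 toggle).
$AuditOption    = 'Enabled:Audit Mode'
$UnsignedOption = 'Enabled:Unsigned System Integrity Policy'

function Test-WdacPolicyXml {
    # Inspects a policy XML before you convert it to binary and deploy it.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$policy = Get-Content -Path $Path -Raw
    $options = @($policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
    $result = [pscustomobject]@{
        Path           = $Path
        AuditMode      = ($options -contains $AuditOption)
        AllowsUnsigned = ($options -contains $UnsignedOption)
        Warnings       = @()
    }
    if ($result.AuditMode) {
        $result.Warnings += 'Audit Only mode: untrusted software is logged, not blocked. Do not hand over a device with only this policy.'
    }
    if ($result.AllowsUnsigned) {
        $result.Warnings += 'Unsigned policy: a local admin can delete or replace it. Sign it and deploy it through Group Policy.'
    }
    return $result
}

function Get-WdacRuntimeState {
    # Reads what Code Integrity is enforcing right now (Windows only).
    # Win32_DeviceGuard enforcement status values: 0 = Off, 1 = Audit, 2 = Enforced.
    $label = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Binary policies live here: SIPolicy.p7b (single-policy format) or CiPolicies\Active\*.cip.
    $ciDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
    $onDisk = @(Get-ChildItem -Path $ciDir -Recurse -Include 'SIPolicy.p7b', '*.cip' -ErrorAction SilentlyContinue).Count
    $state = [pscustomobject]@{
        KernelMode        = $label[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserMode          = $label[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        PolicyFilesOnDisk = $onDisk
        Warnings          = @()
    }
    if ($onDisk -gt 0 -and $state.KernelMode -eq 'Off' -and $state.UserMode -eq 'Off') {
        $state.Warnings += 'A policy is on disk but nothing is enforced yet: restart the device before installing any software on it.'
    }
    elseif ($state.UserMode -eq 'Audit') {
        $state.Warnings += 'User-mode code integrity is in Audit Only mode: untrusted software can still run.'
    }
    return $state
}

# Demo: a constructed policy with both risky options set.
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:UMCI</Option></Rule>
  </Rules>
</SiPolicy>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'wdac-caveat-demo.xml'
Set-Content -Path $tmp -Value $sampleXml -Encoding UTF8
Test-WdacPolicyXml -Path $tmp | Format-List

# The runtime check only makes sense on a Windows device.
if ($IsWindows -or $env:OS -eq 'Windows_NT') { Get-WdacRuntimeState | Format-List }
```

Run the XML check against the policy you intend to deploy, and the runtime check on the device after the restart and before it goes to the user. Both warnings from the demo policy should appear; on a device that reports Enforced for user mode and no warnings, the first two caveats are covered, and the signed-policy check covers the third.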


So, with these caveats out of the way, let’s dive into the next section, where I’ll show you how to create and deploy defender application control policies.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.