Welcome back. In this lesson, we’ll take a look at how Defender Application Control affects security and privacy on devices.

Let’s start by talking about devices that have not been restarted to enforce a policy. What’s important to know here is that if you have a device that has had a policy deployed to it, be it in Audit Only mode or Enforcement Enabled mode, if the device hasn’t been restarted to enforce the policy, it may be vulnerable to successful installation of untrusted software. In such a scenario, the software may continue to run even after a restart of the device, or even after it receives a policy in Enforcement Enabled mode. This is why it’s important to get a policy applied and enforced on a device BEFORE you start installing software on that device.

As a matter of fact, Microsoft recommends that you should prepare devices in a lab environment ahead of time, to test your policies and to ensure that the Defender Application Control policy you are working with is effective. Once you’ve tested things in your lab, you can then deploy the Enforcement Enabled policy, and restart the device before you give the device to an end user.

It’s also important to note that you should not deploy a policy in Enforcement Enabled mode to a device and then deploy a policy in Audit Only mode to that same device. If you do this, you may wind up with a device that allows untrusted software to run.

And lastly, another caveat to be aware of – and just to reiterate – I’m mentioning these caveats because this is the type of real-world knowledge that exams look for. Another caveat is that using Configuration Manager to enable Defender Application Control on your client machines DOES NOT prevent local admins on those machines from circumventing the Application Control policies. This means those local admins can execute untrusted software. This, in turn, means that if your end users have local administrator rights on their machines, this could be a problem.

To address this local admin caveat, and to prevent local admins from disabling Application Control, you can deploy a signed binary policy Group Policy.

So, with these caveats out of the way, let’s dive into the next section, where I’ll show you how to create and deploy defender application control policies.