diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index ecceb40ef9..4bf7c5ff89 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -11,14 +11,15 @@ ## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md) ### [Types of devices](types-of-devices.md) -### [Use WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md) ###Use WDAC with custom policies #### [Create an initial default policy](create-initial-default-policy.md) #### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md) ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) -### [Deploy WDAC policies](deploy-windows-defender-application-control-policies-using-group-policy.md) +### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md) +### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) +### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md new file mode 100644 index 0000000000..8031bc1bbf --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -0,0 +1,33 @@ +--- +title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Intune (Windows 10) +description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: justinha +ms.date: 05/17/2018 +--- + +# Deploy Windows Defender Application Control policies by using Microsoft Intune + +**Applies to:** + +- Windows 10 +- Windows Server 2016 + +You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. + +1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Creae profile**. + +3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**. + + ![Configure profile](images\wdac-intune-create-profile-name.png) + +4. Click **Configure** > **Windows Defender Application Control**. for the following settings and then click **OK**: + + - **Application control code intergity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run. + - **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps. + + ![Configure WDAC](images\wdac-intune-wdac-settings.png) diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png new file mode 100644 index 0000000000..1b5483103b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png new file mode 100644 index 0000000000..55f5173b03 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png differ