diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 401f9b50d4..e5c645d13f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -19,40 +19,13 @@ ms.date: 02/28/2018 You can apply Windows Defender Application Control (WDAC) to Windows 10 client computers using Microsoft Intune. -1. Open the Microsoft Intune portal and click **Create a compliance policy**. +1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Creae profile**. - ![Create a compliance policy in Intune](images\wdac-intune-create-acompliance-policy.png) +3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**. -2. Click **Create Policy**. + ![Select platform](images\wdac-intune-create-profile-name.png) - ![Create a new policy](images\wdac-intune-create-new-policy.png) +4. Click **Configure** > **Windows Defender Application Control**. for the following settings and then click **OK**: -3. Type a name for the new policy and for **Platform**, select **Windows 10 and later**. - - ![Select platform](images\wdac-intune-create-policy-name.png) - -4. Click **Device Health**, select **Require** for the following settings and then click **OK**: - - - **Require BitLocker** - - **Require Secure Boot to be enabled on the device** - - **Require code integrity** - - ![Device Health settings](images\wdac-intune-device-health-settings.png) - -5. Click **Device Properties**, configure any operating system version requirements and then click **OK**. - - ![Device properties](images\wdac-intune-device-properties.png) - -6. Click **System Security**, select any security options to include in the policy and then click **OK**. - - ![System security settings](images\wdac-intune-system-security-settings.png) - -7. When you finish configuring settings, click **OK** and then click **Create**. - -8. Click **Assignments**. - - ![Assignments](images\wdac-intune-assignments.png) - -9. Select any mutually exclusive groups to include or exclude from the policy, or assign it to **All users**, and then click **Save**. 
- - ![Assign the policy to groups](images\wdac-intune-assignments-groups.png) \ No newline at end of file + - **Application control code intergity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Microsoft Store apps to run. + - **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png new file mode 100644 index 0000000000..1b5483103b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png new file mode 100644 index 0000000000..55f5173b03 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png differ
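Review bot: The added steps in the `@@ -19,40 +19,13 @@` hunk contain several text defects, and the new procedure stops before the profile is created or assigned. In step 1, "**Creae profile**" should be "**Create profile**". The list numbers run 1, 3, 4 with no step 2. Step 4 reads "Click **Configure** > **Windows Defender Application Control**. for the following settings and then click **OK**:", which looks like a leftover from the old "select **Require** for the following settings" wording; it needs a verb after the period, for example "Choose from the following settings and then click **OK**:". In the first bullet, "code intergity" should be "code integrity". The removed steps 7 to 9 covered clicking **Create** and assigning the policy to groups under **Assignments**, and no added line replaces them, so the new text ends at the settings blade; suggest adding closing steps for creating and assigning the profile. The patch also adds `images/wdac-intune-wdac-settings.png`, but none of the added lines reference it; it presumably belongs under step 4, matching how `wdac-intune-create-profile-name.png` is placed under step 3.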