windows-itpro-docs/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
2022-12-08 17:09:09 -05:00


---
title: Managing and troubleshooting Windows Defender Application Control policies (Windows)
description: Gather information about how your deployed Windows Defender Application Control policies are behaving.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: jsuther1974
ms.reviewer: isbrahm
ms.author: vinpa
manager: aaroncz
ms.date: 03/16/2020
ms.technology: itpro-security
ms.topic: article
---

Windows Defender Application Control operational guide

Applies to

  • Windows 10
  • Windows 11
  • Windows Server 2016 and above

Note

Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the Windows Defender Application Control feature availability.

Once you understand how to design and deploy your Windows Defender Application Control (WDAC) policies, this guide covers how to understand the effects your policies are having and how to troubleshoot them when they aren't behaving as expected. It contains information on where to find events and what they mean, and also on how to query these events with the Microsoft Defender for Endpoint Advanced Hunting feature.

WDAC Events Overview

Windows Defender Application Control generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC doesn't generate events when a binary is allowed; however, there's the option to enable events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.

WDAC events are generated under two locations:

  • Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational

  • Applications and Services Logs > Microsoft > Windows > AppLocker > MSI and Script
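To see what these two logs contain on a single machine, here is an added PowerShell example (not from this page or from Microsoft's docs) that pulls recent block and audit events from both log locations, classifies them by enforcement mode, and summarizes them. The event IDs used (3076/3077 in CodeIntegrity Operational, 8028/8029 in AppLocker MSI and Script) and the EventData field names are assumptions taken from Microsoft's published WDAC event ID reference, not from this page; verify them against the "Understanding Application Control event IDs" topic before relying on the output.

```powershell
# Added example, not part of the original page: summarize recent WDAC
# block/audit events from the two log locations listed above.
# Assumed event IDs (from Microsoft's WDAC event ID reference, not this page):
#   3076 = audit-mode block, 3077 = enforced block   (CodeIntegrity Operational)
#   8028 = audit-mode block, 8029 = enforced block   (AppLocker MSI and Script)
param(
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)

# One filter hashtable per log; Get-WinEvent -FilterHashtable accepts
# LogName, Id and StartTime keys and runs the filter server-side.
$queries = @(
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8028, 8029; StartTime = $since }
)

$events = foreach ($q in $queries) {
    # Get-WinEvent raises a terminating error when a filter matches nothing,
    # which is normal on a machine with no blocks; treat that as an empty result.
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
}

# Flatten each event's EventData into a name/value map so the interesting
# fields can be selected. Field names ('File Name', 'Process Name', 'PolicyGUID',
# 'FilePath') are assumptions; a missing field simply yields $null.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Log      = $e.LogName
        Id       = $e.Id
        # 3077/8029 fire only when the policy is enforced; 3076/8028 in audit mode
        Mode     = if ($e.Id -in (3077, 8029)) { 'Enforced' } else { 'Audit' }
        File     = $data['File Name']      # CodeIntegrity (binary) events
        FilePath = $data['FilePath']       # AppLocker script/MSI events
        Process  = $data['Process Name']   # process that attempted the load
        PolicyId = $data['PolicyGUID']     # which policy produced the block
    }
}

# Summary: how many events per log and mode in the window
$rows | Group-Object Log, Mode |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Detail: the most recent events, newest first
$rows | Sort-Object Time -Descending |
    Select-Object -First 20 Time, Id, Mode, File, FilePath, Process, PolicyId |
    Format-Table -AutoSize
```

Run it as `.\Get-WdacBlocks.ps1 -Days 30` (the script name is an assumption) on a machine where a policy is deployed. A steady stream of audit-mode events with no enforced events means the policy is still in audit mode; enforced events against files you expected to be allowed are the starting point for the troubleshooting topics listed below.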

In this section

Topic                                           | Description
------------------------------------------------|------------------------------------------------------------------------------------------------------------------
Understanding Application Control event IDs     | This topic explains the meaning of different WDAC event IDs.
Understanding Application Control event tags    | This topic explains the meaning of different WDAC event tags.
Query WDAC events with Advanced hunting         | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender for Endpoint.