11 KiB
title, description, ms.assetid, ms.reviewer, ms.author, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.localizationpriority, author, manager, audience, ms.collection, ms.topic, ms.date
| title | description | ms.assetid | ms.reviewer | ms.author | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.localizationpriority | author | manager | audience | ms.collection | ms.topic | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Create your Windows Defender Application Control (WDAC) planning document (Windows 10) | This planning topic for the IT professional summarizes the information you need to research and include in your WDAC planning document. | 41e49644-baf4-4514-b089-88adae2d624e | dansimp | w10 | deploy | library | security | medium | dansimp | dansimp | ITPro | M365-security-compliance | conceptual | 09/21/2017 |
Create your Windows Defender Application Control (WDAC) planning document
Applies to
- Windows 10
- Windows Server
This planning topic for the IT professional summarizes the information you need to research and include in your WDAC planning document.
The WDAC deployment design
The design process and the planning document help you investigate application usage in your organization and record your findings so you can effectively deploy and maintain application control policies by using WDAC.
You should have completed these steps in the design and planning process:
WDAC planning document contents
Your planning document should contain:
- A list of business groups that will participate in the application control policy project, their requirements, a description of their business processes, and contact information.
- Application control policy project target dates, both for planning and deployment.
- A complete list of apps used by each business group (or organizational unit), including version information and installation paths.
- What condition to apply to rules governing each application (or whether to use the default set provided by WDAC).
- A strategy for using Group Policy to deploy the WDAC policies.
- A strategy in processing the application usage events generated by WDAC.
- A strategy to maintain and manage WDAC polices after deployment.
Sample template for an WDAC planning document
You can use the following form to construct your own WDAC planning document.
Business group:
Operating system environment: (Windows and non-Windows)
Contacts |
Business contact: |
Technical contact: |
Other departments |
In this business group: |
Affected by this project: |
Security policies |
Internal: |
Regulatory/compliance: |
Business goals |
Primary: |
Secondary: |
Project target dates |
Design signoff date: |
Policy deployment date: |
| Business group | Organizational unit | Implement WDAC? | Apps | Installation path | Use default rule or define new rule condition | Allow or deny | GPO name | Support policy |
|---|---|---|---|---|---|---|---|---|
|
| Business group | WDAC event collection location | Archival policy | Analyzed? | Security policy |
|---|---|---|---|---|
|
| Business group | Rule update policy | App decommission policy | App version policy | App deployment policy |
|---|---|---|---|---|
|
Planned: Emergency: |
Rules
| Business group | Organizational unit | Implement WDAC? | Applications | Installation path | Use default rule or define new rule condition | Allow or deny | GPO name | Support policy |
|---|---|---|---|---|---|---|---|---|
Bank Tellers |
Teller-East and Teller-West |
Yes |
Teller Software |
C:\Program Files\Woodgrove\Teller.exe |
File is signed; create a publisher condition |
Allow |
Tellers-WDACTellerRules |
Web help |
Windows files |
C:\Windows |
Create a path exception to the default rule to exclude \Windows\Temp |
Allow |
Help desk |
||||
Human Resources |
HR-All |
Yes |
Check Payout |
C:\Program Files\Woodgrove\HR\Checkcut.exe |
File is signed; create a publisher condition |
Allow |
HR-WDACHRRules |
Web help |
Time Sheet Organizer |
C:\Program Files\Woodgrove\HR\Timesheet.exe |
File is not signed; create a file hash condition |
Allow |
Web help |
||||
Internet Explorer 7 |
C:\Program Files\Internet Explorer\ |
File is signed; create a publisher condition |
Deny |
Web help |
||||
Windows files |
C:\Windows |
Use the default rule for the Windows path |
Allow |
Help desk |
| Business group | WDAC event collection location | Archival policy | Analyzed? | Security policy |
|---|---|---|---|---|
Bank Tellers |
Forwarded to: WDAC Event Repository on srvBT093 |
Standard |
None |
Standard |
Human Resources |
DO NOT FORWARD. srvHR004 |
60 months |
Yes, summary reports monthly to managers |
Standard |
| Business group | Rule update policy | App decommission policy | App version policy | App deployment policy |
|---|---|---|---|---|
Bank Tellers |
Planned: Monthly through business office triage Emergency: Request through help desk |
Through business office triage 30-day notice required |
General policy: Keep past versions for 12 months List policies for each application |
Coordinated through business office 30-day notice required |
Human Resources |
Planned: Monthly through HR triage Emergency: Request through help desk |
Through HR triage 30-day notice required |
General policy: Keep past versions for 60 months List policies for each application |
Coordinated through HR 30-day notice required |