mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-11 20:17:23 +00:00
43 lines
13 KiB
Markdown
43 lines
13 KiB
Markdown
---
|
||
title: Feature Availability
|
||
description: Compare WDAC and AppLocker feature availability.
|
||
keywords: security, malware
|
||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||
ms.prod: w10
|
||
ms.mktglfcycl: deploy
|
||
ms.sitesec: library
|
||
ms.pagetype: security
|
||
ms.localizationpriority: medium
|
||
audience: ITPro
|
||
ms.collection: M365-security-compliance
|
||
author: denisebmsft
|
||
ms.reviewer: isbrahm
|
||
ms.author: deniseb
|
||
manager: dansimp
|
||
ms.date: 04/15/2020
|
||
ms.custom: asr
|
||
---
|
||
|
||
# WDAC and AppLocker feature availability
|
||
|
||
**Applies to:**
|
||
|
||
- Windows 10
|
||
- Windows Server 2016 and above
|
||
|
||
| Capability | WDAC | AppLocker |
|
||
|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||
| Platform support | Available on Windows 10 | Available on Windows 8+ |
|
||
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs. |
|
||
| Management solutions | <ul><li>[Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Manager Configuration Manager (MEMCM)](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy) </li><li>PowerShell</li></ul> | <ul><li>[Intune](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>MEMCM (custom policy deployment via Software Distribution only)</li><li>[Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement)</li><li>PowerShell</li><ul> |
|
||
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
|
||
| Kernel mode policies | Available on all Windows 10 versions | Not available |
|
||
| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available |
|
||
| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available |
|
||
| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available |
|
||
| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available |
|
||
| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
|
||
| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available |
|
||
| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ |
|
||
| Enforceable file types | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|
|