IT-Master has deployed new Windows 10 workstations on an entire office floor to modernize the work environment and improve network security. The previous Windows 7 workstations were at high risk from network vulnerabilities because of rogue applications that employees installed. IT management wants to prevent the same risks by taking more control over which applications can be installed on the new workstations, while also using better endpoint protection solutions.
As the Windows desktop administrator, you must use the Windows Defender Application Control (WDAC) feature to set up a baseline policy that defines an allow list of applications for all office workstations. Start with the most basic protection before moving to more fine-grained options. You must apply the policy to all users and departments and verify that the policy works (in audit mode, so that violations are logged but not blocked) before enforcing it.
Base Policy Requirements:
- Allow Windows OS components
- Allow applications from the Microsoft Store
- Allow Office 365 apps
- Allow Microsoft Endpoint Configuration Manager to install apps
- Use the folder C:\special_auth on the local C drive for trusted executables
- Require a Windows Hardware Quality Labs (WHQL) signature for drivers
- Disable pre-boot (advanced boot options) menus
- Restart clients when applying policy
- Do NOT use PowerShell scripts
Policy v2 Additions:
- Must use Microsoft's cloud reputation service, the Intelligent Security Graph (ISG), to authorize applications that Microsoft classifies as trusted
- Must specify a trusted publisher for third-party applications
File Rule Types:
- File Attribute – based on authenticated file attributes (original file name, description, product name, internal name, version) taken from the binary; these are only as reliable as the file's signature
- File Hash – rules based on the hash of the file; exact but brittle, because every update to the file changes the hash
- Path – does not provide the same security that explicit signer rules do, because the rule relies on mutable access permissions: anyone who can write to the path can run code from it
- Publisher – uses properties of the code-signing certificate chain as the basis of the file rule; survives application updates as long as the publisher keeps signing with the same chain
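The following script is an added reference example and is not part of the lab or of Microsoft's documentation. The lab asks you not to use PowerShell scripts (the WDAC Wizard or a management tool is the expected path); this script only shows what those tools produce, mapping each base policy requirement and the Policy v2 additions to WDAC's documented policy rule options and file rules, and demonstrating two of the rule types listed above (a Path rule for C:\special_auth and a Publisher rule for a third-party app). It assumes the DefaultWindows_Audit.xml template that ships with Windows 10 covers the Windows, Microsoft Store and Office 365 allowances (verify the <Signers> section of the XML rather than taking that on faith); the working folder C:\WDAC, the policy names, and the Contoso application path are placeholders. Run it elevated on a test workstation.

```powershell
# Added reference example, not part of the lab. Paths marked ASSUMED are placeholders.
$Work       = 'C:\WDAC'                                                   # ASSUMED working folder
$Template   = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
$BasePolicy = "$Work\OfficeFloor_Base.xml"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Trusted-executable folder as a Path rule. This is the weakest rule type on the page:
#    anyone who can write to C:\special_auth can run code, so restrict the folder's ACL to admins.
$PathPolicy = "$Work\special_auth.xml"
$PathRule   = New-CIPolicyRule -FilePathRule 'C:\special_auth\*'
New-CIPolicy -Rules $PathRule -FilePath $PathPolicy -UserPEs -MultiplePolicyFormat

# 2. Merge Microsoft's DefaultWindows template (assumed to carry the Windows OS, Store and
#    Office 365 signer rules) with the path rule, then give the result a fresh PolicyID and name.
Merge-CIPolicy -PolicyPaths $Template, $PathPolicy -OutputFilePath $BasePolicy | Out-Null
Set-CIPolicyIdInfo -FilePath $BasePolicy -ResetPolicyID -PolicyName 'OfficeFloor Base v1' | Out-Null
Set-CIPolicyVersion -FilePath $BasePolicy -Version '1.0.0.0'

# 3. Policy rule options (numbers are WDAC's documented option IDs).
Set-RuleOption -FilePath $BasePolicy -Option 0          # Enabled:UMCI (enforce user-mode code too)
Set-RuleOption -FilePath $BasePolicy -Option 3          # Enabled:Audit Mode (verify first, enforce later)
Set-RuleOption -FilePath $BasePolicy -Option 2          # Required:WHQL (WHQL-signed drivers only)
Set-RuleOption -FilePath $BasePolicy -Option 12         # Required:Enforce Store Applications
Set-RuleOption -FilePath $BasePolicy -Option 13         # Enabled:Managed Installer (MECM). The client also
                                                        #   needs the AppLocker managed-installer policy.
Set-RuleOption -FilePath $BasePolicy -Option 9  -Delete # no Enabled:Advanced Boot Options Menu (pre-boot menu off)
Set-RuleOption -FilePath $BasePolicy -Option 16 -Delete # no Update Policy No Reboot: clients restart to apply
# Option 11 (Disabled:Script Enforcement) is deliberately left unset, so unauthorised PowerShell
# scripts run in Constrained Language Mode instead of with full language access.

# 4. Compile and stage. On Windows 10 the staged policy is loaded at the next boot.
$BinPolicy = "$Work\OfficeFloor_Base.cip"
ConvertFrom-CIPolicy -XmlFilePath $BasePolicy -BinaryFilePath $BinPolicy
$PolicyId  = ([xml](Get-Content $BasePolicy)).SiPolicy.PolicyID
Copy-Item $BinPolicy "$env:windir\System32\CodeIntegrity\CiPolicies\Active\$PolicyId.cip" -Force
# Restart-Computer -Force     # required on each client; uncomment when deploying

# 5. Verification under audit mode: event 3076 records every file that WOULD have been blocked.
#    Review this list with the departments before removing Audit Mode.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 6. Policy v2: ISG authorization plus an explicit Publisher rule for a third-party app, then
#    drop Audit Mode to enforce. The Contoso path is ASSUMED; point it at the real signed binary.
$V2 = "$Work\OfficeFloor_Base_v2.xml"
Copy-Item $BasePolicy $V2 -Force
Set-CIPolicyVersion -FilePath $V2 -Version '2.0.0.0'
Set-RuleOption -FilePath $V2 -Option 14                  # Enabled:Intelligent Security Graph Authorization
$PubPolicy = "$Work\contoso_publisher.xml"
$PubRule   = New-CIPolicyRule -Level Publisher -DriverFilePath 'C:\Program Files\Contoso\ContosoApp.exe'
New-CIPolicy -Rules $PubRule -FilePath $PubPolicy -UserPEs -MultiplePolicyFormat
$V2Merged  = "$Work\OfficeFloor_Base_v2_merged.xml"
Merge-CIPolicy -PolicyPaths $V2, $PubPolicy -OutputFilePath $V2Merged | Out-Null
Set-RuleOption -FilePath $V2Merged -Option 3 -Delete     # enforce only after the 3076 log is clean
ConvertFrom-CIPolicy -XmlFilePath $V2Merged -BinaryFilePath "$Work\OfficeFloor_Base_v2.cip"
```

The order matters: options are set after the merge because the merged file is what ships, and Audit Mode (option 3) is removed only in v2, after the 3076 events have been reviewed. Once enforced, the same log reports actual blocks as event 3077, which is what your help desk will see when a user launches something outside the allow list.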