How to enable ISG in App Control for Business Policy

App Control for Business is a tool that can be used to increase the security of your Servers and Endpoints. However, sometimes it might be hard to apply it to your endpoints. The most common reason is when the IT Department doesn't have the resources to design, test, apply the solution, and resolve all the issues at the beginning.

For every solution that you will apply to the users, the scope is to make easier your daily task. In the end, we don't want to have more helpdesk tickets when you apply the App Control for Business policies.

So after I published the previous article How to use the Windows Defender Application Control I start looking for a solution to avoid most of the headaches after deploying the App control for Business policies in your endpoints.

I found that the App Control for Business can be integrated with Microsoft Intelligent Security Graph

 

What is Microsoft Intelligent Security Graph

It's not the scope of this article to explain in deep what is the Microsoft Intelligent Security Graph. However, we must have at least a basic knowledge of what is the Microsoft Intelligent Security Graph to understand the solution that will be given with App Control for Business.

With simple words Microsoft Intelligent Security Graph collects data from all the Microsoft products and with machine learning(AI) provides actionable alerts. Then the data that has been collected in the Microsoft Intelligent Security Graph used by other products like Windows Hello, and Device Guard.

 

Limitations when using App Control for Business with Microsoft Intelligent Security Graph

There are some cases in which the Microsoft Intelligent Security Graph can block applications that the company should be using it. A common example can be when a company has an in-house application that the ISG doesn't know and can't predict the reputation. In this case, the application will be blocked. Then you must allow it from the App Control Policy.

Also Microsoft Intelligent Security Graph is not recommended to use it when the endpoints aren't connected to the Internet.

So let's see it in practice.

 

Create WDAC Policy including Intelligent Security Graph 

As best practice it's better to test the WDAC Policy before you will deploy it to your Production environment.

The most important with Intelligent Security Graph is to verify the applications that you are using in your company will not be blocked from the Intelligent Security Graph  in WDAC Policy.

When you have verify it you can proceed to apply the WDAC Policy and be sure that you will not create big problems.

  • Open the Windows Defender App Control Wizard and click Launch
  • We are working with Single Policy Format until now. The reason is that deploy the Policies through GPO which support only Single Policy Format.

 

  • Check the Signed and Reputable Mode. Change the Policy Name and File Location if you want. Click Next

 

  • Verify that the Intelligent Security Graph is enable. Click Next.

 

  • In the Policy Signing Rule List you don't need to change anything. Click Next.

 

  • The policy has been created. You can find the  .p7b file in your Documents if you didn't change the default location.

 

 

Edit a WDAC Policy to include the Intelligent Security Graph 

  • Open the Windows Defender App Control Wizard and click Launch
  • Click on Policy Editor.

 

  • Click Browse and find out the WDAC Policy. Click Next.

 

  • Enable the Intelligent Security Graph. Click Next.

 

  • If the Policy has Custom Rules, don't remove it. Click Next.

 

  • The policy has been created. You can find the  .p7b file in your Documents if you didn't change the default location.

 

  • Now replace the old .p7b file in your share location with the new one.

If you try it you will understand that it's not so difficult to create or edit a WDAC Policy and apply it in your users. The difficult part is to prepare yourself with all the requirements before apply the AppLocker to avoid problems in your environment.