Integrate Microsoft Defender Application Control
Microsoft Defender Application Control lets you determine precisely which apps, scripts, and drivers are allowed to run on a device: anything the policy does not explicitly trust is blocked, whether it is signed or not. You configure Microsoft Defender Application Control with policies that specify which code can run, covering both kernel-mode code, such as device drivers, and user-mode code, such as desktop apps and scripts.
A policy typically includes rules that
- Control options, such as whether audit mode is enabled
- Determine whether user mode code integrity (UMCI) is enabled
- Specify the level at which apps are identified and trusted, for example by publisher certificate, by file hash, or by file path
Historically, each Windows 10 device has a single Microsoft Defender Application Control policy defined for it; Windows 10 version 1903 and later can also enforce multiple policies side by side. Typically, you configure the policy by using GPOs in an AD DS environment or by using MDM for enrolled devices. Either way, the compiled policy is stored as a local binary file: a single legacy-format policy is C:\Windows\System32\CodeIntegrity\SIPolicy.p7b, and for unified extensible firmware interface (UEFI)-based computers a copy also resides in <EFI System Partition>\Microsoft\Boot\SIPolicy.p7b so that it is enforced from the start of boot. Multiple-policy format policies are stored as C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyGUID}.cip instead.
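The following PowerShell script is an added example, not code from the original page or from Microsoft; it uses the built-in ConfigCI module to build a policy from a reference machine, turn on the rule options described above (UMCI and audit mode), compile it to SIPolicy.p7b, and then check what the device actually enforces. The working folder C:\WDAC, the scan path, and the policy name are assumptions for illustration.

```powershell
# Added example (not from the original page): build, audit and verify a
# single-format WDAC policy with the ConfigCI module.
# Assumptions: run elevated on Windows 10 with the ConfigCI module present;
# C:\WDAC and the scan path are placeholders for your own reference machine.
$WorkDir   = 'C:\WDAC'
$PolicyXml = Join-Path $WorkDir 'MyPolicy.xml'
$PolicyBin = Join-Path $WorkDir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Scan a clean reference machine. -Level Publisher trusts files by their
#    signer; -Fallback Hash covers anything unsigned; -UserPEs includes
#    user-mode binaries so the policy governs apps and scripts, not only
#    drivers. A full-volume scan can take a long time.
New-CIPolicy -FilePath $PolicyXml -ScanPath 'C:\' -Level Publisher -Fallback Hash -UserPEs

# 2. Rule options map to the list above:
#    0  = Enabled:UMCI                  (user mode code integrity)
#    3  = Enabled:Audit Mode            (log violations instead of blocking)
#    10 = Enabled:Boot Audit on Failure (fall back to audit if a driver fails)
#    16 = Enabled:Update Policy No Reboot
foreach ($opt in 0, 3, 10, 16) { Set-RuleOption -FilePath $PolicyXml -Option $opt }
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName 'Reference audit policy' -PolicyId '1.0.0.0'

# 3. Compile the XML to the binary format the kernel reads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Local test deployment: GPO or MDM ultimately places the same file here.
#    The new policy is loaded at the next boot.
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force

# 5. Check what is actually enforced: 0 = off, 1 = audit, 2 = enforced.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
"Kernel-mode CI policy status: $($dg.CodeIntegrityPolicyEnforcementStatus)"
"User-mode CI policy status:   $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"

# 6. Review what audit mode would have blocked before switching to enforcement.
#    Event 3076 = would be blocked (audit), 3077 = blocked (enforced).
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
  Where-Object { $_.Id -in 3076, 3077 } |
  Select-Object TimeCreated, Id, Message |
  Format-Table -Wrap
```

Run the policy in audit mode for a representative period and clear the 3076 events by adding rules before you remove option 3; once enforced, the same events appear as 3077 and the affected apps fail to start.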
Sign apps
To deploy Microsoft Defender Application Control in a maintainable way, the trusted apps that you want to allow to run on your devices should be digitally signed, so that the policy can trust them by signer rather than by per-file hash (a hash rule stops matching as soon as the file is updated). You can get your apps signed in a number of ways:
- Publish your apps by using the Microsoft Store. All apps in the Microsoft Store are signed with certificates from a trusted certificate authority (CA).
- Use your own digital certificate or public key infrastructure (PKI). You can sign the apps by using a certificate issued by a CA in your own PKI.
- Use a non-Microsoft CA. You can use a trusted non-Microsoft CA to sign your own desktop Windows apps.
- Use the Microsoft Defender Application Control signing portal. In Microsoft Store for Business, you can use a Microsoft web service to sign your desktop Windows apps.
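The following PowerShell script is an added example for the "own PKI" option above, not code from the original page or from Microsoft. It signs an in-house desktop app with a code-signing certificate issued by an internal CA, checks the resulting signature, and adds a Publisher-level signer rule for it to an existing policy XML. The app path, the issuing CA name, the timestamp server URL, and the policy file paths are assumptions for illustration.

```powershell
# Added example (not from the original page): sign an in-house app with a
# certificate from your own PKI, verify it, and add a Publisher signer rule
# for it to an existing WDAC policy.
# Assumptions: the code-signing cert is already in CurrentUser\My; all paths,
# the CA name and the timestamp URL are placeholders for your environment.
$AppPath   = 'C:\Apps\Contoso\Inventory.exe'
$BaseXml   = 'C:\WDAC\MyPolicy.xml'          # existing policy to extend
$MergedXml = 'C:\WDAC\MyPolicy.merged.xml'
$MergedBin = 'C:\WDAC\SIPolicy.p7b'
$Timestamp = 'http://timestamp.example.com'  # replace with your TSA

# 1. Select a code-signing certificate (EKU 1.3.6.1.5.5.7.3.3) issued by the
#    internal CA; prefer the one that expires last.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Issuer -like 'CN=Contoso Issuing CA*' } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate from the internal CA was found.' }

# 2. Sign with SHA-256 and a timestamp so the signature stays verifiable
#    after the signing certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $AppPath -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer $Timestamp
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# 3. Re-read the signature from disk as a consumer would see it.
$check = Get-AuthenticodeSignature -FilePath $AppPath
"Signer : $($check.SignerCertificate.Subject)"
"Status : $($check.Status)"
"Timestamp: $($check.TimeStamperCertificate.Subject)"

# 4. Generate a Publisher-level rule from the signed binary and merge it into
#    the existing policy. Publisher rules keep matching across app updates as
#    long as the same CA and publisher certificate are used.
$rules = New-CIPolicyRule -Level Publisher -DriverFilePath $AppPath
Merge-CIPolicy -PolicyPaths $BaseXml -OutputFilePath $MergedXml -Rules $rules

# 5. Compile, then list the signer rules now present in the policy.
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $MergedBin
$ns = @{ ns = 'urn:schemas-microsoft-com:sipolicy' }
Select-Xml -Path $MergedXml -XPath '//ns:Signer' -Namespace $ns |
  ForEach-Object {
    $publisher = $_.Node.CertPublisher.Value
    "{0}: {1}" -f $_.Node.Name, ($publisher ?? '(no CertPublisher)')
  }
```

Deploy the compiled file the same way as the base policy (GPO, MDM, or a local copy for testing) and confirm with the audit events that the signed app no longer generates 3076 entries before moving to enforcement.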