Generate Windows Defender Application Control (WDAC) policies

Windows version	Windows 10 Windows 11
Auditing	Auditing mode Logs drivers and applications that would have been blocked in one of these event logs: `Microsoft-Windows-CodeIntegrity/Operational` `Microsoft-Windows-AppLocker/MSI and Script` Auditing mode on boot failure When the policy blocks a system driver and thus would prevent Windows from booting, use auditing mode. Otherwise, use enforcement mode. Enforcement mode Drivers and applications will be blocked unless allowed by the policy. (Policies created by this service always use the Enabled:Advanced Boot Options Menu setting. Therefore, when a system driver is blocked and Windows cannot boot, press `F8` to enter the Startup Settings screen and then `F7` to Disable driver signature enforcement.)
GUID	If you want to replace an existing CI policy, enter its GUID here. Otherwise, use the generated pseudo-random GUID.
Whitelisting of Windows folder	Use default publisher rules Built-in publisher rules will also apply to user-mode CI (in addition to kernel-mode CI). A path rule for `%WINDIR%` is not created as legitimate files in this folder are all digitally signed. Use path rule for `%WINDIR%` All files in the `%WINDIR%` folder and its subfolders will be allowed, but known user-writable folders such as `%WINDIR%\Temp` or `%WINDIR%\Debug\WIA` will be blocked. Built-in publisher rules will not apply to user-mode CI.
Script enforcement	Disabled PowerShell will run in Full Language Mode. Enabled PowerShell will run in Constrained Language Mode. See Script Enforcement for details.
Well-known block rules	Use Microsoft recommended block rules (version 10.1.0.2, last modified 2024-03-12, which was 44 days ago) Microsoft has compiled a list of applications that an attacker might use to bypass WDAC. Developers and power users should review the list beforehand as it includes commonly used programs such as `cscript.exe`, `dotnet.exe` and `InfDefaultInstall.exe`. Use Microsoft recommended driver block rules (version 10.0.26025.0, last modified 2024-01-25, which was 92 days ago) Microsoft has compiled a list of drivers with known security vulnerabilities, malicious behaviors or behaviors that can be exploited by attackers. Tick this checkbox to block these drivers.
Path and name rules	Allowed: %OSDRIVE%\Program Files (x86)\* %OSDRIVE%\Program Files\* %OSDRIVE%\Users\Admin* Blocked: You can allow or block apps and scripts by specifying their file name or file path: To create a name rule, simply type the literal name of the file, e.g. `OneDriveSetup.exe`. On the other hand, path rules contain fully qualified paths or parts thereof. You can use one wildcard (`*`), either at the beginning or at the end of the path, but not in the middle. You can also use the following macros: `%OSDRIVE%` `%WINDIR%` `%SYSTEM32%`
Allow files by publisher	Select files that are digitally signed with a certificate to create a Publisher Rule based on that certificate. For example, .NET developers may want to select `C:\Program Files\dotnet\dotnet.exe`, which is signed by a certificate with subject `CN=.NET, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`.
Allow executable files by hash	Executable files include the following: `.exe` `.dll` `.ocx` `.mui`
Allow script files by hash	Script files include the following: `.vbs` `.ps1` `.bat` `.cmd`
	⚠ Files selected here are uploaded and processed on the server. They are deleted immediately after processing. Their total size must be less than 32 MiB.

Windows version

Windows 10

Windows 11

Auditing

Auditing mode Logs drivers and applications that would have been blocked in one of these event logs:

Microsoft-Windows-CodeIntegrity/Operational
Microsoft-Windows-AppLocker/MSI and Script

Auditing mode on boot failure When the policy blocks a system driver and thus would prevent Windows from booting, use auditing mode. Otherwise, use enforcement mode.

Enforcement mode Drivers and applications will be blocked unless allowed by the policy. (Policies created by this service always use the Enabled:Advanced Boot Options Menu setting. Therefore, when a system driver is blocked and Windows cannot boot, press F8 to enter the Startup Settings screen and then F7 to Disable driver signature enforcement.)

GUID

If you want to replace an existing CI policy, enter its GUID here. Otherwise, use the generated pseudo-random GUID.

Whitelisting of Windows folder

Use default publisher rules Built-in publisher rules will also apply to user-mode CI (in addition to kernel-mode CI). A path rule for %WINDIR% is not created as legitimate files in this folder are all digitally signed.

Use path rule for %WINDIR% All files in the %WINDIR% folder and its subfolders will be allowed, but known user-writable folders such as %WINDIR%\Temp or %WINDIR%\Debug\WIA will be blocked. Built-in publisher rules will not apply to user-mode CI.

Script enforcement

Disabled PowerShell will run in Full Language Mode.

Enabled PowerShell will run in Constrained Language Mode. See Script Enforcement for details.

Well-known block rules

Use Microsoft recommended block rules (version 10.1.0.2, last modified 2024-03-12, which was 44 days ago) Microsoft has compiled a list of applications that an attacker might use to bypass WDAC. Developers and power users should review the list beforehand as it includes commonly used programs such as cscript.exe, dotnet.exe and InfDefaultInstall.exe.

Use Microsoft recommended driver block rules (version 10.0.26025.0, last modified 2024-01-25, which was 92 days ago) Microsoft has compiled a list of drivers with known security vulnerabilities, malicious behaviors or behaviors that can be exploited by attackers. Tick this checkbox to block these drivers.

Path and name rules

Allowed: Blocked:

You can allow or block apps and scripts by specifying their file name or file path:

To create a name rule, simply type the literal name of the file, e.g. OneDriveSetup.exe.
On the other hand, path rules contain fully qualified paths or parts thereof. You can use one wildcard (*), either at the beginning or at the end of the path, but not in the middle. You can also use the following macros:
- %OSDRIVE%
- %WINDIR%
- %SYSTEM32%

Allow files by publisher

Select files that are digitally signed with a certificate to create a Publisher Rule based on that certificate. For example, .NET developers may want to select C:\Program Files\dotnet\dotnet.exe, which is signed by a certificate with subject CN=.NET, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.

Allow executable files by hash

Executable files include the following: .exe .dll .ocx .mui

Allow script files by hash

Script files include the following: .vbs .ps1 .bat .cmd

⚠ Files selected here are uploaded and processed on the server. They are deleted immediately after processing. Their total size must be less than 32 MiB.