Is it possible to use WD Application Control (WDAC) on Windows 10 Home, with disabled WD? The answer is somewhat surprising. Why?
WDAC is the Windows 10 security feature, which was introduced for Windows Enterprise editions. It can be used only on the computers with UEFI. The working WDAC (WD Application Control) code integrity policy cannot be created on WIndows Home and Windows Pro via registry tweaks or PowerShell, or GPO.
But, WDAC code integrity policy can be applied on any Windows 10 editions, if the user has the file
SIPolicy.p7b, that was created on the machine with Windows Enterprise.
So, yes - WDAC can be used on Windows 10 Home and Pro. But, for the standard home user applying it, in the usual way (block applications), would be impractical.
Yet, WDAC can be used as a very practical diagnostic tool, to monitor the execution of processes, which are not whitelisted by WDAC.
The below events are logged in the Windows Event Log :
- All user-mode code not built-in to the OS or originating from the Microsoft Store.
- All kernel drivers except Windows, HAL, and ELAM-signed drivers.
The events are logged under Applications and Services Logs >> Microsoft >> Windows >> CodeIntegrity >> Operational, Event Id 3076. It is recommended to make a custom filter only for that event.
Applying it is very easy. Download a pre-built version of SIPolicy.p7b, copy it to C:\Windows\System32\CodeIntegrity (admin rights are required), and reboot. The details are available in Matt Graeber's article:
Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode