Question Microsoft app control wizard malfuntion on IoT LTSC

[Parkinsond]

Microsoft app control wizard on Windows 11 Enterprise (23H2) works perfectly, while it fails to create a policy on Windows 11 IoT Enterprise LTSC (24H2) if selecting to add MS recommended rules option.

Is it the missing WMIC in the IoT version?

 

[Bot]

Microsoft app control wizard on Windows 11 Enterprise (23H2) works perfectly, while it fails to create a policy on Windows 11 IoT Enterprise LTSC (24H2) if selecting to add MS recommended rules option.

Is it the missing WMIC in the IoT version?

Hey Parkinsond,

That's an interesting catch—I've seen similar quirks pop up with specialized Windows editions like IoT Enterprise LTSC. Let me break this down factually based on what I know about WDAC (Windows Defender Application Control) and the App Control Wizard.

Quick Context on the App Control Wizard:
It's a PowerShell-based tool (part of the WDAC module) that helps generate application control policies. When you select the option to add Microsoft-recommended rules, it scans for things like allowed publishers, file paths, and hashes, often pulling in data from system queries.

WMIC and Its Status:
You're spot on to suspect WMIC (Windows Management Instrumentation Command-line). Microsoft deprecated it back in Windows 10 (around 21H1), and it's been phased out in Windows 11—especially in newer builds like 24H2. In standard Windows 11 Enterprise (23H2), WMIC might still be available if it was carried over or installed manually, but in IoT Enterprise LTSC (which is optimized for embedded/ IoT scenarios), non-essential components like WMIC are often stripped out to reduce footprint and attack surface. IoT editions prioritize stability for fixed-function devices, so tools like WMIC aren't always included by default.

To confirm if this is the culprit:
- On your IoT system, open a Command Prompt and try running wmic. If it's missing, you'll get an error like "'wmic' is not recognized as an internal or external command."
- Compare that to your Enterprise (23H2) machine, where it might still work.

If WMIC is indeed absent on IoT, that could absolutely cause the wizard to fail when trying to add those recommended rules, as some policy generation steps might rely on WMIC for querying system info (e.g., installed software or hardware details). Microsoft has been pushing PowerShell alternatives (like Get-WmiObject or CIM cmdlets), but not all tools have fully transitioned yet.

Potential Workarounds:

• Manual Policy Creation: Skip the wizard and build the policy manually using PowerShell cmdlets like New-CIPolicy. You can reference Microsoft's WDAC docs for adding recommended rules without the wizard—it's more hands-on but avoids dependencies.
• Install WMIC if Possible: On IoT LTSC, check if you can add it via Optional Features (Settings > Apps > Optional features) or DISM. Something like: DISM /Online /Add-Capability /CapabilityName:WMIC~~~~ (run as admin). But fair warning: This might not be supported or available in IoT editions.
• Use PowerShell Equivalents: If the wizard is choking on WMIC calls, try scripting around it with Get-CimInstance instead. Microsoft's WDAC GitHub repo has examples.
• Update or Feedback: Ensure your IoT install is fully updated (24H2 should be current), and if it's a bug, report it via the Feedback Hub or Microsoft Docs issues. IoT editions sometimes lag on tool updates.

If WMIC isn't the issue (e.g., if it's present but the wizard still fails), it could be something else like missing .NET components, PowerShell module versions, or even IoT-specific restrictions on system scanning. Feel free to share more details—like the exact error message from the wizard—and I'll help dig deeper. Have you tried running the wizard in verbose mode to see what it's tripping on?

Stay secure!
@Bot

 

[Brahman]

The Windows Management Instrumentation Command-line (WMIC) tool is progressing toward the next phase for removal from Windows. WMIC will be removed when upgrading to Windows 11, version 25H2. All later releases for Windows 11 will not include WMIC added by default. it's no longer pre-installed and is only available as an optional Feature on Demand (FoD). (Windows Management Instrumentation Command-line (WMIC) removal from Windows - Microsoft Support)
If installing WMIC doesn't resolve the issue or you prefer not to install deprecated components, create your base policy without the Microsoft recommended rules option, then manually merge the recommended block rules policy afterward.

1. Create your base policy in the App Control Wizard without selecting Microsoft recommended rules
2. Download the Microsoft recommended block rules XML policy separately from Microsoft's documentation.
3. Use PowerShell to merge the policies,

$DenyPolicy = "path_to_microsoft_recommended_block_rules.xml"
$YourPolicy = "path_to_your_base_policy.xml"
Merge-CIPolicy -PolicyPaths $DenyPolicy, $YourPolicy -OutputFilePath $YourPolicy

 

[Parkinsond]

The Windows Management Instrumentation Command-line (WMIC) tool is progressing toward the next phase for removal from Windows. WMIC will be removed when upgrading to Windows 11, version 25H2. All later releases for Windows 11 will not include WMIC added by default. it's no longer pre-installed and is only available as an optional Feature on Demand (FoD). (Windows Management Instrumentation Command-line (WMIC) removal from Windows - Microsoft Support)
If installing WMIC doesn't resolve the issue or you prefer not to install deprecated components, create your base policy without the Microsoft recommended rules option, then manually merge the recommended block rules policy afterward.

1. Create your base policy in the App Control Wizard without selecting Microsoft recommended rules
2. Download the Microsoft recommended block rules XML policy separately from Microsoft's documentation.
3. Use PowerShell to merge the policies,

$DenyPolicy = "path_to_microsoft_recommended_block_rules.xml"
$YourPolicy = "path_to_your_base_policy.xml"
Merge-CIPolicy -PolicyPaths $DenyPolicy, $YourPolicy -OutputFilePath $YourPolicy

I checked the W 11 23h2 version; it lacks WMIC also (I removed before, but forgot about); so it is not the culprit.

 

[Brahman]

I checked the W 11 23h2 version; it lacks WMIC also (I removed before, but forgot about); so it is not the culprit.

Windows 11 24H2 introduced changes to the System.Management.Automation.dll that broke several features, including AppLocker Script Enforcement and Constrained Language Mode. The App Control Wizard relies heavily on PowerShell and the ConfigCI module, so these changes could affect the wizard's ability to process Microsoft recommended rules(Windows 11 24H2: AppLocker Script Enforcement not working) and apart from that the App Control Wizard uses ConfigCI PowerShell cmdlets in the backend to generate policies. Windows 11 24H2 has had reported issues with PowerShell operations and module loading. The IoT LTSC version may be missing specific dependencies or registry configurations that the wizard expects when downloading and parsing the Microsoft recommended block rules XML files. So Open a PowerShell as Administrator and verify and if ConfigCI cmdlets are missing or fail to import, this may be your problem.

Get-Module -ListAvailable ConfigCI
Import-Module ConfigCI
Get-Command -Module ConfigCI

Edit: The App Control Wizard is bundled as an MSIX package written in C#. Ensure all required .NET runtimes are installed on your IoT LTSC.

 

[Parkinsond]

AppLocker Script Enforcement and Constrained Language Mode

I tried both; they work okay on 24h2.

The IoT LTSC version may be missing specific dependencies or registry configurations that the wizard expects

This is the most probable cause, but I cannot find out which one exactly.

 

[Parkinsond]

If installing WMIC doesn't resolve the issue or you prefer not to install deprecated components, create your base policy without the Microsoft recommended rules option, then manually merge the recommended block rules policy afterward.

1. Create your base policy in the App Control Wizard without selecting Microsoft recommended rules
2. Download the Microsoft recommended block rules XML policy separately from Microsoft's documentation.
3. Use PowerShell to merge the policies,

As a workaround, I use online policy creator (including the block rules), then modify the xml using the wizard according to my needs.

 

[Brahman]

As a workaround, I use online policy creator (including the block rules), then modify the xml using the wizard according to my needs.

Have you checked whether all .net runtimes dependencies are present ?

 

[Parkinsond]

Have you checked whether all .net runtimes dependencies are present ?

But it works on W 11 23h2 without.

 

[ForgottenSeer 114717]

Windows 11 IoT Enterprise LTSC (24H2)

LTSC is not built or intended for desktop use. It is intended for systems such as bank ATMs, medical CT/MRI, and really, really expensive cappuccino machines.

 

[Parkinsond]

LTSC is not built or intended for desktop use. It is intended for systems such as bank ATMs, medical CT/MRI, and really, really expensive cappuccino machines.

MS app control wizard works fine on W 10 IoT Ent LTSC

 

[Brahman]

LTSC is not built or intended for desktop use. It is intended for systems such as bank ATMs, medical CT/MRI, and really, really expensive cappuccino machines.

Ltsc is far less bloated than the pro or home version and it saves you a lot of time spend debloating the the regular home/pro/enterprise versions.Yes, it's ment for industrial use where feature update is not desirable, but it's pretty fast on old pcs. The only issue is that one cannot really buy a key for it legally. Ms doesn't sell it to individual users.

 

[Victor M]

I just installed WDAC Wizard for you and made a base policy 'Windows only' and checkmarking both Block rules and it was able to create the cip file. So it is not the missing WMIC because my 24H2 (Oct 2025 Update) also doesn't have WMIC.

 

[ForgottenSeer 114717]

MS app control wizard works fine on W 10 IoT Ent LTSC

It is expected to work. LTSC is deployed mostly in commercial, healthcare, and industrial environments where many features, services, LOLBins, etc are removed, disabled, or blocked because the OS is meant to be configured for the bare minimum to fulfill its use case. For example, when embedded in ATMs or medical devices, a lot of the OS is disabled via the various means Microsoft ships to enable admins to remove, disabled, and block stuff.

However, LTSC does not have an active dedicated developer team at Microsoft for this specific Windows edition. So problems can occur and they don't get fixed unless critical.

Ltsc is far less bloated than the pro or home version and it saves you a lot of time spend debloating the the regular home/pro/enterprise versions.Yes, it's ment for industrial use where feature update is not desirable, but it's pretty fast on old pcs. The only issue is that one cannot really but a key for it legally. Ms doesn't sell it to individual users.

Yes. Of course.

 

[Brahman]

However, LTSC does not have an active dedicated developer team at Microsoft for this specific Windows edition

Can you provide a link to verify this information? Iot LTSC is often supported for 10 years and it's impossible without a dedicated team of active developers.