ForgottenSeer 89360
Just a correction here, it's not behaviour signature, it's behavioural profile - it contains a group of characteristics and a chain of events that, one by one individually might not be malicious, but combined all together, pose a threat.
It doesn't have a traditional behavior blocker but it does have behavioral signatures which can catch threats post execution based on behavior.
I tested WD last year for a brief period of time here in the hub and it caught some Java/Adwind malware based on post execution behavior.
Here are some links of such signatures:
Behavior:Win32/SuspHijackAttempt.A threat description - Microsoft Security Intelligence
Here Microsoft publish every signature they add to their local database. If you check history of "Security intelligence update version" which I do often you'll see them adding these behavioral signatures quite regularly:
So it seems like it does have a traditional behavioural blocker.
It has also removed registry entries with randomized names in the case of the Java/Adwind malware, which wouldn't have been possible, unless a behavioural monitor/blocker, saw them being created.