Windows Defender Application Control (WDAC) is very different from HIPS.
"
Windows Defender Application Control (WDAC) can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in Constrained Language Mode."
Windows Defender Application Control (WDAC) (Windows 10)
So, WDAG is rather a kind of Software and Driver policy. It is very strong because it can block also .NET Dlls. I have been playing with it for some time, but it cannot be configured via GPO or PowerShell, or reg tweaks on Windows Home and Pro. WDAC can be deployed on any Windows 10 edition via SIPolicy.p7b file, or on Windows Pro (and higher ed.) via GPO if the user can have access to the custom policy .bin file. Both SIPolicy.p7b and the custom policy .bin file can be made from the .XML policy file when using PowerShell cmdlets on Windows Enterprise ed. On Windows Home and Pro the required cmdlets are not available, you get the error "ConvertFrom-CIPolicy : Device Guard is not available in this edition of Windows."
WDAC can be also optionally managed via Mobile Device Management (MDM), such as Microsoft Intune, but I did not try this.
I installed Windows 10 Enterprise, and then WDAC can be configured via PowerShell cmdlets.
I made the SIPolicy.p7b file that can be copied to C:\Windows\System32\CodeIntegrity, and then WDAC can work on Windows 10 Home and Pro.
In practice, WDAG restrictions can be applied on Windows Home and Pro via SIPolicy.p7b, as a default-allow setup with a blacklist for vulnerable applications (script interpreters, etc.) and DLLs - one can use the Bouncer blacklist for that.
The advanced users can apply WDAC restrictions as default deny setup for drivers and software, but it is not an easy solution, and can be dangerous to system stability on Windows Home.
