WDACManager Architecture
At a high level, WDACManager operates as a centralized platform for managing Windows Defender Application Control (WDAC) policies across enterprise environments. Administrators access the platform through a web interface where WDAC policies, telemetry, and deployment workflows are managed.
The platform integrates with Microsoft cloud services through Microsoft Graph to retrieve application execution telemetry from Microsoft Defender for Endpoint and to deploy WDAC policies using Microsoft Intune and Application Control for Business (ACfB).
A core architectural concept of WDACManager is the **Application Abstraction** model. Instead of managing individual WDAC rules such as hashes, certificates, or file paths, WDACManager groups these elements into logical *Applications*. Administrators build policies using these application objects, simplifying policy lifecycle management while still producing fully compliant WDAC policies.
WDACManager can optionally integrate with endpoint agents that communicate securely with the platform using mutually authenticated TLS (mTLS). These agents submit telemetry, retrieve policy updates, and apply policies locally on endpoints.

Web Interface
The WDACManager web interface provides administrators with a centralized platform for managing application control policies.
Administrators can:
- analyse application telemetry
- review application execution activity
- generate WDAC policies
- manage application rules
- deploy policies across endpoint groups
The interface communicates with backend services through a secure API.
Backend Services
The backend service implements the main operational logic of the platform.
Responsibilities include:
- authentication and authorization
- policy lifecycle management
- application abstraction and rule generation
- integration with Microsoft security services
- API services used by the management interface
Backend services expose APIs used by the web interface and by administrative workflows.
Agent Gateway
The Agent Gateway is responsible for secure communication with endpoints.
Endpoints communicate with the platform through outbound HTTPS connections to the gateway. The gateway validates endpoint identity using mutual TLS authentication and processes telemetry submitted by the endpoint agents.
Responsibilities include:
- device enrollment
- certificate lifecycle management
- event ingestion
- policy metadata retrieval
- policy distribution
Separating the gateway from the main backend limits the public attack surface of the platform.
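The mutual TLS handshake described above proves that an agent holds a private key for a certificate the gateway trusts; it does not by itself tell the gateway which enrolled device is connecting, or whether that device's certificate has since been revoked or replaced. The following added example (illustrative code, not WDACManager's own) shows the post-handshake check a gateway would run on the peer certificate as Python's `ssl` module returns it from `getpeercert()`, against a hypothetical enrollment table. The certificate dictionary and enrollment records are constructed sample data; the device-id-in-CN convention and the `Enrollment` class are assumptions.

```python
"""Post-handshake authorization of an mTLS-authenticated agent at a
hypothetical Agent Gateway (added illustration, not WDACManager code).

The TLS layer already verified the chain to the enrollment CA. This step
binds the presented certificate to a specific enrolled device and rejects
revoked, superseded or expired certificates before any telemetry is
accepted or any policy is handed out."""
import ssl


def cert_field(cert, field_name):
    """Return one subject attribute from a getpeercert()-style dict.
    The subject is a tuple of RDNs, each a tuple of (type, value) pairs."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field_name:
                return value
    return None


class Enrollment:
    """Assumed enrollment store: device id -> certificate serial + status."""

    def __init__(self):
        self.devices = {}

    def enroll(self, device_id, serial):
        # A re-enrollment replaces the serial, so an older cert is superseded.
        self.devices[device_id] = {"serial": serial.upper(), "revoked": False}

    def revoke(self, device_id):
        self.devices[device_id]["revoked"] = True


def authorize_agent(cert, enrollment, now):
    """Return (ok, reason_or_device_id). `now` is a POSIX timestamp so the
    check is deterministic; a gateway would pass time.time()."""
    device_id = cert_field(cert, "commonName")
    if device_id is None:
        return False, "certificate has no commonName"
    record = enrollment.devices.get(device_id)
    if record is None:
        return False, "device not enrolled"
    if record["revoked"]:
        return False, "device certificate revoked"
    if record["serial"] != str(cert.get("serialNumber", "")).upper():
        return False, "certificate superseded by re-enrollment"
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form.
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        return False, "certificate expired"
    return True, device_id


# Constructed sample peer certificate in getpeercert() layout.
SAMPLE_CERT = {
    "subject": ((("commonName", "device-0001"),),),
    "issuer": ((("commonName", "Example Enrollment CA"),),),
    "serialNumber": "1A2B3C",
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2027 GMT",
}


def demo():
    store = Enrollment()
    store.enroll("device-0001", "1a2b3c")
    checked_at = ssl.cert_time_to_seconds("Jun  1 12:00:00 2026 GMT")
    return authorize_agent(SAMPLE_CERT, store, checked_at)


if __name__ == "__main__":
    print(demo())
```

In a real gateway this runs right after the handshake on a server-side `SSLContext` configured with `verify_mode = ssl.CERT_REQUIRED` and the enrollment CA loaded; the point of the extra check is that revocation and re-enrollment are decided by the platform's own records, not only by certificate validity.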
Data Platform
WDACManager stores operational data in a PostgreSQL database.
Key data domains include:
- WDAC policies and rule structures
- application definitions
- device enrollment records
- telemetry events
- policy assignments
The data platform supports both operational workflows and analytical visibility into WDAC environments.
Endpoint Integration
WDACManager integrates with endpoint agents that collect WDAC telemetry and enforce policy updates.
Operational Model
WDACManager is designed to support the full operational lifecycle of Windows Defender Application Control environments. The platform separates policy design, telemetry analysis, and deployment workflows to ensure administrators can safely evolve policies without disrupting endpoint enforcement.
The operational model follows a controlled cycle:
- endpoints submit application execution telemetry
- administrators review execution activity and identify required applications
- applications are modeled using the WDACManager **Application Abstraction** layer (grouping hashes, certificates, and rule identifiers into logical applications)
- updated WDAC policies are generated and validated
- policies are deployed to endpoints using Microsoft Intune or the WDACManager agent
- endpoints enforce the updated policy configuration
This model ensures that WDAC policies evolve through controlled and observable changes rather than ad-hoc rule modifications.
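The Application Abstraction model introduced in the architecture overview and the "generated and validated" step of the cycle above are easiest to see in code. The following added example (illustrative, not WDACManager's implementation) groups hashes, signer certificates and file paths into logical application objects, renders them as a simplified WDAC `SiPolicy` XML document with the policy in audit mode, and then validates the result by checking that every rule reference resolves to a defined rule and that hash values are well-formed. The `Application` and `PolicyDraft` classes, the rule ID scheme, and the sample hashes are assumptions; the XML is a reduced rendering of the WDAC schema and omits elements a production policy carries.

```python
"""Application Abstraction -> WDAC policy XML -> validation.
Added illustration with assumed data model; not WDACManager's own code."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SIPOLICY_NS = "urn:schemas-microsoft-com:sipolicy"


@dataclass
class Application:
    """A logical application: the unit administrators manage instead of raw rules."""
    name: str
    hashes: list = field(default_factory=list)   # Authenticode hashes, hex
    signers: list = field(default_factory=list)  # (signer name, TBS hash of cert)
    paths: list = field(default_factory=list)    # file path rules


@dataclass
class PolicyDraft:
    applications: list
    audit_mode: bool = True


def build_policy(draft):
    """Render the application objects as a (simplified) SiPolicy XML string."""
    root = ET.Element("SiPolicy", {"xmlns": SIPOLICY_NS, "PolicyType": "Base Policy"})
    ET.SubElement(root, "VersionEx").text = "10.0.0.0"
    rules = ET.SubElement(root, "Rules")
    options = ["Enabled:UMCI"] + (["Enabled:Audit Mode"] if draft.audit_mode else [])
    for opt in options:
        ET.SubElement(ET.SubElement(rules, "Rule"), "Option").text = opt

    file_rules = ET.SubElement(root, "FileRules")
    signers = ET.SubElement(root, "Signers")
    rule_ids, signer_ids = [], []
    for a, app in enumerate(draft.applications):
        # Each raw artefact becomes one rule, but all carry the application's name,
        # so the rule set can be traced back to the logical application.
        for i, h in enumerate(app.hashes):
            rid = f"ID_ALLOW_A_{a}_{i}"
            ET.SubElement(file_rules, "Allow", {"ID": rid, "FriendlyName": app.name, "Hash": h})
            rule_ids.append(rid)
        for i, p in enumerate(app.paths):
            rid = f"ID_ALLOW_P_{a}_{i}"
            ET.SubElement(file_rules, "Allow", {"ID": rid, "FriendlyName": app.name, "FilePath": p})
            rule_ids.append(rid)
        for i, (sname, tbs) in enumerate(app.signers):
            sid = f"ID_SIGNER_S_{a}_{i}"
            signer = ET.SubElement(signers, "Signer", {"ID": sid, "Name": sname})
            ET.SubElement(signer, "CertRoot", {"Type": "TBS", "Value": tbs})
            signer_ids.append(sid)

    scenario = ET.SubElement(ET.SubElement(root, "SigningScenarios"), "SigningScenario",
                             {"Value": "12", "ID": "ID_SIGNINGSCENARIO_WINDOWS",
                              "FriendlyName": "User mode code"})
    product = ET.SubElement(scenario, "ProductSigners")
    allowed = ET.SubElement(product, "AllowedSigners")
    for sid in signer_ids:
        ET.SubElement(allowed, "AllowedSigner", {"SignerId": sid})
    refs = ET.SubElement(product, "FileRulesRef")
    for rid in rule_ids:
        ET.SubElement(refs, "FileRuleRef", {"RuleID": rid})
    return ET.tostring(root, encoding="unicode")


HEX_HASH = re.compile(r"(?:[0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})")


def validate_policy(xml_text):
    """Return a list of problems; an empty list means the policy is internally consistent."""
    root = ET.fromstring(xml_text)
    local = lambda e: e.tag.split("}")[-1]  # strip the namespace prefix
    allow_ids = {e.get("ID") for e in root.iter() if local(e) == "Allow"}
    signer_ids = {e.get("ID") for e in root.iter() if local(e) == "Signer"}
    problems = []
    for e in root.iter():
        tag = local(e)
        if tag == "FileRuleRef" and e.get("RuleID") not in allow_ids:
            problems.append(f"dangling FileRuleRef {e.get('RuleID')}")
        elif tag == "AllowedSigner" and e.get("SignerId") not in signer_ids:
            problems.append(f"dangling AllowedSigner {e.get('SignerId')}")
        elif tag == "Allow" and e.get("Hash") is not None and not HEX_HASH.fullmatch(e.get("Hash")):
            problems.append(f"malformed hash in {e.get('ID')}")
    return problems


def sample_draft():
    """Constructed sample application; hash and TBS values are placeholders."""
    return PolicyDraft([Application(
        "Example Editor",
        hashes=["A" * 64],
        signers=[("Example Corp Code Signing CA", "B" * 40)],
        paths=["%PROGRAMFILES%\\ExampleEditor\\*"],
    )])


if __name__ == "__main__":
    xml = build_policy(sample_draft())
    print(xml)
    print("problems:", validate_policy(xml))
```

Keeping validation separate from generation is what lets the cycle above treat "generated and validated" as a gate: a draft whose rule references do not resolve, or whose hashes are malformed, never reaches deployment.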
WDACManager OneCode Workflow
The OneCode workflow allows organizations to temporarily execute new or previously unseen software on endpoints protected by Windows Defender Application Control (WDAC) without permanently weakening security policies.
When a valid OneCode is entered through the WDACManager Local Client, the endpoint temporarily switches its WDAC policy from Enforced Mode to Audit Mode for a limited period of time. This controlled window allows a user to install or execute required software while maintaining full visibility of application activity.
During this period the WDACManager agent captures detailed execution telemetry including binaries, signing information, and execution events. This telemetry is securely transmitted to the WDACManager platform where administrators can review the activity and determine which rules are required to allow the application under normal enforcement conditions.
Once the OneCode window expires, the endpoint automatically returns to Enforced Mode, restoring full WDAC protection.
Key characteristics include:
- time-limited authorization codes
- temporary switch from Enforced Mode to Audit Mode
- automatic return to enforced policy state
- full telemetry capture of executed applications
- centralized review and rule generation through WDACManager
- integration with the WDACManager policy lifecycle workflow
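The properties listed above (a code bound to a time window, a temporary switch to Audit Mode, automatic return to Enforced Mode, and telemetry captured throughout) can be demonstrated with a small model. The following added example is illustrative code, not WDACManager's implementation or wire format: it issues an HMAC-authenticated, time-limited code bound to a device, lets a modelled endpoint enter Audit Mode only on a valid, unused code, and returns the endpoint to Enforced Mode once the window expires while tagging every execution record with the mode it was observed in. The key-sharing model (a per-device secret provisioned at enrollment), the code encoding, and the sample timestamps are assumptions.

```python
"""OneCode-style time-limited audit window: issuance, verification and the
endpoint's Enforced -> Audit -> Enforced transition.
Added illustration; not WDACManager's own code or code format."""
import base64
import hashlib
import hmac
import os
import struct


class OneCodeIssuer:
    """Issues and verifies codes with a secret assumed to be shared with the
    endpoint at enrollment (one key per device in practice)."""

    def __init__(self, key):
        self.key = key

    def issue(self, device_id, window_seconds, now):
        expires = int(now) + window_seconds
        payload = struct.pack(">I", expires) + os.urandom(4)   # expiry + nonce
        tag = hmac.new(self.key, payload + device_id.encode(), hashlib.sha256).digest()[:8]
        # 16 bytes -> 26 base32 characters, padding stripped for typing.
        return base64.b32encode(payload + tag).decode().rstrip("=")

    def verify(self, code, device_id, now):
        """Return the window's expiry time, or None if the code is invalid."""
        try:
            raw = base64.b32decode(code.upper() + "=" * (-len(code) % 8))
        except Exception:
            return None
        if len(raw) != 16:
            return None
        payload, tag = raw[:8], raw[8:]
        expected = hmac.new(self.key, payload + device_id.encode(), hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None                      # forged, or issued for another device
        expires = struct.unpack(">I", payload[:4])[0]
        return expires if expires > int(now) else None


class Endpoint:
    ENFORCED, AUDIT = "Enforced", "Audit"

    def __init__(self, device_id, issuer):
        self.device_id = device_id
        self.issuer = issuer
        self.mode = self.ENFORCED
        self.audit_until = None
        self.used_codes = set()   # a code opens exactly one window
        self.telemetry = []

    def enter_code(self, code, now):
        if code in self.used_codes:
            return False
        expires = self.issuer.verify(code, self.device_id, now)
        if expires is None:
            return False
        self.used_codes.add(code)
        self.mode, self.audit_until = self.AUDIT, expires
        return True

    def tick(self, now):
        """Called periodically: automatic return to Enforced once the window ends."""
        if self.mode == self.AUDIT and now >= self.audit_until:
            self.mode, self.audit_until = self.ENFORCED, None
        return self.mode

    def observe_execution(self, path, signer, now):
        """Telemetry is captured in both modes; the mode tag lets reviewers see
        which executions only ran because of the audit window."""
        self.tick(now)
        self.telemetry.append({"time": now, "path": path, "signer": signer, "mode": self.mode})
        return self.telemetry[-1]


def demo():
    issuer = OneCodeIssuer(b"constructed-demo-key-do-not-reuse")
    ep = Endpoint("device-0001", issuer)
    t0 = 1_700_000_000                      # constructed timestamp
    code = issuer.issue("device-0001", 600, now=t0)
    ep.enter_code(code, t0 + 5)
    ep.observe_execution(r"C:\Temp\setup.exe", "Example Corp", t0 + 60)
    ep.observe_execution(r"C:\Temp\setup.exe", "Example Corp", t0 + 700)
    return [rec["mode"] for rec in ep.telemetry]


if __name__ == "__main__":
    print(demo())   # ['Audit', 'Enforced']
```

Two details matter for the security properties the page lists: the expiry is inside the authenticated payload, so the window length cannot be extended by the user, and the endpoint remembers consumed codes, so a code cannot reopen the window after it closes.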