WDACManager Platform

WDACManager provides a centralized platform for managing Microsoft Windows Defender Application Control (WDAC) policies across enterprise environments. While WDAC delivers one of the most powerful application control mechanisms available on Windows, operating it at scale can be difficult. Organizations must manage complex policy structures, maintain large rule sets, and deploy policy updates safely across many endpoints. WDACManager simplifies these tasks by providing a structured platform that manages the full WDAC policy lifecycle — from telemetry analysis and rule generation to policy deployment and operational monitoring. Security teams can manage WDAC through a centralized interface while preserving the security model and enforcement mechanisms of native WDAC.

Policy Lifecycle Management

  • WDACManager provides a structured workflow for managing WDAC policies throughout their lifecycle.
  • Security administrators can create, edit, merge, and maintain base and supplemental policies without directly editing XML or relying on complex PowerShell scripts.
  • The platform maintains policy version history and allows administrators to safely roll back changes when required.
  • This ensures WDAC policies remain maintainable even as environments evolve.

Application Abstraction

  • WDACManager introduces the concept of "Applications", which are collections of certificates and hashes managed as one unit.
  • Applications can then be included in Base or Supplemental WDAC policies (as either allow or deny rules). If an application collection changes, every policy that contains this application is updated automatically.

Automated Policy Generation

  • WDACManager can generate WDAC policies using application telemetry collected from Microsoft Defender for Endpoint or Windows Event Logs (via WDACWizard-Events).
  • By analysing application execution activity, administrators can identify legitimate applications that should be allowed and quickly incorporate them into policy rules.
  • Policies are automatically validated and rebuilt before deployment.

Policy Deployment

  • Once policies are generated or updated, WDACManager can deploy them across the environment using existing enterprise deployment mechanisms.
  • Updated WDAC policies are automatically pushed into Microsoft Intune as a WIN32 application or Application Control for Business.
  • The WDACManager Windows client can optionally be deployed to maintain WDAC policies across your infrastructure.

Application Control Operations

  • Administrators can control which applications are permitted to run across the organization using a structured application management interface.
  • Let WDACManager do the rest and deploy the reconstructed policies across the fleet.
  • Applications can be allowed or removed from the policy using structured rule management rather than manual XML editing.
  • Maintain policy flexibility between departments, groups or cohorts, each with its own rules, settings and applications.
  • This significantly reduces the operational complexity normally associated with WDAC policy maintenance.

Operational Visibility

  • Maintaining WDAC environments requires insight into application execution activity and policy enforcement results.
  • WDACManager integrates telemetry from Microsoft Defender for Endpoint and Windows Event logs to provide visibility into:
      ◦ policy enforcement events
      ◦ deployment results
      ◦ installation activity
  • This allows security teams to understand how application control policies behave in real environments.

How it works

The WDACManager workflow follows a structured operational cycle:

  1. Endpoints send application execution telemetry to Microsoft Defender for Endpoint or Windows Event logs.
  2. WDACManager collects the logs and allows searches and visual filtering to identify potential application updates.
  3. Security administrators review and approve applications.
  4. WDACManager generates and updates WDAC policies automatically.
  5. Policies are deployed to endpoints via Microsoft Intune (WIN32 or ACfB).
  6. Endpoints enforce the updated policies using native WDAC enforcement.

This provides full visibility and control over application execution across your organization.
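Steps 1 and 2 of the cycle above rely on WDAC's own Code Integrity events. As an added example (not WDACManager's code), the following PowerShell summarises audit-mode (3076) and enforced-block (3077) events from the local Microsoft-Windows-CodeIntegrity/Operational log into a per-file review list, the kind of input an administrator approves in step 3. It assumes the documented EventData field names FileNameBuffer, ProcessNameBuffer and PolicyNameBuffer and must run elevated.

```powershell
# Added example, not part of WDACManager. Summarise WDAC audit/enforcement
# events so a reviewer can see which binaries would be (or were) blocked.
# Assumed EventData field names: FileNameBuffer, ProcessNameBuffer, PolicyNameBuffer.
param(
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077          # 3076 = audit (would have blocked), 3077 = enforced block
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No WDAC audit/block events in the last $Days days."
    return
}

# Pull named EventData fields from each event's XML rather than relying on
# positional Properties, which differ between OS builds.
$rows = foreach ($e in $events) {
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 3076) { 'Audit' } else { 'Enforced' }
        File    = $data['FileNameBuffer']
        Process = $data['ProcessNameBuffer']
        Policy  = $data['PolicyNameBuffer']
    }
}

# One line per file: how often it ran, under which mode, and which parent
# processes launched it. A file seen only under 'Audit' is a candidate for
# approval before the policy is switched to enforcement.
$summary = $rows | Group-Object File | ForEach-Object {
    [pscustomobject]@{
        File      = $_.Name
        Count     = $_.Count
        Modes     = ($_.Group.Mode    | Sort-Object -Unique) -join ','
        Processes = ($_.Group.Process | Sort-Object -Unique) -join ';'
        LastSeen  = ($_.Group.Time    | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize
# Hand the list to reviewers outside the console (step 3 of the cycle).
$summary | Export-Csv -Path "$env:TEMP\wdac-review.csv" -NoTypeInformation
```

On a fleet, run the same query against a central collector that receives forwarded CodeIntegrity events rather than on each endpoint.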

Automation
Simple Application Management
Easy Compliance

Air-Gapped and Secure Environment Support

WDACManager can operate in complete isolation in secure environments. It can ingest WDAC Windows Events either at a central point or from every device (when using the WDACManager Windows client). WDAC policy deployment can be done via Windows Active Directory integration or directly to all endpoints using the WDACManager Windows client.

Event Collection

  • The WDACManager Windows client can be installed on a central point to ingest Windows Events forwarded from multiple workstations,
  • installed on all workstations,
  • or used to capture SOE Baselines and/or software deployments.

Policy Deployment

  • The WDACManager Windows client can be installed on all devices to maintain WDAC policies across endpoints.
  • Allows fast policy switching and propagation (minutes, not hours).
  • Provides ability to use OneCode (temporary policy overwrite).

Software Capturing

  • WDACManager can also capture full SOE Baselines that can be used as starting points for WDAC policies.
  • Allows capturing the files written by an application installation, in order to create WDACManager Applications that can then be used in WDAC policy definitions.
