Application control prevents unauthorised software from executing. In principle it is straightforward: only allow approved programs to run. In practice, managing an allowlist in a real business environment — with legitimate software that changes over time — is considerably more complex.
What Application Control Requires
At Maturity Level One, application control prevents execution of unauthorised executables, software libraries, scripts, and installers in standard user profiles and temporary folders. At Maturity Level Two, control extends across the entire operating system. At Maturity Level Three, application control is enforced on all systems including servers, with automated detection of unsigned or unapproved code.
The Most Common Implementation Gap
Organisations frequently implement application control on executables while leaving scripts — PowerShell, VBScript, JavaScript — uncontrolled. Attackers know this and use scripts as their preferred execution method when executables are blocked. Complete application control covers all execution types.
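The gap described above is easy to check for. The following PowerShell is an added example (not from the original article): it reads the effective AppLocker policy on a device and reports the enforcement mode of every rule collection, so a policy that covers Exe but leaves Script (or Dll, Msi, Appx) unconfigured or audit-only is obvious. The second function does the equivalent check on a WDAC policy XML file you supply; the rule option name and the policy XML layout are Microsoft's documented ones, and the file path in the usage line is a placeholder.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the device being checked; the AppLocker module ships with Windows.
function Get-AppLockerCoverage {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    # The five collection types AppLocker can control; Exe alone is the common gap.
    foreach ($type in 'Exe', 'Dll', 'Msi', 'Script', 'Appx') {
        $collection = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $type }
        $mode = if ($collection -and $collection.EnforcementMode) { $collection.EnforcementMode } else { 'NotConfigured' }
        [pscustomobject]@{
            Collection = $type
            Mode       = $mode
            RuleCount  = if ($collection) { @($collection.ChildNodes).Count } else { 0 }
            # Anything other than 'Enabled' (i.e. NotConfigured or AuditOnly) leaves this type uncontrolled.
            Gap        = ($mode -ne 'Enabled')
        }
    }
}

# WDAC equivalent. A policy XML carrying the 'Disabled:Script Enforcement' rule
# option turns off WDAC's script controls (PowerShell constrained language mode,
# Windows Script Host and MSI checks), which recreates the same gap.
function Test-WdacScriptEnforcement {
    param([Parameter(Mandatory)][string]$PolicyXml)   # path to a WDAC policy XML you supply
    [xml]$policy = Get-Content -Path $PolicyXml -Raw
    $options = @($policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
    [pscustomobject]@{
        Policy            = $PolicyXml
        AuditMode         = ($options -contains 'Enabled:Audit Mode')
        ScriptEnforcement = -not ($options -contains 'Disabled:Script Enforcement')
    }
}

Get-AppLockerCoverage | Format-Table -AutoSize
# Test-WdacScriptEnforcement -PolicyXml 'C:\Policies\MyPolicy.xml'   # placeholder path
```

Any row with Gap set to True, or a WDAC result with ScriptEnforcement False, is an execution type the policy does not control and should be treated as a finding against the maturity level being claimed.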
Microsoft AppLocker vs Windows Defender Application Control
Microsoft provides two native tools for application control: AppLocker (available in Windows Enterprise and Education) and Windows Defender Application Control (WDAC). WDAC is the more modern and more robust option: it is enforced in the kernel, which makes it harder to bypass. AppLocker remains widely used but has known bypass techniques. ASD's guidance now recommends WDAC for new implementations.
Testing Before Deploying
Application control deployed in enforcement mode without adequate testing disrupts legitimate operations. Always begin in audit mode, review the logs to identify everything that would be blocked, resolve false positives, and then move to enforcement. Rushed deployment causes operational pain and often results in policies being weakened or disabled entirely.
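The audit-mode review step is where most of the work is. The PowerShell below is an added example (not from the original article) that summarises what an audit-mode policy would have blocked, grouped by file path, so each distinct program can be approved or rejected before enforcement is switched on. It reads the documented AppLocker audit-only events (8003 for EXE/DLL, 8006 for MSI/Script) and the Code Integrity audit event 3076 used by WDAC. The review window, the regex used to pull the path out of the 3076 message text, and the file paths in the final comments are assumptions.

```powershell
# Added example, not from the original article. Elevated PowerShell session on
# a device running the policy in audit mode; -Days is an assumed review window.
function Get-WouldBlockSummary {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $hits = [System.Collections.Generic.List[object]]::new()

    # AppLocker audit-only events: 8003 (EXE/DLL) and 8006 (MSI/Script).
    $appLockerLogs = @{
        'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
        'Microsoft-Windows-AppLocker/MSI and Script' = 8006
    }
    foreach ($log in $appLockerLogs.Keys) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $appLockerLogs[$log]; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                # AppLocker puts the file details in UserData/RuleAndFileData.
                $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
                $hits.Add([pscustomobject]@{ Source = 'AppLocker'; Path = $data.FilePath; User = $data.TargetUser; Time = $_.TimeCreated })
            }
    }

    # WDAC (Code Integrity) event 3076: the file would have been blocked in
    # enforced mode. Assumption: the message wording 'attempted to load <path>
    # that did not meet' is stable enough to parse.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = if ($_.Message -match 'attempted to load (.+?) that did not meet') { $Matches[1] } else { '<unparsed>' }
            $hits.Add([pscustomobject]@{ Source = 'WDAC'; Path = $path; User = $_.UserId; Time = $_.TimeCreated })
        }

    # One row per distinct path: how often, and for whom. This is the allowlist work queue.
    $hits | Group-Object Source, Path | ForEach-Object {
        [pscustomobject]@{
            Source = $_.Group[0].Source
            Path   = $_.Group[0].Path
            Count  = $_.Count
            Users  = (($_.Group.User | Where-Object { $_ } | Sort-Object -Unique) -join ', ')
            Last   = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Count -Descending
}

Get-WouldBlockSummary -Days 14 | Format-Table -AutoSize

# Once every row has been either added to the policy or confirmed as unwanted,
# a WDAC policy is moved from audit to enforcement by removing rule option 3
# (Enabled:Audit Mode) and rebuilding the binary policy. Paths are placeholders.
# Set-RuleOption -FilePath 'C:\Policies\MyPolicy.xml' -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath 'C:\Policies\MyPolicy.xml' -BinaryFilePath 'C:\Policies\MyPolicy.cip'
```

Run the summary repeatedly over the audit period rather than once: software that is launched monthly (reporting tools, updaters) only appears in the log when it runs, and a queue that stops growing is the signal that the policy is ready to enforce.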
Can application control be implemented in a Microsoft 365 Business environment?
Yes, using Intune to deploy WDAC policies to Intune-enrolled Windows devices. Intune is included in Microsoft 365 Business Premium. The implementation requires careful planning and testing but does not require additional tooling beyond what is already included in the licence.