MT.1179 - Ensure App Control for Business is enabled
Overview
Ensure at least one Intune App Control for Business (formerly Windows Defender Application Control / WDAC) policy is configured.
App Control for Business restricts which applications and drivers are allowed to run on Windows devices using code integrity policies. This is one of the most effective defenses against malware, ransomware, and unauthorized software because it blocks untrusted executables from running at all, even if they bypass antivirus detection.
Key settings this test evaluates:
- Build Options: Whether the policy uses built-in controls (built_in_controls_selected) or a custom uploaded policy (upload_policy_selected)
- Policy XML: For uploaded policies, whether an XML code-integrity payload is actually present (not empty)
- Audit Mode: Whether the policy is in audit mode (logging only) or enforce mode (blocking)
- Managed Installer: Whether apps deployed via Intune/SCCM are automatically trusted
- Intelligent Security Graph (ISG) Reputation: Whether apps with good reputation scores are trusted
The test passes if at least one App Control for Business policy is enforcing (audit mode disabled) AND has either built-in controls selected or an uploaded XML policy with a non-empty payload. Audit-only policies and upload-mode policies with no XML payload are reported but do not satisfy the pass criterion, because they do not block untrusted executables.
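The pass criterion above, worked through as an added example (not Maester's own Test-MtIntuneAppControl code): the function evaluates a set of policy objects and separates passing policies from the audit-only and empty-payload findings. The property names (Name, BuildOption, AuditMode, PolicyXml) are an assumed simplified shape modelled on the settings listed on this page, not the Microsoft Graph schema, and the input is constructed.

```powershell
# Added example, not part of Maester. Evaluates the MT.1179 pass criterion over a
# list of policy objects. Property names are assumptions (simplified shape), not
# the Microsoft Graph representation of an Intune App Control policy.
function Test-AppControlPolicyEnforced {
    param([Parameter(Mandatory)][object[]]$Policies)

    $passing  = @()
    $findings = @()
    foreach ($p in $Policies) {
        # Enforce mode means audit mode is disabled; audit-only policies never pass.
        $blocking = -not $p.AuditMode
        # Built-in controls always carry a payload; uploaded policies need non-empty XML.
        $hasPayload = switch ($p.BuildOption) {
            'built_in_controls_selected' { $true }
            'upload_policy_selected'     { -not [string]::IsNullOrWhiteSpace($p.PolicyXml) }
            default                      { $false }
        }
        if ($blocking -and $hasPayload) {
            $passing += $p.Name
        } elseif (-not $blocking) {
            $findings += "$($p.Name): audit mode only (logs, does not block)"
        } elseif ($p.BuildOption -eq 'upload_policy_selected') {
            $findings += "$($p.Name): upload mode with empty XML payload"
        } else {
            $findings += "$($p.Name): no recognised build option"
        }
    }
    # The test passes when at least one policy is enforcing with a real payload.
    [pscustomobject]@{
        Passed   = $passing.Count -gt 0
        Passing  = $passing
        Findings = $findings
    }
}

# Constructed sample input: an audit-only policy, an upload policy with no XML,
# and one enforcing built-in policy. Only the last satisfies the criterion.
$sample = @(
    [pscustomobject]@{ Name = 'AppControl-Audit';    BuildOption = 'built_in_controls_selected'; AuditMode = $true;  PolicyXml = $null }
    [pscustomobject]@{ Name = 'AppControl-EmptyXml'; BuildOption = 'upload_policy_selected';     AuditMode = $false; PolicyXml = '' }
    [pscustomobject]@{ Name = 'AppControl-Enforce';  BuildOption = 'built_in_controls_selected'; AuditMode = $false; PolicyXml = $null }
)
$result = Test-AppControlPolicyEnforced -Policies $sample
$result.Passed
$result.Findings
```

The Findings list mirrors what the page says the test reports without counting toward the pass: audit-only policies and upload-mode policies whose XML payload is empty.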
Remediation action:
- Navigate to Microsoft Intune admin center.
- Go to Endpoint security > Application control.
- Click + Create policy.
- Set Platform to Windows 10 and later and Profile to App Control for Business.
- Enter a policy name (e.g., "App Control - Audit Mode").
- Configure the following settings:
  - App Control for Business: Select Built-in controls
  - Audit mode: Enabled (start in audit mode to identify blocked apps)
  - Trust apps from managed installer: Enabled (trusts Intune-deployed apps)
  - Trust apps with good reputation: Disabled (optional; ISG adds convenience but reduces strictness)
- Assign the policy to a test device group first.
- Monitor blocked/audited apps in Microsoft Defender for Endpoint > Reports > Application control.
- After validating that legitimate apps are not being blocked, transition to Enforce mode.
Related links
- Microsoft Intune - Application Control
- Microsoft Learn - App Control for Business in Intune
- Microsoft Learn - Application Control for Windows
- Microsoft Learn - Managed Installer and ISG options
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1179 |
| Severity | High |
| Suite | Maester |
| Category | Intune |
| PowerShell test | Test-MtIntuneAppControl |
| Tags | Intune, Maester, MT.1179 |
Source
- Pester test: tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1
- PowerShell source: powershell/public/maester/intune/Test-MtIntuneAppControl.ps1