Configure App Control for Business by using OSConfig
App Control for Business is a software-based security layer that reduces attack surface by enforcing an explicit list of software that's allowed to run. Microsoft developed a default policy for Windows Server 2025, which you can implement on the server by using Windows PowerShell cmdlets. App Control implementation is facilitated through the OSConfig security configuration platform and provides two main operation modes:
- Audit mode: Allows untrusted code to run while events are recorded.
- Enforcement mode: Disallows untrusted code from running while events are recorded.
To learn more about these security event logs, see Understanding App Control events and Understanding App Control event tags.
Because App Control is a component of Windows Server 2025, deployment of its policies provides easier access to audit mode and enforcement mode through PowerShell. By default, audit-mode App Control policies aren't set in Window Server 2025. Instead, organizations can use businesses can use the OSConfig tool to add these policies. OSConfig includes base policies (unsigned) that can be customized with supplemental policies to meet specific business needs. To learn more about this security enhancement, see Application Control for Windows.
Note
An Azure Monitor workbook simplifies the process of reviewing audit or block events that the operating system emits when App Control is activated. This workbook provides insights on file audit and block activity, along with:
- Collecting and sending Windows event logs for App Control for Business to your Log Analytics workspace.
- Identifying file and policy event activities by using various dashboards, charts, filters, and export capabilities. These features help you analyze and troubleshoot the effects and the status of your App Control policies.
- Refining your App Control policies by exporting the workbook data and ingesting it in the Microsoft App Control Wizard.
To begin using the Azure Monitor workbook for App Control for Business, see How to get insights into App Control for Business (WDAC) events.
Prerequisites
You must be running a production-signed Windows Server 2025 build on your device. This requirement ensures compliance with the App Control for Business policies.
Caution
Flight-signed binaries are not permitted. Failure to comply with this requirement results in the inability to start your device.
The OSConfig PowerShell module must be installed on your server device. See Install the OSConfig PowerShell module for details.
You must be running Windows 10 version 1909 or later on your client device, and have the App Control Wizard installed.
Note
If the client device doesn't have .NET Desktop Runtime 8.0 or later installed, the App Control Wizard will prompt you to download and install this application.
Manage default policies
To configure the default App Control policies in audit mode, open PowerShell as admin and run the following command:
Set-OSConfigDesiredConfiguration -Scenario AppControl\WS2025\DefaultPolicy\Audit -Default
Set-OSConfigDesiredConfiguration -Scenario AppControl\WS2025\AppBlockList\Audit -Default
To configure the default App Control policies in enforcement mode, open PowerShell as admin and run the following command:
Set-OSConfigDesiredConfiguration -Scenario AppControl\WS2025\DefaultPolicy\Enforce -Default
Set-OSConfigDesiredConfiguration -Scenario AppControl\WS2025\AppBlockList\Enforce -Default
Monitor event logs
To view captured events after you apply the App Control policy, choose any third-party application that you want to run on your device. If you set the App Control policy in audit mode, check if the operating system emitted event ID 3076 for any third-party applications. If you set the policy in enforcement mode, check if the operating system emitted event ID 3077.
The system detects attempts by the third-party application to access restricted content and takes measures to block access. To view and export these event logs, follow these steps:
- Right-click Start, and then select Event Viewer.
- On the left pane, go to Applications and Service Logs\Microsoft\Windows\CodeIntegrity\Operational.
- On the middle pane, look for event ID 3076 for audit mode or 3077 for enforcement mode.
Configure supplemental policies
To create supplemental App Control policies, follow these steps:
- Copy the
.evtx
log file from your server to your client device. - On the client device, open the App Control Wizard.
- On the Home screen, select Policy Editor.
- On the Policy Editor screen, select Convert Event Logs to a Policy. Then, under Parse Event Log evtx Files to Policy, select Parse Log File(s).
- In the Choose event logs to convert to policy dialog, locate your
.evtx
file, and then select Open. Select OK in the prompt, and then select Next. - On the File Rules screen, under Filename, select the file that you want to add to the policy.
- Under Rule Type, select Path, and then select + Add Allow.
- Repeat step 7 for all items that you want to add to the policy, and then select Next.
Note
By default, supplemental policies are stored in C:\Users\Username\Documents in XML format.
After the supplemental policy is generated, copy the XML file to your server and run the following script:
$policyPath = "<Path to the XML policy file>"
# Reset GUID (best practice)
Set-CIPolicyIdInfo -FilePath $policyPath -ResetPolicyID
# Set policy version (VersionEx in the XML file)
$policyVersion = "1.0.0.1"
Set-CIPolicyVersion -FilePath $policyPath -Version $policyVersion
# Set policy info (PolicyName and PolicyID in the XML file)
Set-CIPolicyIdInfo -FilePath $policyPath -PolicyID "<App name>-Policy_$policyVersion" -PolicyName "<App name>-Policy" # E.g. Set-CIPolicyIdInfo -FilePath $policyPath -PolicyID "Chrome-Policy_$policyVersion" -PolicyName "Chrome-Policy"
$base = "{9214D8EE-9B0F-4972-9073-A04E917D7989}"
Set-CIPolicyIdInfo -FilePath $policyPath -SupplementsBasePolicyID $base
#Set the new policy into the system
Set-OSConfigDesiredConfiguration -Scenario AppControl -Name Policies -Value $policyPath
To verify that the supplemental policies were applied, monitor event IDs 3076 and 3077 as described earlier in Monitor event logs. Verify that the operating system didn't generate any new events.
Query policies
To view the policies that are currently in effect in your environment, run the following command:
(Get-OSConfigDesiredConfiguration -Scenario AppControl).Value.PolicyInfo | Where-Object { $_.IsEffective -eq $true }
To view policies that are currently inactive in your environment, run the following command:
(Get-OSConfigDesiredConfiguration -Scenario AppControl).Value.PolicyInfo | Where-Object { $_.IsEffective -eq $false }
Output for these queries varies based on your policy configuration needs.