Introduction
When it comes to controlling apps on a Windows endpoint, I used to see App Control for Business as a headache to set up and maintain. But after dealing with the initial pain and figuring things out, I realised that with the right planning and tools, it's totally doable and can give you much stronger security without making life harder. In this post, I'll cover the basics and share the best practices that got me through it. Hopefully, you can get started with App Control for Business without the same pains I had.
What Is App Control for Business?
App Control for Business is a built-in Windows technology that controls which applications, scripts and drivers can run on a device. It enforces an allowlist model: only explicitly trusted software is permitted to execute. Everything else is blocked by default. This is fundamentally different from traditional antivirus, which uses a blocklist model - reacting to known threats after signatures exist. However, App Control for Business can also be configured to allow all applications while blocking specific ones, even though this is not its primary design purpose.
Enforcement happens at the kernel level and applies device-wide. Even local administrators cannot bypass it. This is what makes App Control for Business the strongest application control mechanism available in the Windows ecosystem.
Why It Matters in Secure Environments
If you are advising an organization focused on robust endpoint security, App Control for Business should be on your radar for several reasons:
- Ransomware prevention: Unauthorized executables and scripts are blocked before they can execute.
- Zero-day protection: No signature needed - if it is not on the allowlist, it does not run.
- Compliance and governance: Only IT-approved software operates on managed devices. Shadow IT is eliminated.
- Security frameworks: Application control is a top-tier mitigation strategy in most security frameworks worldwide.
The technology reached general availability in Microsoft Intune in August 2025 and is now Microsoft’s recommended application control solution, replacing AppLocker for new deployments.
App Control for Business vs. AppLocker
Many organizations still run AppLocker. Here is why you should steer them towards App Control for Business:
| App Control for Business | AppLocker | |
|---|---|---|
| Enforcement | Kernel-level, device-wide | User-mode, per-user/group |
| Security boundary | Defensible security feature | Defense-in-depth only |
| Kernel driver control | Yes | No |
| Bypass resistance | High | Multiple known bypasses |
| Managed Installer | Yes | No |
| Multiple policies | Base + supplemental | Single policy per GPO |
| Intune native | Full CSP support | Limited |
| Active development | Yes | Feature-complete, fixes only |
The key takeaway: AppLocker is not a security boundary. Microsoft says so explicitly. App Control for Business is. The trade-off is that App Control for Business has a steeper learning curve, higher risk from misconfiguration - a bad policy can prevent Windows boot.
That said, there are scenarios where AppLocker is actually the smarter choice. Consider sticking with AppLocker if:
- Your environment includes Windows 7 and earlier versions, and you want to enforce policies consistently across all of them.
- You're managing shared machines where different users need different restrictions.
Another approach is combining both tools. You can deploy App Control for Business as your baseline security layer, then layer AppLocker on top for granular, user-based rules. This works well for shared endpoints where specific users shouldn't access certain applications.
Your Toolbox: AppControl Manager
Before diving into the deployment steps, get your tooling right: AppControl Manager is an amazing open-source application for managing App Control for Business policies, developed by Microsoft MVP Violet Hansen. Available on the Microsoft Store:
HotCakeX
What it gives you:
- Create base and supplemental policies from templates with a few clicks
- Parse Code Integrity and AppLocker event logs to auto-generate allow rules
- Import and analyse MDE Advanced Hunting exports to build policies from centralised telemetry
- Simulate policy enforcement against files before deploying
- Edit, merge, validate, and deploy policies
- Build code signing certificates for policy signing
It has zero third-party dependencies. Everything is comprehensively documented on GitHub. If you are doing App Control work, this tool should be your starting point!
Policy Architecture: What You Need to Know
Base vs. Supplemental Policies
A base policy defines the core set of user-mode and kernel-mode rules for the devices. It can contain both allow and deny rules. Deny rules always take precedence over allow rules. A base policy can also be configured in a deny-only manner - for example, to allow all applications except specific ones. Each device can have one or more base policies applied.
A supplemental policy can contain only allow rules. It extends a specific base policy by reference and adds additional allowed applications. Multiple supplemental policies can extend the same base policy without limitation.
Base Policy Templates
App Control for Business provides three base policy templates, which can be used to allow certain core applications. These templates are ordered from the most restrictive to the most permissive:
- Default Windows Mode: Only Windows OS components, Store apps, Office 365, OneDrive, Teams, and WHQL-signed drivers. Best for locked-down endpoints.
- Allow Microsoft Mode: Everything above plus all Microsoft-signed software. Good starting point for most enterprise deployments.
- Signed and Reputable Mode: Everything above plus apps trusted by the Microsoft Intelligent Security Graph (ISG). Broadest compatibility, but requires internet connectivity for ISG lookups.
Recommendations
- Assign a single base policy from one of the templates above to all devices, and use supplemental policies that reference this base policy to allow specific applications on different devices. This provides both control and flexibility for varied workloads.
- Create one supplemental policy per app. This approach simplifies updates, troubleshooting, and removal. You’ll end up with many policies in Intune, but this is the way.
- Use separate policies when you need to create block rules - for example, a policy for the Microsoft-recommended user and kernel block lists. Use the AppControl Manager to create these policies.
Managed Installer
Managed Installer is the feature that makes App Control for Business practical at scale. When you designate the Intune Management Extension (IME) as a managed installer, Windows tags every file the IME writes to disk. App Control then trusts those tagged files automatically - no explicit rules needed per application.
This means: deploy an app through Intune, and it just works. No supplemental policy required for Intune-delivered apps. This single feature eliminates the bulk of the policy maintenance burden.
Managed installer tagging is not retroactive - apps deployed before the enablement of managed installer are not tagged and therefore not trusted.
Deploying App Control for Business
Here is the practical playbook for rolling out App Control for Business in an enterprise environment:
Step 1: Install AppControl Manager
Install AppControl Manager from the Microsoft Store or GitHub on your test device. Familiarise yourself with the interface. This is where you will create, edit, and test all your policies.
Step 2: Deploy Managed Installer and Base Policy in Audit Mode
Configure the Intune Management Extension as a managed installer through the Intune admin center (Endpoint Security > App Control for Business > Managed Installer tab) as early as possible. It doesn't hurt.
After that deploy a base policy in audit mode via AppControl Manager to Intune to start collecting data. Choose the "Allow Microsoft Mode" template as a solid starting point for most environments. Apart from the default options, make sure you enable:
- Managed Installer (Option 13): This is critical. Enable it from day one so the tagged apps are allowed.
- Allow Supplemental Policies (Option 17): You will need this for per-app policies later.
- Audit Mode: Nothing gets blocked. The policy only logs what would be blocked in enforcement mode.
Check the other rule options available for the base policy:
jsuther1974
Step 3: Collect and Analyze Logs
With audit mode active, App Control for Business generates events for every binary, script, and driver that would have been blocked. These appear in the Code Integrity Operational log locally and can be forwarded to Microsoft Defender for Endpoint Advanced Hunting for centralized analysis.
Let the audit run for a meaningful period - at least two to four weeks - to capture application usage across update cycles, monthly patching, and varied user workflows. Use MDE Advanced Hunting KQL queries, export the data and import it into AppControl Manager for analysis:
HotCakeX
Step 4: Create Supplemental Policies Per App
For each application that shows up in your audit logs and is not covered by the base policy or managed installer, create a dedicated supplemental policy. Use AppControl Manager to generate these from event logs, MDE Advanced Hunting logs, directory scans, or certificate files.
Practical guidance
- Use publisher rules where possible – they survive application updates.
- Fall back to hash rules for unsigned or irregularly signed software.
- Name each supplemental policy clearly (e.g., "Supplemental – Google Chrome", "Supplemental – Zoom Client").
- Store all policy XML files in a central repository for version control. This is critical for operational consistency and traceability.
Step 5: Iterate and Refine
Continue monitoring audit events after deploying your supplemental policies. New applications, updates, and edge cases will surface. Repeat the cycle: review logs, create or update supplemental policies, redeploy. The goal is to reach a state where audit logs show zero blocks for legitimate business software.
Step 6: Switch to Enforced Mode
Once you are confident that all required applications are covered:
- Switch the base policy from audit to enforced mode.
- Roll out enforcement in stages: pilot group first, then department by department.
- Keep monitoring closely after each rollout phase.
- Have a rollback plan: keep the audit-mode policy version ready to redeploy quickly if issues arise.
Step 7: Ongoing Operations
App Control is not a deploy-and-forget solution. Build these into your organization’s operational processes:
- New app deployments through Intune are automatically covered by Managed Installer.
- For apps deployed outside the managed installer, create a supplemental policy before or immediately after deployment.
- Periodically review and merge the Microsoft recommended user-mode and kernel-mode block rules into your base policy.
- Consider signing your policies for tamper protection in high-security environments.
Wrapping Up
App Control for Business is the most powerful application control technology available on Windows today. The learning curve is real, but the deployment approach is straightforward: get your tooling, deploy early in audit mode with Managed Installer, analyse your logs, build per-app supplemental policies, and transition to enforcement when ready.
The earlier you begin collecting audit data, the smoother the path to enforcement will be. The combination of Managed Installer, supplemental policies, and AppControl Manager makes this manageable even in complex enterprise environments.
Member discussion