Manage Packaged Apps with Windows Defender Application Control
Note
Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the WDAC feature availability.
This article for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy.
Comparing classic Windows Apps and Packaged Apps
The biggest challenge in adopting application control is the lack of a strong app identity for classic Windows apps, also known as win32 apps. A typical win32 app consists of multiple components, including the installer that is used to install the app, and one or more exes, dlls, or scripts. An app can consist of hundreds or even thousands of individual binaries that work together to deliver the functionality that your users understand as the app. Some of that code may be signed by the software publisher, some may be signed by other companies, and some of it may not be signed at all. Much of the code may be written to disk by a common set of installers, but some may already be installed and some downloaded on demand. Some of the binaries have common resource header metadata, such as product name and product version, but other files won't share that information. So while you want to be able to express rules like "allow app Foo", that isn't something Windows inherently understands for classic Windows apps. Instead, you may have to create many WDAC rules to allow all the files that comprise the app.
Packaged apps on the other hand, also known as MSIX, ensure that all the files that make up an app share the same identity and have a common signature. Therefore, with packaged apps, it's possible to control the entire app with a single WDAC rule.
Using WDAC to Manage Packaged Apps
Important
When controlling packaged apps, you must choose between signer rules or Package Family Name (PFN) rules. If any Package Family Name (PFN) rule is used in your WDAC base policy or one of its supplemental policies, then all packaged apps must be controlled exclusively using PFN rules. You can't mix-and-match PFN rules with signature-based rules within a given base policy's scope. This will affect many inbox system apps like the Start menu. You can use wildcards in PFN rules on Windows 11 to simplify the rule creation.
Creating signature-based rules for Packaged Apps
All of the files that make up an MSIX app are signed with a common catalog signature. You can create a signer rule from the MSIX app's installer file (.msix or .msixbundle) or from the AppxSignature.p7x file found in the app's installation folder under %ProgramFiles%\WindowsApps\ using the New-CIPolicyRule PowerShell cmdlet. For example:
Create signer rule from MSIX/MSIXBUNDLE
$FilePath = $env:USERPROFILE+'\Downloads\WDACWizard_2.1.0.1_x64_8wekyb3d8bbwe.MSIX'
$Rules = New-CIPolicyRule -DriverFilePath $FilePath -Level Publisher
Then use the Merge-CIPolicy PowerShell cmdlet to merge your new rule into your existing WDAC policy XML.
Create signer rule from AppxSignature.p7x
$FilePath = $env:ProgramFiles+'\WindowsApps\Microsoft.WDAC.WDACWizard_2.1.0.1_x64__8wekyb3d8bbwe\AppxSignature.p7x'
$Rules = New-CIPolicyRule -DriverFilePath $FilePath -Level Publisher
Then use the Merge-CIPolicy PowerShell cmdlet to merge your new rule into your existing WDAC policy XML.
Creating PackageFamilyName rules for Packaged Apps
Create PFN rules from PowerShell
You can create PFN rules directly from packaged apps that are currently installed using the Get-AppXPackage and New-CIPolicyRule PowerShell cmdlets. For example:
# Query for the packaged apps. This example looks for all packages from Microsoft.
$Packages = Get-AppXPackage -Name Microsoft.*
foreach ($Package in $Packages)
{
$Rules += New-CIPolicyRule -Package $Package
}
Then use the Merge-CIPolicy PowerShell cmdlet to merge your new rule(s) into your existing WDAC policy XML.
Create PFN rules using the WDAC Wizard
Create PFN rule from an installed MSIX app
Use the following steps to create a WDAC PFN rule for an app that is installed on the system:
- From the Policy Signing Rules page of the WDAC Wizard, select Add Custom Rule.
- Check Usermode Rule as the Rule Scope, if not checked.
- Select either Allow or Deny for your Rule Action.
- Select Packaged App for your Rule Type.
- In the Package Name field, enter a string value to search. You can use
?or*wildcards in the search string. Then select Search. - In the results box, check one or more apps for which you want to create rules.
- Select Create Rule.
- Create any other rules desired, then complete the Wizard.
Create a PFN rule using a custom string
Use the following steps to create a PFN rule with a custom string value:
- Repeat steps 1-4 in the previous example.
- Check the box labeled Use Custom Package Family. The Search button label changes to Create.
- In the Package Name field, enter a string value for your PFN rule. You can use
?or*wildcards if targeting Windows 11 devices. Then select Create - In the results box, check one or more apps for which you want to create rules.
- Select Create Rule.
- Create any other rules desired, then complete the Wizard.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for