Windows Defender Application Control operational guide

Applies to

  • Windows 10
  • Windows 11
  • Windows Server 2016 and above


Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the Windows Defender Application Control feature availability.

You now understand how to design and deploy your Windows Defender Application Control (WDAC) policies. This guide explains how to understand the effects your policies have and how to troubleshoot when they aren't behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature.

In this section

Article Description
Debugging and troubleshooting This article explains how to debug app and script failures with WDAC.
Understanding Application Control event IDs This article explains the meaning of different WDAC event IDs.
Understanding Application Control event tags This article explains the meaning of different WDAC event tags.
Query WDAC events with Advanced hunting This article covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender for Endpoint.
Admin Tips & Known Issues This article describes some WDAC Admin Tips & Known Issues.
Managed installer and ISG technical reference and troubleshooting guide This article provides technical details and debugging steps for managed installer and ISG.
CITool.exe technical reference This article explains how to use CITool.exe.
Inbox WDAC policies This article describes the WDAC policies that ship with Windows and when they're active.