App Control for Business (formerly Windows Defender Application Control) is used by organizations to control which applications, scripts, and code are allowed or blocked from running on Windows devices.
When App Control for Business is configured in enforced mode, only code that matches the organization’s allow rules can run. Everything else is blocked. This can include:
- Traditional Win32 apps (.exe, .dll, etc.)
- Scripts, MSI installers, and PowerShell (which can be forced into Constrained Language Mode)
- Drivers and kernel-mode code
Organizations can design policies to:
- Block undesirable apps while auditing everything else.
- Lock down fully managed or fixed-workload devices so only approved apps run.
- Allow only apps that are:
  - Signed and trusted
  - Deployed by a managed installer such as Microsoft Intune
  - Installed in admin-only locations
  - Have a good reputation via Microsoft’s Intelligent Security Graph
They can also block specific executables that might be abused to bypass controls (for example, powershell.exe, wscript.exe, mshta.exe, wsl.exe, etc.), unless those tools are explicitly required.
If a device is managed by an organization and App Control for Business is configured to block certain software, end users on that device won’t be able to run those blocked apps unless the policy is changed by IT.
References:
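The policy design described above, put together as an added example (not code from the original post): start from the Windows-shipped DefaultWindows base policy, enable audit mode, managed installer and Intelligent Security Graph options, deny mshta.exe by file name, and compile the policy to the binary form Windows loads. It assumes an elevated PowerShell session on Windows 10/11 with the built-in ConfigCI module; the file paths and policy name are placeholders.

```powershell
# Added example: build an App Control for Business policy with the ConfigCI cmdlets.
# Assumptions: elevated session, ConfigCI module present, paths/names are placeholders.

$base   = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml"
$policy = "$env:TEMP\AppControlPolicy.xml"
$binary = "$env:TEMP\AppControlPolicy.cip"

# Deny a tool that is commonly abused to bypass controls, matched by file name.
# DefaultWindows allows Microsoft-signed code, but an explicit Deny wins over Allow.
$denyRules = New-CIPolicyRule -DriverFilePath "$env:windir\System32\mshta.exe" `
                              -Level FileName -Deny

# Merge the deny rule into a copy of the base policy.
Merge-CIPolicy -PolicyPaths $base -Rules $denyRules -OutputFilePath $policy

# Give the copy its own policy ID and name so it can coexist with other base policies.
Set-CIPolicyIdInfo -FilePath $policy -PolicyName "Example Base Policy" -ResetPolicyID

# Rule options (documented Set-RuleOption numbers):
#   3  = Enabled:Audit Mode   -> log what would be blocked instead of blocking it
#   13 = Enabled:Managed Installer -> trust files written by a configured managed
#        installer such as Intune (also requires the AppLocker managed-installer rules)
#   14 = Enabled:Intelligent Security Graph Authorization -> allow good-reputation apps
Set-RuleOption -FilePath $policy -Option 3
Set-RuleOption -FilePath $policy -Option 13
Set-RuleOption -FilePath $policy -Option 14

# Compile the XML to the binary policy. For deployment the .cip file is normally
# renamed to <PolicyID>.cip and pushed via Intune/MDM or placed under
# C:\Windows\System32\CodeIntegrity\CiPolicies\Active\
ConvertFrom-CIPolicy -XmlFilePath $policy -BinaryFilePath $binary

# Review audit events (Microsoft-Windows-CodeIntegrity/Operational, event ID 3076,
# "would have been blocked") until the allow rules cover everything legitimate,
# then remove audit mode and recompile to switch the policy to enforced mode:
#   Set-RuleOption -FilePath $policy -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $policy -BinaryFilePath $binary
```

Blocked executions then appear as event ID 3077 in the same log, which is the signal to watch for both legitimate apps that still need rules and for attempts to run the denied tools.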