Deploying Windows Defender Application Control AppId tagging policies

Note

Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see Windows Defender Application Control feature availability.

Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagging policies can be deployed locally and to your managed endpoints in several ways. Once you've created your AppId tagging policy, deploy it with one of the following methods:

  1. Deploy AppId tagging policies with MDM
  2. Deploy policies with Configuration Manager
  3. Deploy policies using scripting
  4. Deploy using the ApplicationControl CSP

Deploy AppId tagging policies with MDM

Custom AppId tagging policies can be deployed to endpoints using the OMA-URI feature in MDM.

Deploy AppId tagging policies with Configuration Manager

Custom AppId tagging policies can be deployed via Configuration Manager by using deployment task sequences, which push the policies to your managed endpoints and users.

Deploy AppId tagging Policies via Scripting

Scripting hosts can be used to deploy AppId tagging policies as well. This approach is often best suited for local deployment, but it works for deployment to managed endpoints and users too. For more information on how to deploy WDAC AppId tagging policies via scripting, see Deploy WDAC policies using script. For AppId tagging policies, only the steps for deploying to Windows 10 version 1903 or later apply.
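The following script is an added example, not code from the original article or from Microsoft's documentation. It walks the local scripting path for a multiple-policy-format policy on Windows 10 version 1903 or later: read the policy GUID from the XML so the binary gets the required `{PolicyID}.cip` name, compile it with `ConvertFrom-CIPolicy`, then activate it without a reboot. The XML path, the RefreshPolicy.exe path and the use of `CiTool.exe` (present on Windows 11 2022 Update and later) are assumptions; the shape of CiTool's JSON output is assumed as well, so the final verification step only filters on the GUID text.

```powershell
# Added example, not part of the original article.
# Assumptions: $PolicyXml is the AppId tagging policy XML you authored (path assumed);
# $RefreshPolicyExe is a placeholder path to the older RefreshPolicy.exe tool;
# CiTool.exe is used when present (Windows 11 2022 Update and later).
$PolicyXml        = "C:\WDAC\AppIdTaggingPolicy.xml"   # assumed path
$RefreshPolicyExe = "C:\Tools\RefreshPolicy.exe"       # placeholder path

# 1. Multiple-policy-format binaries must be named <PolicyID>.cip.
#    Read the GUID (braces included) from the XML rather than typing it by hand.
[xml]$xml  = Get-Content -Path $PolicyXml
$policyId  = $xml.SiPolicy.PolicyID
if (-not $policyId) { throw "No <PolicyID> found; is this a multiple-policy-format XML?" }
$policyBin = Join-Path $env:TEMP "$policyId.cip"

# 2. Compile the XML into the binary the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $policyBin | Out-Null

# 3. Activate. CiTool copies the binary into the Active folder and refreshes in one step;
#    on older builds, copy it manually and run RefreshPolicy.exe, or fall back to a reboot.
$activeDir = Join-Path $env:windir "System32\CodeIntegrity\CiPolicies\Active"
if (Get-Command CiTool.exe -ErrorAction SilentlyContinue) {
    CiTool.exe --update-policy $policyBin --json
} else {
    Copy-Item -Path $policyBin -Destination (Join-Path $activeDir "$policyId.cip") -Force
    if (Test-Path $RefreshPolicyExe) {
        & $RefreshPolicyExe
    } else {
        Write-Warning "No refresh tool found; the policy activates after the next reboot."
    }
}

# 4. Verify the policy is present. Property names in CiTool's JSON are assumed, so the
#    check matches on the GUID text only.
if (Get-Command CiTool.exe -ErrorAction SilentlyContinue) {
    $guidText = $policyId.Trim('{', '}')
    $found = CiTool.exe --list-policies --json | Select-String -SimpleMatch $guidText
    if ($found) { "Policy $guidText is listed by CiTool." }
    else        { Write-Warning "Policy $guidText not reported by CiTool; check the event log." }
}
```

Run this from an elevated PowerShell session on the target device. Keeping the GUID sourced from the XML avoids the most common local-deployment mistake, a binary whose file name does not match its embedded PolicyID, which the kernel silently ignores.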

Deploying policies via the ApplicationControl CSP

Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.

However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from the device, not just the policies it added. This happens because the ApplicationControl CSP doesn't track the enrollment source of individual policies, even though it queries all policies on a device regardless of whether they were deployed by the CSP.

For more information, see ApplicationControl CSP to deploy multiple policies, and optionally use Microsoft Intune's Custom OMA-URI capability.

Note

WMI and Group Policy don't currently support multiple policies. If you can't directly access the MDM stack, use the ApplicationControl CSP via the MDM Bridge WMI Provider to manage multiple-policy-format Windows Defender Application Control policies.
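The script below is an added example for the ApplicationControl CSP path described above (it is not from the original article or from Microsoft). It sets the same CSP node an Intune custom OMA-URI profile would set, `./Vendor/MSFT/ApplicationControl/Policies/<PolicyGUID>/Policy` with Base64 policy data, but does so locally through the MDM Bridge WMI Provider, which is the route the note recommends when the MDM stack isn't directly reachable. The policy file path and GUID are placeholders; the WMI namespace and class name, the need to run as LocalSystem, and the brace-less GUID form of the instance ID are assumptions about the bridge provider.

```powershell
# Added example, not part of the original article.
# Assumptions: must run as LocalSystem (for example via "psexec -s powershell.exe");
# the bridge namespace/class names below are assumed; $PolicyBin path and GUID are placeholders.
$PolicyBin = "C:\WDAC\{00000000-0000-0000-0000-000000000000}.cip"   # placeholder path and GUID

$namespace       = "root\cimv2\mdm\dmmap"
$policyClassName = "MDM_ApplicationControl_Policies01_01"
$parentNode      = "./Vendor/MSFT/ApplicationControl/Policies"

# The CSP instance ID is the policy GUID without braces (assumption); take it from the file name
# so it cannot drift from the binary actually being pushed.
$policyId  = [System.IO.Path]::GetFileNameWithoutExtension($PolicyBin).Trim('{', '}')
$policyB64 = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($PolicyBin))

# Create the node on first deployment; update it in place on re-deployment so the same
# GUID is never registered twice.
$existing = Get-CimInstance -Namespace $namespace -ClassName $policyClassName -ErrorAction SilentlyContinue |
            Where-Object { $_.InstanceID -eq $policyId }
if ($existing) {
    Set-CimInstance -InputObject $existing -Property @{ Policy = $policyB64 }
    "Updated existing CSP policy node $policyId."
} else {
    New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{
        ParentID   = $parentNode
        InstanceID = $policyId
        Policy     = $policyB64
    } | Out-Null
    "Created CSP policy node $policyId."
}

# The CSP enumerates every policy on the device, not only the ones it deployed. Listing them
# here shows exactly what an MDM unenrollment would attempt to remove (see the caveat above).
Get-CimInstance -Namespace $namespace -ClassName $policyClassName |
    Select-Object InstanceID, ParentID |
    Format-Table -AutoSize
```

Because the CSP cannot tell its own policies from ones deployed by script or Group Policy, the final listing is worth capturing before any unenrollment so that locally deployed policies can be restored afterwards.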