{
	"id": "5a7df760-3eb6-4311-ba27-a087da389e9a",
	"created_at": "2026-04-06T00:13:32.020314Z",
	"updated_at": "2026-04-10T03:24:29.426654Z",
	"deleted_at": null,
	"sha1_hash": "ec60d51eb726562cbaba5f1193860e22fb66bb3c",
	"title": "Application Control for Windows",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58898,
	"plain_text": "Application Control for Windows\r\nBy jsuther1974\r\nArchived: 2026-04-05 19:57:57 UTC\r\nYour organization's data is one of its most valuable assets... and adversaries want it. No matter what security\r\ncontrols you apply over your data, there are no controls to fully protect your most vulnerable target: the trusted\r\nuser sitting at the keyboard. When a user runs a process, that process shares the same access to your data that the\r\nuser has. So your sensitive information is easily transmitted, modified, deleted, or encrypted when a user,\r\nintentionally or not, runs malicious software. And with thousands of new malicious files created every day, relying\r\nsolely on traditional methods like antivirus (AV) solutions gives you an inadequate defense against new attacks.\r\nApplication control changes Windows from a place where all code runs unless your AV solution confidently\r\npredicts it's bad, to one where code runs only if your policy says so. The cyber threats you face change rapidly,\r\nand your defenses need to change too. Government and security organizations, like the Australian Signals\r\nDirectorate, frequently cite application control as one of the most effective ways to address the threat of\r\nexecutable file-based malware (.exe, .dll, etc.). It works alongside your AV solution to help mitigate security\r\nthreats by restricting the apps that users can run and even what code runs in the System Core (kernel).\r\nImportant\r\nAlthough application control can significantly harden your computers against malicious code, it's not a\r\nreplacement for antivirus. You should continue to maintain an active antivirus solution alongside App Control for\r\na well-rounded enterprise security portfolio.\r\nAlthough we call it application control, the code running on your system isn't always an app. 
Application control\r\nextends beyond apps to also cover scripts and Microsoft installers (MSI), command-line batch files, and even\r\ninteractive sessions of Windows PowerShell, which run in Constrained Language Mode.\r\nWindows includes two application control technologies you can use depending on your organization's specific\r\nscenarios and requirements:\r\nApp Control for Business (app control); and\r\nAppLocker\r\nApp Control and Smart App Control\r\nStarting in Windows 11 version 22H2, Smart App Control brings robust application control to consumers and to\r\nsome small businesses with simpler app portfolios. Smart App Control ensures only signed code runs or code\r\npredicted to be safe by our intelligent cloud-powered security service. When code is unsigned and the service is\r\nunable to predict with confidence that it's safe to run, then we block it. Over time, the code's reputation might\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control\r\nPage 1 of 3\n\nchange as the service processes new signals it receives. Meanwhile, code determined to be unsafe is always\r\nblocked.\r\nWhile Smart App Control is designed for consumers, we believe it's the ideal starting point for most organizations.\r\nAnd since we built it entirely upon App Control for Business, you can create a policy with the same security and\r\ncompatibility as Smart App Control that also trusts the line-of-business (LOB) apps your organization needs. The\r\nservice Smart App Control uses to predict what code is safe to run is also available in App Control for Business\r\nand called the Intelligent Security Graph (ISG).\r\nSmart App Control starts in evaluation mode and switches off within 48 hours for enterprise managed devices\r\nunless the user turns it on first. 
If you want to proactively turn off Smart App Control across your organization's\r\nendpoints, set the VerifiedAndReputablePolicyState (DWORD) registry value under\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\Policy as shown in the following table. After you change the\r\nregistry value, you must run CiTool.exe -r for the change to take effect.\r\nValue | Description\r\n0 | Off\r\n1 | Enforce\r\n2 | Evaluation\r\nImportant\r\nOnce you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.\r\nThe App Control policy used for Smart App Control comes bundled with the App Control Wizard policy authoring\r\ntool and is also found as an example policy at\r\n%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml. To use this example policy as a\r\nstarting point for your own policy, see Use the Smart App Control Policy to build your own base policy. When\r\nusing the Smart App Control example policy as the basis for your own custom policy, you must remove the option\r\nEnabled:Conditional Windows Lockdown Policy so it's ready for use as an App Control for Business policy.\r\nWindows edition and licensing requirements\r\nThe following table lists the Windows editions that support App Control for Business:\r\nWindows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education\r\nYes | Yes | Yes | Yes\r\nApp Control license entitlements are granted by the following licenses:\r\nWindows Pro/Pro Education/SE | Windows Enterprise E3 | Windows Enterprise E5 | Windows Education A3 | Windows Education A5\r\nYes | Yes | Yes | Yes | Yes\r\nFor more information about Windows licensing, see Windows licensing overview.\r\nWhat you should read next\r\nTo learn more about the two application control technologies available in Windows, read App Control for\r\nBusiness and 
AppLocker Overview.\r\nTo jump right in and get started creating policies, go revisit Smart App Control and Use the Smart App\r\nControl policy to build your own starter policy.\r\nSource: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control"
	],
	"report_names": [
		"windows-defender-application-control"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434412,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec60d51eb726562cbaba5f1193860e22fb66bb3c.pdf",
		"text": "https://archive.orkl.eu/ec60d51eb726562cbaba5f1193860e22fb66bb3c.txt",
		"img": "https://archive.orkl.eu/ec60d51eb726562cbaba5f1193860e22fb66bb3c.jpg"
	}
}