Deploy App Control policies by using Microsoft Configuration Manager

Note

Some capabilities of App Control for Business are only available on specific Windows versions. Learn more about App Control feature availability.

You can use Microsoft Configuration Manager to configure App Control for Business on client machines.

Use Configuration Manager's built-in policies

Configuration Manager includes native support for App Control, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:

  • Windows components
  • Microsoft Store apps
  • Apps installed by Configuration Manager (Configuration Manager self-configured as a managed installer)
  • (Optional) Reputable apps as defined by the Intelligent Security Graph (ISG)
  • (Optional) Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints.

Configuration Manager doesn't remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable App Control for Business altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.

Create an App Control Policy in Configuration Manager

  1. Select Asset and Compliance > Endpoint Protection > App Control for Business > Create Application Control Policy

    Create an App Control policy in Configuration Manager.

  2. Enter the name of the policy > Next

  3. Enable Enforce a restart of devices so that this policy can be enforced for all processes

  4. Select the mode that you want the policy to run (Enforcement enabled / Audit Only)

  5. Select Next

    Create an enforced App Control policy in Configuration Manager.

  6. Select Add to begin creating rules for trusted software

    Create an App Control path rule in Configuration Manager.

  7. Select File or Folder to create a path rule > Browse

    Select a file or folder to create a path rule.

  8. Select the executable or folder for your path rule > OK

    Select the executable file or folder.

  9. Select OK to add the rule to the table of trusted files or folder

  10. Select Next to navigate to the summary page > Close

    Confirm the App Control path rule in Configuration Manager.

Deploy the App Control policy in Configuration Manager

  1. Right-click the newly created policy > Deploy Application Control Policy

    Deploy App Control via Configuration Manager.

  2. Select Browse

    Select Browse.

  3. Select the Device Collection you created earlier > OK

    Select the device collection.

  4. Change the schedule > OK

    Change the App Control deployment schedule.

For more information on using Configuration Manager's native App Control policies, see App Control for Business management with Configuration Manager.

Download the entire App Control in Configuration Manager lab paper.

Deploy custom App Control policies using Packages/Programs or Task Sequences

Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. To define your own circle-of-trust, you can use Configuration Manager to deploy custom App Control policies using script-based deployment via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.