WDAC is Microsofts Allow-listing technology that is built-in into the Windows operating system. Application control is a crucial line of defense for protecting enterprises given today's threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. More details can be found here

App Control was created out of the need for proper tooling in WDAC projects. Back in 2015, when the founders started digging into this technology, they quickly realized that without proper tooling it would be challenging to bring a WDAC project to a successful ending. Out of this need, the App control project was born. Get a more in-depth answer at our blog.

Yes ! We understand that in most environments there are multiple admins dealing with day to day WDAC operations. Select the your environment' button at the top left in the AppControl.Ai portal, just under your company name and navigate to the invite tab. Click the 'Invite User' button and provide a valid email address for additional admin you want in the portal. After clicking the Invite button, and email will be sent out to that account inviting that user to register themselves on the portal.

Out invite links stay valid for 7 days. If, for some reason, you were unable to complete the registration process within the given timeframe, you can re-send the invite link by selecting the expired email account from the Invites tab and clicking on the 'Resend invites' button.

After successful installation of the server agent, whenever an application is added to your Configmgr environment, it will automatically be processed by AppControl. This is handled by a Status Filter Rule. A trigger is configured to monitor new applications. Whenever a new application is detected, a commandline is launched to send your application to AppControl for processing.

After successful installation of the server agent, whenever an application modified in your Configmgr environment, it will automatically be processed by AppControl. This is handled by a Status Filter Rule. A trigger is configured to monitor application modification. Whenever a modification is detected, a commandline is launched to send your modified application to AppControl for processing.

AppControl uses Azure Blob Storage as an intermediate storage solution for transferring data from your environment to our processing back-end. As a result of this, the network requirements are the same as for regular azure blob storage usage : Firewall port : 443 (TCP) Firewall destination : *.blob.core.windows.net

The AppAnalyzer tool will generate entries to a logfile for each time an application is added or modified. This logfile can be found here : "C:\Windows\temp\appanalyser.log" on your primary site server. The picture below shows that an application is uploading to our back-end storage for processing. This is the first thing to validate. If sources are uploaded successfully, they will be processed at our and. It can take up to 3 hours before processed applications will be visible in the portal. If, after multiple hours, no applications are visible, you should reach out to us for further analysis. (A contact form is found at the bottom this FAQ page) If only some applications are visible in the portal, it probably means that we could not automatically process the applications that are not showing up. Please reach out to us so we can verify what could be the cause for this issue.

Microsoft provides a few options on finding back your Azure Tenant ID. For the latest information, please check this link for the Microsoft documentation.

A Support ID is a unique ID that was generated when your Configuration Manager environment got setup. App Control uses this support ID to link your environment to our back-end database. You can retrieve the support ID in the following 2 ways. 1) Get your support ID from the Configuration Manager console. Select the arrow in the upper left corner of the ribbon, and then choose About Configuration Manager. You can select and copy the support ID from the window that opens. 2) Run the following powershell script on your primary site server. Don't forget to replace the site-code with your actual site-code : Get-CimInstance -Namespace root\sms\site_<site-code> -ClassName sms_identification | select supportid

After the installation of the server agent, any application that is added or modified will automatically be processed. However, you probably have already multiple applications configured in your ConfigMgr environment that you would like to be processed by AppControl. We provide a powershell script that allows you to do just that. In the installation folder of your AdminUi you will find a subfolder called "AppAnalyzer". In this subfolder is a script called "BulkSelectApplications.ps1" Run this script with any user that has at least application admin rights within ConfigMgr. The script will launch a UI that lists all of the applications from your environment. Select the apps that you wish to have processed and click OK to kick-off the process. The "Add Criteria" button allows you to filter the applications on multiple criteria if you do not wish to select all applications. A logfile will be created in the tempfolder of the user that launches the bulkselectapplication.ps1 You can find the logfile in this location : C:\Users\<YourUser>\Appdata\Local\Temp\AppAnalyzer.log

The installation package of the Server Agent is based on the popular framework "Powershell App Deployment Toolkit" as this allows the most transparency in what happens during the installation. The installation performs 2 actions. It copies all the necessary binaries under a subfolder of your AdminUI installation folder. This subfolder is called "AppAnalyser" It creates a Status Filter Rule called "WDAC AppControl Application Analyser" to automatically process any new or modified applications. To Install the Server agent, perform the following tasks : Extract the binaries in a temporary folder on your Primary Site Server. Launch an admin powershell prompt from within that prompt, navigate to the folder you extracted the agent in Run the following commandline : Invoke-AppDeployToolkit.ps1 -DeploymentType 'install' The installation should only take a short time to complete. After the installation is completed, new or modified applications will automatically be processed by AppControl. We suggest you modify a simple application by adding a small comment to it to test the functionality of the agent. A logfile will be generated under "c:\windows\temp\appanalyser.log"

Click the "Download Server Agent" under the download section of the portal.

Yes. If for some reason you want to disable access to the portal for someone, navigate to the Users section by clicking on the 'Your environment' button. Clicking the Suspend button next to a user will disable immediate access for that user. This action can also be undone by enabling the account again if needed.

When creating a new environment for your company on the AppControl.AI portal, you can select 3 different options. Click the 'Select Application Management solution' dropdown and choose the most appropriate option for you : - Configuration Manager - Intune - Other management solution Depending on the chose option you will have to provide a SupportID for Configuration Manager or an Azure Tenant ID for Intune. We will provide you with a specific ID for the 'Other management solution'. These unique ID's allow us to link your applications back to your environment. After selecting the appropriate option, provide a meaningful name to identify your environment. Click the Save button to finalize your environment creation.

The installation/configuration of the client agent is based on the popular Powershell App Deployment Type (v4) framework. In order to configure the agent for your environment, you have to edit the 'Invoke-AppDeployToolkit.ps1' file. Go to the Variables section that starts around line 90 and edit the variables according to your liking. The essential variables to configure are : - Grouptag : This allows you group devices based on a self-chosen ID. For more information, click here. - Log_Analytics_WorkspaceID : Our agent can be used to send data to both your own Log Analytics workspace and our AppControl.AI Portal. Provide a proper Workspace ID for this to work. This can be found in the Agents options under the settings section in Log Analytics. The Workspace ID entry goes here. - Log_Analytics_SharedKey : For data to flow to Log Analytics, also a SharedKey is needed. This can be found in the Agents options under the settings section in Log Analytics. The Primary Key entry goes here. - AppControl_AI_DeviceLoggingKey : Here goes the API key that you can generate on the AppControl.AI Portal. See this FAQ for more information. - WDACLoggingEndpoints : This variable accepts a decimal value of 1, 2 or 3 that will control where the data is being uploaded to. Value 1 means that data is only sent to the Appcontrol.ai Portal. Value 2 sends the data only to Log Analytics and value 3 sends the data to both back-ends.

A group-tag is a way to assign devices to categories. This allows you to slice and dice our dashboards and WDAC results data to reflect only the data for certain categories, allowing you to focus on what is important at a specific point in time. If you want to assign different group-tags to different sets of devices, you need to create multiple installation packages that you then assign those sets of devices. The AppControl.AI Portal allows you to assign additional tags to a device so it can belong to multiple categories.

In order for your devices to talk to our back-end, you need to generate an API key. Click the 'Your Environments' button at the top left of the portal and navigate to the Environment tab. - Click on the Padlock Icon in the Actions column for the environment you wish to register devices to. - Click on the Generate button to generate a new API Key. Copy this key as you will need it in the configuration of the Client agent. Under the Downloads section of the portal, download the Client agent. Extract it and edit the Invoke-AppDeployToolkit.ps1 file to include the API key you just generated.