Happy WDAC Wednesday! Application Control for Business (ACFB) is a very powerful solution that greatly reduces the risk of malware running in an organisation; however, by design it blocks any software that is not allowed by the policy.
This can be very impactful to the business, potentially preventing them from using applications critical to their daily duties, resulting in lost productivity and frustration. These risks are especially high during the phase where the transition from audit to enforcement mode is occurring.
Organisational change management is key, but the focus today is planning for failure: expect the worst, and make sure your rollback plan works in the scenarios where it may be needed, so that the transition and any bumps along the way are as smooth as possible.
Audit mode advantage
The use of audit mode is the first step in that process, and there was an entire WDAC Wednesday dedicated to this topic. As a short summary: audit mode lets you deploy a policy and monitor software executions without blocking any of them; anything that would have been blocked is recorded in the Code Integrity event log instead. Whilst in audit mode you can continue to refine the policy and reduce the impact over time before transitioning to enforcement mode.
Only move to enforcement mode when you are ready, and if necessary roll back to audit mode!
Enforcement mode impact
In any IT implementation things can and do go wrong, with varying levels of impact to end users, and in the case of application control that impact is that applications may stop working. Enforcement mode is generally the first time end users are impacted, for reasons such as missed applications or policy misconfiguration.
User-impacting changes are generally rolled out via staged release rings, starting with a small number of users first, and this is especially relevant for application control solutions. Rolling out to too many users at a time could cause widespread impact and potentially overwhelm the IT support teams' ability to support the business.
Updating the policy and "rolling forward" to fix the issues is certainly an option, but if the impact on the business is too great, or the number of fixes required is overwhelming, you need to be able to roll back knowing that the process works and can be performed under pressure.
Rolling back ACFB policies
Being able to roll back from enforcement to audit mode, if required, remediates the impact to users; knowing that the rollback works and can be done rapidly is what keeps that impact short.
Microsoft provides documentation on deploying policies, which can be used to re-deploy an audit-mode policy, and also provides guidance on removing application control policies entirely. The exact process depends on your implementation and on the deployment tooling you use, such as Intune or MECM. That is why you should test the rollback as part of the deployment, so you know it works and what the steps are; you don't want to be testing it for the first time during a P1 or P2 incident.
Be aware: rolling back from enforcement to audit mode generally requires a reboot, and there are additional steps if you are rolling back a signed policy. A signed policy can only be replaced by a policy signed by one of its authorised update signers, and removing it entirely requires first deploying a signed update that enables the "Unsigned System Integrity Policy" option, rebooting, and only then deleting the policy.
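As an added example (not from the original post or from Microsoft's documentation), the script below does the audit-mode switch described above and the enforce-to-audit rollback in one place: it re-enables the audit rule option on the enforced policy XML, bumps the version, rebuilds the binary with the same PolicyID, deploys it with CiTool, and after the reboot checks the registered policy and the Code Integrity event log. The file paths, the version string, the output folder and the event-count window are assumptions; it assumes the multiple-policy format (binary named {PolicyID}.cip) and an unsigned policy, since a signed policy would need the rebuilt XML re-signed before deployment.

```powershell
#Requires -RunAsAdministrator
# Added example: build, deploy and verify an audit-mode rollback of an enforced
# App Control policy. Paths, version and window below are assumptions.
Import-Module ConfigCI

function New-AuditRollbackPolicy {
    param(
        [Parameter(Mandatory)] [string]$EnforcedXml,   # the XML deployed in enforce mode
        [Parameter(Mandatory)] [string]$OutDir,
        [Parameter(Mandatory)] [string]$NewVersion     # must be higher than the deployed version
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $auditXml = Join-Path $OutDir 'AuditRollback.xml'
    Copy-Item -Path $EnforcedXml -Destination $auditXml -Force

    # Rule option 3 = "Enabled:Audit Mode": executions are logged (event 3076), not blocked.
    Set-RuleOption -FilePath $auditXml -Option 3
    # Code Integrity ignores an update whose version is not higher than the active policy.
    Set-CIPolicyVersion -FilePath $auditXml -Version $NewVersion

    # Keep the same PolicyID so this replaces the enforced policy instead of adding a
    # second one. Multiple-policy-format binaries are named {PolicyID}.cip.
    $policyId = ([xml](Get-Content -Path $auditXml -Raw)).SiPolicy.PolicyID
    $auditBin = Join-Path $OutDir "$policyId.cip"
    ConvertFrom-CIPolicy -XmlFilePath $auditXml -BinaryFilePath $auditBin | Out-Null
    [pscustomobject]@{ PolicyID = $policyId; Xml = $auditXml; Binary = $auditBin }
}

function Deploy-AuditRollbackPolicy {
    param([Parameter(Mandatory)] [string]$BinaryPath)
    # CiTool ships with Windows 11 22H2 and later. On Intune/MECM-managed devices push
    # the audit version through that channel instead, so the next sync does not undo it.
    $citool = Join-Path $env:SystemRoot 'System32\CiTool.exe'
    & $citool --update-policy $BinaryPath
    if ($LASTEXITCODE -ne 0) { throw "CiTool --update-policy failed (exit code $LASTEXITCODE)" }
    # The audit/enforce switch only takes effect after a restart.
}

function Test-AuditRollback {
    # Run after the reboot. Compares the registered policy with what the event log shows.
    param([Parameter(Mandatory)] [string]$PolicyId, [int]$Minutes = 60)
    $citool = Join-Path $env:SystemRoot 'System32\CiTool.exe'
    $active = (& $citool --list-policies -json | ConvertFrom-Json).Policies |
        Where-Object { $_.PolicyID.Trim('{}') -eq $PolicyId.Trim('{}') }
    if (-not $active) { throw "Policy $PolicyId is not registered on this device" }

    # 3076 = would have been blocked (audit); 3077 = blocked (enforce).
    $since = (Get-Date).AddMinutes(-$Minutes)
    $log   = 'Microsoft-Windows-CodeIntegrity/Operational'
    $audit = @(Get-WinEvent -FilterHashtable @{LogName=$log; Id=3076; StartTime=$since} -ErrorAction SilentlyContinue).Count
    $block = @(Get-WinEvent -FilterHashtable @{LogName=$log; Id=3077; StartTime=$since} -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{
        PolicyID    = $PolicyId
        Version     = $active.VersionString
        IsEnforced  = $active.IsEnforced   # expect False once the audit policy is active
        AuditEvents = $audit               # should start appearing for anything not yet allowed
        BlockEvents = $block               # should stop growing after the reboot
    }
}

# Usage (assumed paths):
# $p = New-AuditRollbackPolicy -EnforcedXml 'C:\ACFB\Policy.xml' -OutDir 'C:\ACFB\Rollback' -NewVersion '1.0.0.2'
# Deploy-AuditRollbackPolicy -BinaryPath $p.Binary
# Restart-Computer
# Test-AuditRollback -PolicyId $p.PolicyID
```

Keep the rollback binary (and, for signed policies, its signed counterpart) staged where the support team can reach it before enforcement starts; the point of the post-reboot check is that "IsEnforced" flips to False and 3077 events stop, which is the evidence you want captured during the rehearsal rather than during an incident.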