Create Supplemental App Control Policy
Use AppControl Manager to create Supplemental App Control policies for your base policies. Use Supplemental policies to expand the scope of your base policies by allowing more files or applications.
This page has 2 modes of operation:
- Create New Policy: In this mode, whenever you create a Supplemental policy, a new policy XML file will be created in the AppControl Manager directory.
- Add to Existing Policy: In this mode, you will have to select an existing App Control XML policy file so that any policy you create will be directly and automatically added to this policy and no new policy file will be created.
  - When this mode is active, elements related to Policy Name and Base Policy File will be automatically hidden since they won't be needed anymore.
With AppControl Manager, you can easily create a supplemental policy by scanning files or folders. If an application or file is being blocked by Application Control, use this feature to scan its files or installation directory. This process enables you to generate a supplemental policy that ensures the application or file can run seamlessly on your system.
- Browse For Files: Use this button to browse for files on the system. Multiple files can be added at once.
- Browse for Folders: Use this button to browse for folders on the system. Multiple folders can be added at once.
- Policy Name: Enter a name for the Supplemental policy. You will be able to use this name to detect it after deployment in the System Information section of the AppControl Manager.
- Base Policy File: Browse for the path to the base policy XML file that this Supplemental policy will be expanding.
- Scalability: Use this gauge to set the number of concurrent threads for the scan. By default, 2 threads are used. Increasing this number will speed up the scan but will also consume more system resources.
- Select Scan Level: You can choose from different scan levels. Refer to this page for all the information about them.
- Deploy After Creation: If toggled, only the supplemental policy XML file will be available in the User Configuration directory at the end of the operation. If it's not toggled, the CIP file will also be made available. Both files will have the same name as the policy name that you choose.
Tip
Use the View Detected File Details section to view highly detailed results of the files and folders scans.
If you have certificate .cer files, you can use this feature to scan them and create a Supplemental App Control policy based on them. Once deployed, it will allow any file signed by those certificates to run on the system.
- Browse For Certificates: Use this button to browse for certificate .cer files on the system. Multiple files can be added at once.
- Policy Name: Enter a name for the Supplemental policy. You will be able to use this name to detect it after deployment in the System Information section of the AppControl Manager.
- Base Policy File: Browse for the path to the base policy XML file that this Supplemental policy will be expanding.
- Signing Scenario: Choose between User Mode or Kernel Mode signing scenarios. If you choose User Mode, the supplemental policy will only allow User Mode files signed by that certificate to run, and Kernel Mode files such as drivers will remain blocked.
- Deploy After Creation: If toggled, only the supplemental policy XML file will be available in the User Configuration directory at the end of the operation. If it's not toggled, the CIP file will also be made available. Both files will have the same name as the policy name that you choose.
This supplemental policy does not explicitly permit any files or applications by default. Instead, it leverages the Intelligent Security Graph (ISG) to dynamically evaluate and automatically authorize trusted files and applications.
- Policy Name: Enter a name for the Supplemental policy. You will be able to use this name to detect it after deployment in the System Information section of the AppControl Manager.
- Base Policy File: Browse for the path to the base policy XML file that this Supplemental policy will be expanding.
- Deploy After Creation: If toggled, only the supplemental policy XML file will be available in the User Configuration directory at the end of the operation. If it's not toggled, the CIP file will also be made available. Both files will have the same name as the policy name that you choose.
This supplemental policy can be created only for Kernel-mode files/drivers, typically after creating and deploying the Strict Kernel-mode base policy. When you press the Create Supplemental Policy button, any logs available in the View Detected Kernel-mode files section will be included in the policy. You can select and delete logs that you don't want to be included.
- Auto Driver Detection: Use this feature to automatically detect all drivers on the system. The results will be available in the View Detected Kernel-mode files section at the bottom.
- Scan for All Kernel-mode logs: Use this button to scan the entire Code Integrity logs for Kernel-mode files and display the results in the View Detected Kernel-mode files section.
- Scan for All Kernel-mode logs Since Last Reboot: Use this button to scan the Code Integrity logs that were generated since the last computer reboot for Kernel-mode files and display the results in the View Detected Kernel-mode files section.
- Policy Name: Enter a name for the Supplemental policy. You will be able to use this name to detect it after deployment in the System Information section of the AppControl Manager.
- Base Policy File: Browse for the path to the base policy XML file that this Supplemental policy will be expanding.
- Deploy After Creation: If toggled, only the supplemental policy XML file will be available in the User Configuration directory at the end of the operation. If it's not toggled, the CIP file will also be made available. Both files will have the same name as the policy name that you choose.
You can create Supplemental policies for the installed packaged apps. These are modern apps packaged in MSIX files, such as the AppControl Manager itself, or many of the apps installed from the Microsoft Store.
- Policy Name: Enter a name for the Supplemental policy.
- Base Policy File: Browse for the path to the base policy XML file that this Supplemental policy will be expanding.
- Package Family Names: In this section, you can view the list of all installed apps. Use the search bar to look for a specific app and, after finding it, click/tap on it to select it.
  - Use the "Select All" and "Remove Selections" buttons to select/deselect all apps currently available in the list.
  - Use the Refresh button to refresh the list of installed apps in case you removed/installed any apps after the list was loaded.
- Deploy After Creation: If toggled, only the supplemental policy XML file will be available in the User Configuration directory at the end of the operation. If it's not toggled, the CIP file will also be made available. Both files will have the same name as the policy name that you choose.
Use this section to create custom pattern-based file rules so that if a file or folder's path matches that pattern, it will be allowed. The pattern is based on regex and supports * and ? characters. You can use this feature to create sophisticated file path rules that can dynamically match multiple files or folders.
Keep in mind that file rules are only supported for user-mode files. Using file rules for kernel-mode files simply has no effect.
- Policy Name: Enter a name for the Supplemental policy.
- Base Policy File: Browse for the path to the base policy XML file that this Supplemental policy will be expanding.
- Custom Pattern-based File Rule: Enter your pattern here. It will be used as is, without any further modifications. What you enter here will be what you see in the XML file.
- Deploy After Creation: If toggled, only the Supplemental policy XML file will be available in the User Configuration directory at the end of the operation. If it's not toggled, the CIP file will also be made available. Both files will have the same name as the policy name that you choose.
Tip
Use the More Information section to view examples and description of different patterns that you can use in this section.
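Two points on this page deserve a check before deployment: the Signing Scenario chosen for a certificate rule decides whether that certificate also authorizes kernel-mode code, and file path rules only have an effect for user-mode files. The script below is an added example (not code from AppControl Manager) that parses a supplemental policy XML and reports which signing scenario (Value 12 = User Mode, Value 131 = Kernel Mode) each allowed signer and file rule is referenced from, flagging signers that land in the kernel-mode scenario and FilePath rules that are referenced from it. The embedded policy, its signer name, TBS value and rule IDs are constructed for the example.

```python
"""Audit where a supplemental policy's rules land: user-mode or kernel-mode scenario."""
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
SCENARIOS = {"12": "User Mode", "131": "Kernel Mode"}

# Constructed sample: one certificate signer allowed in both scenarios and one
# FilePath rule referenced from the kernel-mode scenario (where it has no effect).
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
  <FileRules>
    <Allow ID="ID_ALLOW_PATH_1" FriendlyName="Example" FilePath="C:\\Program Files\\ExampleApp\\*" />
  </FileRules>
  <Signers>
    <Signer ID="ID_SIGNER_1" Name="Example Publisher"><CertRoot Type="TBS" Value="00" /></Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS">
      <ProductSigners>
        <AllowedSigners><AllowedSigner SignerId="ID_SIGNER_1" /></AllowedSigners>
        <FileRulesRef><FileRuleRef RuleID="ID_ALLOW_PATH_1" /></FileRulesRef>
      </ProductSigners>
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS">
      <ProductSigners>
        <AllowedSigners><AllowedSigner SignerId="ID_SIGNER_1" /></AllowedSigners>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>"""

def audit_policy(xml_text):
    """Map each signing scenario to its signers and file rules; return (report, findings)."""
    root = ET.fromstring(xml_text)
    names = {s.get("ID"): s.get("Name") for s in root.iterfind("si:Signers/si:Signer", NS)}
    path_rules = {r.get("ID") for r in root.iterfind("si:FileRules/si:Allow", NS) if r.get("FilePath")}
    report, findings = {}, []
    for sc in root.iterfind("si:SigningScenarios/si:SigningScenario", NS):
        mode = SCENARIOS.get(sc.get("Value"), "Unknown")
        signers = [names.get(a.get("SignerId"), a.get("SignerId")) for a in sc.iterfind(".//si:AllowedSigner", NS)]
        rules = [r.get("RuleID") for r in sc.iterfind(".//si:FileRuleRef", NS)]
        report[mode] = {"signers": signers, "file_rules": rules}
        if mode != "Kernel Mode":
            continue
        # Anything allowed here authorizes drivers; a user-mode-only intent should not show up.
        findings += [f"signer '{n}' also authorizes kernel-mode code (drivers)" for n in signers]
        # Path rules are user-mode only, so a kernel-mode reference is dead weight worth removing.
        findings += [f"FilePath rule {r} is referenced from the kernel-mode scenario and has no effect"
                     for r in rules if r in path_rules]
    return report, findings
```

Run `audit_policy` over the XML that AppControl Manager writes to the User Configuration directory to confirm the rules ended up in the scenario you intended.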