Skip to content

How To Create and Maintain Strict Kernel-Mode App Control Policy

A Strict Kernel-mode App Control policy is a special kind of policy that only enforces Kernel-mode drivers without affecting user-mode files. The AppControl Manager fully supports this unique policy and allows you to create and maintain it effortlessly.


Creating the Base Policy

Navigate to the Create App Control policy page and scroll down to the Create Strict Kernel-Mode Policy section.

creating new base strict kernel mode policy



  • Toggle the Audit switch. We need to deploy the base policy in Audit mode first in order to generate audit logs that we will use later.

  • Toggle the No flight root certificates switch if you don't plan to use this policy on the insider builds of Windows on (Dev or Canary channels). Those builds are signed with a different certificate. Release Preview and Beta builds are signed with production certificates and they will work either way.

  • Toggle the Deploy button and finally press the Create button. In few seconds, the policy will be created and deployed in Audit mode on the system.

Important

Restart your computer after deploying the policy. The reason we deploy it in Audit mode is that we need audit logs to be generated for kernel-mode drivers that belong to your hardware devices so we can create a supplemental policy for them to allow them to run.


Creating the Supplemental Policy

After restarting the system and relaunching the AppControl Manager, navigate to the System Information page. Press the Retrieve Policies button, locate the Strict kernel-mode base policy, and remove it from the system.


Removing app control policy using AppControl Manager



Once removed, redeploy the same base policy using the Create App Control policy page, but this time ensure that Audit Mode is disabled.


redeploy strict kernel mode base policy in enforced mode



Now navigate to the Create Supplemental Policy page. Scroll down to the Kernel-mode policy section.


Creating strict kernel mode supplemental policy



Press the Scan for Kernel-mode Logs Since Last Reboot button. It will begin fetching all kernel-mode Code Integrity logs that were generated since the last reboot that belong to signed files and will display the results in a data grid that is accessible by clicking/tapping on the View detected kernel-mode files section.


Scan for drivers since last reboot



While reviewing the detected kernel-mode drivers, you can right-click or tap + hold on a row to open a context menu that allows you to remove the driver from the list and it will be excluded from the supplemental policy.


kernel mode drivers results review



After reviewing and confirming the results, return to the Supplemental Policy creation page. Locate the strict kernel-mode base policy XML file you created earlier by using the file browser. Enable the Deploy After Creation toggle, then click/tap the Create Supplemental Policy button. This will generate the Supplemental Policy and automatically deploy it to the system.

In the future, you can follow the same steps to allow additional kernel-mode files in your base policy by creating separate Supplemental Policies as needed. Additionally, you can explore other powerful features of AppControl Manager, such as scanning the system for logs or authorizing new applications and drivers for streamlined policy management.