# windows/wdac

WDAC (App Control for Business) policy — the **primary**, kernel-enforced application-control engine for SilverMetal Enhanced — Windows. AppLocker is the documented fallback only.

**Workflow (design-principle: balanced / audit-first):**

1. **M1** — author `silvermetal-base.xml` and deploy in **AUDIT** mode on the prototype unit; run real workloads; collect `CodeIntegrity` audit events.
2. **M2** — regenerate the policy from audit events (Windows + Stack + approved dev tools signed/allowed), compile to `.cip`, and **PROMOTE to ENFORCE**.

The base policy ships pre-authored in the SKU; the prototype builds it from its own audit logs.

See [`../hardening-spec.md`](../hardening-spec.md) Domain E.
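The M1 to M2 promotion described in the workflow, sketched in PowerShell with the ConfigCI cmdlets. This is an added example, not the project's own script; the working directory, output file names, rule levels, the multiple-policy format, and the choice to merge audit-derived rules into the base policy are all assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: audit-first promotion of a WDAC policy (M1 -> M2).
# Paths, output names and rule levels are assumptions, not project values.
$ErrorActionPreference = 'Stop'

$WorkDir    = 'C:\wdac-work'                                  # hypothetical
$BaseXml    = Join-Path $WorkDir 'silvermetal-base.xml'       # name from the README
$AuditXml   = Join-Path $WorkDir 'from-audit.xml'             # hypothetical
$EnforceXml = Join-Path $WorkDir 'silvermetal-enforce.xml'    # hypothetical

# M1 sanity check: the deployed base policy must still carry the audit option,
# otherwise the events collected below do not describe an audit-only run.
[xml]$base = Get-Content -Raw -Path $BaseXml
if ($base.SiPolicy.Rules.Rule.Option -notcontains 'Enabled:Audit Mode') {
    throw "$BaseXml is not in audit mode; refusing to build from its events."
}

# Event 3076 = "would have been blocked" while the policy is in audit mode.
$audit = @(Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
            -FilterXPath '*[System[(EventID=3076)]]' -ErrorAction SilentlyContinue)
Write-Host "Audit events collected: $($audit.Count)"
if ($audit.Count -eq 0) {
    throw 'No audit events found. Run real workloads under the audit policy first.'
}

# M2 step 1: generate allow rules from the audit events.
# Publisher rules where the file is signed, hash rules as the fallback.
New-CIPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs `
    -MultiplePolicyFormat -FilePath $AuditXml

# Review $AuditXml by hand here: every audited binary becomes an allow rule,
# so anything that is not an approved tool must be removed before merging.

# M2 step 2: merge into the base (first policy keeps its ID and options).
Merge-CIPolicy -PolicyPaths $BaseXml, $AuditXml -OutputFilePath $EnforceXml | Out-Null

# M2 step 3: promote to enforce by deleting rule option 3 (Enabled:Audit Mode).
Set-RuleOption -FilePath $EnforceXml -Option 3 -Delete

# M2 step 4: compile to {PolicyID}.cip, the file name the OS expects
# for multiple-policy-format policies.
[xml]$final = Get-Content -Raw -Path $EnforceXml
$Cip = Join-Path $WorkDir "$($final.SiPolicy.PolicyID).cip"
ConvertFrom-CIPolicy -XmlFilePath $EnforceXml -BinaryFilePath $Cip | Out-Null
Write-Host "Enforce-mode policy compiled to $Cip"

# Deployment is left to the project's own tooling; on Windows 11 22H2 and later,
# `CiTool.exe --update-policy <path-to-cip>` activates the policy without a reboot.
```

After the enforced policy is active, blocks appear in the same log as event 3077 rather than 3076, which is the signal to watch for anything the audit run missed.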