WDAC App Control Collect Data For App Control Manager
Query
DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
or ActionType startswith "AppControlCIScriptBlocked"
or ActionType startswith "AppControlCIScriptAudited"
//See https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Use-Microsoft-Defender-for-Endpoint-Advanced-Hunting-With-WDAC-App-Control#collecting-the-data-from-mde-advanced-huntingExplanation
This query is searching through a dataset called DeviceEvents to find specific types of security-related events. It filters the events to only include those where the ActionType begins with any of the following:
- "AppControlCodeIntegrity" - This likely refers to events related to application control and code integrity checks.
- "AppControlCIScriptBlocked" - This refers to events where scripts were blocked by application control.
- "AppControlCIScriptAudited" - This refers to events where scripts were audited by application control.
In simple terms, the query is looking for events related to application control and code integrity, specifically focusing on scripts that were either blocked or audited.
Details

Jay Kerai
Released: September 9, 2025
Tables
DeviceEvents
Keywords
DeviceEvents
Operators
|wherestartswithor