Best application control without a kernel driver

Buyer’s guide for MSPs

Application control — the discipline of allowlisting only approved executables and blocking the rest — has historically required a kernel-mode driver. Kernel-mode drivers see every process spawn and every binary load, which is exactly what you need for high-fidelity blocking. They are also exactly the wrong place for software bugs: a kernel-mode bug is a bluescreen, a boot loop, or an entire fleet of endpoints offline at once.

Several MSPs have learned this the hard way. After a high-profile kernel-driver outage, "application control without a kernel driver" went from a niche preference to a serious procurement requirement.

Kernel-free application control trades a small amount of detection depth for substantially better operational reliability — no BSOD class of failure, no driver-signing dance when Microsoft renews certificate authorities, no Remote Desktop Session Host instability, and no requirement to call back to a cloud service to enforce policy.

What to look for

  1. No kernel driver. Look for products explicit about running entirely in user-mode or as a Microsoft-supplied built-in (AppLocker, Windows Defender Application Control). Some vendors describe themselves as "kernel-driver-free" while still installing a filter driver — read the technical documentation carefully.
  2. Pre-approval by signed installer. Allowlisting by file hash means every vendor update breaks your policy. Allowlisting by signing certificate (preferably with a publisher and product-name match) survives normal vendor updates without operator intervention.
  3. No mandatory cloud callback. For clients in remote, regulated, or air-gapped environments, the application-control product must enforce policy locally without requiring a cloud round-trip.
  4. Remote Desktop Session Host support. Kernel-mode agents have a long history of instability on RDS hosts because every session spawns processes that the kernel agent has to mediate. Kernel-free designs typically handle RDS far better.
  5. Coexistence with EDR / AV. Application control sits alongside Defender / Huntress / Sophos / SentinelOne / CrowdStrike. The product must coexist cleanly with whatever EDR / AV the customer already has.
  6. Audit-evidence integration. Allowlist events should flow into your CMMC / NIST 800-171 / CIS evidence automatically.
  7. Cross-platform coverage. Look for application control on macOS and Linux as well, particularly for regulated client tiers where ringfencing applies across the whole fleet.
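Item 6 asks for allowlist events to become audit evidence, and item 3 of the option list below stresses testing policies before enforcing them. The following PowerShell is an added example (not code from this page or from any vendor it names) that collects AppLocker audit and block events from the built-in Windows event log into a CSV; the output path is a placeholder.

```powershell
# Added example, not code from the page or from any product it names: export AppLocker
# audit/block events from the built-in Windows log as compliance evidence.
# Event IDs in the "EXE and DLL" log: 8003 = would have been blocked (audit-only mode),
# 8004 = blocked (enforce mode). Assumption: $outFile is a placeholder path.
$outFile = 'C:\Evidence\applocker-events.csv'   # placeholder, choose your own
$since   = (Get-Date).AddDays(-7)

# -ErrorAction SilentlyContinue suppresses the "no events found" error on clean hosts.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = $since
}

if (-not $events) {
    "No AppLocker audit/block events since $since"
    return
}

$rows = foreach ($e in $events) {
    # The structured fields live in the event's UserData payload, not in Message.
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Computer  = $e.MachineName
        Outcome   = if ($e.Id -eq 8004) { 'Blocked' } else { 'AuditOnly-WouldBlock' }
        UserSid   = $d.TargetUser       # SID of the account that attempted the launch
        FilePath  = $d.FilePath
        Publisher = $d.Fqbn             # fully qualified binary name; empty when unsigned
        Sha256    = $d.FileHash
        Policy    = $d.PolicyName
        Rule      = $d.RuleName
    }
}

# Summary first (what an assessor asks for), then the full evidence set.
$rows | Group-Object Outcome | Select-Object Name, Count
$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
```

Run it on a host still in audit-only mode to see which legitimate software the policy would have blocked before switching to enforce; the same CSV then serves as the evidence artefact once enforcement is on.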

Options to evaluate

Lavawall®: Kernel-free application control bundled with the rest of the platform

Application control without a kernel driver — no BSOD risk, no driver-signing dance, works on Remote Desktop Session Hosts, runs standalone on any modern Windows fleet. Pre-approves by signed installer (not file hash), so vendor updates don't break the allowlist on Patch Tuesday. Works without callback to the cloud. Bundled into the Lavawall® platform with patching, GRC, M365 / Azure / Entra and Google Workspace breach detection, helpdesk, and remote support.

Best when: MSPs that want application control without the kernel-driver failure modes, bundled with the rest of their security and compliance stack.

Microsoft Windows Defender Application Control (WDAC): Microsoft-built allowlisting with no third-party driver

Built into Windows. Enforces policy at the kernel level via Code Integrity but does not require a third-party driver. Powerful but operationally complex — policy authoring is non-trivial and ecosystem tooling is thinner than commercial offerings.

Best when: Mature security teams with the engineering bandwidth to maintain WDAC policies and the discipline to test policies before broad rollout.

Microsoft AppLocker: Built-in Windows allowlisting

Built into Windows. Easier to author than WDAC; less robust against modern bypass techniques. Useful as a starting point for organisations early on the application-control journey.

Best when: Smaller environments with simple application portfolios that just need a baseline allowlist.

ThreatLocker: Kernel-driver application control with ringfencing

Mature kernel-driver-based application control with deep ringfencing (network, registry, file, child-process). Highest detection depth. Trade-offs in BSOD risk, driver-signing maintenance, and RDS host stability are inherent to kernel-mode designs.

Best when: MSPs that have committed to a kernel-level zero-trust ringfencing model and have the engineering bandwidth to maintain it.

Airlock Digital: Application allowlisting

Mature application control product common in Australian and ASD-aligned environments. Supports Essential Eight allowlisting maturity requirements.

Best when: Australian government contractors and Essential Eight Maturity Level 2+ environments.

How Lavawall® fits

Lavawall® was designed deliberately to deliver application control without a kernel driver. The pricing page describes the design goal directly: "Replace ThreatLocker and AutoElevate with a faster, lighter approach — built for MSPs who got burned by kernel-level agents."

The technical approach: pre-approve installers by signing certificate, enforce policy locally without requiring a cloud round-trip, run cleanly on Remote Desktop Session Hosts, and avoid the driver-signing dance entirely. The trade-off is a slightly shallower ringfencing model than the deepest kernel-driver products — Lavawall® controls execution and elevation rather than every network/registry/file syscall — but for the vast majority of MSP clients that trade-off is the right one.

Because Lavawall® is also the patching, configuration-assessment, GRC, and breach-detection platform, application-control events flow directly into compliance evidence (CMMC 2.0, NIST 800-171, CIS Controls v8 IG2/IG3, Australian Essential Eight) without a separate integration tax.

Frequently asked

Why does kernel-mode matter so much?
A kernel-mode driver runs in ring 0, with full access to memory and hardware. A bug in kernel code is a bluescreen (BSOD), a boot loop, or — at scale — an entire fleet of endpoints simultaneously unbootable. Kernel-mode also requires a vendor-signed driver, which means the certificate authority chain, the driver-signing process, and Microsoft's kernel-driver attestation all become operational dependencies. Kernel-free application control removes the entire failure class.
Does removing the kernel driver weaken the security model?
It removes some detection depth — specifically, the ability to mediate every individual syscall a process makes after it has been allowed to run. For typical MSP allowlisting goals (block unknown executables, control elevation, prevent off-the-shelf ransomware tools from running) the user-mode approach is more than sufficient. For deep ringfencing of permitted applications' subsequent behaviour, kernel-mode designs still have an advantage.
Can I run kernel-free application control alongside Defender or Huntress?
Yes. Application control and EDR are complementary layers. Lavawall® coexists with Defender, Huntress, Sophos, SentinelOne, CrowdStrike, and other EDR / AV products and surfaces their state alongside its own findings.
What happens when a vendor releases an update?
Because Lavawall® pre-approves by signed installer rather than by file hash, normal vendor updates from approved publishers continue to install without operator intervention. Hash-based allowlists, by contrast, require manual re-tagging on every Patch Tuesday — a major source of operational burden in kernel-driver-era application control.
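Item 2 of "What to look for" and the answer above both turn on the same point: a hash rule pins one exact file, a publisher rule keys on the signing certificate and survives signed updates. The following PowerShell is an added example (not code from this page or from Lavawall) that shows the contrast with the built-in AppLocker cmdlets; the two file paths are placeholders for a signed vendor binary before and after an update.

```powershell
# Added example, not from the page or from Lavawall: contrast a hash rule with a
# publisher rule in Windows AppLocker (built in, no third-party kernel driver).
# Assumption: both paths are placeholders; point them at a real signed binary and
# its updated successor on a test machine.
$before = 'C:\Program Files\ExampleVendor\app.exe'      # version N   (placeholder)
$after  = 'C:\Program Files\ExampleVendor\app-new.exe'  # version N+1 (placeholder)

# Publisher rules are only meaningful for validly signed files, so check that first.
$sig = Get-AuthenticodeSignature -FilePath $before
if ($sig.Status -ne 'Valid') { throw "Not validly signed: $($sig.Status)" }
"Signer: $($sig.SignerCertificate.Subject)"

$info = Get-AppLockerFileInformation -Path $before

# Hash rule: keyed to the SHA-256 of this exact file, so it no longer matches
# after the vendor ships a new build.
$hashPolicy = New-AppLockerPolicy -FileInformation $info -RuleType Hash -User Everyone -Xml

# Publisher rule: keyed to publisher + product + binary name, with a version range
# of "this version and above" by default, so a signed update still matches while a
# downgrade to an older (possibly vulnerable) build does not.
$pubPolicy  = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Xml

$hashPolicy | Out-File -Encoding utf8 hash-policy.xml
$pubPolicy  | Out-File -Encoding utf8 publisher-policy.xml

# Evaluate both files against both policies without enforcing anything.
# Expect: the updated file is DeniedByDefault under the hash policy and Allowed
# under the publisher policy.
foreach ($policy in 'hash-policy.xml', 'publisher-policy.xml') {
    Test-AppLockerPolicy -XmlPolicy $policy -Path $before, $after -User Everyone |
        Select-Object @{ n = 'Policy'; e = { $policy } }, FilePath, PolicyDecision, MatchingRule
}
```

The same idea applies to any product that pre-approves by signing certificate: the rule should bind publisher and product name, not just the certificate, so that any other binary signed by the same vendor is not implicitly approved.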