-
Notifications
You must be signed in to change notification settings - Fork 134
Introduction
Application control is a crucial line of defense for protecting computer systems given today's threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run.
Devices where Windows Defender Application control (WDAC) policies are deployed on can either be centrally managed via MDM, Intune etc. or they can be home devices, devices that are private and don't belong to any organization, the computer of someone that you want to keep very much safe and secure so that even the device's owner can't willingly or forcefully compromise themselves, the possibilities are endless.
Important
The WDACConfig module is a one-stop shop for all your Application Control (WDAC) needs. It is scalable, easy to use, enterprise-ready, Azure VM ready and more importantly, it is free and always will be. Check it out here
- Introduction
- WDAC for Lightly managed device
- WDAC for Fully managed device - Variant 1
- WDAC for Fully managed device - Variant 2
- WDAC for Fully managed device - Variant 3
- WDAC for Fully managed device - Variant 4
- WDAC Notes
- How to Create and Deploy a Signed WDAC Policy
- Fast and Automatic Microsoft Recommended Driver Block Rules updates
- WDAC policy for BYOVD Kernel mode only protection
- EKUs in WDAC, App Control for Business, Policies
- WDAC Rule Levels Comparison and Guide
- Script Enforcement and PowerShell Constrained Language Mode in WDAC App Control Policies
- How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control
- Application Control (WDAC) Frequently Asked Questions (FAQs)
WDACConfig is an advanced PowerShell module designed with the aim of automating Application and File whitelisting in Windows using Windows Defender Application Control. It is available in PowerShell gallery.
There are many ways you can utilize Application Control features and here they are sorted by the level of restriction and protection they provide; From top (having the least restriction and protection) to bottom (having the most restriction and protection).
-
Use Microsoft recommended driver block rules.
- No user action required; The vulnerable driver blocklist is enabled by default for all devices using HVCI or Memory Integrity.
- The built-in driver blocklist is updated with each new major release of Windows, typically 1-2 times per year.
-
Update Microsoft recommended driver block rules outside of the twice a year schedule.
- The drivers block list itself is updated more frequently than twice a year schedule, use the WDACConfig Module to setup a scheduled task that keeps the list up-to-date.
-
Use Microsoft recommended block rules + Recommended driver block rules
- Use the WDACConfig Module to easily deploy the User-Mode Microsoft recommended block rules on your system.
-
Create WDAC policy for Lightly managed devices
-
- It's just a toggle in Windows Security under App & Browser control. It uses a special kind of WDAC policy that provides more protection than a lightly managed workstation but less protection than a fully managed workstation.
- It uses both of Microsoft's recommended block rules.
-
Use Smart App Control + Strict Kernel-Mode WDAC Policy
-
Create WDAC policy for Fully managed devices
- The following scenarios provide the highest protection against any threats from any sources when cryptographically signed and deployed and properly configured.
- WDAC for Fully managed device - Variant 1
- WDAC for Fully managed device - Variant 2
- WDAC for Fully managed device - Variant 3
- WDAC for Fully managed device - Variant 4
- Microsoft's guide: Create a WDAC policy for fully managed devices
- Microsoft's guide: Create a WDAC policy for fixed-workload devices (reference computer)
- Microsoft's guide: Use audit events to create WDAC policy rules
- Using PowerShell cmdlets
- Using WDACConfig PowerShell module - Recommended
- Using WDAC Policy Wizard
Microsoft provides the following official document to understand the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. The rest of them are mentioned below at the Resources section.
There are a lot more WDAC resources and cmdlets available on Microsoft's websites.
- Application Control for Windows
- Understand Windows Defender Application Control policy design decisions
- Deploying Windows Defender Application Control (WDAC) policies
- Use multiple Windows Defender Application Control Policies
- Use audit events to create WDAC policy rules
- Merge Windows Defender Application Control (WDAC) policies
- Understand Windows Defender Application Control (WDAC) policy rules and file rules
- Testing and Debugging AppId Tagging Policies
- Editing existing base and supplemental WDAC policies with the Wizard
- Creating a new Supplemental Policy with the Wizard
- Generate Windows Defender Application Control (WDAC) policies Online
- Windows Defender Application Control (WDAC) example base policies
- Configure the Application Identity service
- Microsoft recommended driver block rules
- Microsoft recommended block rules
- Create a WDAC policy using a reference computer (for fixed-workload devices)
- Create a WDAC policy for fully managed devices
- Create a WDAC policy for lightly managed devices
- Guidance on Creating WDAC Deny Policies
- Hypervisor-protected Code Integrity enablement
- New-WDACConfig
- New-SupplementalWDACConfig
- Remove-WDACConfig
- Edit-WDACConfig
- Edit-SignedWDACConfig
- Deploy-SignedWDACConfig
- Confirm-WDACConfig
- New-DenyWDACConfig
- Set-CommonWDACConfig
- New-KernelModeWDACConfig
- Get-CommonWDACConfig
- Invoke-WDACSimulation
- Remove-CommonWDACConfig
- Assert-WDACConfigIntegrity
- Build-WDACCertificate
- Test-CiPolicy
- Get-CiFileHashes
- ConvertTo-WDACPolicy
- Set-CiRuleOptions
- Get-CIPolicySetting
- Introduction
- WDAC for Lightly Managed Devices
- WDAC for Fully managed device - Variant 1
- WDAC for Fully managed device - Variant 2
- WDAC for Fully managed device - Variant 3
- WDAC for Fully managed device - Variant 4
- WDAC Notes
- How to Create and Deploy a Signed WDAC Policy
- Fast and Automatic Microsoft Recommended Driver Block Rules updates
- WDAC policy for BYOVD Kernel mode only protection
- EKUs in WDAC, App Control for Business, Policies
- WDAC Rule Levels Comparison and Guide
- Script Enforcement and PowerShell Constrained Language
- How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control
- Application Control (WDAC) Frequently Asked Questions (FAQs)
- Create Bootable USB flash drive with no 3rd party tools
- Event Viewer
- Group Policy
- How to compact your OS and free up extra space
- Hyper V
- Overrides for Microsoft Security Baseline
- Git GitHub Desktop and Mandatory ASLR
- Signed and Verified commits with GitHub desktop
- About TLS, DNS, Encryption and OPSEC concepts
- Things to do when clean installing Windows
- Comparison of security benchmarks
- BitLocker, TPM and Pluton | What Are They and How Do They Work
- How to Detect Changes in User and Local Machine Certificate Stores in Real Time Using PowerShell
- Cloning Personal and Enterprise Repositories Using GitHub Desktop
- Only a Small Portion of The Windows OS Security Apparatus
- Clean Source principle, Azure and Privileged Access Workstations
- How to Securely Connect to Azure VMs and Use RDP
- Basic PowerShell tricks and notes
- Basic PowerShell tricks and notes Part 2
- Basic PowerShell tricks and notes Part 3
- Basic PowerShell tricks and notes Part 4
- Basic PowerShell tricks and notes Part 5
- How To Access All Stream Outputs From Thread Jobs In PowerShell In Real Time
- PowerShell Best Practices To Follow When Coding
- How To Asynchronously Access All Stream Outputs From Background Jobs In PowerShell
- Powershell Dynamic Parameters and How to Add Them to the Get‐Help Syntax
- RunSpaces In PowerShell
- How To Use Reflection And Prevent Using Internal & Private C# Methods in PowerShell