WDAC policy for Fully Managed device - Variant 1
| Base policy type | Method used | Signed | Protection score 1-5 |
|---|---|---|---|
| Allow Microsoft / Default Windows | WDACConfig module | No | 4 |
- This variant helps you create and deploy a WDAC policy for a fully managed device using only Event Viewer audit logs.
- This scenario uses explicit Allow rules for files and certificates/signers; anything not allowed by the policies we are going to make is automatically denied/blocked.
Prepare a Virtual Machine
Install the Hyper-V role from optional Windows features if you haven't already.
Download the latest Windows .ISO file from the Microsoft website, create a new VM with it, install Windows and log in. Fully update Windows and then restart to apply the updates. You can create a Hyper-V checkpoint at this point so that you can return to this clean state later if you need to.
Prepare a Base policy
There are 2 types of base policies you can choose from.
- Allow Microsoft: allows only files and apps that are signed by Microsoft's trusted root certificates.
- Default Windows: allows only files and apps that come pre-installed with Windows (the more restrictive of the two).
Deploy the Allow Microsoft Prep mode base policy
Deploy the Default Windows Prep mode base policy
Whichever option you choose, the command deploys that base policy in audit mode. Audit mode only logs what would have been blocked; it doesn't block anything. No reboot is required.
Generate Audit Event Logs on the System
On the VM, install all of the programs that you want to allow in the WDAC policy. These are the programs that you want to be able to install and run on the target system once the WDAC policy is deployed.
- Installing or running 3rd-party, non-Microsoft programs while the Allow Microsoft policy is deployed in audit mode generates event logs for each of the programs and their files.
- Installing or running any program that doesn't come pre-installed with Windows while the Default Windows policy is deployed in audit mode generates event logs for each of the programs and their files.
These event logs are exactly what we need to identify the detected files and create Allow rules for them.
Only files that are actually executed or loaded during the Prep mode phase generate event logs, so simply installing a program using its installer won't trigger event logs for every component and executable the program ships with (plugins, helper executables, DLLs loaded on demand). After installing the programs, run them and use them for a while as you normally would, so that all of their components are executed and event logs are generated for them.
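Before turning the audit logs into Allow rules, it is worth reviewing what the Prep mode policy actually recorded. The script below is an added example and is not part of the wiki page or the WDACConfig module. It assumes that audit-mode events are Event ID 3076 in the Microsoft-Windows-CodeIntegrity/Operational log with EventData fields named 'File Name' and 'Process Name' (the names on current Windows builds; verify on yours), and that it is run from an elevated PowerShell prompt on the VM. It groups the events by file, shows which processes loaded each file, and flags files loaded from user-writable locations, which are poor candidates for path-based rules.

```powershell
# Added example (not from the wiki page or the WDACConfig module): summarize the
# Code Integrity audit events that a Prep mode (audit) base policy generated, so
# you can review what a supplemental policy built from these logs would allow.
# Assumptions (verify on your build): audit-mode events are Event ID 3076 in
# 'Microsoft-Windows-CodeIntegrity/Operational', with EventData fields named
# 'File Name' and 'Process Name'. Run from an elevated PowerShell prompt.

param(
    # Only consider events after this time, e.g. when you deployed the Prep policy
    [datetime]$Since = (Get-Date).AddHours(-24)
)

$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076          # "would have been blocked" (audit mode) events
    StartTime = $Since
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No audit events since $Since. Is the Prep mode base policy deployed, and have you actually run the programs?"
    return
}

# Pull the named EventData fields out of an event's XML into a hashtable
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$rows = foreach ($e in $events) {
    $f = Get-EventFields -Event $e
    [pscustomobject]@{
        Time    = $e.TimeCreated
        File    = $f['File Name']      # NT device path, e.g. \Device\HarddiskVolume3\...
        Process = $f['Process Name']
    }
}

# Locations a standard user can write to: a path rule there would let anything
# dropped into the folder run, so those files need hash or signer rules instead.
$userWritable = @(
    '\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\',
    '\\Temp\\',
    '\\ProgramData\\'
)

$summary = $rows | Group-Object File | ForEach-Object {
    $path = $_.Name
    [pscustomobject]@{
        Loads        = $_.Count
        File         = $path
        LoadedBy     = ($_.Group.Process | Sort-Object -Unique) -join '; '
        UserWritable = [bool]($userWritable | Where-Object { $path -match $_ })
    }
} | Sort-Object UserWritable, Loads -Descending

$summary | Format-Table -AutoSize

$weak = @($summary | Where-Object UserWritable)
if ($weak.Count -gt 0) {
    Write-Warning ("{0} file(s) were loaded from user-writable locations; prefer hash/signer rules for them." -f $weak.Count)
}
```

Run it once after exercising the installed programs and once more a day later: components that only appear in the second run (updaters, scheduled tasks, on-demand plugins) are the ones that tend to be missing from a supplemental policy built too early.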
Generate Supplemental Policy From the Audit Event Logs
If you chose the Allow Microsoft path
If you chose the Default Windows path
If you use the optional -Deploy switch parameter with the commands above, 3 things will automatically happen:
- The deployed Prep mode base policy will be removed.
- The actual base policy (Allow Microsoft or Default Windows, whichever you chose) will be deployed.
- The Supplemental policy generated from the audit logs will be deployed.
If you don't use the -Deploy switch, you can deploy the .cip binary files manually using CITool.
Information about how to Sign and Deploy a Signed WDAC policy.
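When you skip -Deploy, the .cip files have to be applied with CiTool yourself, in the same order the switch would have used. The script below is an added example, not from the wiki page or the WDACConfig module. It assumes Windows 11 22H2 or later (where CiTool.exe ships in System32), an elevated prompt, the paths of the base and supplemental .cip files you generated, and optionally the GUID of the Prep mode policy to remove first; the JSON field names it reads (PolicyID, BasePolicyID, FriendlyName, IsEnforced, IsAuthorized, IsSystemPolicy) are those CiTool --list-policies -json returns on current builds and should be verified on yours. Besides deploying the files in the right order (base first), it checks that every deployed supplemental policy references a base policy that is actually deployed, because Code Integrity ignores a supplemental whose base is absent.

```powershell
# Added example (not from the wiki page or the WDACConfig module): deploy .cip
# binaries by hand with CiTool and verify the result.
# Assumptions: Windows 11 22H2+ (CiTool.exe in System32), elevated prompt, and the
# JSON field names below match what your build's "CiTool --list-policies -json"
# returns. The policy GUID format for --remove-policy ('{GUID}') is also assumed.

param(
    [Parameter(Mandatory)] [string]   $BaseCip,           # e.g. C:\WDACPolicies\AllowMicrosoft.cip
    [string[]]                        $SupplementalCip,   # .cip files generated from the audit logs
    [string]                          $PrepPolicyId = ''  # '{GUID}' of the Prep mode policy; empty = skip
)

function Invoke-CiTool {
    # Runs CiTool with the given arguments and fails loudly on a non-zero exit code
    param([string[]]$Arguments)
    $out = & CiTool.exe @Arguments -json
    if ($LASTEXITCODE -ne 0) { throw "CiTool $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
    return $out
}

function Get-DeployedPolicies {
    return (Invoke-CiTool -Arguments @('--list-policies') | ConvertFrom-Json).Policies
}

# 1. Remove the Prep mode (audit) base policy, if asked to
if ($PrepPolicyId) {
    Invoke-CiTool -Arguments @('--remove-policy', $PrepPolicyId) | Out-Null
    Write-Host "Removed Prep mode policy $PrepPolicyId"
}

# 2. Base first: a supplemental is only authorized once a deployed base with a
#    matching BasePolicyID exists.
Invoke-CiTool -Arguments @('--update-policy', (Resolve-Path $BaseCip).Path) | Out-Null
Write-Host "Deployed base policy $BaseCip"

foreach ($cip in $SupplementalCip) {
    Invoke-CiTool -Arguments @('--update-policy', (Resolve-Path $cip).Path) | Out-Null
    Write-Host "Deployed supplemental policy $cip"
}

# 3. Verify what Code Integrity now has loaded
$policies = @(Get-DeployedPolicies)
$baseIds  = $policies | Where-Object { $_.PolicyID -eq $_.BasePolicyID } | ForEach-Object PolicyID

$policies |
    Where-Object { -not $_.IsSystemPolicy } |
    Select-Object FriendlyName, PolicyID, BasePolicyID, IsEnforced, IsAuthorized, IsOnDisk |
    Format-Table -AutoSize

# A supplemental whose base is not deployed never takes effect; surface that now
# rather than discovering it when the first program is blocked.
$orphans = $policies | Where-Object { $_.PolicyID -ne $_.BasePolicyID -and $_.BasePolicyID -notin $baseIds }
foreach ($o in $orphans) {
    Write-Warning "Supplemental '$($o.FriendlyName)' ($($o.PolicyID)) references base $($o.BasePolicyID), which is not deployed."
}
```

Check the IsEnforced column after the run: if the base policy still shows as audit, you have deployed the Prep mode .cip again instead of the real base policy.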
Decision flow when a program is blocked after deploying the Allow Microsoft base policy:

```mermaid
flowchart TD
A(Deploy Allow Microsoft base policy) -->B(Start running your programs)
B --> C[An App is getting blocked?]
C --> D[Is it a normal app?]
D --> E[Create Supplemental policy based on App's directory]
E --> F[New-SupplementalWDACConfig -Normal]
E --> G[Edit-WDACConfig -AllowNewApps]
C --> H[Is it a game Installed using Xbox app?]
H --> I[Is it an app that installs drivers outside app's directory?]
I --> J[Use Event viewer logs + game/app's directory scan]
J --> K[Edit-WDACConfig -AllowNewAppsAuditEvents]
C --> L[Want to allow an entire folder?]
L --> M[Use folder path with one or more Wildcards]
M --> N[New-SupplementalWDACConfig -FilePathWildCards]
```
Decision flow when a program is blocked after deploying the Default Windows base policy:

```mermaid
flowchart TD
A(Deploy Default Windows base policy) -->B(Identify Important apps that need Supplemental policy)
B --> C(Create and Deploy Supplemental policies for them)
C --> D[Another App is getting blocked?]
D --> E[Is it a normal app?]
E --> F[Create Supplemental policy based on App's directory]
D --> G[Is it a game Installed using Xbox app?]
G --> H[Is it an app that installs drivers outside app's directory?]
H --> I[Use Event viewer logs + game/app's directory scan]
I --> J[Edit-WDACConfig -AllowNewAppsAuditEvents]
D --> L[Want to allow an entire folder?]
L --> M[Use folder path with one or more Wildcards]
M --> N[New-SupplementalWDACConfig -FilePathWildCards]
F --> O[Edit-WDACConfig -AllowNewApps]
F --> Q[New-SupplementalWDACConfig -Normal]
```