New-DenyWDACConfig available parameters¶
New-DenyWDACConfig -Normal¶
Syntax¶
New-DenyWDACConfig
[-Normal]
-PolicyName <String>
[-ScanLocations <DirectoryInfo[]>]
[-Deploy]
[-Level <String>]
[-Fallbacks <String[]>]
[-SpecificFileNameLevel <String>]
[-NoUserPEs]
[-NoScript]
[-SkipVersionCheck]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description¶
Creates a Deny base policy by scanning a directory. The base policy will have 2 allow all rules, meaning it can be deployed as a standalone base policy, side-by-side any other Base/Supplemental policies.
Parameters¶
-PolicyName¶
Add a descriptive name for the Deny base policy. Accepts only alphanumeric and space characters.
| Type: | String |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ScanLocations¶
Accepts one or more comma separated folder paths. Supports argument completion, when you press tab, folder picker GUI will open allowing you to easily select a folder, you can then add a comma , and press tab again to select another folder path or paste a folder path manually, works both ways.
| Type: | DirectoryInfo[] |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Deploy¶
Indicates that the module will automatically deploy the Deny base policy after creation.
| Type: | SwitchParameter |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Levels¶
Offers the same official Levels to scan the specified directory path(s).
| Type: | String |
|---|---|
| Position: | Named |
| Default value: | WHQLFilePublisher |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Fallbacks¶
Offers the same official Fallbacks to scan the specified directory path(s).
| Type: | String[] |
|---|---|
| Position: | Named |
| Default value: | FilePublisher,Hash |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SpecificFileNameLevel¶
You can choose one of the following options:
- OriginalFileName
- InternalName
- FileDescription
- ProductName
- PackageFamilyName
- FilePath
More info available on Microsoft Learn
| Type: | String |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-NoUserPEs¶
By default the module includes user PEs in the scan, but when you use this switch parameter, they won't be included. More info available on Microsoft Learn
| Type: | SwitchParameter |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-NoScript¶
More info available on Microsoft Learn
| Type: | SwitchParameter |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
New-DenyWDACConfig -Drivers¶
Syntax¶
New-DenyWDACConfig
[-Drivers]
-PolicyName <String>
[-ScanLocations <DirectoryInfo[]>]
[-Deploy]
[-SkipVersionCheck]
[-Confirm]
[<CommonParameters>]
Description¶
Creates a Deny base policy by scanning a directory, this parameter uses DriverFile objects so it's best suitable for driver files. The base policy will have 2 allow all rules, meaning it can be deployed as a standalone base policy, side-by-side any other Base/Supplemental policies.
Note
The scan uses WHQLFilePublisher level without any fallbacks, and includes both usermode and kernel mode drivers.
Parameters¶
-PolicyName¶
Add a descriptive name for the Deny base policy. Accepts only alphanumeric and space characters.
| Type: | String |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ScanLocations¶
Accepts one or more comma separated folder paths. Supports argument completion, when you press tab, folder picker GUI will open allowing you to easily select a folder, you can then add a comma , and press tab again to select another folder path or paste a folder path manually, works both ways.
| Type: | DirectoryInfo[] |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Deploy¶
Indicates that the module will automatically deploy the Deny base policy after creation.
| Type: | SwitchParameter |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
New-DenyWDACConfig -InstalledAppXPackages¶
Syntax¶
New-DenyWDACConfig
[-InstalledAppXPackages]
-PackageName <String>
-PolicyName <String>
[-Deploy]
[-Force]
[-SkipVersionCheck]
[-Confirm]
[<CommonParameters>]
Description¶
Creates a Deny base policy for one or more installed Windows Apps (Appx) based on their PFN (Package Family Name). The base policy will have 2 allow all rules, meaning it can be deployed as a standalone base policy, side-by-side any other Base/Supplemental policies.
Parameters¶
-PackageName¶
Enter the package name of an installed app. Supports wildcard * character. e.g, *Edge* or "*Microsoft*".
| Type: | String |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | True |
-PolicyName¶
Add a descriptive name for the Deny base policy. Accepts only alphanumeric and space characters.
| Type: | String |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Deploy¶
Indicates that the module will automatically deploy the Deny base policy after creation.
| Type: | SwitchParameter |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Force¶
Indicates that the cmdlet won't ask for confirmation and will proceed with creating the deny policy.
| Type: | SwitchParameter |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
New-DenyWDACConfig -PathWildCards¶
Syntax¶
New-DenyWDACConfig
[-PathWildCards]
-PolicyName <String>
-FolderPath <DirectoryInfo>
[-Deploy]
[-SkipVersionCheck]
[-Confirm]
[<CommonParameters>]
Description¶
Creates a Deny standalone base policy for a folder using wildcards. The base policy created by this parameter can be deployed side by side any other base/supplemental policy.
Note
This feature is also used internally by the Harden Windows Security Module.
Parameters¶
-PolicyName¶
Add a descriptive name for the Deny base policy. Accepts only alphanumeric and space characters.
| Type: | String |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-FolderPath¶
A folder path that includes at least one wildcard * character. Press TAB to open the folder picker GUI. Once you selected a folder, you will see the path will have \* at the end of it. You can modify the selected path by adding/removing wildcards * to it before proceeding.
| Type: | DirectoryInfo |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | True |
-Deploy¶
Indicates that the module will automatically deploy the Deny base policy after creation.
| Type: | SwitchParameter |
|---|---|
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |