
New-WDACConfig available parameters

New-WDACConfig -GetBlockRules

Syntax

New-WDACConfig
     [-GetBlockRules]
     [-Deploy]
     [-SkipVersionCheck]
     [<CommonParameters>]

Description

Creates a WDAC policy file called Microsoft recommended block rules.xml from the official source for Microsoft recommended block rules, with AllowAll rules and audit mode rule option removed. The policy sets HVCI to strict.

Parameters

-Deploy

Deploys the latest Microsoft recommended block rules (For User Mode binaries). It has the 2 default AllowAll rules so it can be deployed as a standalone base policy. Uses Strict HVCI.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


New-WDACConfig -GetDriverBlockRules

Syntax

New-WDACConfig
     [-GetDriverBlockRules]
     [-Deploy]
     [-SkipVersionCheck]
     [<CommonParameters>]

Description

Creates a WDAC policy file called Microsoft recommended driver block rules.xml from the official source for Microsoft recommended driver block rules, with AllowAll rules and audit mode rule option removed. The policy sets HVCI to strict. Extra information regarding the version and last updated date of the GitHub document containing block rules will also be displayed.

Parameters

-Deploy

Uses the official PowerShell-based method to deploy the latest version of the Microsoft recommended driver block rules.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


New-WDACConfig -MakeAllowMSFTWithBlockRules

Syntax

New-WDACConfig
     [-MakeAllowMSFTWithBlockRules]
     [-Deploy]
     [-TestMode]
     [-RequireEVSigners]
     [-SkipVersionCheck]
     [-EnableScriptEnforcement]
     [<CommonParameters>]

Description

Calls the -GetBlockRules parameter to get the Microsoft recommended block rules, and merges them with the AllowMicrosoft default policy. The policy uses strict HVCI and has the following rule options:


Rule number   Rule option
0             Enabled:UMCI
2             Required:WHQL
5             Enabled:Inherit Default Policy
6             Enabled:Unsigned System Integrity Policy
11            Disabled:Script Enforcement
12            Required:Enforce Store Applications
16            Enabled:Update Policy No Reboot
17            Enabled:Allow Supplemental Policies
19            Enabled:Dynamic Code Security
20            Enabled:Revoked Expired As Unsigned
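The policy construction described above, written out as an added example with the built-in ConfigCI cmdlets. This is not the WDACConfig module's own code. It assumes the Microsoft recommended block rules XML has already been saved locally under the placeholder path .\MicrosoftRecommendedBlockRules.xml, that the AllowMicrosoft.xml template sits in its usual location under C:\Windows\schemas\CodeIntegrity\ExamplePolicies, and that the template is in multiple policy format. Remove-AllowAllRules is a helper written for this example.

```powershell
# Added example, not the WDACConfig module's own code. Builds an AllowMicrosoft + block rules
# policy with the rule options listed in the table above, using the built-in ConfigCI cmdlets.
$AllowMicrosoft = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml'
$BlockRulesXml  = '.\MicrosoftRecommendedBlockRules.xml'   # placeholder: the official block rules XML saved locally
$OutputXml      = '.\AllowMicrosoftPlusBlockRules.xml'

# Helper written for this example. The official block rules file ships with two "Allow All"
# rules (FileName="*") so that it works as a standalone policy. Merged into a base policy they
# would allow every binary, so the rules and their FileRuleRef entries are removed first.
function Remove-AllowAllRules {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$Doc = Get-Content -Path $Path -Raw
    $Ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $Ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')
    $Removed = 0
    foreach ($Allow in @($Doc.SelectNodes('//si:FileRules/si:Allow[@FileName="*"]', $Ns))) {
        foreach ($Ref in @($Doc.SelectNodes("//si:FileRuleRef[@RuleID='$($Allow.ID)']", $Ns))) {
            [void]$Ref.ParentNode.RemoveChild($Ref)
        }
        [void]$Allow.ParentNode.RemoveChild($Allow)
        $Removed++
    }
    $Doc.Save((Resolve-Path -Path $Path).Path)
    return $Removed
}

$Count = Remove-AllowAllRules -Path $BlockRulesXml
"Removed $Count Allow-All rule(s) from the block rules file"

# Merge the template and the block rules into one policy file
[void](Merge-CIPolicy -PolicyPaths $AllowMicrosoft, $BlockRulesXml -OutputFilePath $OutputXml)

# Rule options from the table above (Set-RuleOption addresses them by number)
foreach ($Option in 0, 2, 5, 6, 11, 12, 16, 17, 19, 20) {
    Set-RuleOption -FilePath $OutputXml -Option $Option
}
# Option 3 (Enabled:Audit Mode) must be absent, otherwise nothing is enforced
Set-RuleOption -FilePath $OutputXml -Option 3 -Delete

# Strict HVCI, as the description states
Set-HVCIOptions -Strict -FilePath $OutputXml

# Fresh policy ID (needs multiple policy format), then the binary .cip named after it,
# matching the {GUID}.cip output listed for this parameter
[void](Set-CIPolicyIdInfo -FilePath $OutputXml -ResetPolicyID)
[xml]$Final = Get-Content -Path $OutputXml -Raw
$PolicyId   = $Final.SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $OutputXml -BinaryFilePath ".\$PolicyId.cip"
```

The Allow-All removal is the step that matters for security: a block-rules file merged as-is would turn the result into an allow-everything policy, which is why the description stresses that the file is created with the AllowAll rules removed. Run the script from an elevated PowerShell session; the ConfigCI cmdlets are part of Windows and need no extra module.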


Parameters

-Deploy

Indicates that the module will automatically deploy the AllowMicrosoftPlusBlockRules policy after creation.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-TestMode

Indicates that the created/deployed policy will have Enabled:Boot Audit on Failure and Enabled:Advanced Boot Options Menu policy rule options.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-RequireEVSigners

Indicates that the created/deployed policy will have the Require EV Signers policy rule option.

  • In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later, or Windows 11 drivers will meet this requirement.


Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-EnableScriptEnforcement

Enables script enforcement in the created policy.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


The outputs of the parameter are

  • AllowMicrosoftPlusBlockRules.xml policy file
  • {GUID}.cip for the policy above


New-WDACConfig -SetAutoUpdateDriverBlockRules

Syntax

New-WDACConfig
     [-SetAutoUpdateDriverBlockRules]
     [-SkipVersionCheck]
     [<CommonParameters>]

Description

Creates a scheduled task that runs every 7 days to automatically perform the official method for updating Microsoft recommended driver block rules.


New-WDACConfig -PrepMSFTOnlyAudit

Syntax

New-WDACConfig
     [-PrepMSFTOnlyAudit]
     [-Deploy]
     [-LogSize <UInt64>]
     [-SkipVersionCheck]
     [-EnableScriptEnforcement]
     [<CommonParameters>]

Description

Creates a WDAC policy from the default AllowMicrosoft policy in audit mode that, once deployed, prepares the system for generating audit event logs for a fully managed device. No reboot is required.

After deployment, audit event logs will start to be created for any file that is run but would not be allowed if the AllowMicrosoft policy were deployed in enforced mode.

It's recommended to use the optional parameter below to increase the log size of the Code Integrity events category so that new events won't overwrite the older ones and everything will be captured.

Parameters

-LogSize

Specifies the log size for Microsoft-Windows-CodeIntegrity/Operational events. The values must be in the form of <Digit + Data measurement unit>, e.g., 2MB, 10MB, 1GB, 1TB. The minimum accepted value is 1MB, which is the default.

Type: UInt64
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-Deploy

Deploys the policy instead of just creating it.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-EnableScriptEnforcement

Enables script enforcement in the created policy.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
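Checking and raising the Code Integrity log size, and reading back the audit events that a deployed audit-mode policy produces, as an added example; this is not the module's code. The event ID and the event-data field names are assumptions about the Code Integrity operational log's audit-mode event on current Windows builds, and Set-CodeIntegrityLogSize and Get-CodeIntegrityAuditEvent are helper names chosen for this example.

```powershell
# Added example, not the WDACConfig module's own code.
$LogName = 'Microsoft-Windows-CodeIntegrity/Operational'

# Raise the maximum size of the Code Integrity operational log so older audit events are not
# overwritten during the audit phase. wevtutil takes the size in bytes; 1GB is an arbitrary choice.
function Set-CodeIntegrityLogSize {
    param([uint64]$MaxBytes = 1GB)
    if ($MaxBytes -lt 1MB) { throw 'Log size must be at least 1MB' }
    wevtutil.exe sl $LogName /ms:$MaxBytes
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
    # Read back the effective value from the log configuration
    (Get-WinEvent -ListLog $LogName).MaximumSizeInBytes
}

# Event ID 3076 is logged in audit mode for a file that would have been blocked under an enforced
# policy (3077 is the enforced-mode block). The Data field names used below ("File Name",
# "Process Name", "SHA256 Hash", "PolicyGUID") are assumed to match the event XML.
function Get-CodeIntegrityAuditEvent {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $Filter = @{ LogName = $LogName; Id = 3076; StartTime = $Since }
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
        [xml]$Xml = $_.ToXml()
        $Data = @{}
        foreach ($Item in $Xml.Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            File     = $Data['File Name']
            Process  = $Data['Process Name']
            Sha256   = $Data['SHA256 Hash']
            PolicyId = $Data['PolicyGUID']
        }
    }
}

# Usage: enlarge the log, then list the distinct files audit mode flagged during the last week
Set-CodeIntegrityLogSize -MaxBytes 1GB
Get-CodeIntegrityAuditEvent | Sort-Object File -Unique | Format-Table Time, File, Process, Sha256 -AutoSize
```

Both functions need an elevated session. Reviewing the 3076 events before building a policy from them is worth the time: anything listed there will be allowed by the resulting supplemental policy, so an unexpected path or an unknown hash is the moment to stop and investigate rather than to whitelist.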


New-WDACConfig -PrepDefaultWindowsAudit

Syntax

New-WDACConfig
     [-PrepDefaultWindowsAudit]
     [-Deploy]
     [-LogSize <UInt64>]
     [-SkipVersionCheck]
     [-EnableScriptEnforcement]
     [<CommonParameters>]

Description

Creates a WDAC policy that, once deployed, prepares the system for Default Windows auditing. It will trigger audit logs to be created for any file that is run but is not part of Windows, unlike the -PrepMSFTOnlyAudit parameter, which triggers audit logs for any file that is not signed by Microsoft's trusted root certificate.

This parameter also scans the WDACConfig module files and PowerShell Core files and adds them to the prep audit mode base policy that it deploys, so that the final supplemental policy generated from Event Viewer audit logs won't include those files.

It's recommended to use the optional parameter below to increase the log size of the Code Integrity events category so that new events won't overwrite the older ones, and everything will be captured.

Parameters

-LogSize

Specifies the log size for Microsoft-Windows-CodeIntegrity/Operational events. The values must be in the form of <Digit + Data measurement unit>, e.g., 2MB, 10MB, 1GB, 1TB. The minimum accepted value is 1MB, which is the default.

Type: UInt64
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-Deploy

Deploys the policy instead of just creating it.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-EnableScriptEnforcement

Enables script enforcement in the created policy.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


New-WDACConfig -MakePolicyFromAuditLogs

Syntax

New-WDACConfig
     [-MakePolicyFromAuditLogs]
     [-BasePolicyType <String>]
     [-Deploy]
     [-TestMode]
     [-RequireEVSigners]
     [-SpecificFileNameLevel <String>]
     [-NoDeletedFiles]
     [-NoUserPEs]
     [-NoScript]
     [-Level <String>]
     [-Fallbacks <String[]>]
     [-LogSize <UInt64>]
     [-SkipVersionCheck]
     [<CommonParameters>]

Description

Creates a WDAC policy using the Audit event logs generated for a fully managed device.

Parameters

-BasePolicyType

You need to select between Allow Microsoft Base and Default Windows Base, based on which prep audit mode base policy is deployed on the system.

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False


-Deploy

Indicates that the module will automatically remove the WDAC policy deployed using either the -PrepMSFTOnlyAudit or the -PrepDefaultWindowsAudit parameter, then deploy the supplemental policy created from the audit event logs along with the selected base policy type, both in enforced mode.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-TestMode

Indicates that the created/deployed policy will have Enabled:Boot Audit on Failure and Enabled:Advanced Boot Options Menu policy rule options.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-RequireEVSigners

Indicates that the created/deployed policy will have the Require EV Signers policy rule option.

  • In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later, or Windows 11 drivers will meet this requirement.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-Debug

Indicates that the module will output 3 additional files for debugging purposes:

  • FileRulesAndFileRefs.txt - Contains the File Rules and Rule refs for the Hash of the files that no longer exist on the disk.
  • DeletedFilesHashes.xml - Policy file that contains File Rules and Rule refs for the files that no longer exist on the disk.
  • AuditLogsPolicy_NoDeletedFiles.xml - The policy file generated from Audit Event logs based on the specified Level and Fallback parameters.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-LogSize

Specifies the log size for Microsoft-Windows-CodeIntegrity/Operational events. The values must be in the form of <Digit + Data measurement unit>, e.g., 2MB, 10MB, 1GB, 1TB. The minimum accepted value is 1MB, which is the default.

Type: UInt64
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-Level

Accepts the same Level values that the official ConfigCI cmdlets use when scanning event logs.

Type: String
Position: Named
Default value: WHQLFilePublisher
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-Fallbacks

Accepts the same Fallback values that the official ConfigCI cmdlets use when scanning event logs.

Type: String[]
Position: Named
Default value: FilePublisher,Hash
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-SpecificFileNameLevel

You can choose one of the following options:

  • OriginalFileName
  • InternalName
  • FileDescription
  • ProductName
  • PackageFamilyName
  • FilePath

More info available on Microsoft Learn

Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-NoDeletedFiles

Indicates that files that were run during program installations but were then deleted and are no longer on the disk won't be added to the supplemental policy. This can mean the programs you installed will be allowed to run, but installation/reinstallation might not be allowed once the policies are deployed.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-NoUserPEs

By default, the module includes user PEs in the scan. When you use this switch parameter, they won't be included. More info available on Microsoft Learn

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-NoScript

More info available on Microsoft Learn

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


The outputs of the parameter are

  • The base policy XML file

  • The supplemental policy XML file

  • {GUID}.cip Binary file for the base Policy, ready for deployment.

  • {GUID}.cip Binary file for the supplemental Policy, ready for deployment.
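A worked version of the flow this parameter describes (supplemental policy from the audit events, enforced base policy, two .cip files), as an added example built on the ConfigCI cmdlets rather than the module's own code. It assumes the base policy XML that was deployed for the audit phase is saved at the placeholder path .\BasePolicy.xml in multiple policy format; Export-PolicyBinary is a helper written for this example.

```powershell
# Added example, not the WDACConfig module's own code.
$BasePolicyXml   = '.\BasePolicy.xml'              # placeholder: base policy used during the audit phase
$EnforcedBaseXml = '.\BasePolicy_Enforced.xml'
$SupplementalXml = '.\AuditLogsSupplemental.xml'

# -Audit reads the Code Integrity audit events instead of scanning the disk. Level and Fallback
# mirror the defaults listed above; -UserPEs includes user-mode binaries (leave it out for the
# behaviour of -NoUserPEs); adding -NoScript would skip script and MSI files.
New-CIPolicy -FilePath $SupplementalXml -Audit -Level WHQLFilePublisher -Fallback FilePublisher, Hash -UserPEs -MultiplePolicyFormat

# Bind the result to the base policy as a supplemental policy (sets PolicyType and BasePolicyID).
Set-CIPolicyIdInfo -FilePath $SupplementalXml -BasePolicyToSupplementPath $BasePolicyXml
# The base policy, not the supplemental one, decides audit versus enforced, so drop option 3 here.
Set-RuleOption -FilePath $SupplementalXml -Option 3 -Delete

# Enforced copy of the base policy. The policy ID is unchanged, so its .cip replaces the
# audit-mode binary of the same name once deployed.
Copy-Item -Path $BasePolicyXml -Destination $EnforcedBaseXml -Force
Set-RuleOption -FilePath $EnforcedBaseXml -Option 3 -Delete

# Helper written for this example: convert a policy XML into a .cip named after its PolicyID.
function Export-PolicyBinary {
    param([Parameter(Mandatory)][string]$XmlPath)
    [xml]$Doc = Get-Content -Path $XmlPath -Raw
    $Id  = $Doc.SiPolicy.PolicyID
    if (-not $Id) { throw "$XmlPath has no PolicyID; it must be in multiple policy format" }
    $Bin = Join-Path -Path (Split-Path -Parent (Resolve-Path -Path $XmlPath)) -ChildPath "$Id.cip"
    [void](ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $Bin)
    return $Bin
}

# Outputs listed above: base XML, supplemental XML, and one {GUID}.cip for each
Export-PolicyBinary -XmlPath $EnforcedBaseXml
Export-PolicyBinary -XmlPath $SupplementalXml
```

Before the enforced base goes live, diff the supplemental policy's rules against the audit events you reviewed: the supplemental policy is an allow list, and a rule generated from an unexpected event becomes a permanent exception once both binaries are deployed.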


New-WDACConfig -MakeLightPolicy

Syntax

New-WDACConfig
     [-MakeLightPolicy]
     [-Deploy]
     [-TestMode]
     [-RequireEVSigners]
     [-SkipVersionCheck]
     [-EnableScriptEnforcement]
     [<CommonParameters>]

Description

Creates a WDAC policy for a lightly managed system. The policy has the same specifications as -MakeAllowMSFTWithBlockRules, with the following additional rule options:


Rule number   Rule option
14            Enabled:Intelligent Security Graph Authorization
15            Enabled:Invalidate EAs on Reboot


Parameters

-Deploy

Indicates that the module will automatically deploy the SignedAndReputable.xml policy file after creation.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-TestMode

Indicates that the created/deployed policy will have Enabled:Boot Audit on Failure and Enabled:Advanced Boot Options Menu policy rule options.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-RequireEVSigners

Indicates that the created/deployed policy will have the Require EV Signers policy rule option.

  • In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later, or Windows 11 drivers will meet this requirement.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-EnableScriptEnforcement

Enables script enforcement in the created policy.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


The outputs of the parameter are

  • SignedAndReputable.xml
  • {GUID}.cip


New-WDACConfig -MakeDefaultWindowsWithBlockRules

Syntax

New-WDACConfig
     [-MakeDefaultWindowsWithBlockRules]
     [-Deploy]
     [-TestMode]
     [-RequireEVSigners]
     [-SkipVersionCheck]
     [-EnableScriptEnforcement]
     [<CommonParameters>]

Description

Calls the -GetBlockRules parameter to get the Microsoft recommended block rules, and merges them with the DefaultWindows_Enforced policy. The policy uses strict HVCI and the same policy rule options as the -MakeAllowMSFTWithBlockRules parameter.


Note

Since the module uses PowerShell and not the Windows PowerShell that is pre-installed in Windows, this parameter will automatically scan the C:\Program Files\PowerShell directory (if it detects that PowerShell is not installed from the Microsoft Store) and add the PowerShell files to the DefaultWindowsPlusBlockRules.xml policy file, so that you will be able to continue using the module after deploying the policy. The scan uses the FilePublisher level with Hash fallback.
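The scan-and-merge step the note describes, as an added example using the ConfigCI cmdlets; it is not the module's code. It assumes the DefaultWindowsPlusBlockRules.xml policy already exists at the placeholder path given below, and Get-ScanRuleSummary is a helper written for this example.

```powershell
# Added example, not the WDACConfig module's own code.
$PwshDir   = 'C:\Program Files\PowerShell'          # MSI/ZIP install location; Store installs live elsewhere
$PolicyXml = '.\DefaultWindowsPlusBlockRules.xml'   # placeholder: the policy produced by this parameter
$ScanXml   = '.\PowerShellScan.xml'
$MergedXml = '.\DefaultWindowsPlusBlockRules_WithPwsh.xml'

if (-not (Test-Path -Path $PwshDir -PathType Container)) {
    throw "No PowerShell installation found under $PwshDir; a Store install is not covered by this scan"
}

# FilePublisher level with Hash fallback, as the note states. -UserPEs is needed because pwsh.exe
# and its DLLs are user-mode binaries, which New-CIPolicy skips by default.
New-CIPolicy -FilePath $ScanXml -ScanPath $PwshDir -Level FilePublisher -Fallback Hash -UserPEs -MultiplePolicyFormat

# Helper written for this example. Reports how much of the scan fell back to hashes: every hash
# rule breaks on the next PowerShell update, while publisher rules survive as long as the signer does.
function Get-ScanRuleSummary {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$Doc = Get-Content -Path $Path -Raw
    [pscustomobject]@{
        PublisherSigners = @($Doc.SiPolicy.Signers.Signer | Where-Object { $_ }).Count
        HashRules        = @($Doc.SiPolicy.FileRules.Allow | Where-Object { $_.Hash }).Count
    }
}
Get-ScanRuleSummary -Path $ScanXml

# Merge the scan into the base policy (new output file; the original is left untouched).
# Re-apply the enforcement-related settings on the merged file, since that is what gets deployed.
[void](Merge-CIPolicy -PolicyPaths $PolicyXml, $ScanXml -OutputFilePath $MergedXml)
Set-RuleOption -FilePath $MergedXml -Option 3 -Delete
Set-HVCIOptions -Strict -FilePath $MergedXml
```

A high hash-rule count in the summary is the signal to look at why publisher rules were not produced (unsigned helper binaries in the install directory, for instance) rather than to accept a policy that will start blocking PowerShell after its next update.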

Parameters

-Deploy

Indicates that the module will automatically deploy the DefaultWindowsPlusBlockRules policy after creation.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-TestMode

Indicates that the created/deployed policy will have Enabled:Boot Audit on Failure and Enabled:Advanced Boot Options Menu policy rule options.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


-RequireEVSigners

Indicates that the created/deployed policy will have the Require EV Signers policy rule option.

  • In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later, or Windows 11 drivers will meet this requirement.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-EnableScriptEnforcement

Enables script enforcement in the created policy.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


The outputs of the parameter are

  • DefaultWindowsPlusBlockRules.xml policy file
  • {GUID}.cip for the policy above