This week is a short post focused on Windows Defender Application Control (WDAC). More specifically, it is focused on the different policy rules that can be configured by using the Windows Defender Application Control Policy Wizard. That policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. It provides IT administrators with a user-friendly method for creating, editing and merging WDAC policies. The WDAC policy wizard relies on the ConfigCI PowerShell cmdlets, which makes sure that the output of the policy wizard is identical to using the cmdlets manually. WDAC is generally used to control what runs on Windows 10 and Windows 11 devices. That is achieved by setting policies that specify whether a driver or application is trusted. One of the main components of a WDAC policy are the policy rule options. Those options define the behavior of the WDAC policy. The WDAC policy wizard provides a nice and simple method for configuring the policy options. This blog post will focus on the policy options, by showing the configuration options via PowerShell and the Wizard, and by providing an overview of how those configuration options relate.
Windows Defender Application Control policy options
The WDAC policy wizard is a great open-source Windows app that provides a very simple UI for creating a WDAC policy. That enables the IT administrator to create a great starting point without diving into PowerShell and XML. The WDAC policy wizard relies on the ConfigCI PowerShell cmdlets, so the result is the same as well: an XML file that can be used for configuring the WDAC policy on a Windows 10 or Windows 11 device. The main configurations are around the file rules (the rules that allow or deny files based on their publisher, path or hash value) and the policy rules. The policy rules determine the behavior of the WDAC policy. Of the numbered policy rule options (0 to 20), 18 are configurable via the WDAC policy wizard (as shown below in Figure 1); the three that are unsupported or reserved (1, 5 and 7) have no slider.
Enabling one of the sliders achieves the same as running the Set-RuleOption cmdlet with the matching policy rule option number; disabling a slider corresponds to running the same cmdlet with the -Delete switch. An example that enables User Mode Code Integrity (option 0) is shown below.
Set-RuleOption -FilePath <Path to policy XML> -Option 0
The different sliders in the WDAC policy wizard can be directly translated to the actual WDAC policy rule options and the PowerShell options. The WDAC policy rule option is the string that ends up in the Rules section of the policy XML, and the PowerShell option is the number that is passed to the -Option parameter of the Set-RuleOption cmdlet. The table below provides a quick overview of the different options and a short explanation of their usage.
| WDAC policy rule slider | WDAC policy rule option | PowerShell option | Description |
|---|---|---|---|
| User Mode Code Integrity | Enabled:UMCI | 0 | Also validates user-mode executables and scripts. Without this option the policy only controls kernel-mode drivers. |
| – | Enabled:Boot Menu Protection | 1 | This rule option is not currently supported. |
| Require WHQL | Required:WHQL | 2 | Requires that every driver that runs is WHQL signed and removes legacy driver support. |
| Audit Mode | Enabled:Audit Mode (Default) | 3 | Logs what the policy would have blocked instead of blocking it, so the impact of a policy can be assessed before it is enforced. Remove this option to put the policy in enforcement mode. |
| Disable Flight Signing | Disabled:Flight Signing | 4 | Stops the policy from trusting flightroot-signed binaries, so only released Windows builds (not pre-release builds) run. |
| – | Enabled:Inherit Default Policy | 5 | This rule option is reserved for future use and currently has no effect. |
| Unsigned System Integrity Policy | Enabled:Unsigned System Integrity Policy (Default) | 6 | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and the certificates trusted for future policy updates must be listed in the UpdatePolicySigners section. |
| – | Allowed:Debug Policy Augmented | 7 | This rule option is not currently supported. |
| Require EV Signers | Required:EV Signers | 8 | Requires that drivers are WHQL signed and have been submitted by a partner with an Extended Validation (EV) certificate. |
| Advanced Boot Options Menu | Enabled:Advanced Boot Options Menu | 9 | Allows the F8 menu to appear for physically present users. By default WDAC disables that menu. |
| Boot Audit on Failure | Enabled:Boot Audit on Failure | 10 | Used when the policy is in enforcement mode: if a driver fails to load during startup, the policy is placed in audit mode so that Windows will still load. |
| Disable Script Enforcement | Disabled:Script Enforcement | 11 | Disables script enforcement. Unsigned PowerShell scripts and interactive use of PowerShell are no longer restricted to Constrained Language Mode. |
| Enforce Store Applications | Required:Enforce Store Applications | 12 | Also applies the policy to Universal Windows (Store) applications. |
| Managed Installer | Enabled:Managed Installer | 13 | Automatically allows applications installed by a managed installer. |
| Intelligent Security Graph | Enabled:Intelligent Security Graph Authorization | 14 | Automatically allows applications with a "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). |
| Invalidate EAs on Reboot | Enabled:Invalidate EAs on Reboot | 15 | Used together with rule option 14: causes WDAC to periodically revalidate the reputation of files that were authorized by the ISG, by invalidating the cached extended attributes on reboot. |
| Update Policy without Rebooting | Enabled:Update Policy No Reboot | 16 | Allows future policy updates to apply without requiring a system reboot (supported on Windows 10, version 1709 and later). |
| Allow Supplemental Policies | Enabled:Allow Supplemental Policies | 17 | Allows supplemental policies to expand a base policy (supported on Windows 10, version 1903 and later). |
| Disable Runtime Filepath Rules | Disabled:Runtime FilePath Rule Protection | 18 | Disables the default runtime check that only honors FilePath rules for paths that are writable by administrators only. With the check disabled, a path rule on a user-writable directory lets any user place executable code in an allowed location (supported on Windows 10, version 1903 and later). |
| Dynamic Code Security | Enabled:Dynamic Code Security | 19 | Enables policy enforcement for .NET applications and dynamically loaded libraries (supported on Windows 10, version 1803 and later). |
| Treat Revoked as Unsigned | Enabled:Revoked Expired As Unsigned | 20 | Treats binaries signed with expired and/or revoked certificates as unsigned binaries for user-mode processes and components, under enterprise signing scenarios. |
| Hypervisor-Protected Code Integrity | – (HvciOptions element, not a rule option) | – (Set-HVCIOptions cmdlet) | Runs the code integrity service in a virtualization-based, hypervisor-protected environment, isolating kernel-mode code integrity checks from the kernel itself. |
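To show how the sliders, the -Option numbers and the strings in the XML line up, here is an added example (not code from the original post or from the WDAC Wizard) that builds a base policy purely with the ConfigCI cmdlets and then reads back the Rules section of the resulting XML. It assumes the DefaultWindows_Audit.xml template that ships under C:\Windows\schemas\CodeIntegrity\ExamplePolicies on current Windows 10/11 builds, and the output paths under $env:TEMP are arbitrary choices for the example.

```powershell
# Added example: drive the same rule options the Wizard sliders set, then verify the XML.
# Assumption: the DefaultWindows_Audit.xml template exists on this machine.
$Template = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml'
$Policy   = Join-Path $env:TEMP 'MyBasePolicy.xml'   # assumed output path
Copy-Item -Path $Template -Destination $Policy -Force

# Option numbers as they appear in the table above (the "PowerShell option" column).
# Enabling a slider == Set-RuleOption -Option <n>; disabling it == the same call with -Delete.
$EnableOptions = @(
    0,   # Enabled:UMCI
    2,   # Required:WHQL
    12,  # Required:Enforce Store Applications
    16,  # Enabled:Update Policy No Reboot
    17,  # Enabled:Allow Supplemental Policies
    19,  # Enabled:Dynamic Code Security
    20   # Enabled:Revoked Expired As Unsigned
)
foreach ($Option in $EnableOptions) {
    Set-RuleOption -FilePath $Policy -Option $Option
}

# Moving from audit to enforcement is the removal of option 3, not the addition of anything.
Set-RuleOption -FilePath $Policy -Option 3 -Delete

# HVCI is not a rule option; it lives in the HvciOptions element and has its own cmdlet.
Set-HVCIOptions -Enabled -FilePath $Policy

# Read the Rules section back instead of trusting that every cmdlet call took effect.
function Get-WdacRuleOption {
    param([Parameter(Mandatory)][string]$Path)
    $Xml = [xml](Get-Content -Path $Path -Raw)
    # Each <Rule> holds one <Option> string such as "Enabled:UMCI".
    $Xml.SiPolicy.Rules.Rule | ForEach-Object { $_.Option }
}

$Options = Get-WdacRuleOption -Path $Policy
$Options | Sort-Object

# Checks a practitioner wants before deploying: these are the options that
# silently weaken a policy when left at the Wizard/template defaults.
if ($Options -contains 'Enabled:Audit Mode') {
    Write-Warning 'Policy is still in audit mode; nothing will be blocked.'
}
if ($Options -contains 'Enabled:Unsigned System Integrity Policy') {
    Write-Warning 'Policy is unsigned; a local administrator can replace or remove it.'
}
if ($Options -contains 'Disabled:Runtime FilePath Rule Protection') {
    Write-Warning 'FilePath rules on user-writable paths will be honored.'
}
if ($Options -notcontains 'Enabled:UMCI') {
    Write-Warning 'UMCI is off; only kernel-mode drivers are controlled.'
}

# Compile the XML into the binary form that the Code Integrity engine consumes.
$Binary = Join-Path $env:TEMP 'MyBasePolicy.bin'   # assumed output path
ConvertFrom-CIPolicy -XmlFilePath $Policy -BinaryFilePath $Binary
```

Running this on a default template leaves option 6 (Enabled:Unsigned System Integrity Policy) in place on purpose, so the warning about the unsigned policy is expected; removing that option with `-Delete` is the point at which the policy must be signed and an UpdatePolicySigners entry added before deployment.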
In the end, the WDAC policy wizard is a great starting point for creating custom WDAC policies, and the table above shows that it hides nothing: every slider maps to a rule option that can also be set or removed with Set-RuleOption.
For more information about WDAC and the WDAC policy wizard, please refer to the following docs.
- Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows) – Windows security | Microsoft Docs
- Windows Defender Application Control Wizard – Windows security | Microsoft Docs
- Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net)
- GitHub – MicrosoftDocs/WDAC-Toolkit: Documentation and tools to access Windows Defender Application Control (WDAC) technology.