Translating Windows Defender Application Control Policy Wizard sliders to Windows Defender Application Control policy options

This week is a short post focused on Windows Defender Application Control (WDAC). More specifically, this short post is focused on the different policy rules that can be configured by using the Windows Defender Application Control Policy Wizard. That policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. It provides IT administrators with a user-friendly method for creating, editing and merging WDAC policies. The WDAC policy wizard relies on the ConfigCI PowerShell cmdlets, which makes sure that the output of the policy wizard is identical to using the cmdlets manually. WDAC is generally used to control what runs on Windows 10 and Windows 11 devices. That is achieved by setting policies that specify whether a driver or application is trusted. One of the main components of WDAC policies are the policy options. Those options can be used to define the rules of the WDAC policy. The WDAC policy wizard provides a nice and simple method for configuring the policy options. This blog post will focus on the policy options, by showing the configuration options via PowerShell and the Wizard, and by providing an overview of how those configuration options relate.

Windows Defender Application Control policy options

The WDAC policy wizard is a great open-source Windows app that provides a very simple UI for creating a WDAC policy. That enables the IT administrator to create a great starting point without diving into PowerShell and XML. The WDAC policy wizard relies on the ConfigCI PowerShell cmdlets. That makes sure that the result is the same as well: an XML file that can be used for configuring the WDAC policy on a Windows 10 or Windows 11 device. The main configurations are around the signing rules – the rules for signed files based on their publisher, path or hash value – and the policy rules. The policy rules determine the behavior of the WDAC policy. Currently there are 18 configurable policy rules available. All of these are configurable via the WDAC policy wizard (as shown below in Figure 1).

Enabling the different sliders basically achieves the same as running the Set-RuleOption cmdlet with the related policy rule option. An example for enabling User Mode Code Integrity is shown below.

Set-RuleOption -FilePath <Path to policy XML> -Option 0

The different sliders in the WDAC policy wizard can be simply translated to the actual WDAC policy rule options and the PowerShell options. The WDAC policy rule option is the actual configuration in the XML and the PowerShell option is the value of the -Option parameter that should be used with the Set-RuleOption cmdlet. The table below provides a quick overview of the different options and a quick explanation of their usage.

| WDAC policy rule slider | WDAC policy rule option | PowerShell option | Description |
|---|---|---|---|
| User Mode Code Integrity | Enabled:UMCI | 0 | This rule option can be used to also validate user mode executables and scripts. |
| | Enabled:Boot Menu Protection | 1 | This rule option is not currently supported. |
| Require WHQL | Required:WHQL | 2 | This rule option can be used to require that every executed driver is WHQL signed and removes legacy driver support. |
| Audit Mode | Enabled:Audit Mode (Default) | 3 | This rule option can be used to identify the potential impact of a policy by using audit mode. |
| Disable Flight Signing | Disabled:Flight Signing | 4 | This rule option can be used to prevent trusting flightroot-signed binaries (non-pre-release Windows builds). |
| | Enabled:Inherit Default Policy | 5 | This rule option is reserved for future use and currently has no effect. |
| Unsigned System Integrity Policy | Enabled:Unsigned System Integrity Policy (Default) | 6 | This rule option can be used to allow the policy to remain unsigned. |
| | Allowed:Debug Policy Augmented | 7 | This rule option is not currently supported. |
| Require EV Signers | Required:EV Signers | 8 | This rule option can be used to require that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. |
| Advanced Boot Options Menu | Enabled:Advanced Boot Options Menu | 9 | This rule option can be used to allow the F8 menu to appear to physically present users. |
| Boot Audit on Failure | Enabled:Boot Audit on Failure | 10 | This rule option can be used to place the policy in audit mode so that Windows will load when a driver fails during startup. |
| Disable Script Enforcement | Disabled:Script Enforcement | 11 | This rule option can be used to disable script enforcement. |
| Enforce Store Applications | Required:Enforce Store Applications | 12 | This rule option can be used to also apply the policy to Universal Windows applications. |
| Managed Installer | Enabled:Managed Installer | 13 | This rule option can be used to automatically allow applications installed by a managed installer. |
| Intelligent Security Graph | Enabled:Intelligent Security Graph Authorization | 14 | This rule option can be used to automatically allow applications with “known good” reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
| Invalidate EAS on Reboot | Enabled:Invalidate EAs on Reboot | 15 | This rule option can be used to cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG. Used in combination with rule option 15. |
| Update Policy without Rebooting | Enabled:Update Policy No Reboot | 16 | This rule option can be used to allow future policy updates to apply without requiring a system reboot (supported on Windows 10, version 1709 and later). |
| Allow Supplemental Policies | Enabled:Allow Supplemental Policies | 17 | This rule option can be used to allow supplemental policies on a base policy to expand it (supported on Windows 10, version 1903 and later). |
| Disable Runtime Filepath Rules | Disabled:Runtime FilePath Rule Protection | 18 | This rule option can be used to disable the default runtime check that only allows FilePath rules for paths that are only writable by an administrator (supported on Windows 10, version 1903 and later). |
| Dynamic Code Security | Enabled:Dynamic Code Security | 19 | This rule option can be used to enable policy enforcement for .NET applications and dynamically loaded libraries (supported on Windows 10, version 1803 and later). |
| Treat Revoked as Unsigned | Enabled:Revoked Expired As Unsigned | 20 | This rule option can be used to treat binaries signed with expired and/or revoked certificates as “Unsigned binaries” for user-mode processes/components, under enterprise signing scenarios. |
| Hypervisor-Protected Code Integrity | | | This setting can be used to make sure that code integrity runs in a hypervisor-protected container. |
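The script below is an added example (it is not code from this post or from the WDAC Policy Wizard project) that applies the translation in the table in the other direction: it takes the slider labels from the Wizard, turns them into the matching Set-RuleOption -Option numbers, and then reads the resulting Rule/Option elements back out of the policy XML so the effect of each slider can be verified, or an existing policy audited. It assumes the ConfigCI module is available (a Windows 10 or 11 machine), that the policy XML has the usual SiPolicy/Rules/Rule/Option layout, and that the path stored in $PolicyPath is a placeholder you replace with your own policy file.

```powershell
# Added example, not part of the original post or the Policy Wizard project.
# Assumes the ConfigCI module (Set-RuleOption) is available, i.e. it runs on
# Windows 10/11, and that $PolicyPath points at an existing WDAC policy XML
# (for instance one exported by the Policy Wizard or created by New-CIPolicy).

# Slider label (as shown in the Wizard) -> Set-RuleOption -Option number,
# taken from the table above. Options 1, 5 and 7 have no slider, and the
# HVCI slider is not a rule option, so they are left out on purpose.
$SliderToOption = [ordered]@{
    'User Mode Code Integrity'         = 0
    'Require WHQL'                     = 2
    'Audit Mode'                       = 3
    'Disable Flight Signing'           = 4
    'Unsigned System Integrity Policy' = 6
    'Require EV Signers'               = 8
    'Advanced Boot Options Menu'       = 9
    'Boot Audit on Failure'            = 10
    'Disable Script Enforcement'       = 11
    'Enforce Store Applications'       = 12
    'Managed Installer'                = 13
    'Intelligent Security Graph'       = 14
    'Invalidate EAs on Reboot'         = 15
    'Update Policy without Rebooting'  = 16
    'Allow Supplemental Policies'      = 17
    'Disable Runtime Filepath Rules'   = 18
    'Dynamic Code Security'            = 19
    'Treat Revoked as Unsigned'        = 20
}

function Set-WdacSlider {
    # Hypothetical helper: switches Wizard sliders on or off via Set-RuleOption.
    param(
        [Parameter(Mandatory)] [string]   $PolicyPath,
        [Parameter(Mandatory)] [string[]] $Enable,      # slider labels to switch on
        [string[]] $Disable = @()                       # slider labels to switch off
    )
    foreach ($label in $Enable) {
        if (-not $SliderToOption.Contains($label)) { throw "Unknown slider: $label" }
        Set-RuleOption -FilePath $PolicyPath -Option $SliderToOption[$label]
    }
    foreach ($label in $Disable) {
        if (-not $SliderToOption.Contains($label)) { throw "Unknown slider: $label" }
        # -Delete removes the option from the <Rules> section of the XML
        Set-RuleOption -FilePath $PolicyPath -Option $SliderToOption[$label] -Delete
    }
}

function Get-WdacRuleOption {
    # Hypothetical helper: reads the <Rules><Rule><Option> values back from the
    # policy XML, which is the "WDAC policy rule option" column of the table.
    param([Parameter(Mandatory)] [string] $PolicyPath)
    [xml]$policy = Get-Content -Path $PolicyPath -Raw
    $policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option }
}

# Usage: validate user-mode code, keep audit mode on for the pilot phase,
# allow policy updates without a reboot, and make sure script enforcement
# is not disabled. The path is a placeholder for your own policy file.
$PolicyPath = 'C:\WDAC\BasePolicy.xml'
Set-WdacSlider -PolicyPath $PolicyPath `
    -Enable  @('User Mode Code Integrity', 'Audit Mode', 'Update Policy without Rebooting') `
    -Disable @('Disable Script Enforcement')

# Prints one line per option, e.g. Enabled:UMCI, Enabled:Audit Mode, ...
Get-WdacRuleOption -PolicyPath $PolicyPath
```

Because Set-RuleOption only edits the XML, nothing is enforced until the policy is converted and deployed, so running Get-WdacRuleOption on the file before deployment is a cheap way to confirm that a policy meant for a pilot still contains Enabled:Audit Mode and that enforcement-weakening options such as Disabled:Script Enforcement are really gone.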

All in all, the WDAC policy wizard is a great starting point for creating custom WDAC policies.

More information

For more information about WDAC and the WDAC policy wizard, please refer to the following docs.
