{"id":410,"date":"2021-04-09T09:15:53","date_gmt":"2021-04-09T09:15:53","guid":{"rendered":"https:\/\/jadijkstra.nl\/?p=410"},"modified":"2021-04-09T09:15:56","modified_gmt":"2021-04-09T09:15:56","slug":"microsoft-wdac","status":"publish","type":"post","link":"https:\/\/jadijkstra.nl\/index.php\/2021\/04\/09\/microsoft-wdac\/","title":{"rendered":"Microsoft WDAC"},"content":{"rendered":"\n<p>In this post I will go through implementing Microsoft WDAC.<br>WDAC is Windows Defender Application Control.<\/p>\n\n\n\n<p>It is more effective than Microsoft AppLocker: WDAC is enforced by the code integrity engine in the kernel, applies to administrators as well as standard users and can also govern kernel drivers, whereas AppLocker is enforced in user mode and only covers user-mode binaries and scripts.<br>I am implementing this for a customer environment.<\/p>\n\n\n\n<p>Let&#8217;s go!<\/p>\n\n\n\n<p>First, you need a reference machine on which you create the base policy. Important to know: every application you want to allow needs to be installed before you start the policy creation process, because the rules you add in the wizard point at files on that machine.<\/p>\n\n\n\n<p>Luckily there is a GUI for creating a policy, which can be downloaded here: <a href=\"https:\/\/bit.ly\/3koHwYs\">Microsoft WDAC Wizard<\/a><\/p>\n\n\n\n<p>The file you download is an MSIX package, which you can install with PowerShell. 
Really easy:<\/p>\n\n\n\n<p>On the reference machine, download the Microsoft WDAC Wizard MSIX, put it in a directory of your choice and open PowerShell:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"778\" height=\"272\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image.png\" alt=\"\" class=\"wp-image-411\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image.png 778w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-300x105.png 300w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-768x269.png 768w\" sizes=\"(max-width: 778px) 100vw, 778px\" \/><\/figure>\n\n\n\n<p>Run the following command to install the WDAC Wizard (Add-AppPackage is an alias of Add-AppxPackage):<\/p>\n\n\n\n<p><em>Add-AppPackage -path &quot;C:\\temp\\WDACWizard_1.6.3.0_x64_8wekyb3d8bbwe.MSIX&quot;<\/em><\/p>\n\n\n\n<p>Of course, make sure the path after -path matches your environment and the file name of the MSIX version you downloaded!<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"758\" height=\"95\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-1.png\" alt=\"\" class=\"wp-image-412\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-1.png 758w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-1-300x38.png 300w\" sizes=\"(max-width: 758px) 100vw, 758px\" \/><\/figure>\n\n\n\n<p>Once installed, it appears in the Start menu:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"405\" height=\"134\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-2.png\" alt=\"\" class=\"wp-image-413\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-2.png 405w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-2-300x99.png 300w\" sizes=\"(max-width: 405px) 100vw, 405px\" \/><\/figure>\n\n\n\n<p>When starting the WDAC 
Wizard:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"614\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-3-1024x614.png\" alt=\"\" class=\"wp-image-414\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-3-1024x614.png 1024w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-3-300x180.png 300w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-3-768x461.png 768w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-3.png 1235w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>You can immediately start creating a new policy, edit an existing policy, or merge two existing policies into one.<br>I am going to create a new policy from my reference machine.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"659\" height=\"521\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-4.png\" alt=\"\" class=\"wp-image-415\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-4.png 659w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-4-300x237.png 300w\" sizes=\"(max-width: 659px) 100vw, 659px\" \/><\/figure>\n\n\n\n<p>I am going to use the Multiple Policy Format and select Base Policy, as this is my first policy to create. A base policy can later be extended with supplemental policies without rebuilding it, which is why the multiple policy format (supported from Windows 10 1903 onwards) is the right choice for a new deployment:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"616\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-5-1024x616.png\" alt=\"\" class=\"wp-image-416\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-5-1024x616.png 1024w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-5-300x181.png 300w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-5-768x462.png 768w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-5.png 1231w\" 
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Next, we can choose between Default Windows Mode, Allow Microsoft Mode and Signed and Reputable Mode.<br>Default Windows Mode allows only the Windows operating system components, Microsoft Store apps and WHQL-signed drivers, plus the rules you add yourself; Allow Microsoft Mode additionally allows everything signed by Microsoft; Signed and Reputable Mode additionally allows applications that have a good reputation according to the ISG (<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-application-control\/use-windows-defender-application-control-with-intelligent-security-graph\">Intelligent Security Graph<\/a>), which replaces an explicit rule with a cloud reputation lookup and is therefore the most permissive of the three.<\/p>\n\n\n\n<p>I will choose the Allow Microsoft Mode, as the applications won&#8217;t be delivered through a portal of some kind. The applications being used in the company are static, so an explicit rule per application is manageable.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"618\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-6-1024x618.png\" alt=\"\" class=\"wp-image-417\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-6-1024x618.png 1024w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-6-300x181.png 300w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-6-768x463.png 768w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-6.png 1233w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>In the next screen, we are able to select the policy rules which should be set:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"619\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-7-1024x619.png\" alt=\"\" class=\"wp-image-418\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-7-1024x619.png 1024w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-7-300x181.png 300w, 
https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-7-768x464.png 768w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-7.png 1236w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I have changed the settings to the following for customer-specific needs:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"619\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-8-1024x619.png\" alt=\"\" class=\"wp-image-419\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-8-1024x619.png 1024w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-8-300x181.png 300w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-8-768x464.png 768w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-8.png 1231w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I will leave the policy in Audit Mode for now, to see what the policy would do. In audit mode nothing is blocked, but every file that would have been blocked is logged to the Microsoft-Windows-CodeIntegrity\/Operational event log as event ID 3076, so you can find the rules you are still missing before switching to enforce mode.<\/p>\n\n\n\n<p>There are additional Advanced Options available:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"617\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-9-1024x617.png\" alt=\"\" class=\"wp-image-421\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-9-1024x617.png 1024w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-9-300x181.png 300w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-9-768x463.png 768w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-9.png 1235w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>But I won&#8217;t be using them right now.<\/p>\n\n\n\n<p>In the next screen, you are able to create allow or deny rules for applications, based on publisher, path or hash value. Publisher rules are the most maintainable, because they keep working when the application is updated; a hash rule breaks at every update, and a path rule is only safe for locations that standard users cannot write to.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" 
width=\"1024\" height=\"617\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-10-1024x617.png\" alt=\"\" class=\"wp-image-423\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-10-1024x617.png 1024w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-10-300x181.png 300w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-10-768x463.png 768w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-10.png 1234w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>We can create additional rules for applications here. I am going to create a rule for Google Chrome:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"766\" height=\"870\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-11.png\" alt=\"\" class=\"wp-image-424\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-11.png 766w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-11-264x300.png 264w\" sizes=\"(max-width: 766px) 100vw, 766px\" \/><\/figure>\n\n\n\n<p>You can even create custom rule exceptions for this rule:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"770\" height=\"871\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-12.png\" alt=\"\" class=\"wp-image-426\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-12.png 770w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-12-265x300.png 265w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-12-768x869.png 768w\" sizes=\"(max-width: 770px) 100vw, 770px\" \/><\/figure>\n\n\n\n<p>When added, it should be in the list:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"616\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-13-1024x616.png\" alt=\"\" 
class=\"wp-image-427\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-13-1024x616.png 1024w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-13-300x180.png 300w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-13-768x462.png 768w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-13.png 1234w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Do this for every application you need to allow!<\/p>\n\n\n\n<p>When ready, click Next.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"933\" height=\"523\" src=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-14.png\" alt=\"\" class=\"wp-image-428\" srcset=\"https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-14.png 933w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-14-300x168.png 300w, https:\/\/jadijkstra.nl\/wp-content\/uploads\/2021\/04\/image-14-768x431.png 768w\" sizes=\"(max-width: 933px) 100vw, 933px\" \/><\/figure>\n\n\n\n<p>The policy is being created! The wizard writes the policy as XML together with the compiled binary policy file, and the binary is what gets deployed to the clients.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post I will go through implementing Microsoft WDAC. WDAC is Windows Defender Application Control. It is more effective than Microsoft AppLocker. I am implementing this for a customer environment. Let&#8217;s go! First, you need to have a reference machine which you use to create the base policy. 
Important to know is that all [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/jadijkstra.nl\/index.php\/wp-json\/wp\/v2\/posts\/410"}],"collection":[{"href":"https:\/\/jadijkstra.nl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jadijkstra.nl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jadijkstra.nl\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jadijkstra.nl\/index.php\/wp-json\/wp\/v2\/comments?post=410"}],"version-history":[{"count":4,"href":"https:\/\/jadijkstra.nl\/index.php\/wp-json\/wp\/v2\/posts\/410\/revisions"}],"predecessor-version":[{"id":429,"href":"https:\/\/jadijkstra.nl\/index.php\/wp-json\/wp\/v2\/posts\/410\/revisions\/429"}],"wp:attachment":[{"href":"https:\/\/jadijkstra.nl\/index.php\/wp-json\/wp\/v2\/media?parent=410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jadijkstra.nl\/index.php\/wp-json\/wp\/v2\/categories?post=410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jadijkstra.nl\/index.php\/wp-json\/wp\/v2\/tags?post=410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
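The same procedure the post walks through in the wizard (Allow Microsoft Mode base policy in Multiple Policy Format, a custom rule for Google Chrome, audit mode), done with the ConfigCI cmdlets that ship with Windows, plus the audit-log check that tells you which rules are still missing. This is an added example and not code from the original post or from the WDAC Wizard; the working directory C:\temp\WDAC, the Chrome install path, the policy name Customer-Base and the requirement of an elevated Windows PowerShell 5.1 session on a Windows 10 1903 or later reference machine are assumptions, as is the set of rule options, which should be matched to the check boxes chosen in the wizard.

```powershell
# Added example, not code from the original post: build the wizard's "Allow Microsoft Mode"
# base policy in Multiple Policy Format, in audit mode, with a publisher rule for Google
# Chrome, using the ConfigCI module built into Windows 10 1903+.
# Assumptions: $Work, $ChromeExe and the policy name are placeholders; run in an elevated
# Windows PowerShell 5.1 session (ConfigCI is not available in PowerShell 7).
$ErrorActionPreference = 'Stop'
$Work = 'C:\temp\WDAC'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. The wizard's Allow Microsoft Mode is based on this template shipped with Windows.
$BasePolicy = Join-Path $Work 'AllowMicrosoft-Base.xml'
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml" $BasePolicy

# 2. Fresh base-policy GUID; -ResetPolicyID also converts the XML to multiple policy format.
Set-CIPolicyIdInfo -FilePath $BasePolicy -PolicyName 'Customer-Base' -ResetPolicyID | Out-Null

# 3. The custom rule step: allow Chrome by publisher, falling back to hash if a file is unsigned.
#    The application must already be installed on the reference machine, as the post says.
$ChromeExe    = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
$ChromeRules  = New-CIPolicyRule -Level Publisher -Fallback Hash -DriverFilePath $ChromeExe
$ChromePolicy = Join-Path $Work 'Chrome.xml'
New-CIPolicy -FilePath $ChromePolicy -Rules $ChromeRules -MultiplePolicyFormat -UserPEs

# 4. Merge the base template and the custom rules into the policy that will be deployed.
$Merged = Join-Path $Work 'Customer-Base.xml'
Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $BasePolicy, $ChromePolicy | Out-Null

# 5. Policy rules (the wizard's check boxes). Numbers are the Set-RuleOption option IDs.
$Options = @{
    0  = 'Enabled:UMCI (user-mode code integrity; without it only drivers are checked)'
    3  = 'Enabled:Audit Mode (log only, block nothing; remove with -Delete to enforce)'
    6  = 'Enabled:Unsigned System Integrity Policy (the policy itself is not signed yet)'
    9  = 'Enabled:Advanced Boot Options Menu'
    10 = 'Enabled:Boot Audit on Failure'
    16 = 'Enabled:Update Policy No Reboot'
    17 = 'Enabled:Allow Supplemental Policies'
}
# Option 14 (Enabled:Intelligent Security Graph Authorization) is what "Signed and
# Reputable Mode" adds on top of this; deliberately not set here.
foreach ($opt in ($Options.Keys | Sort-Object)) { Set-RuleOption -FilePath $Merged -Option $opt }

# 6. Compile to the binary the kernel loads. In multiple policy format the file name is the GUID.
$PolicyId = ([xml](Get-Content -Raw $Merged)).SiPolicy.PolicyID   # "{GUID}"
$Cip = Join-Path $Work "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Cip | Out-Null

# 7. Local deployment on the reference machine for the audit run
#    (fleet rollout goes through Intune, Group Policy or Configuration Manager).
$Active = "$env:windir\System32\CodeIntegrity\CiPolicies\Active"
New-Item -ItemType Directory -Path $Active -Force | Out-Null
Copy-Item $Cip (Join-Path $Active "$PolicyId.cip") -Force
# Reboot, or run Microsoft's RefreshPolicy tool, to activate the policy.

# 8. What audit mode is for: event 3076 = would have been blocked (audit), 3077 = blocked
#    (enforced). Review these before switching the policy to enforce mode.
function Get-WdacAuditEvent {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $action = if ($_.Id -eq 3076) { 'audit: would block' } else { 'blocked' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = $action
            File    = $data['FileNameBuffer']      # field names as logged by events 3076/3077
            Process = $data['ProcessNameBuffer']
            Policy  = $data['PolicyNameBuffer']
        }
    }
}
Get-WdacAuditEvent | Format-Table -AutoSize
```

Run the script, use the machine normally for a few days, and re-run Get-WdacAuditEvent: every file it lists is a rule the base policy is still missing. Only after that list is empty (or every entry is something you intend to block) remove option 3 with `Set-RuleOption -FilePath $Merged -Option 3 -Delete`, recompile and redeploy.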