Forum Discussion
WDAC Lightly managed devices policy
Hello community, we are gaining some experience with WDAC policies, starting from the basics.
I'm trying to follow the example mentioned in this article: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-for-lightly-managed-devices#create-a-custom-base-policy-using-an-example-wdac-base-policy
According to it, I would be able to use the example file named SmartAppControl.xml. This file should be in the path C:\Windows\schemas\CodeIntegrity\ExamplePolicies, along with the other policies documented at this link: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/example-wdac-base-policies
The problem is, we do not have that xml file in that path, or anywhere else, on any of the machines we are checking (Windows 10/11, various versions, managed and not managed, created from scratch or old).
So, what am I missing, considering that the other documented .xml files are present in the same path?
Anyone having the same experience?
6 Replies
- Jonathan Green (Brass Contributor): Hello, we use WDAC heavily on several thousand endpoints. How can I help?
- Nice to see nobody has an answer for this
- Jonathan Green (Brass Contributor):
In case you missed it, Microsoft stated in a previous post about Windows 11 22H2 that Smart App policies would only deploy to a device that was a fresh install. At the same time, I haven't checked in either case (though it is also not present in my directories, here: C:\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml). Likely, the policy does not exist because I am not on a fresh install. Are you looking for a device that has a fresh install of Win11 22H2?
Regardless, you don't need that one. If you have some form of management or can use Intune's WDAC policy (currently in preview) with its managed installer, you could implement it without worrying about getting the policy onto devices. Another approach is to run a PowerShell script that echoes the content into a file in the appropriate directory. To make it easier, you should encode the contents into Base64 as a variable and then have the script decode it as it echoes into the file.
Back to the policy. Suppose you don't have SmartAppControl.xml; the good news is that all that policy contains is a profile you can make with the WDAC wizard. You can find the app provided by Microsoft below:
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard
Just in case it disappears from that page and you find a 404 in the future, here is a direct link below:
https://webapp-wdac-wizard.azurewebsites.net/
Further, here is a list of the sources for the WDAC Wizard repo:
https://github.com/MicrosoftDocs/WDAC-Toolkit
Finally, the Smart App XML policy is nearly identical to the policy generated using the WDAC wizard and selecting the "Signed and Reputable Mode." (I wish I had added a picture. I can edit. I will check after I post.) Play around with it and have fun.
I hope my reply meets your expectations.
Stay safe, and good luck!
- Hello Jonathan, thank you very much for taking the time to write all this information.
To give you some background: yes, I did my tests on several freshly installed W11 and W10 machines, and all of them were the very latest version. Creating the test client in Azure also assures you are running W11 22H2.
And yes, after that we used the wizard and we probably have what we needed. I posted the question since our customer is a bit disappointed about it and they think this is a solution Microsoft is not really maintaining.
Anyway, we needed a policy that allows executables to run only from the Program Files folders and from windir, blocking everything else that is not a Windows/Office component. We did it with the wizard.
Since you have experience, let me ask you two questions, please. The first one is: how do you distribute the policy? Our plan is to use Intune.
The second question is: did you find a way to disable a policy on demand without uninstalling it using the script provided in the documentation?
My plan was to create a policy in audit mode and one in no-audit mode, and distribute the no-audit one. Whenever the helpdesk needs to disable it for any reason, they should install the audit-mode policy over the existing one.
Thank you!
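The two ideas in this thread, Jonathan's "embed the file as Base64 in a PowerShell script" delivery and the audit/enforce swap planned in the reply above, fit together in one build script. The following is an added example written for this page; it is not code from the thread, from the WDAC Wizard, or from Microsoft's documentation. It assumes an unsigned, multiple-policy-format XML exported from the wizard at a placeholder path, the ConfigCI cmdlets (Set-RuleOption, ConvertFrom-CIPolicy) that ship with Windows 10/11, and CiTool.exe, which exists on Windows 11 22H2 and later; the work directory and file names are placeholders too.

```powershell
# Added example, not from the thread. Builds an audit-mode and an enforced
# variant of one WDAC policy, compiles both to .cip, and writes a deployment
# script per variant that carries the .cip as Base64 and decodes it on the
# device. Run as administrator on a build machine.
$SourceXml = 'C:\WDAC\LightlyManaged.xml'   # placeholder: policy exported from the WDAC Wizard
$WorkDir   = 'C:\WDAC\build'                # placeholder
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Both variants keep the same PolicyID, so installing one over the other
# replaces it in place instead of adding a second, parallel policy.
[xml]$Doc = Get-Content -Path $SourceXml
$PolicyId = $Doc.SiPolicy.PolicyID           # e.g. {A244370E-...}, braces included

$Variants = @{
    Audit   = Join-Path $WorkDir 'LightlyManaged-Audit.xml'
    Enforce = Join-Path $WorkDir 'LightlyManaged-Enforce.xml'
}
foreach ($Name in $Variants.Keys) {
    Copy-Item -Path $SourceXml -Destination $Variants[$Name] -Force
}

# Rule option 3 is "Enabled:Audit Mode"; -Delete removes it for enforcement.
Set-RuleOption -FilePath $Variants.Audit   -Option 3
Set-RuleOption -FilePath $Variants.Enforce -Option 3 -Delete

# Compile each XML to the binary .cip that Code Integrity actually loads.
$Cips = @{}
foreach ($Name in $Variants.Keys) {
    $Cips[$Name] = Join-Path $WorkDir "LightlyManaged-$Name.cip"
    ConvertFrom-CIPolicy -XmlFilePath $Variants[$Name] -BinaryFilePath $Cips[$Name] | Out-Null
}

function New-CipDeployScript {
    # Writes a self-contained script that embeds the .cip as a Base64 string,
    # decodes it on the target and applies it with CiTool. Delivering the
    # Enforce script installs the policy; delivering the Audit script over it
    # is the "disable on demand" swap, because the PolicyID is unchanged.
    param(
        [Parameter(Mandatory)] [string] $CipPath,
        [Parameter(Mandatory)] [string] $OutScript,
        [Parameter(Mandatory)] [string] $PolicyId
    )
    $B64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($CipPath))
    # Backtick-escaped `$ are evaluated on the device; $B64 and $PolicyId
    # are expanded here, at build time.
    $Body = @"
`$Bytes = [Convert]::FromBase64String('$B64')
`$Dest  = Join-Path `$env:ProgramData '$PolicyId.cip'
[IO.File]::WriteAllBytes(`$Dest, `$Bytes)
& "`$env:SystemRoot\System32\CiTool.exe" --update-policy `$Dest
if (`$LASTEXITCODE -eq 0) { Remove-Item -Path `$Dest -Force }
"@
    Set-Content -Path $OutScript -Value $Body -Encoding UTF8
}

foreach ($Name in $Cips.Keys) {
    New-CipDeployScript -CipPath $Cips[$Name] `
                        -OutScript (Join-Path $WorkDir "Deploy-$Name.ps1") `
                        -PolicyId $PolicyId
}
```

Deploy-Enforce.ps1 and Deploy-Audit.ps1 can then be uploaded to Intune as PowerShell scripts and assigned to the device groups; because the Intune WDAC profile can also take the policy directly, the Base64 route mainly matters when you want the helpdesk to be able to push the audit variant on demand. Two caveats: CiTool applies an unsigned policy without a reboot, but on builds older than Windows 11 22H2 the .cip has to be copied into C:\Windows\System32\CodeIntegrity\CiPolicies\Active\ under its PolicyID name and the device rebooted; and once a policy has been signed, it can only be replaced by another signed policy, so the audit/enforce swap must be decided before signing.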