Forum Discussion
WDAC Lightly managed devices policy
In case you missed it, Microsoft stated in a previous post about Windows 11 22H2 that Smart App policies would only deploy to a device that was a fresh install. At the same time, I haven't checked in either case (though also not present in my directories (here: C:\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml). Likely, the policy does not exist because I am not on a fresh install. Are you looking for a device that has a fresh install of Win11 22H2?
Regardless, you don't need that one. If you have some form of management or can use Intune's WDAC policy (currently in preview) with its managed installer, you could implement it without worrying about getting the policy onto devices. Another approach is to run a PowerShell script that echoes the content into a file in the appropriate directly. To make it easier, you should encode the contents into Base64 as a variable and then have the script decode it as it echoes into the file.
Back to the policy. Suppose you don't have SmartAppControl.xml; the good news is that all that policy contains is a profile you can make with the WDAC wizard. You can find the app provided by Microsoft below:
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard
Just in case it disappears from that page and you find a 404 in the future, here is a direct link below:
https://webapp-wdac-wizard.azurewebsites.net/
Further, here is a list of the sources for the WDAC Wizard repo:
https://github.com/MicrosoftDocs/WDAC-Toolkit
Finally, the Smart App XML policy is nearly identical to the policy generated using the WDAC wizard and selecting the "Signed and Reputable Mode." I wish I added a picture. I can edit. I will check after I post.) Play around with it and have fun.
I hope my reply meets your expectations.
Stay safe, and good luck!
In case you missed it, Microsoft stated in a previous post about Windows 11 22H2 that Smart App policies would only deploy to a device that was a fresh install. At the same time, I haven't checked in either case (though also not present in my directories (here: C:\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml). Likely, the policy does not exist because I am not on a fresh install. Are you looking for a device that has a fresh install of Win11 22H2?
Regardless, you don't need that one. If you have some form of management or can use Intune's WDAC policy (currently in preview) with its managed installer, you could implement it without worrying about getting the policy onto devices. Another approach is to run a PowerShell script that echoes the content into a file in the appropriate directly. To make it easier, you should encode the contents into Base64 as a variable and then have the script decode it as it echoes into the file.
Back to the policy. Suppose you don't have SmartAppControl.xml; the good news is that all that policy contains is a profile you can make with the WDAC wizard. You can find the app provided by Microsoft below:
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard
Just in case it disappears from that page and you find a 404 in the future, here is a direct link below:
https://webapp-wdac-wizard.azurewebsites.net/
Further, here is a list of the sources for the WDAC Wizard repo:
https://github.com/MicrosoftDocs/WDAC-Toolkit
Finally, the Smart App XML policy is nearly identical to the policy generated using the WDAC wizard and selecting the "Signed and Reputable Mode." I wish I added a picture. I can edit. I will check after I post.) Play around with it and have fun.
I hope my reply meets your expectations.
Stay safe, and good luck!
- Hello Jonathan, thank you very much for taking time to write all these information.
To give you some background, yes I did my tests on several fresh installed w11 and W10 and all them were the very last version. Creating the test client in Azure assure also you are running W11 22 H2.
And yes we after that used the wizard and we probably have what we needed. I posted the question since our customer is a bit disappointed about it and they thinking this a solution Microsoft is not really maintaining.
Anyway we needed a policy that allows to run executables only from Program files folders and from windir, blocking everything else that is not a windows/office component. We did it with the wizard.
Since you have experience, let me ask you two questions please. The first one is: how you distribute the policy, our plan is to use Intune.
The second question is: did you find a way to disable a policy on demand without un-installing it using the script provided in the documentation.
My plan was to create a policy in audit mode and one in no-audit mode, and distribute the no-audit. Once the helpdesk needs to disable it for any need, they should install the audit mode policy over the existing one.
Thank you!Audit x 1000.
To be successful, you need:
1.) An MDM - To manage the policies.
2.) A way to remote audit WDAC Events - To verify that your new policies have been added, monitor rule audits and blocks.
3.) Golden images or the ability to intervene quickly in the event of a problem. Stick to audit profiles until your logs verify it is ready for a block.
Regarding disabling WDAC policy, the script provided in the documentation works best. Intune, on its best days, is hit or miss. Even where you sync multiple times, in both the Intune portal and locally, devices struggle to update or communicate.
Consider a managed (by you) local automation that triggers every 24 hours or so (less if need be) to download the latest policy, unload the existing one, and load the new policy to receive changes. Wherever you host the policy, ensure it is well-guarded, and I recommend requiring a verifiable method of MFA to access updates, such as a YubiKey.
Start small, grow over time. The greatest asset is having the ability to know when an executable is running that shouldn't be. Expect that rules won't work as expected.- Thank you for you additional information. Lucky for us we need to deploy a very simple policy and probably we'll not change it very frequently.
The only big problem for the moment is that we have different behaviours between w10 and w11. We created a very simple policy using the default windows mode as a basis. We added exclusion for three paths (program files, program files x86 and windir).
We distributed the policy with Intune and yes, sometimes we need to force a couple of refreshes, but the policy is deployed quite fast. The only problem, on W10 it works as expected, on W11 it ignores the exlusion and blocks everything that is not microsoft signed.
The strange thing is that an identical W11 machine where we deploy the policy manually (from group policy loading directly the .bin) it works, but if we distribute with Intune it does not.
maybe we'll find something looking the audit logs.