Defender WDAC
Announcing App Control for Business (aka WDAC) with OSConfig

Windows Defender Application Control (WDAC) for business is a software-based security layer that reduces attack surface by enforcing an explicit list of software that is allowed to run. For Windows Server 2025, we have provided a Microsoft-defined 'default policy' which can be applied to the server via PowerShell cmdlets, powered by our security configuration platform, OSConfig. For more detailed information, please refer here.

The App Control feature provides two main operation modes, Audit mode and Enforcement mode. In Audit mode, untrusted code is allowed to run, and events are recorded. In Enforcement mode, untrusted code is blocked, and events are recorded. To learn more about Application Control for Business-related events, see List of Events.

As part of WS 2025, we want to make it easier for customers to deploy Application Control policies in audit mode and facilitate enforcement mode via a local tooling/PowerShell experience. There will be no Application Control policy in audit mode enabled by default in WS 2025. The only way to add Application Control for Business is via the OSConfig tool. Base policies are integrated in OSConfig (unsigned). Using these policies, users will be able to add supplemental policies to the existing base policies (to customize the default base policy).

Caution -- A production-signed Windows Server 2025 build is needed, since the App Control for Business policy doesn't allow flight-signed binaries. Prior to general availability, please download the production-signed preview by visiting the Microsoft Eval Center to try out the new features and experiences that Windows Server has to offer.

1.1 Application Control for Business – Apply

Pre-requisites: You have installed the 'OSConfig PowerShell Module' to configure Application Control for Business.
Install the package providers by running the following commands in an elevated PowerShell window:

    Install-PackageProvider -Name NuGet -Force
    Install-Module PowerShellGet -AllowClobber -Force

Close the PowerShell window. Open a new elevated PowerShell window and run the command below to install the OSConfig PowerShell module:

    Install-Module -Name Microsoft.OSConfig -AllowPrerelease -Force

1.2 Application Control for Business – Apply default policies

The next step is to install the default policies in audit mode:

    Set-OSConfigDesiredConfiguration -Scenario AppControl\WS2025\DefaultPolicy\Audit -Default
    Set-OSConfigDesiredConfiguration -Scenario AppControl\WS2025\AppBlockList\Audit -Default

1.3 Application Control for Business – Post-apply: check that the policies are present on your machine

Run citool to confirm the policies are in place. Hit enter twice after running the command below:

    citool -lp | findstr /I "WS2025"

You should see the following policies in the list:

    BlockUMCI_Microsoft_WS2025_Audit
    AllowMicrosoft_WS2025_Audit

1.4 Application Control for Business – After applying, ensure the policies are in effect on your machine

Run a 3rd-party application of your choice, then verify that an audit event was emitted for the 3rd-party app you ran, and that no event was emitted for any 1st-party apps you ran. In Event Viewer, open Applications and Services Logs -> Microsoft -> Windows -> CodeIntegrity -> Operational, choose Filter Current Log..., filter on audit event ID 3076, and check the event for the 3rd-party app.

1.5 Application Control for Business – Apply supplemental policies

Reset the filter: in the right panel, click on Filter Current Log... and click Clear to remove the previously applied filters. In Event Viewer, still under Applications and Services Logs -> Microsoft -> Windows -> CodeIntegrity -> Operational, select the Save All Events As... option in the right panel and save the .evtx file to the location of your choice. Copy the .evtx file to a Windows client device. On the Windows client device, install and start the WDAC Wizard.
Note: The WDAC Wizard installer will download .NET 8.0 if you don't have it already.

In the WDAC Wizard, select Policy Editor -> Convert Event Log to a WDAC Policy, then click the Parse Log File(s) button under Parse Event Log evtx Files to Policy. Select the .evtx file and click Next. Click +Add Allow for all items you want to add to the policy, then Next. The WDAC Wizard will show the location of the generated XML file on the next page. Copy the XML file to your server device.

On the server device, run the following commands:

    $policyPath = "<path to the XML file>"

    # Reset the policy GUID (best practice)
    Set-CIPolicyIdInfo -FilePath $policyPath -ResetPolicyID

    # Set the policy version (VersionEx in the XML file)
    $policyVersion = "1.0.0.1"
    Set-CIPolicyVersion -FilePath $policyPath -Version $policyVersion

    # Set the policy info (PolicyName, PolicyID in the XML file)
    Set-CIPolicyIdInfo -FilePath $policyPath -PolicyID "<App name>-Policy_$policyVersion" -PolicyName "<App name>-Policy"
    # E.g. Set-CIPolicyIdInfo -FilePath $policyPath -PolicyID "Chrome-Policy_$policyVersion" -PolicyName "Chrome-Policy"

    # Link the supplemental policy to the base policy
    $base = "{9214D8EE-9B0F-4972-9073-A04E917D7989}"
    Set-CIPolicyIdInfo -FilePath $policyPath -SupplementsBasePolicyID $base

    # Apply the new policy to the system
    Set-OSConfigDesiredConfiguration -Scenario AppControl -Name Policies -Value $policyPath

Go through the verification in step 1.4 again. This time, there shouldn't be any new audit events for the application you ran.

1.6 Application Control for Business – Query the list of active and non-active policies

1. Run the following command to see the current policies in effect:

    (Get-OSConfigDesiredConfiguration -Scenario AppControl).Value.PolicyInfo | Where-Object { $_.IsEffective -eq $true }

2. Run the following command to see the policies that are not active:

    (Get-OSConfigDesiredConfiguration -Scenario AppControl).Value.PolicyInfo | Where-Object { $_.IsEffective -eq $false }

1.7 Application Control for Business – Remove the policies via OSConfig
1. Remove the Application Control policies by running the commands below:

    Remove-OSConfigDesiredConfiguration -Scenario AppControl\WS2025\DefaultPolicy\Audit
    Remove-OSConfigDesiredConfiguration -Scenario AppControl\WS2025\AppBlockList\Audit

2. Verify that the policies are no longer effective by running the citool command from step 1.3 again (hit enter twice). You should NOT see the following:

    Friendly Name: BlockUMCI_Microsoft_WS2025_Audit
    Friendly Name: AllowMicrosoft_WS2025_Audit

Warning: We recommend removing the policies through OSConfig; otherwise drift control will still be in effect and will re-apply them.

1.8 Azure Monitor - Application Control for Business

We have created a new Azure Monitor workbook to alleviate the burden of reviewing the Audit or Block events emitted by the operating system when Application Control for Business is activated. This workbook can help you get insights on file audit and block activity, as well as policy activity. Here is a comprehensive list of uses for this workbook:

- Collect Windows event logs for App Control for Business and send them to a Log Analytics workspace.
- Identify file and policy event activity, providing various dashboards, charts, filter and export capabilities to help customers analyze and troubleshoot the effects and status of App Control policies.
- Refine your App Control for Business policies by exporting the workbook data and ingesting it in the WDAC Wizard. For more information, see the WDAC Wizard documentation.

To start using the Azure Monitor workbook for Application Control for Business (Preview), please go to the GitHub repo in Azure Monitor here.

We value your feedback! Please tell us what is working and what needs to be improved; your feedback is extremely valuable in making the product experience better. Please use the Feedback Hub app for Windows Server 2025, Category: Windows Server -> Security Configuration Management.
You can also reach us via email at heseccon@microsoft.com (Edge Security Connect).
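The supplemental-policy steps in 1.5 hand the Wizard-generated XML straight to OSConfig after a sequence of Set-CIPolicy* calls. The script below is an added example (not code from the post or from the OSConfig project) that wraps the same cmdlets in a function and then reads the XML back to check that the identifiers are what the base policy expects before the file is applied. It assumes the ConfigCI module that ships with Windows, an elevated session, the base-policy GUID quoted in the post, and placeholder values for the XML path and application name; the SiPolicy XML element names used in the check (PolicyType, PolicyID, BasePolicyID, VersionEx, FileRules) are from the published WDAC policy schema.

```powershell
# Added example: prepare and pre-flight a supplemental App Control policy.
# Placeholder inputs; replace with your own values.
$policyPath    = 'C:\Policies\Wizard-Output.xml'      # placeholder: WDAC Wizard output
$appName       = 'ExampleApp'                          # placeholder: application name
$policyVersion = '1.0.0.1'
$basePolicyId  = '{9214D8EE-9B0F-4972-9073-A04E917D7989}'   # base policy GUID from the post

function Set-SupplementalPolicyIdentity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Version,
        [Parameter(Mandatory)][string]$BaseId
    )
    # Same sequence as the post: fresh GUID, version, name/ID, link to the base policy.
    Set-CIPolicyIdInfo  -FilePath $Path -ResetPolicyID
    Set-CIPolicyVersion -FilePath $Path -Version $Version
    Set-CIPolicyIdInfo  -FilePath $Path -PolicyID "$Name-Policy_$Version" -PolicyName "$Name-Policy"
    Set-CIPolicyIdInfo  -FilePath $Path -SupplementsBasePolicyID $BaseId
}

function Test-SupplementalPolicyXml {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedBaseId,
        [Parameter(Mandatory)][string]$ExpectedVersion
    )
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')
    $root = $doc.SelectSingleNode('/si:SiPolicy', $ns)

    $problems = @()
    if ($root.PolicyType -ne 'Supplemental Policy') {
        $problems += "PolicyType is '$($root.PolicyType)', expected 'Supplemental Policy'"
    }
    $base = $doc.SelectSingleNode('/si:SiPolicy/si:BasePolicyID', $ns).InnerText
    if ($base -ne $ExpectedBaseId) {          # -ne is case-insensitive, GUID casing does not matter
        $problems += "BasePolicyID is '$base', expected '$ExpectedBaseId'"
    }
    $policyId = $doc.SelectSingleNode('/si:SiPolicy/si:PolicyID', $ns).InnerText
    if ($policyId -eq $base) {
        $problems += 'PolicyID equals BasePolicyID; -ResetPolicyID did not take effect'
    }
    $ver = $doc.SelectSingleNode('/si:SiPolicy/si:VersionEx', $ns).InnerText
    if ($ver -ne $ExpectedVersion) {
        $problems += "VersionEx is '$ver', expected '$ExpectedVersion'"
    }
    # Rule mix: hash rules are the most brittle (every app update needs a new rule),
    # so report how many of each rule kind the Wizard emitted.
    $fileRules = @($doc.SelectNodes('/si:SiPolicy/si:FileRules/*', $ns))
    $summary   = $fileRules | Group-Object { $_.LocalName } | ForEach-Object { "$($_.Name)=$($_.Count)" }
    $hashRules = @($fileRules | Where-Object { $_.Hash }).Count

    [pscustomobject]@{
        PolicyID     = $policyId
        BasePolicyID = $base
        VersionEx    = $ver
        RuleSummary  = ($summary -join ', ')
        HashRules    = $hashRules
        Problems     = $problems
    }
}

Set-SupplementalPolicyIdentity -Path $policyPath -Name $appName -Version $policyVersion -BaseId $basePolicyId
$check = Test-SupplementalPolicyXml -Path $policyPath -ExpectedBaseId $basePolicyId -ExpectedVersion $policyVersion
$check | Format-List

if ($check.Problems.Count -gt 0) {
    throw "Policy XML failed pre-flight checks:`n$($check.Problems -join "`n")"
}
# Only a policy that passed the checks is handed to OSConfig (same command as in 1.5).
Set-OSConfigDesiredConfiguration -Scenario AppControl -Name Policies -Value $policyPath
```

The check matters because a supplemental policy whose BasePolicyID does not match an effective base policy is simply never evaluated, and a repeat run of 1.4 would then still show audit events with no obvious reason. A high HashRules count is worth noting before enforcement: those allow entries stop matching as soon as the vendor ships an update.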
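Steps 1.4 and 1.8 both revolve around reviewing the 3076 (audit) and 3077 (block) events in the CodeIntegrity Operational log. As an added example that is not part of the post or the Azure Monitor workbook, the script below pulls those events with Get-WinEvent, summarises them per file so that an unexpected 1st-party entry stands out next to the 3rd-party app you ran, and exports the log to .evtx with wevtutil for the WDAC Wizard step in 1.5. The EventData field names FileNameBuffer, ProcessNameBuffer and PolicyName are assumed from the CodeIntegrity event schema, with a fallback to the rendered message text; the export path is a placeholder.

```powershell
# Added example: local triage of App Control audit/block events.
$LogName = 'Microsoft-Windows-CodeIntegrity/Operational'

function Get-AppControlFileEvents {
    param(
        [int[]]$EventId = @(3076, 3077),            # 3076 = audit, 3077 = block
        [int]$MaxEvents = 5000,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = $LogName; Id = $EventId; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML. Field names are an
        # assumption (FileNameBuffer etc.); fall back to the rendered message if absent.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $file = if ($data.ContainsKey('FileNameBuffer')) { $data['FileNameBuffer'] }
                elseif ($e.Message -match 'File Name:\s*(\S+)') { $Matches[1] }
                else { '<unknown>' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Outcome = if ($e.Id -eq 3077) { 'Blocked' } else { 'Audited' }
            File    = $file
            Process = $data['ProcessNameBuffer']
            Policy  = $data['PolicyName']
        }
    }
}

function Get-AppControlFileSummary {
    # One row per file: how often it was seen, whether any event was a hard block,
    # and which policies reported it. Sorted so the noisiest file is on top.
    param([AllowNull()][AllowEmptyCollection()][object[]]$Events)
    if (-not $Events) { return }
    $Events | Group-Object File | ForEach-Object {
        $g = $_.Group
        [pscustomobject]@{
            File      = $_.Name
            Events    = $_.Count
            Blocked   = @($g | Where-Object { $_.Outcome -eq 'Blocked' }).Count
            FirstSeen = ($g | Measure-Object Time -Minimum).Minimum
            LastSeen  = ($g | Measure-Object Time -Maximum).Maximum
            Policies  = (($g.Policy | Where-Object { $_ } | Sort-Object -Unique) -join ', ')
        }
    } | Sort-Object Events -Descending
}

function Export-AppControlLog {
    # Same result as Event Viewer's "Save All Events As...", scriptable.
    # wevtutil epl exports the live log; /ow:true overwrites an existing file.
    param([Parameter(Mandatory)][string]$Destination)
    wevtutil epl $LogName $Destination /ow:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
    Get-Item -LiteralPath $Destination
}

# Usage: review the last two hours, then export for the WDAC Wizard (placeholder path).
$events = Get-AppControlFileEvents -Since (Get-Date).AddHours(-2)
Get-AppControlFileSummary -Events $events | Format-Table -AutoSize
# Export-AppControlLog -Destination 'C:\Temp\CodeIntegrity-Operational.evtx'
```

In audit mode every row should be a file you expected to be outside the base policy; a Windows or Microsoft binary appearing here (the 1st-party check in 1.4) is the signal to stop and investigate before moving to enforcement, because the same file would be blocked rather than logged once the policy is enforced.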
Microsoft Application Control WDAC and Adobe

Afternoon all, I am posting this as advice. I found an initial answer via a comprehensive search was to turn off secure boot on the affected machine (not what I consider the best solution). However, I resolved the problem by accident whilst I was fixing my Edge Chromium update policies in Endpoint Manager to work properly and allow the Beta version on Windows 10 endpoints whilst denying the other 2 variants. My test machine was still locked down in Defender for Endpoint with app restriction turned on after I was testing my skills over the weekend. I quickly realised this, and Adobe Reader DC installed just fine afterwards on the endpoint. All machines are managed exclusively via Intune, NO group policy controls applied. Some poor sod had this problem over 300+ machines. Sorry for you bro. I did however make an adjustment to Intune for WDAC. Hopefully it will help others. Thanks.