WDACConfig module update v0.3.9

What's New

This is by far the biggest update to the WDACConfig module. It brings a lot of new features, improvements, and changes to the cmdlets. The main focus of this update is to make the workflow of the cmdlets more user-friendly, faster, and more efficient. There are some inevitable breaking changes along with new features and improvements that are all listed below.

• ✅ Lots of new guides have been added
• ✅Previous guides have been all updated to reflect the new changes
• 📽️ New videos with voice overs have been provided

Introducing Sandboxing-like Capability For The Installed Programs

The vast majority of programs incorporate Dynamic Link Libraries (DLLs) and additional dependencies such as .com, .rll, .ocx, .msp, .mst, .bin, .hxs, .mui, .lex, .mof etc., which are replicated into their designated installation directory throughout the setup phase. These critical files may harbor security flaws susceptible to exploitation by malware. To counteract this, the innovative feature establishes a sandbox-like perimeter encircling the application's dependencies. This ensures that solely the application's own executables have the privilege to interact with the DLLs and dependency files, effectively barring all other executables from accessing them.

This feature is available in the Edit-WDACConfig and Edit-SignedWDACConfig cmdlets. It can be activated using the -BoostedSecurity parameter.

This feature might be added to other cmdlets as well after further evaluations.

New Video Guides

Video Link	Description
	Sandboxing-like capabilities in the WDAC Policies
	Create, Deploy & Audit WDAC Policies
	How To Set And Query Secure Settings in WDAC Policies
	How To Create And Deploy Signed WDAC Policies

Cmdlet Changes

Edit-WDACConfig and Edit-SignedWDACConfig

• Removed -AllowNewAppsAuditEvents parameters from both cmdlets, its job has been merged with -AllowNewApps parameter. This simplifies the workflow as you no longer have to make a decision between which parameter to use when you need to allow apps or files.

• The -AllowNewApps parameter now automatically detects the files run during audit mode from event logs and display them to you in a GUI, offering you the option to include them in the supplemental policy by providing comprehensive details about every detected file and empowering you to make informed decision about them. It also checks for kernel-protected files in the logs you select, such as the main executable of the Xbox games, and allows them in the supplemental policy based on PFN (Package Family Name).

• The SnapBack security mechanism is triggered sooner, restoring the base policy that is in audit mode back to enforced mode as soon as possible.

• Using parallel processing methods, the workflow of the cmdlet has been optimized for faster execution.

• You can now use the -AllowNewApps parameter either by selecting directories to scan, purely rely on audit event logs or both. Previously, the workflow would require you to select directories to scan and would fail otherwise. Now you can solely rely on audit event logs to allow new apps or files, or if you want to allow a new file but you don't know its exact location.

• The -UpdateBasePolicy parameter has been upgraded. It now intelligently increases the version number of the base policy, ensuring that the new version is always one version higher than the previous one. The version change considers all semantic versioning rules such as revision, build, minor and major numbers and their maximum allowed values.

Set-CiRuleOptions

• It's a new cmdlet, consider it an improved version of the built-in cmdlet Set-RuleOption. It offers more features and improvements such as removing or adding rules at the same time in bulk.

• Completely internalized policy rule option modifications, no longer using built-in cmdlets. This change results in much faster policy creation.

New-WDACConfig

Complete Overhaul

All of this cmdlets's parameters have been replaced with more user-friendly and efficient ones. No functionality has been lost. The goal is to offer the end-user the ability to quickly and easily choose the desired settings with 0 ambiguity. As a result, the following changes have been made:

• Removed the -MakePolicyFromAuditLogs parameter from the cmdlet. Its job can now be done with the -AllowNewApps parameter in the Edit-WDACConfig and Edit-SignedWDACConfig cmdlets, or by the New-SupplementalWDACConfig cmdlet.

• New parameter -PolicyType: Use it to create base policies, it offers 3 options: 'DefaultWindows', 'AllowMicrosoft', 'SignedAndReputable'.

• New parameter -GetUserModeBlockRules: Use it to download or deploy the latest User Mode Block rules from the Microsoft GitHub repository. The User Mode block rules are no longer coupled with the base policy, they are now deployed as a standalone policy separately, offering greater control over them and their life cycle. This is due to the fact that Windows no longer has a limit on how many WDAC policies can be deployed on the system. Previously the limit was 32 policies.

• New parameter -GetDriverBlockRules: Use it to download or deploy the latest Kernel Mode drivers Block rules from the Microsoft website.

• New parameter -Audit: Used to turn on audit mode in the base policy. Only available when -PolicyType parameter is used.

• New parameter -AutoUpdate: Only available when -GetDriverBlockRules parameter is used. It will automatically update the driver block rules when a new version is available using scheduled task.

Get-CIPolicySetting

Gets the secure settings value from the deployed CI policies using the Windows APIs.
Refer to the following documents for more info:

• Set-CIPolicySetting
• Understanding WDAC Policy Settings

Confirm-WDACConfig

• New parameter OnlySystemPolicies: It will display only the system policies when used.
• The version number of the policies are now converted to proper semantic versioning format.

Assert-WDACConfigIntegrity

• Added support for the SHA3-512 hashing algorithm that is available beginning Windows 11 24H2.

Other Changes

• The ConvertTo-WDACPolicy cmdlet when using local logs as the source, has become faster using high performance functions.

• Kernel-protected files are now faster to detect and rules for them are created in better ways.

• Sub-modules in each cmdlet are now loaded faster.

• Cmdlet outputs are now more streamlined and consistent.

• During the module preload phase, certain immutable global variables are established, remaining unalterable for the duration of the session. Previously, these variables were instantiated only if they did not already exist within the session's scope with the same name. Now, the values of these pre-existing variables are scrutinized against those defined within the module. Should a discrepancy arise, an error is triggered. This rigorous validation mechanism ensures the integrity of critical variables, safeguarding them from any potential malicious alterations prior to the module's loading.

• Whenever using cmdlets that require interaction with Code Integrity and AppLocker event logs, such as Edit-WDACConfig, Edit-SignedWDACConfig or New-WDACConfig -Audit, the Code Integrity Operational's event log size is evaluated. If the current free capacity is less than 1MB and its maximum size is less than 10MB, its size is increased by 1MB. This is a controlled automated workflow that is introduced in this version that aims to prevent the overwrite of the event logs. You can always use the -LogSize parameter with the cmdlets that support it to set the desired max size for the Code Integrity Operational logs.

• Increased the minimum required OS build version from 22621.2428 to 22621.3447. In this [build](https://support.microsoft.com/en-us/topic/april-9-2024-kb5036893-os-builds-22621-3447-and-22631-3447-a674a67b-85f5...

Harden Windows Security Module v.0.4.3

What's New

• TPM is no longer a hard requirement for using the hardening script or running the Protect-WindowsSecurity cmdlet. Now if the system is detected to not have TPM, only the BitLocker category will become automatically unavailable to run.
• Reduced the number of times the Get-MpComputerStatus cmdlet is called, now saving the results to a variable and using it for subsequent queries.

PR: #262

Harden Windows Security Module v.0.4.2

What's New

• Added an -offline parameter for the Confirm-SystemCompliance cmdlet, it will skip the online update check when used. => related issue
• Changed the way Controlled Folder Access's status is detected. This change will also detect if it was applied through Intune policies. => related issue
• Improved the GUI experience. Now when the hardening commands are running, the categories and subcategories are no longer disabled, allowing you to plan your next run while commands are running in the background.

PR: #256

Harden Windows Security Module v.0.4.1

What's New

Improved Multi-Threading in GUI

• Completely reworked the multi-threading aspects of the GUI. Now it's high performance, resilient and no longer freezes the GUI when long or heavy tasks run in the background. This allows you to move the GUI window around or resize it at any time just like you would on any native application.
• Applied code optimizations that resulted in using a lot less code than before to achieve even more.
• The Microsoft Defender category now checks for the availability of the ConfigDefender module's parameters before using them and informs the user that there is a system restart pending if they are unavailable. See this and this for more info.
• Increased PowerShell version requirement from 7.4.1 to 7.4.2.

As always, the module automatically updates when you run any of its cmdlets/commands and when there is a new version available on PowerShell Gallery, so you don't have to manually update it.

PR: #251

Harden Windows Security Module v.0.4.0

What's New

• Complete remake of the GUI
  • Feedback is welcome

PR: #249

WDACConfig module update v0.3.8

What's New

• Introduced functionality to create a Supplemental policy based on certificate files. This enhancement enables administrators to select .cer certificate files and authorize them within a policy. Consequently, any files signed with these certificates will be permitted to execute. The primary motivation behind this feature is to streamline the deployment and utilization of Script Enforcement scenarios.

  • This capability has been added to the New-SupplementalWDACConfig cmdlet.

• Developed comprehensive and user-friendly documentation aimed at system administrators seeking to leverage the Script Enforcement feature within Application Control policies (WDAC). This documentation provides clear guidelines for establishing stringent boundaries around script engines, including PowerShell and similar tools.

• Improved the resiliency of log parsing functions.

• Added new parameter called EnableScriptEnforcement to the New-WDACConfig cmdlet which will enable script enforcement for the base policies it creates.

• Enhanced the robustness of certificate details retrieval functions for WDAC Simulation.

PR: #245

Harden Windows Security Module v.0.3.9

What's New

• Added support for Windows Home edition, this means the module and script can run on Windows home editions but the categories are applied in best effort fashion and not all of them are available since many features such as group policy or attack surface reduction rules are simply not available in the home edition. More features might be specialized and implemented for home editions only, in the future.
• You can now choose which categories to check compliance for using the Confirm-SystemCompliance cmdlet. Previously it would check all categories. If no category is selected, all categories are checked.
• Overall code improvements and refactoring.

PR: #244

WDACConfig module update v0.3.7

What's New

• Added support for EVTX logs file parsing. Now, you can quickly create Application Control (WDAC) policies using EVTX logs from any computer. Just export the Code Integrity and/or AppLocker logs and use the WDACConfig module to turn them into WDAC policies. This feature provides a consistent and user-friendly experience similar to what’s available for MDE Advanced Hunting logs and Local logs, utilizing the ConvertTo-WDACPolicy cmdlet for streamlined policy creation.
• Overall code improvements

PR: #241

WDACConfig module update v0.3.6

What's New

Microsoft Defender for Endpoint - Advanced Hunting

You can now use the WDACConfig module to convert the Microsoft Defender for Endpoint (MDE) Advanced Hunting query results directly to Application Control policy (WDAC) policy in a matter of seconds with high precision and performance.

Demo Video

The systematic approach to converting the query results to WDAC policy is as follows:

• If a file is unsigned then a hash rule will be created for it.
• If a file is signed then there are multiple possibilities:
  • If the file is signed and the MDE AH results contain the file's version as well as at least one of the following file attributes (Original Name, Internal Name, Description, Product Name), then a File Publisher rule will be created for it.
  • If the file is signed but the file attributes are not present in the results, Publisher level rule will be created for it.

These levels are selected based on their security. You can read more about the levels security comparison in this article.

Simple Yet Comprehensive

What WDACConfig requires for MDE Advanced Hunting

DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
    or ActionType startswith "AppControlCIScriptBlocked"
    or ActionType startswith "AppControlCIScriptAudited"

As you can see, the WDACConfig module encapsulates all requisite logic, enabling the employment of heightened security levels for files, notably the FilePublisher. It assimilates comprehensive data, utilizing the maximum extent of available information to formulate the most precise and tailored rule for each individual file.

Comparison

Supported Features	WDACConfig	WDAC Wizard
Log types	Code Integrity + AppLocker	Code Integrity
Generated Rules	File Publisher, Publisher, Leaf Certificate, Hash	Publisher, Hash
Requires Custom CSV Formatting	No - Accepts RAW data	Yes
Required Query Size	Small	Large

Important

WDAC Wizard is a great tool, it offers a GUI and can be downloaded from here

Other Changes

• Significantly Improved the performance when parsing the Code Integrity related event logs.
• In addition to the Code Integrity logs, now AppLocker logs are also processed by the WDACConfig module. This allows it to capture and create rules for blocked/audited MSI files as well.
• Bumped the required PowerShell version from 7.4.1 to 7.4.2 because it has WDAC related improvements.
• Fixed this issue: #225

PR: #218

Harden Windows Security Module v.0.3.8

What's New

• Toast Notification is now displayed upon completion of operation when using the GUI to operate the Harden Windows Security module and script.
• Improved the logging style when using the GUI, both in the log file and the displayed logs on the GUI.
• Added a new parameter -OnlyCountryIPBlockingFirewallRules to the Unprotect-WindowsSecurity cmdlet. It allows you to only remove the country IP blocking firewall rules without removing anything else.
• Overall code improvements

PR: #235