
Releases: HotCakeX/Harden-Windows-Security

Harden Windows Security v.0.7.0

13 Dec 12:19
961d40a

What's New

  • Added Encryption Percentage, Protection Status, Key Protector and Encryption Method properties to the BitLocker tab's Backup section. Those properties are now displayed in the data grid for each drive and are included in the backup file that you create. This is very useful when you need detailed information about the BitLocker-protected drives on your system.

  • Made Audit policy checks available for all System cultures instead of only supporting English-US. This is for the compliance checking feature.

  • Improved buttons and their positions in BitLocker and Exclusions tabs.

  • Added a short description to the Exclusions tab.

  • Slightly improved the performance and speed of compliance checking.

  • Made lots of performance, quality and security related improvements to the code base.

  • Fixed this issue -> #449

  • Added Long path support policy to the Miscellaneous Category's Intune JSON configuration.

  • Added the following 3 new policies to the User Account Control Intune JSON configuration:

    • Behavior Of The Elevation Prompt For Administrator Protection: Prompt for credentials on the secure desktop
    • Type Of Admin Approval Mode: Admin Approval Mode with Administrator protection
    • Use Admin Approval Mode: Enabled
  • Changed this policy in the User Account Control Intune JSON configuration:

    • Behavior Of The Elevation Prompt For Standard Users: changed from "Automatically deny" to "Prompt for credentials on the secure desktop"
  • Updated the required PowerShell version from 7.4.4 to 7.4.5. The latest available version at the moment is 7.4.6, which was released over a month ago.


PR: #453


AppControl Manager 1.6.0.0

10 Dec 10:16
04f6b12

What's New


Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • The file and folder scans across the application now support parallel processing.

  • The "Allow New Apps" page's progress ring will accurately display the progress of the selected folders' scan.

  • Added a new radial gauge to the Supplemental policy creation page that lets you choose the scalability of the scan, i.e. how many concurrent threads it may use to complete the scan. It also has a progress bar that shows the scan progress in real time.

  • A new page has been added to the AppControl Manager, allowing you to merge multiple App Control policies into a single, unified policy. This feature has been custom-built exclusively for this application and fully follows the Code Integrity schema's rules. The merging process ensures that the resulting policy is free of duplicate rules. Additionally, you have the option to deploy the merged policy immediately after the merge is complete. Read more about this feature here.

  • Added a link to the source code (this repository) at the end of the About section.

  • Added a link to the Icons8 website, as credit, at the end of the About section.

  • You can now select multiple folders at the same time when browsing for folders in the "Allow New Apps" page; the list of selected folders shows unique folders only.

  • The automatic AppControlManagerSupplementalPolicy supplemental policy now also allows SignTool.exe via a FilePublisher rule. This is necessary so that, when the DefaultWindows base policy is deployed, SignTool.exe can still run to perform the required signing operations.

  • The automatic AppControlManagerSupplementalPolicy is no longer displayed by default in the System Information page. If you still want to see it, you can include it in the displayed policies by checking a box, just like system policies. The reason is that it is removed automatically when its associated base policy is removed, so the user no longer needs to take any extra action. This further simplifies policy management with the AppControl Manager app. Find more information about it here.

Technical Changes

  • Renamed the main namespace.

  • FilePicker Dialogs now use NativeAOT and Trim compatible code.

  • CsWin32 no longer uses marshaling; the necessary logic is implemented manually.

  • Implemented lots of new code analyzers related to style and security.

  • Switched to version 7 GUID generation in every part of the code.

  • Removed the unnecessary CommunityToolkit.WinUI.Behaviors package from the app.


PR: #445


Please go back to the top of the release notes to see how to install AppControl Manager


AppControl Manager 1.5.2.0

02 Dec 16:27
e334771

What's New


Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Added support for Windows 11 build 23H2. This is in response to multiple pieces of community feedback, which is always helpful and welcome. Closes #435
    • AppControl Manager is now fully supported on Windows 11 23H2, 24H2 and Windows Server 2025
  • Completely switched to source-generated LibraryImports, improving performance. => #433
  • Implemented several new code analyzers that ensure cleaner, safer, higher-performance code.
  • Improved the scanned data result DataGrid in the Supplemental policy creation page: removed 3 unused columns that don't apply to local file scans and added 1 new column to display each scanned file's Opus data.

Overall, this is a relatively small update. Big changes are coming in version 1.6 with many new features!


In case you missed it, I posted a new video demoing AppControl Manager; check it out here:
https://www.youtube.com/watch?v=SzMs13n7elE

PR: #441


AppControl Manager 1.5.1.0

28 Nov 14:26
d7f1028

What's New


Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Enhanced Parsing Logic for MDE Advanced Hunting: The CSV parsing process no longer relies on static column positions. Instead, it dynamically identifies the location of each field, so parsing stays accurate even if the column order in the CSV file changes, which makes it robust against future changes to the export format. Fixed -> #423

  • Default Windows Template Policy: A new feature has been added to the policy creation page, enabling the creation of a default Windows template policy with ease.

  • Integrated Documentation Links: Links to the latest AppControl Manager documentation have been added across relevant pages. Users can now quickly access step-by-step guides by clicking a dedicated button whenever guidance is needed.

  • Fixed the MDE Advanced Hunting menu item text, which wasn't showing its full content.

  • Made the navigation buttons in documentation pages more responsive.

  • Improved the UX when using the log size and audit mode options in the Create Policy page.
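The position-independent CSV parsing described in the first item above, shown as an added example that is not AppControl Manager's own (C#) code: fields are located by header name rather than by column index, so a reordered export yields the same records and a missing column is reported instead of silently misread. The column names, the ActionType value and the sample rows are constructed for illustration.

```powershell
# Added example (not AppControl Manager's code): parse an Advanced Hunting CSV export by
# header name instead of column position, so a reordered export still yields the same
# records and a missing column fails loudly. Column names below are assumed.
function ConvertFrom-AdvancedHuntingCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$CsvText,
        # Columns a policy builder would need; assumed names for illustration
        [string[]]$RequiredColumns = @('DeviceName', 'FileName', 'SHA256', 'ActionType')
    )

    $Rows = @($CsvText | ConvertFrom-Csv)
    if ($Rows.Count -eq 0) { throw 'The CSV export contains no data rows.' }

    # Header names exactly as they appear in this file, in whatever order
    $Headers = @($Rows[0].PSObject.Properties.Name)

    # Map each required column to the actual header, matching case-insensitively
    $ColumnMap = @{}
    foreach ($Required in $RequiredColumns) {
        $Actual = $Headers | Where-Object { $_ -ieq $Required } | Select-Object -First 1
        if (-not $Actual) {
            throw "Required column '$Required' not found. Headers present: $($Headers -join ', ')"
        }
        $ColumnMap[$Required] = $Actual
    }

    # Emit normalized records whose property names are stable regardless of export layout
    foreach ($Row in $Rows) {
        $Record = [ordered]@{}
        foreach ($Required in $RequiredColumns) {
            $Record[$Required] = $Row.($ColumnMap[$Required])
        }
        [pscustomobject]$Record
    }
}

# Constructed sample exports: the same audit event with two different column orders
$ExportA = @'
DeviceName,ActionType,SHA256,FileName,Timestamp
PC01,AppControlCodeIntegrityPolicyAudited,0000aaaa,app.exe,2024-11-28T10:00:00Z
'@
$ExportB = @'
Timestamp,FileName,SHA256,ActionType,DeviceName
2024-11-28T10:00:00Z,app.exe,0000aaaa,AppControlCodeIntegrityPolicyAudited,PC01
'@

$A = ConvertFrom-AdvancedHuntingCsv -CsvText $ExportA
$B = ConvertFrom-AdvancedHuntingCsv -CsvText $ExportB
$Props = 'DeviceName', 'FileName', 'SHA256', 'ActionType'
# $true when both layouts produce identical records
$null -eq (Compare-Object -ReferenceObject $A -DifferenceObject $B -Property $Props)

# A column-position parser would silently read the wrong field here; this one refuses
try { ConvertFrom-AdvancedHuntingCsv -CsvText "DeviceName,FileName`nPC01,app.exe" | Out-Null }
catch { Write-Warning $_.Exception.Message }
```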


PR: #424


AppControl Manager 1.5.0.0

26 Nov 20:29
51c2a58

What's New

AppControl Manager preview


Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • 🎉 Added a new page that lets you easily build a code signing certificate to be used for AppControl policy signing. It offers various options to configure the certificate such as key size, common name and validity.

  • 🎉 Added a new page to create Supplemental policies. With this update, you can create supplemental policies by scanning files and folders, or by selecting certificates. More methods will be added in the future such as installed packaged apps and file paths with wildcards. Closes #412

  • 🎉 Added a new page that lets you select XML files and CIP binary files to deploy on the system.

  • Added a new section to the Update page that will be displayed when a new version is available. It will display a link to the GitHub releases to show you the release notes.

  • Added a new option to the Update page that offers a hardened update procedure. When this option is enabled, the temporary private key of the on-device generated certificate is linked to the user's account, requiring confirmation of prompts before it can be used for signing.

  • 🎉 You can now select an MSIX file path in the Update page to use as the update source instead of downloading it automatically. You can use this new section if you have already downloaded the MSIX package from GitHub or have built the app yourself from the source code.

  • AppControl Manager is now long-path aware; it can use file paths longer than 260 characters.

  • Improved the user experience when interacting with settings cards UI elements.

  • When entering a certificate common name in the settings page, the text box now automatically suggests all the available common names to choose from. You no longer need to type anything manually. There is also a refresh button that fetches the latest certificate changes if you need to update the suggestions.

  • The system information page will now let you remove supplemental policies from the system with 1 click/tap of a button, just like unsigned policies.

  • 🎉 The app now remembers the window size (including maximized state) when closed, ensuring it reopens with the same size/state next time. Closes #414

  • Added a notice to the settings page -> Appearance section about Windows animations being disabled: #415

  • Set the default path for file and folder pickers to the "WDACConfig" folder in Program Files, instead of the Documents folder. This reduces the number of clicks users have to make to browse for policies, certificates, etc.

  • Added link to X in the about page's links section.


WDACConfig v.0.5.0

  • Removed -Normal and -Certificates parameters from the New-SupplementalWDACConfig function.
  • Removed the Build-WDACCertificate function.
  • Removed the -AllowNewApps parameter from the Edit-WDACConfig function.
  • Removed the ConvertTo-WDACConfig function.
  • Removed Get-CommonWDACConfig function.
  • Removed Get-CIPolicySetting function.

All of their jobs were completely added to the AppControl Manager before removal.
https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager

PRs:

#413

#417


AppControl Manager 1.4.0.0

21 Nov 16:23
ef09b2f

What's New

AppControl Manager preview


Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Added animated icons to the main navigation and some of the buttons. They respond to dark/light theme changes as well. They aren't on by default; you can go to the Settings page => Appearance and turn them on. If enough users who would like to see it turned on by default comment down below or let me know, then I can do so, but I respect that some people might not like the extra animations, so it's off by default.

    • Just like any other settings in the app, your changes will be saved and won't be lost after app restart or update.

    • Added a new option to the appearance settings that allows you to choose an icon style. You can switch between the new animated icons, the default monochromatic icons, and the default icons with the Windows accent color.

  • Improved "Allow new apps" scenario's logic by detecting ECC signed files across both event logs and local file scan results.

  • The "Allow new apps" page will now show small and subtle indicators that contain the total count of event logs and local scan results at the top of their respective navigation items. They're updated in real time.

  • Made all JSON serialization/deserializations source-generated for improved performance.

  • The MSIX package is now 40 MB smaller as a result of removing unnecessary packages: PowerShell.SDK, System.Management.Automation and Microsoft.Windows.SDK.BuildTools. This improves code security, reliability and predictability.

  • All the logic related to certificate creation/import/export and app installation/uninstallation has been natively implemented in C#.

  • Improved the update process's security. It no longer creates a PFX file and the on-device generated certificate's private key is non-exportable.

  • Improved the update process. It now first checks whether a SignTool.exe path exists in the user configurations file and uses it if it does; otherwise it proceeds to download it from the Microsoft NuGet repository as before.


PR: #410


AppControl Manager 1.3.0.0 and WDACConfig 0.4.9

16 Nov 16:22
8dff2c9

What's New

AppControl Manager preview


Excited to announce another major update for the AppControl Manager app, introducing enhanced features that bring more capabilities to a modern, GUI-based experience.

Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

Note

Every new feature introduced in AppControl Manager is significantly faster than its counterpart in the WDACConfig module, thanks to optimized algorithms and improved logic. For instance, scanning hundreds of thousands of event logs, which previously took 5 minutes in the module, now completes in about 30 seconds with AppControl Manager. The same is true for local file scans and MDE Advanced Hunting log scans.


Tip

If you already have the AppControl Manager installed, simply go to the Update section and press the button to auto-update to the latest version. Read more about the process here.


Brand new documents, videos and tutorials will be added to the repository and YouTube channel for the AppControl Manager in the near future.


New Features in AppControl Manager

  • Easily create policies directly from local event logs, enhanced with advanced filtering and search capabilities.

  • Import EVTX log files to create policies, also featuring advanced filtering and search capabilities.

  • Generate policies using MDE Advanced Hunting logs with powerful filtering and search options.

  • Effortlessly allow files or apps blocked by the system. This functionality mirrors the Edit-WDACConfig -AllowNewApps command previously available in the WDACConfig module.

  • Switch the app's theme independently of the system theme.

  • Choose between Mica, MicaAlt, or Acrylic for the app's backdrop to tailor the overall visual experience.

  • Introduced a darker background option for a striking aesthetic, particularly when paired with MicaAlt.

  • Enable sound effects for navigation and regular app interactions, adding an immersive experience.

  • Your app settings are now saved, so you won't need to reconfigure them every time you launch the app.

  • Redesigned the Simulation page for a better user experience.

  • Added concise descriptions to each page for quick contextual understanding.

  • Implemented a search bar with auto-suggestions to streamline main navigation.

  • New navigation customization in settings: switch between left and top navigation styles.

Note

It's probably worth mentioning that all of the methods and algorithms used for scans, whether MDE AH, event logs or local file scans, are unique and built specifically for AppControl Manager; more on that later.


Technical Changes

  • Replaced most DLLImports with LibraryImports as part of the initiative to support Native AOT (Ahead-of-Time Compilation). This transition enhances compatibility with Arbitrary Code Guard (ACG) exploit protection.

  • Bumped .NET to version 9 stable.

  • Implemented and enforced additional code security and style guidelines.

  • Transitioned certain Windows API calls from AdvApi32 to modern Bcrypt and CNG Crypto APIs for better security and performance.

  • Changed the way the AppIdentity service is started to a more native method, again to make the app more compatible with Native AOT requirements.

  • Switched all inline regular expressions to source-generated compiled ones for improved performance.


Changes to the WDACConfig Module

The jobs of the following parameters or cmdlets have been removed. If you attempt to use them, you will see a notice and a link to the AppControl Manager app. The new app offers many more capabilities that simply cannot be implemented in PowerShell.

  • ConvertTo-WDACPolicy
  • Edit-WDACConfig -AllowNewApps

Upcoming changes to the WDACConfig Module

The following cmdlets/functions will be completely removed, as their jobs will be integrated into the AppControl Manager for a superior experience. This change happens in the next version, currently targeting version 1.4.0.0. Rest assured that all of their features will be completely implemented in the AppControl Manager before they are removed, so you will not experience any missing features.

  • Edit-WDACConfig
  • Edit-SignedWDACConfig
  • New-SupplementalWDACConfig
  • New-DenyWDACConfig
  • Get-CiFileHashes
  • Get-CIPolicySetting
  • ConvertTo-WDACPolicy
  • Set-CommonWDACConfig
  • Remove-CommonWDACConfig
  • Get-CommonWDACConfig
  • New-KernelModeWDACConfig
  • Invoke-WDACSimulation

If you wish to stay on version 0.4.8.2 or 0.4.9, you can disable auto update check in WDACConfig module using the following command:

Set-CommonWDACConfig -AutoUpdate $false

Closes #394


PR: #398

GitHub action workflow responsible for generating the MSIX: https://github.com/HotCakeX/Harden-Windows-Security/actions/runs/11871430457/job/33083932693


Have any questions or suggestions? Please open a new discussion or issue. I'll be happy to help and answer any questions.


WDACConfig 0.4.8.2

04 Nov 20:47
51e06c9

What's New

This is a small update, and as a result only the last digit of the version, the minor version number, changes. It contains the changes listed below:

  • Using SHA2-512 instead of SHA3-512 for hashing module files in order to be compatible with Windows 11 build 23H2.

  • Fixed an issue where, if you used the Set-commonWDACConfig function to set a user config without specifying the -AutoUpdate parameter, the AutoUpdate property in the user config JSON file would be reset to false even if it was true, because of how PowerShell treats boolean parameters by default. That prevented the automatic check for updates from happening unless you ran Set-commonWDACConfig -AutoUpdate $true to turn it on again. This version takes care of it. If that happened to you and you want update checks back, run Set-commonWDACConfig -AutoUpdate $true to enable auto update again.
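The PowerShell pitfall behind that fix, as an added example rather than the WDACConfig module's own code: an omitted [bool] parameter is initialized to $false, so writing it back unconditionally silently disables a stored true value. The config file path, property names and both Set-Config functions are hypothetical.

```powershell
# Added example (not the WDACConfig module's code): a user-config JSON file with
# an AutoUpdate flag, and two versions of a Set-Config function that updates it.
# Path and property names are assumed for illustration.
$ConfigPath = Join-Path -Path $env:TEMP -ChildPath 'UserConfig-example.json'

function Reset-ExampleConfig {
    # Constructed starting state: AutoUpdate is enabled
    [pscustomobject]@{ CertCN = 'Old CN'; AutoUpdate = $true } |
        ConvertTo-Json | Set-Content -Path $ConfigPath
}

function Get-ExampleAutoUpdate {
    (Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json).AutoUpdate
}

# Buggy version: a [bool] parameter the caller omits is initialized to $false,
# so writing it back unconditionally overwrites a stored $true.
function Set-ConfigBuggy {
    [CmdletBinding()]
    param(
        [string]$CertCN,
        [bool]$AutoUpdate
    )
    $Config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
    if ($CertCN) { $Config.CertCN = $CertCN }
    $Config.AutoUpdate = $AutoUpdate          # $false when -AutoUpdate was never passed
    $Config | ConvertTo-Json | Set-Content -Path $ConfigPath
}

# Fixed version: only touch a setting when the caller actually bound that parameter.
function Set-ConfigFixed {
    [CmdletBinding()]
    param(
        [string]$CertCN,
        [bool]$AutoUpdate
    )
    $Config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
    if ($PSBoundParameters.ContainsKey('CertCN'))     { $Config.CertCN = $CertCN }
    if ($PSBoundParameters.ContainsKey('AutoUpdate')) { $Config.AutoUpdate = $AutoUpdate }
    $Config | ConvertTo-Json | Set-Content -Path $ConfigPath
}

Reset-ExampleConfig
Set-ConfigBuggy -CertCN 'New CN'                 # caller never mentioned AutoUpdate...
"Buggy: AutoUpdate = $(Get-ExampleAutoUpdate)"   # ...yet the stored flag has been turned off

Reset-ExampleConfig
Set-ConfigFixed -CertCN 'New CN'
"Fixed: AutoUpdate = $(Get-ExampleAutoUpdate)"   # the stored flag is left as it was
```

The same guard applies to any typed parameter with a meaningful default ([int], [string]), not only [bool]; $PSBoundParameters is the only reliable way to tell "omitted" from "explicitly set to the default".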


PR: #393


Harden Windows Security v.0.6.9

04 Nov 14:48
3216011

What's New

  • New optional sub-category for the Device Guard category: Mandatory mode for VBS (Virtualization based security) and Memory Integrity.

  • New Optional sub-category for the Miscellaneous category: Enable support for long paths for programs in Windows.

  • New Optional sub-category for the Miscellaneous category: Force strong key protection for user keys stored on the computer. The user is prompted when the key is first used.

  • Updated wiki posts to reflect the recent changes in WDACConfig and Harden Windows Security module.

  • During the unprotection process, the logon/logoff audits that the Miscellaneous category turns on are now reverted.

  • Added process mitigations for the AppControl manager. They protect it against external threats.


Important

A few security related facts:

A file or program bearing a valid digital signature should never be considered inherently secure. While it would be ideal if verifying a signature could conclusively indicate safety, the reality is far more nuanced and complex. A digital signature is an excellent preventive measure, but when it comes to exploiting or infiltrating high-value targets, numerous techniques exist to circumvent this layer of defense. Also, the security of a digital signature is only as strong as the integrity and vigilance of the individual responsible for safeguarding it.

In recent years, many certificate authorities have implemented stricter policies requiring individuals requesting a code-signing certificate to store it within a Hardware Security Module (HSM). This specialized device provides an added layer of physical security for cryptographic keys. However, like any piece of hardware, an HSM can still be stolen, making the physical security of the device—where it is stored, whether it's kept in a high-grade safe, and the security of the person's residence—critical factors in preventing unauthorized access.

Equally important is the security of the code-signing process itself. Does the certificate holder use a dedicated, isolated environment exclusively for signing? Is it meticulously maintained to be free from malware and potential compromises? Or do they insert the HSM into a system that also serves daily, multipurpose functions? In the latter scenario, where the same device is used for browsing the internet or downloading software, the risk of infection rises dramatically. A malware infection on this system could allow malicious software to access private keys from the HSM during the signing process, effectively bypassing the HSM's intended protection. From the outside, as users, we have no practical way to verify or scrutinize these practices. We are fundamentally in the dark about whether an organization or individual has taken rigorous precautions or if they are following minimal security protocols. This lack of transparency introduces an additional layer of risk; users are left trusting in a process they cannot observe or evaluate.

Another vital aspect to consider is the trustworthiness of the individual applying for the certificate. If the applicant is a malicious actor, the signature itself becomes a tool for potential harm. Unfortunately, most certificate authorities issuing code-signing or Extended Validation (EV) certificates do not conduct extensive vetting of applicants. Factors such as an applicant's criminal history, associations, travel history, or broader trustworthiness are seldom, if ever, scrutinized. This lack of rigorous background checks leaves the door open for bad actors to obtain certificates under the guise of legitimacy, turning a critical security feature into a potential vulnerability.

This article was created by me to address these vulnerabilities directly. Windows Defender Application Control (WDAC) or Application Control for Business exists precisely for this reason—it transforms the security paradigm for both attackers and defenders by embracing a real zero-trust approach. Zero trust removes assumptions from the equation, requiring that every executable be explicitly validated before being allowed to run.

In environments with highly sensitive devices or workspaces, relying solely on certificate authorities to secure your systems can be dangerously misguided. Trusting that a certificate authority has conducted rigorous due diligence when issuing code-signing certificates is a risky assumption. App Control provides a critical alternative: it enables you to define your own standards of trust, rather than leaving the responsibility in the hands of external entities who may have different criteria for assessing reliability.

Application Control is empowering. It places the control squarely in your hands, allowing you to determine precisely which files, applications, or processes are authorized to execute on your device. By leveraging this approach, you gain comprehensive oversight and a new level of security confidence, knowing that only files meeting your strict criteria are permitted to run. In an era where threats are increasingly sophisticated, this individualized control over your digital environment is not only prudent but essential.

Exercise extreme caution with programs granted administrator privileges on your system. The User Account Control (UAC) prompt that appears, requesting permission, is more than a minor screen—it serves as a critical security checkpoint. If you inadvertently grant a malicious program administrator access, reversing the damage can be extraordinarily challenging.

When administrator privileges are granted, the program gains more than a one-time permission; it can establish persistent access by embedding itself deeply into the system. Malicious programs can create "hooks", allowing them to access your device and resources on demand. They might configure scheduled tasks to ensure persistence, execute commands with SYSTEM-level privileges, modify registry keys to enable startup scripts, or establish Windows services to maintain their foothold.

Take, for example, the legitimate use case of the Steam game client. Upon installation and initial launch, Steam requests administrator privileges to set up a necessary service that has very high privileges. It doesn't ask for elevated permissions again on subsequent launches, because the service it created during the initial setup allows it to run with elevated privileges even after restarts or shutdowns. While Steam's case is benign, malware can exploit the same mechanisms, and others, for far more harmful purposes, achieving ongoing control over your device.

In conclusion, digital signatures are a strong security standard for most use cases, but in high-risk, high-value environments they are simply not enough. In those situations where the stakes are highest, Application Control is the most effective way to ensure that only trusted, authorized executables are allowed to run. By defining your own standards of trust, you can protect your systems from the most sophisticated threats. Also, exercise caution when granting administrator privileges to programs, as this can lead to persistent access; it's not a one-time permission.


Closes #358
Closes #379


PR: #391


AppControl Manager 1.2.0.0 and WDACConfig 0.4.8

02 Nov 21:15
5bca727

What's New

AppControl Manager App

  • Improved the policy viewing page. There is now a complete data grid with sortable and relocatable columns, offering a very nice experience for managing, viewing and searching through the deployed policies.

  • The AppControl Manager now has a new option in the Update page that you can turn on (it is off by default). When enabled, the app checks for updates on startup and, if a new version is available, displays a small dot on the navigation menu next to the Update page's icon, letting you know a new version is available. If you want, you can then go to the Update page and click/tap the update button to update. It respects the user's choice and is a non-intrusive, subtle notification method.


WDACConfig Module

  • It works on Windows 11 build 23H2 again.

  • Removed the -SkipVersionCheck parameter from all cmdlets. Instead, a new setting named AutoUpdate has been added to the user configurations; you configure it once and the built-in update checker uses that value to determine whether to check for a new version. This improves the user experience, as you no longer have to pass -SkipVersionCheck to every cmdlet if you wish to stay on a specific version of WDACConfig despite newer versions being available.

    • The check for updates happens once every hour.

    • To completely disable the automatic check for updates, use the following command: set-commonWDACConfig -AutoUpdate $false.

    • To enable the automatic check for updates, use the following command: set-commonWDACConfig -AutoUpdate $true.

  • Significantly improved the performance of the merge operations during policy creation tasks.


PR: #382



WDACConfig update v.0.4.8.1

Small update to adjust the new auto-update experience for first time use. Changes in the following PR => #389