This is a PowerShell script that configures Windows Defender Application Control (WDAC) on a Windows machine. The script requires elevated privileges to run and continues even if errors are encountered. It creates a new "Temp" directory in the C:\ drive and copies necessary Windows Defender configuration files to it. The script then enables WDAC by importing policies and adding necessary services. The script also enables the Intelligent Security Graph (ISG) and Managed Installer (MI) diagnostic events for troubleshooting. The script ends with a prompt to the user to restart the computer to make changes effective.
- Windows Server 2016/2019, and any Windows version before 1903, only support a single legacy policy at a time.
- Windows Server Core edition supports WDAC, but some components that depend on AppLocker won't work.
- Please read the Recommended Reading before implementing or even testing.
  - Microsoft - Recommended block rules
  - Microsoft - Recommended driver block rules
  - Microsoft - Windows Defender Application Control
- Simply put, the "XML" policies are for applying to a machine locally and the "BIN" files are for enforcing them with either Group Policy or Microsoft Intune. While you can use XML, BIN, or CIP policies in a local deployment, generally speaking you should stick to XML where possible and especially so while auditing or troubleshooting.
- Default Policies:
  - The "Default" policies use only the default features available in the WDAC-Toolkit.
- Recommended Policies:
  - The "Recommended" policies use the default features as well as Microsoft's recommended block rules and driver block rules.
- Audit Policies:
  - The "Audit" policies only log exceptions to the rules; nothing is blocked. This is for testing in your environment, so that you can modify the policies at will to fit your environment's needs.
- Enforced Policies:
  - The "Enforced" policies allow no exceptions to the rules: applications, drivers, DLLs, etc. will be blocked if they do not comply.
- XML:
  - Audit Only:
    - WDAC_V1_Default_Audit.xml
    - WDAC_V1_Recommended_Audit.xml
  - Enforced:
    - WDAC_V1_Default_Enforced.xml
    - WDAC_V1_Recommended_Enforced.xml
- BIN:
  - Audit Only:
    - WDAC_V1_Default_Audit.bin
    - WDAC_V1_Recommended_Audit.bin
  - Enforced:
    - WDAC_V1_Default_Enforced.bin
    - WDAC_V1_Recommended_Enforced.bin
- CIP:
  - Audit Only:
    - WDAC_V1_Default_Audit\{uid}.cip
    - WDAC_V1_Recommended_Audit\{uid}.cip
  - Enforced:
    - WDAC_V1_Default_Enforced\{uid}.cip
    - WDAC_V1_Recommended_Enforced\{uid}.cip
Update the following line in the script to use the policy that you want to apply locally:
$PolicyPath = "C:\temp\Windows Defender\CIP\WDAC_V1_Recommended_Enforced\*.cip"
# https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script
# Copy every matching .cip policy into the active Code Integrity policy folder, then ask Code Integrity to reload it.
ForEach ($Policy in (Get-ChildItem -Recurse $PolicyPath).FullName) {
    $PolicyBinary = "$Policy"
    $DestinationFolder = $env:windir + "\System32\CodeIntegrity\CIPolicies\Active\"
    # Relative path: the script must be started from the repository directory (see the launch instructions below).
    $RefreshPolicyTool = "./Files/EXECUTABLES/RefreshPolicy(AMD64).exe"
    Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
    & $RefreshPolicyTool
}
Alternatively, you may use Group Policy or Microsoft Intune to enforce the WDAC policies.
You can view the WDAC event logs in Event Viewer under:
Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational
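As an added example of reviewing that log before switching from an Audit policy to an Enforced one (this is not part of the sos-wdachardening script or the repository), the script below summarises which binaries Code Integrity would have blocked, one line per file. It assumes event ID 3076 is the audit-mode "would have been blocked" event and 3077 the enforced-mode block event, and that those events carry the EventData fields FileNameBuffer, ProcessNameBuffer and PolicyGUID.

```powershell
# Added example: summarise WDAC audit/enforcement events for review.
# Assumptions: run in an elevated PowerShell on the machine carrying the policy;
# event IDs 3076 (audit: would be blocked) and 3077 (enforced: blocked).
param(
    [int]$Hours = 24,        # how far back to look
    [switch]$EnforcedOnly    # show only real blocks (ID 3077)
)

$logName = 'Microsoft-Windows-CodeIntegrity/Operational'
$ids     = if ($EnforcedOnly) { 3077 } else { 3076, 3077 }

$filter = @{
    LogName   = $logName
    Id        = $ids
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No Code Integrity events with ID $($ids -join ',') in the last $Hours hour(s)."
    return
}

# Pull the file, parent process and policy GUID out of each event's EventData.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Outcome  = if ($e.Id -eq 3076) { 'Audit (would block)' } else { 'Blocked' }
        File     = $data['FileNameBuffer']
        Process  = $data['ProcessNameBuffer']
        PolicyID = $data['PolicyGUID']
    }
}

# Group by file so the review list stays short: count, last hit and the outcomes seen.
$rows | Group-Object File | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Count    = $_.Count
        File     = $_.Name
        LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        Outcomes = ($_.Group.Outcome | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize
```

Files that appear here under "Audit (would block)" are the ones you need to either add to the policy or accept as blocked before deploying the Enforced variant.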
- Argonsys - Deploying Windows 10 Application Control Policy
- Microsoft - Audit Windows Defender Application Control Policies
- Microsoft - Create a WDAC policy for fixed-workload devices using a reference computer
- Microsoft - Deploy Windows Defender Application Control policies by using Group Policy
- Microsoft - Deploy Windows Defender Application Control policies by using Microsoft Intune
- Microsoft - Deploy WDAC policies using script
- Microsoft - Enforce Windows Defender Application Control Policies
- Microsoft - Guidance on Creating WDAC Deny Policies
- Microsoft - Use multiple Windows Defender Application Control Policies
If manually downloaded, the script must be launched from an administrative PowerShell in the directory containing all the files from the GitHub repository:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Get-ChildItem -Recurse *.ps1 | Unblock-File
.\sos-wdachardening.ps1