Windows-Defender-Application-Control-Hardening

This is a PowerShell script that configures Windows Defender Application Control (WDAC) on a Windows machine. The script requires elevated privileges to run and continues even if errors are encountered. It creates a new "Temp" directory in the C:\ drive and copies necessary Windows Defender configuration files to it. The script then enables WDAC by importing policies and adding necessary services. The script also enables the Intelligent Security Graph (ISG) and Managed Installer (MI) diagnostic events for troubleshooting. The script ends with a prompt to the user to restart the computer to make changes effective.

Notes:

Windows Server 2016/2019 or anything before version 1903 only support a single legacy policy at a time.
Windows Server Core edition supports WDAC but some components that depend on AppLocker won’t work
Please read the Recommended Reading before implementing or even testing.

A list of scripts and tools this collection utilizes:

Additional configurations were considered from:

Explanation:

XML vs. BIN:

Simply put, the "XML" policies are for applying to a machine locally and the "BIN" files are for enforcing them with either Group Policy or Microsoft Intune. While you can use XML, BIN, or CIP policies in a local deployment, generally speaking you should stick to XML where possible and especially so while auditing or troubleshooting.

Policy Descriptions:

Default Policies:
- The "Default" policies use only the default features available in the WDAC-Toolkit.
Recommended Policies:
- The "Recommended" policies use the default features as well as Microsoft's recommended blocks and driver block rules.
Audit Policies:
- The "Audit" policies, just log exceptions to the rules. This is for testing in your environment, so that you may modify the policies, at will, to fit your environments needs.
Enforced Policies:
- The "Enforced" policies will not allow any exceptions to the rules, applications, drivers, dlls, etc. will be blocked if they do not comply.

Available Policies:

XML:
- Audit Only:
  - WDAC_V1_Default_Audit.xml
  - WDAC_V1_Recommended_Audit.xml
- Enforced:
  - WDAC_V1_Default_Enforced.xml
  - WDAC_V1_Recommended_Enforced.xml
BIN:
- Audit Only:
  - WDAC_V1_Default_Audit.bin
  - WDAC_V1_Recommended_Audit.bin
- Enforced:
  - WDAC_V1_Default_Enforced.bin
  - WDAC_V1_Recommended_Enforced.bin
CIP:
- Audit Only:
  - WDAC_V1_Default_Audit\{uid}.cip
  - WDAC_V1_Recommended_Audit\{uid}.cip
- Enforced:
  - WDAC_V1_Default_Enforced\{uid}.cip
  - WDAC_V1_Recommended_Enforced\{uid}.cip

Update the following line in the script to use the policy that you desire locally:

$PolicyPath = "C:\temp\Windows Defender\CIP\WDAC_V1_Recommended_Enforced\*.cip"
#https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script
ForEach ($Policy in (Get-ChildItem -Recurse $PolicyPath).Fullname) {
  $PolicyBinary = "$Policy"
  $DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\"
  $RefreshPolicyTool = "./Files/EXECUTABLES/RefreshPolicy(AMD64).exe"
  Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
  & $RefreshPolicyTool
}

Alternatively, you may use Group Policy or Microsoft Intune to enforce the WDAC policies.

Auditing:

You can view the WDAC event logs in event viewer under:

Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational

How to run the script:

Manual Install:

If manually downloaded, the script must be launched from an administrative powershell in the directory containing all the files from the GitHub Repository

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Get-ChildItem -Recurse *.ps1 | Unblock-File
.\sos-wdachardening.ps1

sulemanmanji / windows-defender-application-control-hardening Goto Github PK