Windows Defender Application Control (WDAC): Secure Windows 10 / 11 against malicious apps and rogue drivers with recommended WDAC block rules

• Author
• Recent Posts

Brandon Lee

Brandon Lee has been in the IT industry 15+ years and focuses on networking and virtualization. He contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Latest posts by Brandon Lee (see all)

• Windows doesn’t start: Recover partitions, copy files, and reset password with SystemRescue - Tue, Mar 28 2023
• ManageEngine OpManager: Comprehensive monitoring for on-prem, cloud, and containers - Thu, Mar 23 2023
• Install K3s, a lightweight, production-grade Kubernetes distro - Mon, Mar 20 2023

WDAC provides rules-based application security, allowing rules to restrict the execution of binaries. So, using WDAC, we can implement a blacklist or whitelist to block applications. The recommended block rules are a list of applications that attackers commonly use to bypass Windows Defender Application Control. Unless you need these applications, Microsoft recommends disabling them.

The recommended driver block rules are designed to harden systems against third-party-developed drivers used across the Windows landscape that contain the following:

• Known vulnerabilities—Skilled attackers easily exploit drivers that have known vulnerabilities for privilege escalation.
• Malware—Drivers that demonstrate malicious behavior or are associated with certificates known to sign malicious code.
• Security compromising behaviors—Any drivers that exhibit behaviors known to circumvent the Windows security model can be used by attackers for privilege escalation and compromising the Windows kernel.

Implement Microsoft-recommended block rules

The two most common ways to apply WDAC policy rules are by using an MDM solution, such as Microsoft Intune, or the traditional policy enforcement approach of Active Directory Group Policies. However, you can also use Microsoft Endpoint Manager Configuration Manager (MEMCM), using the on-premises management solution to manage desktops and servers, or a configuration script to roll out the WDAC rules deployment.

You can obtain the XML version of the policy block rules here:

• Microsoft-recommended block rules
• Microsoft-recommended driver block rules

On both pages, you will see the XML code you can copy and save to a file on your administrative workstation.

Downloading the WDAC recommended block rules

Navigating to Microsoft Endpoint Manager and Intune, we select Device > configuration profile to create a profile that allows us to use the XML files for both the recommended block rules and the driver block rules for WDAC.

On the Create a profile blade, populate the following settings:

• Platform—Windows 10 and later
• Profile type—Templates
• Template name—Custom

Creating a new device configuration profile in Intune

This launches a new custom device configuration profile wizard. The first step is to name the new configuration profile.

Name the new device configuration profile

The second page of the new configuration profile wizard is the one to pay attention to. It contains information about the custom device configuration profile. Populate the name and description field as well as the OMA-URI. This is a string filled with information you get from the policy text you download from Microsoft:

For the custom template, we use the OMA-URI base string of ./Vendor/MSFT/ApplicationControl/Policies/{Policy ID}/Policy according to the documentation from Microsoft.

• Replace the policy ID in the braces above with the PolicyTypeID in the policy file downloaded from Microsoft.
  • The completed string will look like this: ./Vendor/MSFT/ApplicationControl/Policies/A244370E-44C9-4C06-B551-F6016E563076/Policy
• Data type—Since the policy text downloaded from Microsoft is in XML format, we choose String (XML file).

Getting the policy ID from the policy file

Use the information above to complete the OMA-URI Settings page.

Setting the new device configuration profile

The OMA-URI settings are now entered on the configuration settings screen.

The configuration settings with the OMA URI are now configured

On the Assignments screen, choose the users, groups, or devices to which you want to assign the new WDAC configuration profile.

Configure the assignment settings for the new device configuration profile

You can just click Next on the Applicability Rules screen.

Click Next on Applicability Rules

Finally, on the Review + create screen, review the configuration settings and click the Create button.

The WDAC configuration profile is now listed on the device Configuration profiles screen.

The new WADC configuration profile is listed among the device configuration profiles

Using this method, you can import both the recommended block rules and driver block rules and apply the WDAC rules through the device configuration profiles.

Wrapping up

Windows Defender Application Control (WDAC) is a solution built into Windows 10 and 11. It allows organizations to control the trust level of applications users can execute on their end-user clients.

Using modern endpoint management, such as Microsoft Endpoint Manager with Intune, you can easily apply the WDAC rules using device configuration profiles. Learn more about Windows Defender Application Control (WDAC) here.