WDAC provides rules-based application control: policy rules restrict which binaries may execute, so with WDAC we can implement either a blacklist or a whitelist to control which applications run. The Microsoft-recommended block rules are a list of applications that attackers commonly use to bypass Windows Defender Application Control. Unless you need these applications, Microsoft recommends blocking them.
The recommended driver block rules are designed to harden systems against third-party drivers used across the Windows landscape that have any of the following:
- Known vulnerabilities—Skilled attackers easily exploit drivers that have known vulnerabilities for privilege escalation.
- Malware—Drivers that demonstrate malicious behavior or are associated with certificates known to sign malicious code.
- Security compromising behaviors—Any drivers that exhibit behaviors known to circumvent the Windows security model can be used by attackers for privilege escalation and compromising the Windows kernel.
Implement Microsoft-recommended block rules
The two most common ways to apply WDAC policy rules are an MDM solution, such as Microsoft Intune, or the traditional policy enforcement approach of Active Directory Group Policy. However, you can also use Microsoft Endpoint Manager Configuration Manager (MEMCM), the on-premises management solution for desktops and servers, or a configuration script to roll out the WDAC rules.
You can obtain the XML version of the policy block rules here:
On both pages, you will see the XML code you can copy and save to a file on your administrative workstation.
In the Microsoft Endpoint Manager admin center (Intune), we select Devices > Configuration profiles to create a profile that lets us import the XML files for both the recommended block rules and the driver block rules for WDAC.
On the Create a profile blade, populate the following settings:
- Platform—Windows 10 and later
- Profile type—Templates
- Template name—Custom
This launches a new custom device configuration profile wizard. The first step is to name the new configuration profile.
The second page of the new configuration profile wizard is the one to pay attention to. It contains the settings of the custom device configuration profile. Populate the name and description fields as well as the OMA-URI, a string built from information in the policy text you download from Microsoft:
For the custom template, we use the OMA-URI base string of ./Vendor/MSFT/ApplicationControl/Policies/{Policy ID}/Policy according to the documentation from Microsoft.
- Replace the policy ID in the braces above with the PolicyTypeID from the policy file downloaded from Microsoft. The braces are placeholders and are not part of the final string.
- The completed string looks like this: ./Vendor/MSFT/ApplicationControl/Policies/A244370E-44C9-4C06-B551-F6016E563076/Policy
- Data type—Since the policy text downloaded from Microsoft is in XML format, we choose String (XML file).
Use the information above to complete the OMA-URI Settings page.
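Because the OMA-URI must match the GUID inside the policy file exactly, it is worth deriving it from the XML rather than typing it by hand. The following Python script is an added example and is not code from the article or from Microsoft: it parses a constructed, cut-down WDAC policy file (the GUID is the PolicyTypeID the article shows for the recommended block rules), checks that the file is well-formed XML and really is a SiPolicy document, and builds the OMA-URI string. It also generalizes slightly beyond the article's case: a policy in the multiple-policy format carries a PolicyID element, which takes precedence over PolicyTypeID when present. The element and namespace names are those used in real WDAC policy files; the helper names are my own.

```python
"""Build the Intune OMA-URI for a WDAC policy from the policy XML itself."""
import re
import xml.etree.ElementTree as ET

# WDAC policy files use this XML namespace on the <SiPolicy> root element.
SIPOLICY_NS = "urn:schemas-microsoft-com:sipolicy"
OMA_URI_BASE = "./Vendor/MSFT/ApplicationControl/Policies"
# A GUID, optionally wrapped in braces as WDAC policy files write it.
GUID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")

# Constructed sample: a minimal single-policy-format file. The GUID is the
# PolicyTypeID the article quotes for the recommended block rules.
SAMPLE_POLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
</SiPolicy>
"""


def policy_guid(xml_text: str) -> str:
    """Return the GUID (upper-case, without braces) that identifies this policy.

    Multiple-policy-format files carry a <PolicyID>; legacy single-policy
    files such as the recommended block rules carry only <PolicyTypeID>.
    Raises on malformed XML, on a non-SiPolicy document, or on a missing or
    malformed GUID, so a bad file is caught before it is pasted into Intune.
    """
    root = ET.fromstring(xml_text)  # ET.ParseError if the XML is not well-formed
    if root.tag != f"{{{SIPOLICY_NS}}}SiPolicy":
        raise ValueError("not a WDAC SiPolicy document")
    for name in ("PolicyID", "PolicyTypeID"):
        elem = root.find(f"{{{SIPOLICY_NS}}}{name}")
        if elem is not None and elem.text:
            match = GUID_RE.match(elem.text.strip())
            if not match:
                raise ValueError(f"{name} is not a GUID: {elem.text!r}")
            return match.group(1).upper()
    raise ValueError("policy has neither PolicyID nor PolicyTypeID")


def oma_uri(xml_text: str) -> str:
    """Compose the custom-profile OMA-URI for the given policy XML."""
    return f"{OMA_URI_BASE}/{policy_guid(xml_text)}/Policy"


if __name__ == "__main__":
    # Paste the printed string into the OMA-URI field of the custom profile.
    print(oma_uri(SAMPLE_POLICY_XML))
```

Run it against the downloaded policy file instead of the embedded sample by reading the file into `oma_uri()`; the same file is what goes into the String (XML file) data field of the profile.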
The OMA-URI settings are now entered on the configuration settings screen.
On the Assignments screen, choose the users, groups, or devices to which you want to assign the new WDAC configuration profile.
You can just click Next on the Applicability Rules screen.
Finally, on the Review + create screen, review the configuration settings and click the Create button.
The WDAC configuration profile is now listed on the Devices > Configuration profiles screen.
Using this method, you can import both the recommended block rules and driver block rules and apply the WDAC rules through the device configuration profiles.
Wrapping up
Windows Defender Application Control (WDAC) is a solution built into Windows 10 and 11. It allows organizations to control the trust level of applications users can execute on their end-user clients.
Using modern endpoint management, such as Microsoft Endpoint Manager with Intune, you can easily apply the WDAC rules using device configuration profiles. Learn more about Windows Defender Application Control (WDAC) here.
Interesting article.
It appears the Windows open operating system is going the direction of the Mac and many commercial firewalls. It is moving away from Promiscuous mode to Restricted. I’m not a Mac guy, but I can understand the value of a closed system, same as a closed firewall, to keep the bad actors at bay.
Hi there. I am following these instructions verbatim but cannot get this to work on my Intune test machine. The error code given in Intune is 0x87d10190. Any ideas? Thanks