Microsoft Intune - Windows Defender Application Control (WDAC)

  • Writer: Mr B SOE way
  • Mar 8, 2024
  • 4 min read

Updated: Mar 11, 2024

From what I have learnt with WDAC, start with the basics: don't ever overcomplicate it and keep it simple. For this, I have set it up with a Base Policy and a Supplementary Policy. In this blog, I will be using "Allow Microsoft Mode".


What is WDAC?


WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the servicing criteria defined by the Microsoft Security Response Center (MSRC).


Application control (or Application Whitelisting) is a security approach designed to protect against malicious code (also known as malware) executing on systems. When implemented correctly, it ensures only approved applications (e.g. executables, software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets and drivers) can be executed.


While application control is primarily designed to prevent the execution and spread of malicious code, it can also prevent the installation or use of unapproved applications.


How do I get started with WDAC?

Navigate to https://webapp-wdac-wizard.azurewebsites.net/ and select Download the installer.


What are the Microsoft Baseline Policies?


The "Default Windows Mode" allows all digitally signed Microsoft OS components and drivers, but not other signed applications.


The "Allow Microsoft Mode" in essence allows all digitally signed Microsoft OS components, applications and drivers.


The "Signed and Reputable" baseline adds an additional option to automatically allow applications with a good reputation, using the Intelligent Security Graph.


Prerequisite

Before this is deployed, navigate to https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/appControl and select Add to get the "Managed Installer" deployed automatically to all devices.


Instructions:

Open up the WDAC Wizard, then at the bottom left-hand side select Settings.


Select the Policy Creator.


Select the following highlighted in red.

Select Multiple Policy Format and Base Policy as we will need to create the policy.


Select "Allow Microsoft Mode", then rename the Policy Name and Policy File Location.


First you want to create an audit policy before you enforce, as you don't want things to break.


In this blog, I will set it as Enforced (meaning that Audit Mode is disabled). Then select Next.


Next, tick both "Merge with Recommended User Mode Block Rules" and "Merge with Recommended Kernel Block Rules".


By selecting "+ Add Custom", you can enter a number of allow rules.


As examples, I will simply add the following into the allow list.

Note: Ideally you would only want to whitelist applications that users will tend to access.


C:\Windows\*

C:\Program Files\*

C:\Program Files (x86)\*


If you plan to add a subfolder\*, make sure to tick "Use Custom Path".


It will show up like this once that is all done; select Next.


The WDAC Wizard will generate an .XML and a .CIP file.


As we want to create a supplementary policy, select Home and then select Policy Creator.


Select Supplementary Policy, enter the name of the Policy and the Policy File Location, then select the Base Policy Path (by navigating to where the original base policy is saved).


Select Next. The options you see greyed out cannot be turned back on.


It will show up with no file rules, which is an empty list that needs to be filled out.


When adding a custom rule in a supplementary policy, you can only set it to "Allow". For any deny entries, you will need to update the base policy.


When creating a custom rule condition, the User mode rule will be unticked; when you enable it you will be prompted, so select Yes. Then untick the Kernel rule.


For the Supplementary Policy example, I will be adding the following:

C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\*

C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\DataCollection\*


The end result will look like this.


After clicking Next, it will provide a .XML and a .CIP file.


The end result will look like this.


Using Visual Studio Code, do a compare between both policies; highlighted in yellow you will see that the base policy ID is the same in both.


In the screenshot, the Base Policy is on the left while the Supplementary Policy is on the right.



Then, by dragging the bar at the bottom, you can see that the left-hand side is the Base Policy while the right-hand side is the Supplementary Policy.


As we want to upload these files to Intune, we will need to convert them to .bin format.


Run PowerShell as Administrator.

Then CD to the folder where the WDAC policies exist; in this case it is C:\WDAC-Demo.

Then run the following in PowerShell:


For Base:

ConvertFrom-CIPolicy -XmlFilePath ".\WDAC-Demo-Base.xml" -BinaryFilePath "WDAC-Demo-Base.bin"


For Supplementary:

ConvertFrom-CIPolicy -XmlFilePath ".\WDAC-Demo-Supplementary.xml" -BinaryFilePath "WDAC-Demo-Supplementary.bin"
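

As an added example (this is my own script, not from the original post or the WDAC Wizard), the following PowerShell does the conversion for both files in one go and, before converting, reads the PolicyID and BasePolicyID out of each XML so you can confirm the supplementary policy really points at the base without comparing them by eye in Visual Studio Code. It assumes the file names and the C:\WDAC-Demo folder used above, the multiple policy format XML (a SiPolicy root with a PolicyType attribute and PolicyID/BasePolicyID elements), and that the ConfigCI module's ConvertFrom-CIPolicy is available, as it is in an elevated PowerShell on Windows. It also prints the OMA-URI for each policy, derived from the PolicyID, which is what the Intune custom profile needs.

```powershell
# Added example (not from the original post): convert the base and supplementary
# policies to .bin, check that the supplementary really references the base,
# and print the OMA-URI each one will use in Intune.
# Assumes the wizard output lives in C:\WDAC-Demo with the file names used above.
$PolicyFolder = 'C:\WDAC-Demo'
$Policies = @{
    Base          = Join-Path $PolicyFolder 'WDAC-Demo-Base.xml'
    Supplementary = Join-Path $PolicyFolder 'WDAC-Demo-Supplementary.xml'
}

function Get-WdacPolicyInfo {
    # Reads the identifiers the Intune step needs straight out of the policy XML,
    # so the GUID does not have to be copied by hand from a screenshot.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $p = $xml.SiPolicy
    # The XML stores GUIDs with braces; the OMA-URI uses them without.
    $policyId = $p.PolicyID.Trim('{', '}')
    $baseId   = $p.BasePolicyID.Trim('{', '}')
    $options  = @($p.Rules.Rule | ForEach-Object { $_.Option })
    [pscustomobject]@{
        Path         = $Path
        PolicyType   = $p.PolicyType            # "Base Policy" or "Supplemental Policy"
        PolicyId     = $policyId
        BasePolicyId = $baseId
        AuditMode    = ($options -contains 'Enabled:Audit Mode')
        OmaUri       = "./Vendor/MSFT/ApplicationControl/Policies/$policyId/Policy"
    }
}

$base = Get-WdacPolicyInfo -Path $Policies.Base
$supp = Get-WdacPolicyInfo -Path $Policies.Supplementary

# A base policy's BasePolicyID equals its own PolicyID; a supplementary policy's
# BasePolicyID must equal the base policy's PolicyID or it will never be applied.
if ($base.PolicyId -ne $base.BasePolicyId) {
    throw "Base policy $($base.Path) does not reference itself as its base"
}
if ($supp.BasePolicyId -ne $base.PolicyId) {
    throw "Supplementary policy references base $($supp.BasePolicyId), expected $($base.PolicyId)"
}
if (-not $base.AuditMode) {
    Write-Warning 'Base policy is Enforced (Audit Mode disabled); make sure it was tested in audit first.'
}

foreach ($info in $base, $supp) {
    # Same ConvertFrom-CIPolicy call as above, with the .bin placed next to the .xml
    $bin = [IO.Path]::ChangeExtension($info.Path, '.bin')
    ConvertFrom-CIPolicy -XmlFilePath $info.Path -BinaryFilePath $bin | Out-Null
    "{0,-20} {1}`n  OMA-URI: {2}`n  Upload : {3}" -f $info.PolicyType, $info.PolicyId, $info.OmaUri, $bin
}
```

The two throw checks are the point of the script: if the supplementary policy was generated against the wrong base path in the wizard, the BasePolicyID mismatch is caught here rather than showing up later as a policy that silently never loads on the device.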


In the saved location, it looks like this.

In Microsoft Intune, select the following:

Platform: Windows 10 and later

Profile type: Templates then Custom











Where my Policy ID for Base is: 08633881-EB06-41E7-9B60-988C1751B8E2


OMA-URI settings:

Name: Base

Description: Not configured

OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/08633881-EB06-41E7-9B60-988C1751B8E2/Policy

Data Type: Base64 (file)

Certificate Type: Upload WDAC-Demo-Base.bin


Where my Policy ID for Supplementary is: DE491EF3-716C-48C6-88F2-D1B3D33BE48D


OMA-URI settings:

Name: Supplementary

Description: Not configured

OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/DE491EF3-716C-48C6-88F2-D1B3D33BE48D/Policy

Data Type: Base64 (file)

Certificate Type: Upload WDAC-Demo-Supplementary.bin


Select Review and Create.


Note: I would generally create two separate Intune profiles, one for the Base Policy and the other for the Supplementary Policy.


End result will look like this:


To view the events for the WDAC policy, navigate to Event Viewer > Applications and Services Logs > Microsoft > Windows > CodeIntegrity.


You can also query Defender 365 Advanced Hunting:


DeviceEvents
| where ActionType startswith "AppControl"
| where FileName !startswith "__PSSCRIPTPOLICYTEST_"
| where ActionType contains "Block"


Then view the logs over the next 30 days and update the supplementary policy as you discover any blocks.
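

As an added example for the 30-day review (my own script, not from the original post), the following PowerShell pulls the Code Integrity block events from the local CodeIntegrity log mentioned above and groups them by file, so the same binary blocked hundreds of times shows up as one line with a count. It assumes event ID 3076 is the "would have been blocked" audit event and 3077 the enforced block, and that the EventData fields are named FileNameBuffer, ProcessNameBuffer and PolicyNameBuffer; those names are taken from the event XML of the events on the devices I have looked at and are marked as assumptions in the code. The __PSSCRIPTPOLICYTEST_ exclusion mirrors the Advanced Hunting query above.

```powershell
# Added example (not from the original post): summarise Code Integrity block events
# on a device so the blocked paths can be reviewed for the supplementary allow list.
# Assumed event IDs: 3076 = would have been blocked (Audit Mode), 3077 = blocked (Enforced).
function Get-WdacBlockSummary {
    param(
        [int]$Days = 30,
        [string]$LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    )
    $filter = @{ LogName = $LogName; Id = 3076, 3077; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of scraping Message.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 3076) { 'Audit' } else { 'Enforced' }
            File    = $data['FileNameBuffer']     # assumed EventData field name
            Process = $data['ProcessNameBuffer']  # assumed EventData field name
            Policy  = $data['PolicyNameBuffer']   # assumed EventData field name
        }
    }
}

# One line per blocked file, most frequent first, with the processes that tried to load it.
Get-WdacBlockSummary -Days 30 |
    Where-Object { $_.File -notmatch '__PSSCRIPTPOLICYTEST_' } |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'File';      e = { $_.Name } },
                  @{ n = 'Mode';      e = { ($_.Group.Mode    | Sort-Object -Unique) -join ', ' } },
                  @{ n = 'Policy';    e = { ($_.Group.Policy  | Sort-Object -Unique) -join ', ' } },
                  @{ n = 'Processes'; e = { ($_.Group.Process | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run this in an elevated PowerShell on a device that has received the policy. The Policy column tells you which policy produced the block, which matters because an allow for that file goes into the supplementary policy while anything that needs a deny has to go into the base policy, as noted above.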

