Windows 10: Allow WDAC application Control policy to allow Microsoft patches to run

Alles Fernando · Nov 3, 2020

Hello All,

I have created WDAC policy on Windows 10 enterprise. I created the WDAC policy in the following method:

I used the following files to merged and created the .BIN file

1. AllowMicrosoft.xmldefault Microsoft example files that comes with he OS- to allow Microsoft program to run

2.Program Files.xmlscanned the program Files for installed applications

3.Program Filesx86.xmlscanned the program Filesx86 for installed applications

4 BlockRules.xmlMicrosoft recommended block rules for WDAC

Merged the above 4 files and created the Mypolicy.xml and convertd to .bin files and copy to SIPolicy.p7b

However I can see Microsoft office patches.MSP downloaded from WSUs violated the code integrity.

I would like to know how to bypass the patch files in CI policy.I believe I cant scan the folder and merge with the existing policy as patch files would be different for different period?

one of the error msg :

code integriy module \windows\installer\MSI8448.tmp against policy

anybody can shed some light would be appreciated.

Thank you,

Regards,

Alles

:)

Shafeeq_Khan · Nov 3, 2020

Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph

Hi,

Thank you for writing to Microsoft Community Forums.

In order to enable trust for executables based on classifications in the ISG, the
Enabled:Intelligent Security Graph authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the
Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG.

Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate
trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to
build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.

Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business. It is straightforward to authorize modern apps with
signer rules in the WDAC policy.

Enabled:Intelligent Security Graph Authorization -> Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG).

Enabled:Invalidate EAs on Reboot -> When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically
re-validate the reputation for files that were authorized by the ISG.

For more information, you may refer the below articles.

Use
Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph.

Deploy Windows
Defender Application Control policy rules and file rules.

Use
signed policies to protect Windows Defender Application Control against tampering.

If you still have questions, then I suggest you to post your query in
IT Pro TechNet Forums, where we have support
professionals who are well equipped with the knowledge on Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph.

Please feel free to contact us back, in case you have any other questions/issues with Windows in future.

Brink · Nov 3, 2020

Windows Defender Application Control enhancements in Windows 10 v1903

With the Windows 10 May 2019 Update we delivered several important features for Windows Defender Application Control (WDAC), which was originally introduced to Windows as part of a scenario called Device Guard. WDAC works in conjunction with features like Windows Defender Application Guard, which provides hardware-based isolation of Microsoft Edge for enterprise-defined untrusted sites, to strengthen the security posture of Windows 10 systems.

*Arrow How to Turn On or Off Windows Defender Application Guard for Microsoft Edge in Windows 10

*Arrow How to Enable or Disable Device Guard in Windows 10

Our focus for this release was responding to some longstanding feedback on manageability improvements. We’re excited to introduce the following new capabilities in Windows Defender Application Control:

File path rules, including optional runtime admin protection checks

Multiple policy file support with composability

Application Control CSP to provide a new, richer MDM policy management capability

COM object registration support in policy

Disabling script enforcement rule option

Application control is frequently identified as one of the most effective mitigations against modern security threats, because anything that’s not allowed by policy is blocked from running. Even striving towards a simple policy like mandating that only signed code is allowed to execute can be incredibly impactful: in a recent analysis of Windows Defender ATP data, we saw that 96% of malware encountered is unsigned. Systems like Windows 10 in S mode, which uses WDAC technology to enforce that all code must be signed by Windows and Microsoft Store code signing certificates, have no malware infection issues.

The new capabilities are designed to ease the journey for customers adopting application control in real-world environments with large numbers of applications, users, and devices.

File path rules, including optional runtime admin protection checks

For many customers looking to adopt application execution control while balancing IT overhead, rules based on file paths on managed client systems provide a useful model. The Windows 10 May 2019 Update introduces support for both allow and deny rules based on file path in Windows Defender Application Control.

File path rules had been one of the few features available in AppLocker, the older native application control technology, that were not available to WDAC; deployment tools and methodologies built on top of AppLocker like AaronLocker have relied on these rules as an important simplifying option for policy management. As we sought to close that gap, we wanted to preserve the stronger security posture available with WDAC that customers have come to expect. To this end, WDAC applies, by default, an option to check at runtime that apps and executables allowed based on file path rules must come from a file path that’s only writable by administrator or higher privileged accounts. This runtime check provides an additional safeguard for file path rules that are otherwise inherently weaker than other identifiers like hash or signer rules, which rely on cryptographically verifiable attributes.

This runtime capability can be controlled with the “Disabled:Runtime FilePath Rule Protection” rule option.

The following example shows how to easily create rules for anything allowed under “Program Files” and “Program Files (x86)”, and then merge them with the sample policy that allows all Windows signed code (available under C:\Windows\schemas\CodeIntegrity\ExamplePolicies). The resulting merged policy file allows all Windows signed code and applications installed under “Program Files” and “Program Files (x86)” with the runtime protection that checks that anything executing under those paths is coming from a location only writable by administrator or higher privileged accounts.

Multiple policy file support with composability

Limiting support to a single policy file means that a variety of app control scenarios from potentially different stakeholders or business groups need to be maintained in one place. This comes with an associated overhead: the coordination required to converge on the appropriate rules encapsulated in a single policy file.

With the Windows 10 May 2019 Update multiple policy files are supported for WDAC. To facilitate composing behavior from multiple policy files, we have introduced the concept of base and supplemental policies:

Base policies – For any execution to be allowed, the application must pass each base policy independently. Base policies are used together to further restrict what’s allowed. For example:
Let’s assume a system has two policies: Base Policy A and Base Policy B with their own sets of rules. For foo.exe to run, it must be allowed by the rules in Base Policy A and also the rules in Base Policy B. Windows Defender Application Control policies on prior Windows 10 systems will continue to work on the May 2019 Update and will be treated as base policies.

Supplemental policies – As the name suggests, supplemental policies complement base policies with additional rules to be considered as part of the base policies they correspond to. Supplemental policies are tied to a specific base policy with an ID; a base policy may have multiple supplemental policies. Supplemental policies expand what is allowed by any base policy, but deny rules specified in a supplemental policy will not be honored.

Application Control CSP

Customers have been able to deploy Windows Defender Application Control policies via MDM using the CodeIntegrity node of the AppLocker configuration service provider (CSP). The AppLocker CSP has a number of limitations, most notably the lack of awareness of rebootless policy deployment support.

The Windows 10 May 2019 Update now has a new Application Control CSP, which introduces much richer support for policy deployment over MDM and also provides support for:

Rebootless policy deployment (For policies that have the “Enabled:Update Policy No Reboot” option set, the new Application Control CSP will not schedule a reboot on client systems getting the policy)

Support for the new multiple policies

For device management software vendors, better error reporting

COM object registration support

Windows Defender Application Control enforces a built-in allow list of COM object registrations to reduce the risk introduced from certain powerful COM objects. Customers have reported that while this capability is desirable from a security perspective, there are specific cases in their environments where they’d like to allow the registration of additional COM objects required for their business.

With the Windows 10 May 2019 Update customers can now specify COM objects that need to be allowed in environments they’re managing with Windows Defender Application Control policies.

Disabled: Script Enforcement rule option support

The Windows 10 May 2019 Update with KB4497935 introduces proper support for the Disabled: Script Enforcement rule option.

Customers recognize the importance of having restrictions on script hosts but are often looking to break up their application control projects into smaller chunks to help with deployment feasibility. The “Disabled:Script Enforcement” rule option in the policy now turns off policy enforcement for MSIs, PowerShell scripts, and wsh-hosted scripts. This will allow IT departments to tackle EXE, DLL, and driver enforcement without needing to also simultaneously address script host control.

Try the new capabilities today

We invite everyone to try these new Windows Defender Application Control capabilities, alongside existing features like managed installer. For customers using Microsoft Defender ATP, consider using Advanced hunting to query the WDAC events centrally to understand and monitor the behavior of all these new policy controls on client machines in your environment. Learn about both new and existing functionalities with the Windows Defender Application Control deployment guide.

We’re also working on supplementing the documentation we have out now. Stay tuned for updates from our team for tools and guidance on GitHub that provide more practical examples and ready-to-use scripts.

Nazmus Sakib
Senior Program Manager, Windows Defender Application Control team
Click to expand...

Source: https://www.microsoft.com/security/b...y-2019-update/

Shafeeq_Khan · Nov 3, 2020

Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph

Hi,

Thank you for replying and I apologize for the delayed response.

I suggest you to post this query in IT Pro TechNet Forums, where we have support professionals, who will answer all your questions related to Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph and provide you more information
on this.

Windows 10: Allow WDAC application Control policy to allow Microsoft patches to run

Allow WDAC application Control policy to allow Microsoft patches to run

Allow WDAC application Control policy to allow Microsoft patches to run

Allow WDAC application Control policy to allow Microsoft patches to run

Allow WDAC application Control policy to allow Microsoft patches to run - Similar Threads - Allow WDAC application

Obfuscation of Code in Applications - Are Such Applications allowed on the Microsoft Store?

Obfuscation of Code in Applications - Are Such Applications allowed on the Microsoft Store?

WDAC How to allow .tmp.node file by Electron app?

WDAC How to allow .tmp.node file by Electron app?

WDAC How to allow .tmp.node file by Electron app?

Family Control Bugged - No application recorded to allow access

Unchecked Allow applications to take exclusive control of this device not working

How to allow a blocked application

Application allowed to use location