Windows 10: Disable script enforcement for all policies WDAC

Discussion in 'Windows 10 Software and Apps' started by Edocsyl, Oct 10, 2023.

  1. Edocsyl Win User

    Disable script enforcement for all policies WDAC


    Hello

    We would like to forbid the usage of the "Mail - microsoft.windowscommunicationsapps" App via WDAC applied by Intune. We also use the "psappdeploytoolkit", but the execution of the device is not possible because of the "Constrained Language Mode" problem described here: https://discourse.psappdeploytoolkit.com/t/appdeploytoolkitmain-cs-could-not-be-opened/2962/7

    We used this script to generate the policy:

    # Set the Policy Name
    $PolicyName = "ucm_WDAC_v1"
    # Policy Files
    $DenyPolicyFile = "C:\Temp\ucm_WDAC_v1.xml"
    $BinaryFilePath = "C:\Temp\ucm_WDAC_v1.cip"
    # Base policy
    $AllowAl

    :)
     
    Edocsyl, Oct 10, 2023
    #1
  2. pavan_446 Win User

    Unable to sign WDAC policy file (bin or p7b) file.

    Hi,

    To sign our WDAC policy file we are following the Microsoft article "Use signed policies to protect Windows Defender Application Control". In order to sign the SIPolicy file we need to have a code signing certificate. We need a few clarifications, which are described below:

    1) As per the above-mentioned link, it specifically needs the ContosoSigningCert code signing certificate to sign the WDAC policy; below is the mentioned command. As we are unable to get this certificate, can you please provide us this certificate? Or, in case we can sign it with some other certificate, please share information regarding that.

    <Path to signtool.exe> sign -v -n "ContosoSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin

    2) We also checked Device Guard Signing Service v2 (DGSS), which is a code signing service. But the information available on the web is too generic to apply to our case. In order to sign our WDAC policy file, can we get some concrete step-wise information or any other related information regarding this?

    Regards,

    Vikram
     
    pavan_446, Oct 10, 2023
    #2
  3. Is there a way to disable the WDAC blocked application message boxes?

    I have a WDAC policy running and have been testing out enforced mode. The machines this will eventually go on cannot have notifications going to the user as this will be a single purpose machine and we can't potentially have notifications disrupting users.

    We are currently blocking all desktop notifications and Windows Defender notifications through GPO but this doesn't seem to apply to either type.
     
    d39d45d9-f1f0-410e-a375-df71b2319aee, Oct 10, 2023
    #3
  4. RM135 Win User

    WDAC PowerShell policy using Import-Clixml for policy rules error

    I've used the Microsoft documentation example code to create a PowerShell script that takes a Microsoft Base WDAC policy and adds filepath rules and policy options. This is great as I can store the small PowerShell script in source control and easily make changes & reproduce updated WDAC policies when needed.

    However, I can't do this when using publisher level rules as I need direct access to those files each time to scan the file to run "New-CIPolicyRule -Level Publisher". I can't have all these files & apps on my authoring computer, nor can I get network access to them all.

    I'm hoping I can scan the file, then use Export-Clixml to save the results of the scan, then save this in my code repo and use Import-Clixml to get that object back later. I'm getting the error:

    Merge-CIPolicy : Cannot bind parameter 'Rules'. Cannot convert value "Microsoft.SecureBoot.UserConfig.Rule" to type "Microsoft.SecureBoot.UserConfig.Rule". Error: "Cannot convert the "Microsoft.SecureBoot.UserConfig.Rule" value

    of type "Deserialized.Microsoft.SecureBoot.UserConfig.Rule" to type "Microsoft.SecureBoot.UserConfig.Rule"."

    Any tips?
     
    RM135, Oct 10, 2023
    #4
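
An added example, not part of the original posts: it shows why the CLIXML round trip in post #4 produces the type in the quoted error, and one way to keep scanned publisher rules in source control as policy XML instead. All file paths are hypothetical placeholders, and it assumes the ConfigCI cmdlets are available on both machines.

```powershell
# Added example (not from the thread). Every path below is a hypothetical placeholder.
$ScanFile    = 'C:\Staging\ExampleApp\app.exe'         # reachable only from the scanning machine
$RulesClixml = 'C:\Repo\wdac\exampleapp.rules.clixml'
$RulesPolicy = 'C:\Repo\wdac\exampleapp.rules.xml'
$BasePolicy  = 'C:\Repo\wdac\base.xml'
$Merged      = 'C:\Repo\wdac\merged.xml'

# --- On the machine that can read the file ---
$rules = New-CIPolicyRule -Level Publisher -Fallback Hash -DriverFilePath $ScanFile

# Live rule objects report the real .NET type that Merge-CIPolicy -Rules binds to.
@($rules)[0].PSObject.TypeNames[0]

# Export-Clixml / Import-Clixml returns property bags whose type name carries
# a "Deserialized." prefix; they are not Rule instances, so the parameter
# binder cannot convert them (the error quoted in post #4).
$rules | Export-Clixml -Path $RulesClixml
$restored = Import-Clixml -Path $RulesClixml
@($restored)[0].PSObject.TypeNames[0]

# Persist the scan result as a policy XML file instead. It is plain text,
# so it can be committed and reviewed like the script itself.
New-CIPolicy -FilePath $RulesPolicy -Rules $rules

# --- Later, on the authoring machine (no access to the scanned file) ---
# Merge by file path rather than by rule object.
Merge-CIPolicy -PolicyPaths $BasePolicy, $RulesPolicy -OutputFilePath $Merged

# Review the merged policy before converting or deploying it:
# list the rule options in effect and the signers that were carried over.
[xml]$doc = Get-Content -Path $Merged -Raw
$doc.SiPolicy.Rules.Rule.Option
$doc.SiPolicy.Signers.Signer.Name
```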