Windows 10: Is there a way to disable the WDAC blocked application message boxes?

I have a WDAC policy running and have been testing out enforced mode. The machines this will eventually go on cannot have notifications going to the user as this will be a single purpose machine and we can't potentially have notifications disrupting users.We are currently blocking all desktop notifications and windows defender notifications through GPO but this doesn't seem to apply to either type.

:)

 

Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph

Hi,



Thank you for writing to Microsoft Community Forums.



In order to enable trust for executables based on classifications in the ISG, the
Enabled:Intelligent Security Graph authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the
Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG.



Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate
trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to
build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.



Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business. It is straightforward to authorize modern apps with
signer rules in the WDAC policy.



Enabled:Intelligent Security Graph Authorization -> Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG).



Enabled:Invalidate EAs on Reboot -> When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically
re-validate the reputation for files that were authorized by the ISG.



For more information, you may refer the below articles.

• Use
  Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph.
  
• Deploy Windows
  Defender Application Control policy rules and file rules.
  
• Use
  signed policies to protect Windows Defender Application Control against tampering.
  

If you still have questions, then I suggest you to post your query in
IT Pro TechNet Forums, where we have support
professionals who are well equipped with the knowledge on Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph.



Please feel free to contact us back, in case you have any other questions/issues with Windows in future.

 

blocked applications

Hi Eileen,

Windows Defender or another antivirus software will sometimes block a certain app or file from running or being installed. With this, you can check the
quarantine section of the antivirus program you are using to see which program is being blocked. To better assist you, we need the answers to the following questions:

• What is the exact error message did you receive after launching or running the app?
• Which antivirus program are you using?

In the meantime, we suggest disabling the Windows Defender SmartScreen and see if the app will run. To do this, simply follow the steps below:

• Type Windows Defender on the search box and click on the first option.
• On the left side of the window, click on the Window icon (App & browser control).
• On the SmartScreen for Windows
  Store apps column, select Off.

We are looking forward to your response.

 

WDAC How to allow .tmp.node file by Electron app?

Hi all,

I'm facing an issue with .tmp.node file that executed by an application called Ledger Live and written by Electron.

This application generated a temporary file with random filename in user's Temp folder and then executed.

I tried to allow the application's folder (C:\Program Files\Ledger Live\*) and even whitelist *.tmp.node in the WDAC policy XML.

But the WDAC was still blocked this .temp.node file execute as the below screenshot.





Is there a way to allow it to run or skip the Enterprise signing level check?

Thanks.