Windows 10: Signing an audit App Control for Business WDAC Policy Doesn't Log Events?

Discuss and support Signing an audit App Control for Business WDAC Policy Doesn't Log Events? in Windows 10 Software and Apps to solve the problem; Hello, We have several App Control for Business policies deployed on our fleet of machines, several of them are signed and enforced. We had one policy in... Discussion in 'Windows 10 Software and Apps' started by The Cyber Warden, Nov 7, 2024.

  1. Signing an audit App Control for Business WDAC Policy Doesn't Log Events?


    Hello, We have several App Control for Business policies deployed on our fleet of machines; several of them are signed and enforced. We had one policy in audit mode, unsigned, and the Code Integrity logs for this policy came in just fine. No issues for months. We decided to sign it and leave it in audit mode -- however, signing the audit policy caused events to not be logged anymore. We've verified that the policy is "signed", "authorized", and "enforced" using CiTool. Can someone confirm that signed, audit-mode App Control policies should be logging things? Thanks!

    :)
     
    The Cyber Warden, Nov 7, 2024
    #1
  2. pavan_446 Win User

    Unable to sign WDAC policy file(bin or p7b) file.

    Hi,

    To sign our WDAC policy file we are following the Microsoft article Use signed policies to protect Windows Defender Application Control. In order to sign the SIPolicy file we need to have a code signing certificate. We need a few clarifications, which are described below:

    1) As per the above-mentioned link, it specifically needs the ContosoSigningCert code signing certificate to sign the WDAC policy; below is the mentioned command. As we are unable to get this certificate, can you please provide us this certificate? Or, in case we can sign it with some other certificate, please share information regarding that.

    <Path to signtool.exe> sign -v -n "ContosoSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin

    2) We also checked the Device Guard Signing Service v2 (DGSS), which is a code signing service. But the information available over the web is too generic to apply to our case. In order to sign our WDAC policy file, can we get some concrete step-wise information or any other related information regarding this?

    Regards,

    Vikram
     
    pavan_446, Nov 7, 2024
    #2
  3. Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph

    Hi,

    Thank you for writing to Microsoft Community Forums.

    In order to enable trust for executables based on classifications in the ISG, the Enabled:Intelligent Security Graph Authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the Enabled:Invalidate EAs on Reboot option, which invalidates the cached ISG results on reboot and forces rechecking of applications against the ISG.

    Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy, or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.

    Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business, it is straightforward to authorize modern apps with signer rules in the WDAC policy.

    Enabled:Intelligent Security Graph Authorization -> Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG).

    Enabled:Invalidate EAs on Reboot -> When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.

    For more information, you may refer to the below articles.

    If you still have questions, then I suggest you post your query in the IT Pro TechNet Forums, where we have support professionals who are well equipped with knowledge of Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph.

    Please feel free to contact us back in case you have any other questions/issues with Windows in future.
     
    Shafeeq_Khan, Nov 7, 2024
    #3
  4. Kaj_1337 Win User


    Disable script enforcement for all policies (WDAC)

    Hello

    We would like to prohibit the use of the app “Mail – microsoft.windowscommunicationsapps” via a WDAC policy distributed by Intune.

    We also use the "psappdeploytoolkit", but the execution on the device is not possible because of the "Constrained Language Mode".

    Problem Described here: AppDeployToolkitMain.cs could not be opened

    We used this script to generate the WDAC Policy:

    Based on the AllowAll.xml policy, we added some deny rules for the "windowscommunicationsapps" app and removed the Script Enforcement.

    The "windowscommunicationsapps" app is getting blocked, but we are now in the "ConstrainedLanguage" PowerShell mode.

    In the documentation of "Script Enforcement" it is written:

    WDAC puts interactive PowerShell into Constrained Language Mode if any WDAC UMCI policy is enforced and any active WDAC policy enables script enforcement, even if that policy is in audit mode. To run interactive PowerShell with Full Language rights, you must disable script enforcement for all policies. Understand App Control script enforcement

    My question is: how do I disable script enforcement for all policies?
     
    Kaj_1337, Nov 7, 2024
    #4
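A worked example, added here and not part of any post in this thread, that reads the rule options behind the questions above out of a policy XML (audit mode and signing in posts 1 and 2, the ISG options in post 3, script enforcement in post 4) and then applies the Set-RuleOption changes each one calls for. The policy folder and file names are placeholders; the ConfigCI module ships with Windows.

```powershell
# Added example, not code from the thread. Placeholder paths: adjust to your policy store.
$PolicyDir = 'C:\Policies'
$PolicyXml = Join-Path $PolicyDir 'AuditPolicy.xml'

# Rule-option numbers as used by Set-RuleOption, with the strings written into the XML.
$Options = @{
    3  = 'Enabled:Audit Mode'
    6  = 'Enabled:Unsigned System Integrity Policy'
    11 = 'Disabled:Script Enforcement'
    14 = 'Enabled:Intelligent Security Graph Authorization'
    15 = 'Enabled:Invalidate EAs on Reboot'
}

function Get-PolicyRuleOptions {
    # Reads <Rules><Rule><Option>...</Option></Rule></Rules> from a policy XML.
    param([Parameter(Mandatory)][string]$Path)
    $xml = [xml](Get-Content -Path $Path -Raw)
    @($xml.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
}

function Get-PolicyPosture {
    # Script enforcement is ON unless option 11 is present, which is why post 4's
    # shell stayed in Constrained Language Mode while another policy lacked it.
    param([Parameter(Mandatory)][string]$Path)
    $set = Get-PolicyRuleOptions -Path $Path
    [pscustomobject]@{
        Policy            = Split-Path -Path $Path -Leaf
        AuditMode         = $set -contains $Options[3]
        UnsignedAllowed   = $set -contains $Options[6]
        ScriptEnforcement = -not ($set -contains $Options[11])
        IsgEnabled        = $set -contains $Options[14]
        InvalidateEAs     = $set -contains $Options[15]
    }
}

# Show the posture of every policy before touching anything.
Get-ChildItem -Path $PolicyDir -Filter '*.xml' |
    ForEach-Object { Get-PolicyPosture -Path $_.FullName } | Format-Table -AutoSize

# Post 4: Full Language Mode returns only when EVERY active policy carries option 11.
Get-ChildItem -Path $PolicyDir -Filter '*.xml' |
    ForEach-Object { Set-RuleOption -FilePath $_.FullName -Option 11 }

# Post 3: opt into ISG reputation (14) and re-validate it after reboot (15).
Set-RuleOption -FilePath $PolicyXml -Option 14
Set-RuleOption -FilePath $PolicyXml -Option 15

# Posts 1/2: a policy you intend to sign must drop option 6; audit mode (option 3)
# is a separate option and may stay set. Rebuild the binary afterwards: the .cip
# is what the signtool command in post 2 signs and what CiTool deploys.
Set-RuleOption -FilePath $PolicyXml -Option 6 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath (Join-Path $PolicyDir 'AuditPolicy.cip')
```

Re-run the posture table after the edits to confirm that ScriptEnforcement reads False for all policies and UnsignedAllowed reads False for the policy you are about to sign.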