Windows 10: WDAC powershell policy using import-climl for policy rules error

Discuss and support WDAC powershell policy using import-climl for policy rules error in AntiVirus, Firewalls and System Security to solve the problem; I've used the Microsoft documentation example code to create a powershell script that takes a Microsoft Base WDAC policy and adds filepaths rules and... Discussion in 'AntiVirus, Firewalls and System Security' started by RM135, Nov 30, 2022.

  1. RM135 Win User

    WDAC powershell policy using import-climl for policy rules error


    I've used the Microsoft documentation example code to create a PowerShell script that takes a Microsoft base WDAC policy and adds file path rules and policy options. This is great as I can store the small PowerShell script in source control and easily make changes & reproduce updated WDAC policies when needed. However, I can't do this when using publisher-level rules as I need direct access to those files each time to scan the file to run "New-CIPolicyRule -Level Publisher". I can't have all these files & apps on my authoring computer, nor can I get network access to them all. I'm ho

    :)
     
    RM135, Nov 30, 2022
    #1

  2. Allow WDAC application Control policy to allow Microsoft patches to run

    Hello All,

    I have created a WDAC policy on Windows 10 Enterprise. I created the WDAC policy in the following method:

    I used the following files to merge and create the .BIN file:

    1. AllowMicrosoft.xml (default Microsoft example file that comes with the OS, to allow Microsoft programs to run)
    2. Program Files.xml (scanned Program Files for installed applications)
    3. Program Filesx86.xml (scanned Program Filesx86 for installed applications)
    4. BlockRules.xml (Microsoft recommended block rules for WDAC)

    Merged the above 4 files and created the Mypolicy.xml, converted to a .bin file and copied it to SIPolicy.p7b.

    However, I can see Microsoft Office patches (.MSP) downloaded from WSUS violated the code integrity policy.

    I would like to know how to bypass the patch files in the CI policy. I believe I can't scan the folder and merge with the existing policy as the patch files would be different for different periods?

    One of the error messages:

    code integriy module \windows\installer\MSI8448.tmp against policy

    Anybody who can shed some light would be appreciated.

    Thank you,

    Regards,

    Alles
     
    Alles Fernando, Nov 30, 2022
    #2
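The build workflow described in posts #1 and #2, as an added example that is not code from the thread, from Microsoft, or from either poster: a PowerShell script kept in source control that starts from the built-in AllowMicrosoft.xml base policy, adds file path rules, merges the Program Files scans and a block rules file, sets rule options, and compiles the binary. The `rules\` folder, the Contoso paths and the idea that publisher rules are generated once on a machine that has the binaries and committed as `Publishers.xml` are my assumptions, not the thread's. The script ends with the audit-log check a practitioner would run before switching from audit to enforcement.

```powershell
# Added example, not the thread's or Microsoft's own script. Assumptions: run as a
# saved .ps1 on a Windows authoring machine with the ConfigCI module, the Microsoft
# recommended block rules downloaded to .\rules\BlockRules.xml, and publisher rules
# generated once on a machine that has the binaries and committed as .\rules\Publishers.xml.
#Requires -RunAsAdministrator
Import-Module ConfigCI

$BasePolicy = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml"
$Work       = Join-Path $PSScriptRoot 'build'
$PolicyXml  = Join-Path $Work 'MyPolicy.xml'
$PolicyBin  = Join-Path $Work 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. File path rules: these need no access to the binaries, so they can live in
#    source control. Paths are constructed examples.
$PathRules = @(
    New-CIPolicyRule -FilePathRule 'C:\Program Files\ContosoApp\*'
    New-CIPolicyRule -FilePathRule 'C:\Program Files (x86)\ContosoTools\*'
)

# 2. Scan policies for already-installed software (post #2, files 2 and 3).
#    -UserPEs includes user-mode binaries; -Fallback Hash covers unsigned files.
$Scanned = @()
foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)') {
    $out = Join-Path $Work (($dir -replace '[:\\ ()]', '') + '.xml')
    New-CIPolicy -FilePath $out -ScanPath $dir -Level Publisher -Fallback Hash -UserPEs
    $Scanned += $out
}

# 3. Merge: base policy + scans + checked-in publisher rules + block rules + path rules.
#    Missing optional inputs are skipped rather than failing the build.
$Inputs = @(
    @($BasePolicy) + $Scanned + @(
        (Join-Path $PSScriptRoot 'rules\Publishers.xml'),   # assumed, generated once elsewhere
        (Join-Path $PSScriptRoot 'rules\BlockRules.xml')    # assumed, Microsoft block rules
    ) | Where-Object { Test-Path $_ }
)
Merge-CIPolicy -OutputFilePath $PolicyXml -PolicyPaths $Inputs -Rules $PathRules

# 4. Policy options: 0 = Enabled:UMCI, 3 = Enabled:Audit Mode (start here; remove it
#    with -Delete once the audit events are clean), 6 = Enabled:Unsigned System
#    Integrity Policy (required when the unsigned .p7b is copied as in post #2).
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 6
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName 'Contoso-Base' -ResetPolicyID
Set-CIPolicyVersion -FilePath $PolicyXml -Version '1.0.0.0'

# 5. Compile to the binary that is copied to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 6. After deploying in audit mode, list what would have been blocked
#    (3076 = audit-mode block, 3077 = enforced block) before enforcing.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Because the publisher rules are merged from a committed XML file rather than regenerated from the binaries on every run, the authoring machine never needs the applications themselves, which is the constraint post #1 raises; the scans in step 2 are the part that still has to run on a machine where the software is installed.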
  3. A123 Win User
    Set Execution Policy in PowerShell

    I set the Execution Policy in PowerShell to unrestricted to run a couple of command lines and then set the policy back to restricted. Does setting the policy to unrestricted for a small period of time harm Windows 10? Does one have to set the policy back to restricted, or does closing PowerShell and relaunching PowerShell put the policy back to restricted?
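As an added example that is not from the post or its poster, the following shows the scope behaviour the question is about: an execution policy set at the Process scope exists only in the current PowerShell session, so nothing persists to the machine or user scope and nothing has to be set back. The script path is a constructed example.

```powershell
# Added example, not from the thread. Runs a one-off script under a Process-scoped
# execution policy and shows, via Get-ExecutionPolicy -List, that the machine and
# user scopes are untouched before and after.
function Invoke-WithProcessPolicy {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [string] $Policy = 'RemoteSigned'   # less permissive than Unrestricted
    )
    $before = Get-ExecutionPolicy -List          # snapshot of every scope
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy $Policy -Force
    try {
        & $ScriptPath
    } finally {
        # Clear the Process scope again; Undefined means "no policy at this scope",
        # which is also what a freshly started session has.
        Set-ExecutionPolicy -Scope Process -ExecutionPolicy Undefined -Force
    }
    'Before:'; $before | Format-Table -AutoSize
    'After:';  Get-ExecutionPolicy -List | Format-Table -AutoSize
}

# Usage (constructed path):
# Invoke-WithProcessPolicy -ScriptPath 'C:\scripts\one-off.ps1'
```

Only the Process row of the two tables ever differs; the LocalMachine and CurrentUser rows, which are what survive closing PowerShell, are never modified.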
     
  4. WDAC powershell policy using import-climl for policy rules error

    Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph

    Hi,

    Thank you for writing to Microsoft Community Forums.

    In order to enable trust for executables based on classifications in the ISG, the Enabled:Intelligent Security Graph Authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG.

    Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy, or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.

    Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business, it is straightforward to authorize modern apps with signer rules in the WDAC policy.

    Enabled:Intelligent Security Graph Authorization -> Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG).

    Enabled:Invalidate EAs on Reboot -> When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.

    For more information, you may refer to the articles below.

    If you still have questions, then I suggest you post your query in the IT Pro TechNet Forums, where we have support professionals who are well equipped with the knowledge on Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph.

    Please feel free to contact us back in case you have any other questions/issues with Windows in future.
     
    Shafeeq_Khan, Nov 30, 2022
    #4
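The two Set-RuleOption calls the reply describes, as an added example that is not code from the reply, from Microsoft, or from the thread. Rather than trusting that the cmdlet succeeded, it reads the policy XML back and checks that both ISG-related options are present, since option 14 without option 15 leaves cached ISG verdicts in place across reboots, which the reply advises against. The policy path and the function names are my own.

```powershell
# Added example, not the reply's or Microsoft's code. Enables the ISG options on a
# WDAC policy XML and verifies them by parsing the file. Path is a constructed example.
Import-Module ConfigCI

function Enable-IsgOptions {
    param([Parameter(Mandatory)] [string] $PolicyXml)
    # 14 = Enabled:Intelligent Security Graph Authorization
    # 15 = Enabled:Invalidate EAs on Reboot (drops cached ISG verdicts at reboot)
    Set-RuleOption -FilePath $PolicyXml -Option 14
    Set-RuleOption -FilePath $PolicyXml -Option 15
}

function Get-PolicyOptions {
    param([Parameter(Mandatory)] [string] $PolicyXml)
    # Rule options are stored as <SiPolicy><Rules><Rule><Option>Name</Option></Rule>...
    # PowerShell's XML adapter ignores the default namespace on property access.
    [xml]$doc = Get-Content -Path $PolicyXml -Raw
    @($doc.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
}

function Test-IsgReady {
    param([Parameter(Mandatory)] [string] $PolicyXml)
    $opts     = Get-PolicyOptions -PolicyXml $PolicyXml
    $required = 'Enabled:Intelligent Security Graph Authorization',
                'Enabled:Invalidate EAs on Reboot'
    $missing  = @($required | Where-Object { $opts -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning ('Policy is missing: ' + ($missing -join ', '))
        return $false
    }
    return $true
}

$policy = 'C:\wdac\MyPolicy.xml'   # constructed path, not from the thread
Enable-IsgOptions -PolicyXml $policy
Test-IsgReady -PolicyXml $policy   # $true when both options are present
```

Run Test-IsgReady again on the XML that is actually compiled and deployed; a policy rebuilt from a base file without these two calls silently reverts to not consulting the ISG at all.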
    Export and Import AppLocker Policy for Rules in Windows 10: How to: Export and Import AppLocker Policy for Rules in Windows 10 How to Export and Import AppLocker Policy for Rules in Windows 10 AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and...