How to build and Deploy WDAC Policy Wizard #182

Open
dennyamarojr opened this issue Dec 28, 2022 · 5 comments
Labels
good first issue Good for newcomers

Comments

@dennyamarojr

Hi everyone,

I'm new to WDAC and I decided to open this issue because I didn't find any detailed information about how to build WDAC policies and also the best way to deploy them.

Here are my main questions:
1 - How can I create the WDAC Policy template, and deploy it?
2 - How can I create a WDAC Template and just allow the programs and games I add to the whitelist?
3 - I tried to build a template using a WDAC Template, but it does not seem to block the executable files that I didn't whitelist.
4 - How can I merge with the Recommended Block Rules and Recommended Driver Block Rules without allowing all the programs?

For a better explanation, I have 2 SSDs and 2 HDDs; here's what I want to do:
1 - Allow the C:\Program Files and C:\Program Files (x86)
2 - Allow the F:\Program Files and F:\Program Files (x86)
3 - Allow the D:\Program Files and D:\Program Files (x86)
4 - Allow the games inside G:\ partition
5 - After testing, I want to allow the programs and games per file path or publisher, so I can run just the programs and games I whitelist.

Here's the template I built:
SignedAndReputableWdacWizard_12-27-22.zip

And some feedback for the team:
1 - We don't have a folder with recommended rules for most users and for advanced users. If the team could make a folder with recommended templates for most users and advanced users, it would be useful.
2 - I didn't find any Wiki about building a WDAC Template from scratch. If the team could create a Wiki and a guide to building a WDAC Template that whitelists just the programs the users want to run and denies the others, it would be useful. Showing how to merge with the Microsoft Recommended rules without allowing all the programs, allowing just the necessary drivers and the programs whitelisted by the users, would also be useful.
3 - For the team behind the WDAC Wizard, thanks. This program makes the creation of WDAC Templates easy.

@jgeurten
Contributor

jgeurten commented Jan 6, 2023

Hi @dennyamarojr,

Glad you find the WDAC Wizard useful! This repo is for the Wizard so I recommend starting with the official WDAC Docs which are here: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/ and our various how-to topics. There is a lot of useful information in them. If you still don't find what you are looking for, please open a bug against that repo and someone on the docs team, or I, will fix it in the docs.

As for your questions,

  1. Use the Wizard to create a policy in audit mode starting with the Windows Works policy and add various custom rules, like the path rules you outlined above. Then follow the instructions here to deploy locally to test out your policy: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script

  2. Similar guidance to step 1. I recommend creating Publisher (signer) rules since path rules are not as secure.

  3. All of your rules are in enforcement mode so you should be seeing blocks for explicitly denied apps like wsl.exe, for instance. You need to follow the instructions in 1 to deploy the binary file and refresh it on your box.

  4. You can keep the recommended block rules separate from your other policy allowing the above paths. More info on deny policies: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy. Or you can merge them all into one policy if you desire. You will need to remove the rules that have FilePath="*" from the FileRules and SigningScenarios sections, though.

The templates are all located in $env:WINDIR\schemas\CodeIntegrity\ExamplePolicies

@jgeurten jgeurten added the good first issue Good for newcomers label Jan 6, 2023
@dennyamarojr
Author

Thanks for the info @jgeurten, I will try this here in my environment and I will come back here to give feedback and close the issue. Hope this can help new users to find a starting point for WDAC.

@dennyamarojr
Author

Update: I tried it here and apps and programs are successfully being blocked! The whitelisted ones are working, thanks @jgeurten for the help!

For the users who want a few simple steps to create and deploy, here's a little guide:
1 - Download and install the WDAC Policy Wizard.
2 - Click Policy Creator and make sure Multiple Policy Format and Base Policy are checked in Select a Policy Type.
3 - Choose the base template for the policy; at the moment I chose Signed and Reputable Mode, but Microsoft Mode should be good for all users. Since I want more protection and to restrict the programs and apps that are running on the computer, Signed and Reputable Mode is a perfect choice.
4 - Here you will need to choose the Policy Rules; this is where you will need to get a reference, otherwise you will probably choose the wrong ones.
For this step, I choose:
Advanced Boot Options Menu
Allow Supplemental Policies
Enforce Store Applications
Hypervisor-protected Code Integrity
Intelligent Security Graph
Managed Installer
Require WHQL
Update Policy without Rebooting
Unsigned System Integrity Policy
User Mode Code Integrity
Treat Revoked as Unsigned
Boot Audit on Failure
Dynamic Code Security
Invalidate EAs on Reboot
Note: I chose all these options based on reference templates, but each scenario requires different policy rules.
After you pick the policy rules, make sure Audit Mode is checked before you enforce it on your system.
5 - In the Policy Signing Rules list, create your whitelist by clicking the Add Custom Rule option. The best method is to allow by publisher and not by file path, but in some cases the only way is to allow by file path, since the publisher of the program is unavailable. But file path is not as secure as publisher.
6 - Add Recommended User Mode Block Rules and Recommended Kernel Block Rules; after that, merge them with your whitelist and click Next.
7 - Deploying the binary file is simple: open PowerShell as admin and type:
$PolicyBinary = ""
Ex: $PolicyBinary = "C:\{AB51N653-R154-3251-8M4C-1E9HH123MN0M}.cip"
CiTool --update-policy $PolicyBinary or you can use CiTool -up $PolicyBinary
If this does not work for you, simply type:
CiTool -up ""
Example: CiTool -up "C:\{AB51N653-R154-3251-8M4C-1E9HH123MN0M}.cip"
8 - Test and use Windows Event Viewer to check the reports and merge them into the actual template you created using the WDAC Policy Wizard. Add the executables that were previously blocked, review 3 times before enforcing WDAC, then go back to the WDAC Wizard, uncheck Audit Mode in Policy Rules, click Next twice and deploy the updated template.
9 - Make sure you check Event Viewer for future blocked programs, games and apps to whitelist, and update your own template.
10 - If you have any questions or issues, don't forget to go to this repository and open an issue as I did, and give all the possible information about your problem; then the team from WDAC Toolkit will answer your question as soon as possible.
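Steps 7 and 8 above (deploy the .cip with CiTool, then read the Code Integrity log to find what would have been blocked) can be scripted. The following is an added example, not the issue author's or the WDAC Wizard project's code; it assumes CiTool.exe is available (Windows 11 22H2 or later) and that the policy file path and its GUID file name are placeholders you replace with your own.

```powershell
# Added example (not from the issue author or the WDAC Wizard project).
# Assumes CiTool.exe exists and the .cip path below is replaced with yours;
# the GUID in the file name is a placeholder.
param(
    [string]$PolicyBinary = "C:\WDAC\{POLICY-GUID-PLACEHOLDER}.cip",
    [int]$Hours = 24
)

# 1. Deploy (or update) the policy and refresh without a reboot.
#    This is the long form of the CiTool -up / -r shorthand used in the thread.
& CiTool.exe --update-policy $PolicyBinary
if ($LASTEXITCODE -ne 0) { throw "CiTool --update-policy failed with exit code $LASTEXITCODE" }
& CiTool.exe --refresh

# 2. Pull Code Integrity events from the last $Hours hours.
#    Event ID 3076 = "would have been blocked" (policy in Audit Mode).
#    Event ID 3077 = actually blocked (policy enforced).
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Summarise per file, so you can see what still needs an allow rule
#    before unchecking Audit Mode in the Wizard.
$summary = $events |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 3076) { 'Audit' } else { 'Blocked' }
            File    = $data['FileNameBuffer']      # path of the file that was (would be) blocked
            Process = $data['ProcessNameBuffer']   # process that tried to load/run it
        }
    } |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Mode'; e = { ($_.Group.Mode | Select-Object -Unique) -join ',' } }

$summary | Format-Table -AutoSize
```

Files listed with Mode "Audit" are the candidates to add as publisher (preferred) or path rules in the Wizard before enforcing; if "Blocked" entries appear after enforcement, the policy is live and those are real denials to review.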

@dennyamarojr
Author

And to remove the WDAC binary here's a documentation: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies

If you want a simple step by step, removing it is simple:
1 - Copy the GUID from your binary file. Ex: {AB51N653-R154-3251-8M4C-1E9HH123MN0M}
2 - Open PowerShell as admin, and then paste this command:
CiTool -rp "{AB51N653-R154-3251-8M4C-1E9HH123MN0M}" and then press Enter.
3 - After removing the policy, make sure you refresh the settings with the CiTool -r command.
4 - Restart your computer.

@dennyamarojr
Author

And if you guys want to update your binary file, it's really simple.

1 - Remove the old binary file using the command CiTool -rp "<Binary File GUID without .cip>" and then press Enter.
Ex: CiTool -rp "{AB51N653-R154-3251-8M4C-1E9HH123MN0M}"
2 - Then type CiTool -r and press Enter.
3 - After you have removed it and refreshed, just type CiTool -up "<location of your .cip file>"
Ex: CiTool -up "C:\V2_WDAC\{AB51N653-R154-3251-8M4C-1E9HH123MN0M}.cip"
4 - When you have imported the updated policy binary file, just type CiTool -r to refresh the policy. If you didn't check Update Policy without Rebooting, you will need to reboot your system for the changes to take effect.
