Windows Defender Application Control – Part 2
In this post, we’ll see how we can configure Windows Defender Application Control using Microsoft Intune custom policy.
Existing setup done:
- Two Local users created
- Azure AD Connect configured
- Seamless Single Sign-On (IE) configured
- Seamless Single Sign-On (Firefox) configured
- Hybrid Azure AD Join configured
- Intune enrollment – Domain Joined Windows 10 devices
- Azure AD Join
- Office 365 Pro Plus Application
- Sample SharePoint Team Site
- OneDrive Known Folder Migration and SharePoint library sync
- Copy necessary files (Win32 App)
- Set Desktop Background, Lock Screen and Screensaver
- Adding applications to StartUp folder
- Adding some 3rd Party applications (Browsers)
- Microsoft Store for Business configuration and integration and Store Apps.
- Windows Defender Application Guard configuration
- Extend Application Guard to Mozilla Firefox and Google Chrome
- Configure Windows Defender Antivirus
- Windows Defender Credential Guard
- Windows Defender Exploit Guard – Attack Surface Reduction
- Windows Defender Exploit Guard – CFA, NP, EP
- Windows Defender Application Control Part 1
- SkyDC: Machine with ADDS, DNS, DHCP role
- SkyCON: Machine where we will install Azure AD Connect
- SkyCM: Machine with Configuration Manager Current Branch
- SkyTEN1: Domain Joined Windows 10 machine
- SkyTEN2: Domain Joined Windows 10 machine
- SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
- SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
This post covers what to do when a line-of-business (LOB) application also has to run in an Application Control environment. For example, I have a LOB application Sky366App1.exe as shown below.
Let’s try to open it.
We see that WDAC blocks the application because the Intelligent Security Graph (ISG) does not evaluate it as trusted. To allow such applications to execute, we can create a custom policy.
Note: We are going to take a very simple scenario. More complex scenarios are also possible if needed, such as code signing, signed policies, or controlling specific plug-ins, add-ins and modules.
Suggested additional read:
Take a Gold machine
In this case I am using Sky366Ten3i
Copy the LOB Application.
When we double click the application, it opens.
Create WDAC policy
Earlier, we used to scan the entire computer to create a WDAC policy and then enforce the binary equivalent of that policy on target devices.
Windows 10 now includes several example policies which can be used as a base policy and built upon.
We can see all the example policies at C:\Windows\schemas\CodeIntegrity\ExamplePolicies.
Create the PowerShell script below and execute it.
The script does the following:
- Copies an existing example policy
- Resets the PolicyID and sets the version
- Enables Intelligent Security Graph evaluation in the policy
- Scans the folder where the LOB application is already copied and creates a policy from it
- Merges both policies
- Enforces the policy (removes Audit mode)
- Converts the policy into binary format
#Paths and names used by the script. The example policy folder and DefaultWindows_Audit.xml are as described above;
#the working folder, policy name and LOB application folder are assumed values and should be adjusted to your environment.
$OriginalPolicy = "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
$WorkDir = "C:\WDAC"                                   # assumed working folder
$Sky366Policy = "$WorkDir\Sky366Policy.xml"
$PolicyName = "Sky366 WDAC Policy"                     # assumed policy name
$AppPath = "C:\LOBApp"                                 # assumed folder where the LOB application was copied
$AppPolicy = "$WorkDir\Sky366AppPolicy.xml"
$MergedSky366Policy = "$WorkDir\MergedSky366Policy.xml"
$MergedSky366PolicyBinEnforced = "$WorkDir\MergedSky366PolicyEnforced.bin"
#Create a copy of a Base Policy. I have used DefaultWindows_Audit.xml
Copy-Item -Path $OriginalPolicy -Destination $Sky366Policy
#Reset the PolicyID and Version of the copied policy
Set-CIPolicyIdInfo -FilePath $Sky366Policy -PolicyName $PolicyName -ResetPolicyID
Set-CIPolicyVersion -FilePath $Sky366Policy -Version "184.108.40.206"
#Enable Intelligent Security Graph option (rule option 14)
Set-RuleOption -FilePath $Sky366Policy -Option 14 # ISG
#Scan and create a new policy for the LOB application; warnings (stream 3) go to the log file
New-CIPolicy -Level FilePublisher -FilePath $AppPolicy -ScanPath $AppPath -UserPEs -Fallback Hash 3> CIPolicyLog.txt
#Merge both policies
Merge-CIPolicy -PolicyPaths $Sky366Policy,$AppPolicy -OutputFilePath $MergedSky366Policy
#Enforce the policy by removing rule option 3 (Enabled:Audit Mode)
Set-RuleOption -FilePath $MergedSky366Policy -Option 3 -Delete
#Convert the policy to binary format
ConvertFrom-CIPolicy -XmlFilePath $MergedSky366Policy -BinaryFilePath $MergedSky366PolicyBinEnforced
After executing the above PowerShell cmdlets, we get the merged WDAC policy in both XML and binary format.
Right-click the merged XML policy and click Edit.
Scroll down and look for PolicyID. Copy the Policy ID without the braces. In my case:
Policy ID: 389D37A5-5708-479F-8EB6-C07073D8BB8B
We need this policy ID when we create our WDAC policy.
Login to Azure Portal
Navigate to Intune -> Device configuration -> Profiles. Click on +Create profile.
Enter appropriate Name and Description. I have entered:
Name: Win 10 WDAC Policy Custom
Description: Windows 10 : Microsoft Defender Application Control custom Policy
In Platform, select Windows 10 and later.
In Profile type, select Custom.
For the OMA-URI setting, enter an appropriate Name and Description. I have entered:
Name: WDAC Custom policy
Description: WDAC Custom policy
In OMA-URI, enter ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy, where Policy GUID is the PolicyID of the policy copied earlier. I have entered:
./Vendor/MSFT/ApplicationControl/Policies/389D37A5-5708-479F-8EB6-C07073D8BB8B/Policy
In Data type, select Base64 (file)
Note: the above OMA-URI is valid for Windows 10 1903 and above.
Click on the folder icon and select the binary file created earlier.
Select the appropriate assignment option.
I have deployed the policy to a group.
Click Save when done.
The policy is created and assigned.
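The PolicyID is easy to mistype when copied by hand from the XML. The following added example (not part of the original post) reads it from the merged policy, checks that audit mode has really been removed, and builds the OMA-URI in the format shown above. The two file paths are assumed values.

```powershell
# Added example: derive the Intune OMA-URI from the merged WDAC policy XML.
# Paths are assumptions; use the files produced by your own script.
$MergedSky366Policy = "C:\WDAC\MergedSky366Policy.xml"
$MergedSky366PolicyBinEnforced = "C:\WDAC\MergedSky366PolicyEnforced.bin"

[xml]$policyXml = Get-Content -Path $MergedSky366Policy
# The XML stores the ID with braces, e.g. {389D37A5-...}; the OMA-URI needs it without them
$policyId = $policyXml.SiPolicy.PolicyID.Trim('{', '}')

# Refuse to build a deployment for a policy that is still in audit mode
# (rule option 3 appears in the XML as 'Enabled:Audit Mode')
$auditRule = $policyXml.SiPolicy.Rules.Rule | Where-Object { $_.Option -eq 'Enabled:Audit Mode' }
if ($auditRule) {
    throw "Policy $policyId still has 'Enabled:Audit Mode'; run Set-RuleOption -Option 3 -Delete first"
}

# Confirm the ISG option survived the merge (rule option 14)
$isgRule = $policyXml.SiPolicy.Rules.Rule | Where-Object { $_.Option -like 'Enabled:Intelligent Security Graph*' }
if (-not $isgRule) { Write-Warning "ISG authorization is not enabled in $MergedSky366Policy" }

# OMA-URI for Windows 10 1903 and later, as used in the Intune custom profile
$omaUri = "./Vendor/MSFT/ApplicationControl/Policies/$policyId/Policy"
Write-Host "PolicyID : $policyId"
Write-Host "OMA-URI  : $omaUri"

# Intune's 'Base64 (file)' data type encodes the .bin for you; this shows what it sends
$base64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($MergedSky366PolicyBinEnforced))
Write-Host "Binary: $((Get-Item $MergedSky366PolicyBinEnforced).Length) bytes, base64 length $($base64.Length)"
```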
On the client machine, sync the policy.
Navigate to C:\Windows\System32\CodeIntegrity\CiPolicies\Active. We see a file there which has the PolicyID in its filename.
Execute any known application. Here 7-Zip opens without any issues.
Execute the LOB application that was part of the gold machine. We see that the application opens without any issues.
Execute any other application that was not part of the gold machine. We see that such an application is blocked if it is not trusted by ISG.
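To check the same three things from the client without opening each application by hand, the following added example (not from the original post) looks for the active policy file, reads the enforcement state, and summarises recent Code Integrity block events by file. The PolicyID is the one from this post; the 24-hour window is an assumption.

```powershell
# Added example: verify the Intune-delivered WDAC policy on a client and list what it blocked.
$policyId = "389D37A5-5708-479F-8EB6-C07073D8BB8B"   # PolicyID copied from the merged XML

# 1. The delivered binary lands in CiPolicies\Active with the PolicyID in its name
$activeDir = "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active"
$activeFile = Get-ChildItem -Path $activeDir -Filter "*$policyId*" -ErrorAction SilentlyContinue
if (-not $activeFile) {
    Write-Warning "No active policy file for $policyId in $activeDir; sync the device and re-check"
} else {
    Write-Host "Active policy file: $($activeFile.FullName) ($($activeFile.Length) bytes)"
}

# 2. User-mode Code Integrity enforcement state (0 = Off, 1 = Audit, 2 = Enforced)
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
Write-Host "UMCI enforcement status: $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"

# 3. Code Integrity events: 3077 = blocked by an enforced policy, 3076 = would have been
#    blocked (audit mode). Grouping by file makes a LOB binary missed by the scan stand out.
$since = (Get-Date).AddHours(-24)                      # assumed lookback window
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the blocked file name by its EventData field name rather than by index
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time = $_.TimeCreated
        Id   = $_.Id
        File = ($data | Where-Object { $_.Name -eq 'FileNameBuffer' }).'#text'
    }
} | Group-Object Id, File | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A file that appears here with event 3077 but should be allowed is the signal to rescan it on the gold machine and redeploy a merged policy.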