Windows Defender Application Control – Part 2

In this post, we’ll see how we can configure Windows Defender Application Control using Microsoft Intune custom policy.

Existing setup done:

  1. Two Local users created
  2. Azure AD Connect configured
  3. Seamless Single Sign-On (IE) configured
  4. Seamless Single Sign-On (Firefox) configured
  5. Hybrid Azure AD Join configured
  6. Intune enrollment – Domain Joined Windows 10 devices
  7. Azure AD Join
  8. Office 365 Pro Plus Application
  9. Sample SharePoint Team Site
  10. OneDrive Known Folder Migration and SharePoint library sync
  11. Copy necessary files (Win32 App)
  12. Set Desktop Background, Lock Screen and Screensaver
  13. Adding applications to StartUp folder
  14. Adding some 3rd Party applications (Browsers)
  15. Microsoft Store for Business configuration and integration and Store Apps.
  16. Windows Defender Application Guard configuration
  17. Extend Application Guard to Mozilla Firefox and Google Chrome
  18. Configure Windows Defender Antivirus
  19. Windows Defender Credential Guard
  20. Windows Defender Exploit Guard – Attack Surface Reduction
  21. Windows Defender Exploit Guard – CFA, NP, EP
  22. Windows Defender Application Control Part 1

Existing setup:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine where we will install Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
  8. SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
  9. SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
  10. SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
  11. SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)

 

This post talks on what to do if we have a LOB application also in an Application Control environment. For example, I have a LOB application Sky366App1.exe as shown below.

Let’s try to open it.

We see that WDAC blocks that application as it is not evaluated as trusted by Intelligent Security Graph. To have such applications execute, we can create a custom policy.

Note: We are going to take a very simple scenario. If needed then a complex scenario can also be used, like code signing, signed policies, controlling specific plug-ins, add-ins, modules.

Suggested additional read:

Windows Defender Application Control deployment guide

Take a Gold machine

In this case I am using Sky366Ten3i

Copy the LOB Application.

When we double click the application, it opens.

Create WDAC policy

Earlier, we used to scan entire computer to create a WDAC policy and then used to enforce the binary equivalent of the policy on target devices.

Windows 10 now includes several example policies which can be used as a base policy and build on top of that.

We see all the example policies at location: C:\Windows\schemas\CodeIntegrity\ExamplePolicies.

Create above PowerShell script and execute it.

The script does below activities:

Copies an existing example script

Resets the policyID and sets version

Enables Intelligent Security Graph evaluation in the policy

Scans a folder where LOB application is already copied and creates a policy out of it

Merges both the policies

Enforces the policy (removes Audit)

Converts the script into Binary format.

Script:

$PolicyPath=$env:userprofile+”\Documents\”

#Create a copy of a Base Policy. I have used DefaultWindows_Audit.xml

$PolicyName= “Sky366_Audit”

$Sky366Policy=$PolicyPath+$PolicyName+”.xml”

$OriginalPolicy=$env:windir+”\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml”

cp $OriginalPolicy $Sky366Policy

#Reset the PolicyID and Version of the copied policy

Set-CIPolicyIdInfo -FilePath $Sky366Policy -PolicyName $PolicyName -ResetPolicyID

Set-CIPolicyVersion -FilePath $Sky366Policy -Version “1.0.0.0”

#Enable intelligent Security Graph option

Set-RuleOption -FilePath $Sky366Policy -Option 14 # ISG

#Scan and create a new policy for LOB Application

$AppPath= “C:\Lab\App”

$AppPolicy=$PolicyPath+”AppScan.xml”

New-CIPolicy -Level FilePublisher -FilePath $AppPolicy -ScanPath $AppPath –UserPEs -Fallback Hash 3> CIPolicyLog.txt

#Merge both the policies

$MergedSky366Policy=$PolicyPath+”MergedSky366Policy.xml”

Merge-CIPolicy -PolicyPaths $Sky366Policy,$AppPolicy -OutputFilePath $MergedSky366Policy

#Enforce the Policy

Set-RuleOption -FilePath $MergedSky366Policy -Option 3 -Delete

#Convert the policy to Binary format

$MergedSky366PolicyBinEnforced=$PolicyPath+”MergedSky366PolicyEnforced.bin”

ConvertFrom-CIPolicy $MergedSky366Policy $MergedSky366PolicyBinEnforced

After executing above PowerShell cmdlets, we get merged WDAC policy in XML format as well as binary format.

Right click on the merged XML policy and click Edit.

Scroll down and check for PolicyID. Copy the Policy ID, without brackets. In my case:

Policy ID: 389D37A5-5708-479F-8EB6-C07073D8BB8B

We need this policy ID when we create our WDAC policy.

Login to Azure Portal

Navigate to Intune -> Device configuration -> Profiles. Click on +Create profile.

Enter appropriate Name and Description. I have entered:

Name: Win 10 WDAC Policy Custom

Description: Windows 10 : Microsoft Defender Application Control custom Policy

In Platform, select Windows 10 and later.

In Profile type, select Custom.

Click Add.

Enter appropriate Name and Description. I have entered:

Name: WDAC Custom policy

Description: WDAC Custom policy

In OMA-URI, enter ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy, where Policy GUID is the PolicyID of the policy copied earlier. I have entered:

OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/389D37A5-5708-479F-8EB6-C07073D8BB8B/Policy

In Data type, select Base64 (file)

Note: the above OMA-URI is valid for Windows 10 1903 and above.

Click on the folder icon and select the binary file created earlier.

Click OK.

Click OK.

Click Create.

Select appropriate option.

I have deployed the policy to a group.

Click Save when done.

The policy is created and assigned.

In client machine, sync the policy

Navigate to C:\Windows\System32\CodeIntegrity\CiPolicies\Active. We see that a file is there which has the PolicyID in the filename.

Execute any known application. Here 7-Zip opens without any issues.

Execute the LOB application that was part of gold machine. We see that the application opens without any issues.

Execute any other application that was not part of gold machine. We see that such application if not trusted by ISG will be blocked.

Leave a comment

Your email address will not be published. Required fields are marked *