In a previous post I described creating a WDAC policy with the new file path rules. But this, alone, would not be enough for a desktop. We need to add rules to allow other files to run. To get a complete policy ready for production, we need to merge the file path rules with other policies.
Background
This post is one of a series about creating a working Windows Defender Application Control (WDAC) policy for the desktop, using the new file path rules in Windows 1903, and delivering it with Intune. In another post, I covered creating the basic file path rules policy. This allows applications to run from the Windows or Program Files folders. But this is not enough for production. We also need to allow:
- Drivers
- MSI installers
- Scripts
- Applications in user-writable locations, like AppData Local.
Finally, we also need to block applications with known vulnerabilities that would otherwise be allowed.
Rather than make a scan of everything, or combine different scans, the approach I am using is to combine different types of rules and options into something that covers most of what is needed for the desktop. The approach is to merge:
- A policy that allows all Microsoft products
- The file path rules policy
- A policy that blocks applications with known vulnerabilities.
Then we will add options, for example Intelligent Security Graph (ISG) Authorization, using Microsoft cloud analytics to make a dynamic reputation-based assessment of third party applications.
With this composite policy, the only thing we would need to add is third party applications and drivers that:
- are not authorized by ISG
- are not allowed by the file path rules.
Merge Policies
- The Microsoft policy in C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
- The file path rules policy from a separate post: MDAC and File Path Rules
- The policy to block known vulnerabilities from the Microsoft recommended block rules.
The process to merge these policies is very simple, using the Merge-CIPolicy cmdlet: Merge-CIPolicy –PolicyPaths [path to policy 1], [path to policy 2], {path to policy 3] –OutputFilePath [path to output policy].
The command to allow ISG is: Set-RuleOption –FilePath [path to policy file] –Option 14
This gives us a policy that is usable for the desktop in production. To make the policy Enforced, instead of Audit, just run: Set-RuleOption [path to policy file] –Option 3 –Delete
Multiple Policy Format
Instead of merging policies into one, starting with Windows 1903 you can implement multiple policies that are merged dynamically by the system. When you create a policy in the new Multiple Policy Format, it has both a Policy ID and the ID of the base policy. The process is described here: Deploy multiple Windows Defender Application Control Policies.
Next: Set WDAC Policy Options.