This post covers how to test a Windows Defender Application Control (WDAC) policy.
WDAC is the native Windows 10 security feature to control what files can be executed. The background to using WDAC is in another post, About Windows Defender Application Control. This post is part of a series about how to deploy a practical MDAC policy containing file path rules: Getting Started with WDAC.
Testing a WDAC policy is surprisingly easy although, as far as I can find, it is not described explicitly in the Microsoft documentation.
After creating a policy as an XML file, the next step is to convert it to a binary file using the ConvertFrom-CIPolicy cmdlet. Let’s say for the moment that we save it with a .bin file extension.
When you convert an XML policy to binary format, it gives a warning message:
"Warning: Please use new policy format which has PolicyID and BasePolicyID, but no PolicyTypeID. You can use -MultiplePolicyFormat with New-CIPolicy or use -Reset with Set-CIPolicyIdInfo."
Just to explain this:
- Unless you intend to use Base and Supplemental policies, you don’t need to change the format. You can just continue.
- As it says, you can convert a policy to the new format with:
Set-CIPolicyIdInfo -FilePath [path to xml] -ResetPolicyID
- Or you can avoid the warning by creating the policy in the new format in the first place. You do this by adding the -MultiplePolicyFormat switch to the New-CIPolicy cmdlet when creating the policy. This is not documented in the Microsoft PowerShell cmdlet documentation, or in Get-Help for the cmdlet.
After converting the policy, copy the binary file to C:\Windows\System32\CodeIntegrity and rename it as “SIPolicy.p7b”. After a restart, the policy will take effect.
By default, a new WDAC policy is in Audit mode. This is rule option 3, "Enabled:Audit Mode". In the Code Integrity log (Applications and Services Logs/Microsoft/Windows/CodeIntegrity/Operational) you will see that a new policy is recognised, and that audit events are logged if a file is executed that would have been blocked.
DON’T be fooled if everything seems to run. It could be because the policy is not taking effect. Make sure you test that an application would NOT be allowed to run. A simple way to do this is to download something like 7-Zip to a user folder and run it. Check in the Code Integrity log for the audit event showing that it would have been blocked.
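The steps above in one PowerShell script, as an added example that is not from the original post: it converts the XML policy, checks that it is still in audit mode, deploys it as SIPolicy.p7b, and after the restart looks for the policy-activation and audit events. The file paths (C:\WDAC\..., the test installer under Downloads) are assumptions; the event IDs 3099 (policy activated), 3076 (audit-mode "would have been blocked") and 3077 (enforced block) are the standard Code Integrity event IDs and are not taken from the post.

```powershell
# Added example (not from the original post). Assumed paths; adjust to your environment.
$XmlPolicy = 'C:\WDAC\MyPolicy.xml'
$BinPolicy = 'C:\WDAC\MyPolicy.bin'
$Deployed  = "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# Step 1: convert the XML policy to the binary format the kernel loads.
# An old-format policy produces the PolicyID/BasePolicyID warning quoted in the post;
# it is safe to continue unless you need Base/Supplemental policies.
ConvertFrom-CIPolicy -XmlFilePath $XmlPolicy -BinaryFilePath $BinPolicy

# Step 2: confirm the policy is still in audit mode (rule option 3) before deploying it.
# Option elements live in the sipolicy namespace, so match on local-name().
$options = (Select-Xml -Path $XmlPolicy -XPath "//*[local-name()='Option']").Node.InnerText
if ($options -notcontains 'Enabled:Audit Mode') {
    Write-Warning 'Policy is NOT in audit mode; an enforced policy with a bad rule can break the system.'
}

# Step 3: deploy under the fixed name and restart so the policy takes effect.
Copy-Item -Path $BinPolicy -Destination $Deployed -Force
# Restart-Computer   # uncomment when you are ready to reboot

# Step 4 (after the restart): was the policy actually loaded?
#   3099 = policy activated, 3076 = audit-mode "would have been blocked", 3077 = enforced block.
$Log = 'Microsoft-Windows-CodeIntegrity/Operational'
$activated = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 3099 } -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $activated) {
    Write-Warning 'No policy activation event (3099) found; the policy is probably not in effect.'
}

# Step 5: run a test binary from a user folder (e.g. a downloaded 7-Zip installer), then look for
# the matching audit event. "Everything runs" with no 3076 event means the policy is not applied.
$TestExe = "$env:USERPROFILE\Downloads\7z-installer.exe"   # constructed example path
Start-Process -FilePath $TestExe -ErrorAction SilentlyContinue
Start-Sleep -Seconds 5
Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 3076, 3077; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$(Split-Path $TestExe -Leaf)*" } |
    Select-Object TimeCreated, Id, @{ Name = 'Detail'; Expression = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run Steps 1 to 3 before the reboot and Steps 4 and 5 afterwards from an elevated PowerShell session; a 3077 event instead of 3076 means the policy is already enforcing rather than auditing.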