The new File Path rules in Windows Defender Application Control (WDAC) allow EXE and DLL files in the path, but not SYS, MSI or script files. This is curious and, as far as I know, undocumented. It means that we cannot simply allow all files in C:\Windows: if we do that, the system will not boot because the drivers will still be blocked. We will need to use another method to add drivers to a WDAC policy.
MDAC or WDAC
The Application Control feature in Windows 10 was originally called Device Guard Code Integrity. This was brought under the Defender umbrella of security technologies as Windows Defender Application Control (WDAC). Microsoft earlier this year announced that Windows Defender would become cross-platform (with a version of Defender antivirus for macOS) and be renamed Microsoft Defender.
In my blog posts I originally called it Microsoft Defender Application Control (MDAC). You can see in the screenshot below that all the Defender technologies for Windows 10 Endpoint Protection, in Intune, are now Microsoft Defender.
However, Microsoft now seems to have standardised on WDAC, so I have reverted to that (2021).
Set WDAC Policy Options
A Windows Defender Application Control (WDAC) policy uses Options to control aspects of how it works. The options are binary choices: Enabled or Disabled; Required or Not Required. This post explains the choices.
Merge WDAC Policies
In a previous post I described creating a WDAC policy with the new file path rules. But this, alone, would not be enough for a desktop. We need to add rules to allow other files to run. To get a complete policy ready for production, we need to merge the file path rules with other policies.
WDAC and File Path Rules
In Windows 1903, Microsoft added support in Windows Defender Application Control (WDAC) for file path rules as a basis for whitelisting. This post shows how to create a WDAC policy with file path rules.
WDAC and Intune Blog Series
A series of posts about using Windows Defender Application Control (WDAC) with Intune.
Deliver a WDAC Policy with Intune
This post covers how to deliver a WDAC policy with Intune. It is part of a series about WDAC policies. To perform this step, we need to have previously created a policy and tested it manually. The Microsoft documentation on delivering a WDAC policy with Intune is confusing and incorrect. This is how to do it.
Test a WDAC Policy
This post covers how to test a Windows Defender Application Control (WDAC) policy.
Create a basic WDAC Policy
Windows Defender Application Control (WDAC) is a security feature that controls what is allowed to run on a Windows OS. This post describes creating a basic policy that allows Windows to boot and function. It is the first step in creating a WDAC policy for production.
Getting Started with WDAC
Windows Defender Application Control (WDAC) is the native Windows 10 security feature for controlling which files can be executed on the desktop. In Windows 1903, Microsoft added support for file path rules as a basis for whitelisting. Before this, implementing a WDAC policy for the desktop in production was very difficult, almost impractical. File path rules allow applications in the Windows and Program Files folders to run without first specifying what they are. This is one of a series of posts about how to create and implement a WDAC policy for the desktop, with file path rules, using Intune to deliver it.