Daniel James (daniel.james)
Hi.
I am trying to get Windows Defender Application Control working via hash rules. We are using WDAC as we don't have Win10 Enterprise (I know, we should...)
I have got WDAC working; my policy allows all Microsoft apps and anything in c:\windows\, c:\program files and c:\program files (x86). I am also happy getting apps to work via publisher; however, I just can't get it working by file hash alone.
I am running:
New-CIPolicy -Level Hash -ScanPath 'c:\source\' -FilePath puttyhash.xml
which appears to create a blank policy(?) (see bottom of this message). Converting this policy to binary seems to result in Windows Defender being switched off; no logs appear in Event Viewer -> Application and Service Logs -> Microsoft -> Windows -> Code Integrity -> Operational for any .exe's.
Switching option 3 off and re-converting stops the machine from booting (so I don't understand the lack of logs...).
Merging this into my normal policy (and then switching option 3 off) doesn't seem to have any effect on behaviour; I still can't run putty.exe (I get the 'Your ), except from file paths I have allowed.
Using New-CIPolicy -Level Publisher -ScanPath 'c:\source\' -FilePath puttyhash.xml and then merging/converting does seem to work.
What am I doing wrong? Does hash only work as a fallback when a file doesn't have a publisher?
Thanks.
Created hash policy:
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Audit Mode</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Advanced Boot Options Menu</Option>
    </Rule>
    <Rule>
      <Option>Required:Enforce Store Applications</Option>
    </Rule>
  </Rules>
  <!--EKUS-->
  <EKUs />
  <!--File Rules-->
  <FileRules />
  <!--Signers-->
  <Signers />
  <!--Driver Signing Scenarios-->
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 01-30-2020">
      <ProductSigners />
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 01-30-2020">
      <ProductSigners />
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
  <HvciOptions>0</HvciOptions>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
</SiPolicy>
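The hash-rule workflow described in the post, as an added example that is not part of the original post: New-CIPolicy scans only kernel-mode PEs unless -UserPEs is given, which is why a scan of a folder holding only a user-mode binary yields empty <FileRules /> and <Signers />. Paths under C:\CI\ and the base policy file name are constructed assumptions.

```powershell
# Added example (not the poster's code). Assumes the ConfigCI module that ships
# with Windows 10, a binary to allow under C:\source\, and an existing base
# policy at C:\CI\BasePolicy.xml (both paths constructed for this example).
$ScanPath   = 'C:\source\'
$HashPolicy = 'C:\CI\puttyhash.xml'
$BasePolicy = 'C:\CI\BasePolicy.xml'
$Merged     = 'C:\CI\MergedPolicy.xml'
$Binary     = 'C:\CI\SIPolicy.p7b'

# 1. Hash-level rules. -UserPEs makes user-mode executables (putty.exe) part of
#    the scan; without it only kernel-mode files are considered.
New-CIPolicy -Level Hash -ScanPath $ScanPath -UserPEs -FilePath $HashPolicy

# Sanity check before deploying anything: the scan must have produced rules.
[xml]$doc = Get-Content -Path $HashPolicy -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('ci', 'urn:schemas-microsoft-com:sipolicy')
$ruleCount = $doc.SelectNodes('//ci:FileRules/*', $ns).Count
if ($ruleCount -eq 0) {
    throw "No file rules generated; check -UserPEs and that $ScanPath contains PE files."
}
Write-Host "Generated $ruleCount hash rule(s) in $HashPolicy"

# 2. Merge into the existing base policy rather than deploying the scan alone:
#    a policy with no allow rules blocks everything once audit mode is removed,
#    which matches the boot failure the post describes.
Merge-CIPolicy -PolicyPaths $BasePolicy, $HashPolicy -OutputFilePath $Merged

# 3. Keep Audit Mode (rule option 3) enabled for the first deployment and
#    remove it only after the Code Integrity log shows no unexpected hits.
Set-RuleOption -FilePath $Merged -Option 3

# 4. Compile to the binary form the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary

# 5. Review the operational log: 3076 = would have been blocked (audit mode),
#    3077 = blocked (enforced). Anything listed here needs a rule before
#    option 3 is removed.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 50 |
    Where-Object { $_.Id -in 3076, 3077 } |
    Select-Object TimeCreated, Id, Message
```

Copy the resulting .p7b to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and reboot to apply it, as with any other WDAC policy update.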