HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

[Bug]: Edit-SignedWDACConfig not merging Supplemental Policies #125

Closed dennyamarojr closed 1 year ago

dennyamarojr commented 1 year ago

Tools category

WDACConfig Module

Does your system meet the requirements?

Is your Windows installation genuine?

Please explain the bug

Today I started deploying WDAC on my machine and found something interesting. The following command:

Edit-SignedWDACConfig -MergeSupplementalPolicies -CertPath "C:\Certificate.cer" -SuppPolicyName "Merge of Multiple Supplementals" -PolicyPaths "C:\AllowMicrosoftPlusBlockRules.xml" -CertCN "WDAC Certificate" -SuppPolicyPaths "C:\Supplemental policy for App1.xml","C:\Supplemental policy for App 2.xml","C:\Supplemental policy for App 3.xml"

does not appear to work if you use the following command:

New-SupplementalWDACConfig -Normal -ScanLocation "C:\Program Files\Program" -SuppPolicyName "App's Name" -PolicyPath "C:\AllowMicrosoftPlusBlockRules.xml"

It shows an error message about the PolicyPaths, or that the supplemental policies are not deployed, but I tested with the supplemental policies deployed and it still does not work.

Currently I'm testing creating them one by one and then merging them, using this command:

Edit-SignedWDACConfig -AllowNewApps -CertPath "C:\Certificate.cer" -SuppPolicyName "App's Name" -PolicyPaths "C:\AllowMicrosoftPlusBlockRules.xml" -CertCN "WDAC Certificate"

dennyamarojr commented 1 year ago

(two screenshots attached; not reproduced here)

dennyamarojr commented 1 year ago

I think there's a limit of 3 supplemental policies per merge; that's what is causing the issue.

dennyamarojr commented 1 year ago

I tried with six; after that the command gives the error message and we couldn't merge all the supplemental policies. I will try with the WDAC Toolkit.

Update: with the WDAC Toolkit I could merge all 15 supplemental policies (screenshot attached; not reproduced here).

dennyamarojr commented 1 year ago

During the whitelisting process I see a small problem. I think it is my mistake, but here's what is happening.

I ran the following command:

New-SupplementalWDACConfig -Normal -ScanLocation "C:\Program Files\Program" -SuppPolicyName "App's Name" -PolicyPath "C:\AllowMicrosoftPlusBlockRules.xml"

After creating all the supplemental policies, the .xml did not contain rules for all the files in some directories.

Maybe it is something I'm doing wrong, but I checked in the WDAC Wizard and the Photoshop executable has a Publisher, and the command did not recognize it.

HotCakeX commented 1 year ago

Hi,

As mentioned in the docs, Edit-SignedWDACConfig -MergeSupplementalPolicies and Edit-WDACConfig -MergeSupplementalPolicies check the user-selected XML policy files to ensure that they are all deployed on the system first. This is to prevent accidental user error.

I haven't set any limitation for the merge operations.

If Photoshop is not genuine then you will need to use Hash as the level, because by default the cmdlets use FilePublisher as the main level and Hash as the fallback, and non-genuine software has a mismatch between the hash saved in its certificate and the file hash. More info here

If Photoshop is genuine then this is a problem I have to try to fix (which I don't have any info about based on what you gave me).

By the way, if you use the Set-CommonWDACConfig cmdlet then you don't need to specify repetitive parameters each time, such as CertCN, CertPath, PolicyPath, SignTool.exe, etc.
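A way to run the "is every supplemental policy actually deployed?" precondition yourself before calling -MergeSupplementalPolicies, so a failed merge can be traced to a specific file. This is an added example, not code from the WDACConfig module; it assumes Windows 11 22H2 or later where the built-in CiTool.exe supports --list-policies --json, and it assumes that JSON has a top-level Policies array whose entries carry a PolicyID field. The file paths are the hypothetical ones from the issue.

```powershell
# Added example: pre-flight check that mirrors what Edit-SignedWDACConfig
# -MergeSupplementalPolicies verifies (every supplemental XML must already be
# deployed). Not the module's own code; uses only CiTool.exe and the XML files.

# Hypothetical paths taken from the issue text.
$SuppPolicyPaths = @(
    'C:\Supplemental policy for App1.xml',
    'C:\Supplemental policy for App 2.xml',
    'C:\Supplemental policy for App 3.xml'
)

function Get-DeployedPolicyId {
    # Assumption: CiTool --list-policies --json returns {"Policies":[{"PolicyID":"{GUID}", ...}]}
    $raw  = & "$env:SystemRoot\System32\CiTool.exe" --list-policies --json
    $json = ($raw -join "`n") | ConvertFrom-Json
    foreach ($p in $json.Policies) {
        # Normalise to bare upper-case GUID so it compares cleanly with the XML value
        $p.PolicyID.Trim('{}').ToUpperInvariant()
    }
}

function Get-XmlPolicyId {
    param([Parameter(Mandatory)][string]$Path)
    # Multiple Policy Format XML has <SiPolicy><PolicyID>{GUID}</PolicyID>...
    # PowerShell's [xml] dot-navigation ignores the default namespace.
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $id = $xml.SiPolicy.PolicyID
    if (-not $id) { return $null }   # legacy single-policy format has no PolicyID
    $id.Trim('{}').ToUpperInvariant()
}

$deployed = @(Get-DeployedPolicyId)

$problems = foreach ($path in $SuppPolicyPaths) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        "$path : file not found on disk"
        continue
    }
    $id = Get-XmlPolicyId -Path $path
    if (-not $id) {
        "$path : no PolicyID element (not Multiple Policy Format?)"
    }
    elseif ($deployed -notcontains $id) {
        "$path : PolicyID {$id} is not deployed"
    }
}

if ($problems) {
    $problems | Write-Warning
    throw 'Deploy every supplemental policy first, then run the merge.'
}
Write-Host "All $($SuppPolicyPaths.Count) supplemental policies are deployed; safe to merge."
```

Run it from an elevated PowerShell session, since CiTool needs administrator rights to enumerate policies. A supplemental policy that exists on disk but whose PolicyID is not in the deployed list is exactly the case the module refuses to merge; fix that by deploying it (or removing it from -SuppPolicyPaths) rather than by bypassing the check.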

HotCakeX commented 1 year ago

I just merged 15 policies without problem.

(screenshots attached: Screenshot 2023-09-25 141750, Screenshot 2023-09-25 142226)

Then I restarted and everything is working fine.

(screenshot attached: Screenshot 2023-09-25 142445)

I'm also releasing a new update for the WDACConfig module soon, it has user experience improvements. https://github.com/HotCakeX/Harden-Windows-Security/pull/126

HotCakeX commented 1 year ago

If any of the files in the programs that you use are signed but their certificates are expired (e.g., some files in the Free Download Manager program), or there is a mismatch between the certificate hash and the file hash (e.g., non-genuine software), then they are not allowed by the WDAC engine because of policy rule option 20, Enabled:Revoked Expired As Unsigned. Also, Authenticode can't generate a proper hash for tampered files.

I can't reproduce the error you showed in the screenshot for the -SuppPolicyPaths parameter. I can suggest 2 things: make sure the files aren't open in another application, and that they exist on the disk.
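To see in advance which files under a scan location a FilePublisher-level rule cannot cover (unsigned, hash-mismatched, or signed with an already-expired certificate) and will therefore depend on the Hash fallback, the signature state of each binary can be audited with the built-in Get-AuthenticodeSignature cmdlet. This is an added example, not the module's scanning logic: it treats any non-Valid Authenticode status, or a signer certificate whose NotAfter is in the past, as "needs a hash rule", which is a conservative approximation of how option 20 (Enabled:Revoked Expired As Unsigned) behaves rather than the engine's exact logic. The scan path is the hypothetical one from the issue.

```powershell
# Added example: find files that FilePublisher rules will not cover.
# Not part of the WDACConfig module; uses only Get-AuthenticodeSignature.

$ScanLocation = 'C:\Program Files\Program'   # hypothetical path from the issue

# Extensions WDAC treats as executable code; extend as needed.
$CodeExtensions = '.exe', '.dll', '.sys', '.ocx', '.msi', '.ps1', '.psm1', '.scr', '.cpl'

function Get-WdacSignatureAudit {
    param([Parameter(Mandatory)][string]$Path)

    $now = Get-Date
    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $_.Extension -in $CodeExtensions } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate
            $expired = if ($cert) { $cert.NotAfter -lt $now } else { $null }

            [pscustomobject]@{
                File          = $_.FullName
                # Valid, NotSigned, HashMismatch, UnknownError, NotTrusted, ...
                Status        = $sig.Status
                Signer        = if ($cert) { $cert.Subject } else { $null }
                NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
                # Assumption: anything that is not a currently valid signature
                # ends up needing a Hash rule under option 20.
                NeedsHashRule = ($sig.Status -ne 'Valid') -or ($expired -eq $true)
            }
        }
}

$audit = Get-WdacSignatureAudit -Path $ScanLocation

Write-Host ("{0} code files scanned, {1} will need Hash-level rules:" -f
    $audit.Count, @($audit | Where-Object NeedsHashRule).Count)

$audit | Where-Object NeedsHashRule |
    Sort-Object Status, File |
    Format-Table Status, NotAfter, Signer, File -AutoSize
```

A HashMismatch status on a file that claims a well-known publisher is the "non-genuine software" case from the comment above: the Authenticode hash embedded in the signature no longer matches the bytes on disk, so no publisher-based rule can ever allow it and only a hash rule (or replacing the file with a genuine copy) will. NotSigned entries are simply unsigned and also land in the hash fallback.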

HotCakeX commented 1 year ago

It's been 4 days without response. Looks like the explanations I added resolved your situation.

Please reopen this or create a separate issue if there is still any problem.

Thanks