Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
Further improvements to the code to follow the best practices.
Added native prompt for confirmation to Deploy-SignedWDACConfig before deploying the signed policy on the system.
Added native prompt for confirmation to New-DenyWDACConfig before deploying the deny base policy for Appx-based apps. Shows the details of the selected Appx package based on the user input and allows for confirming or denying it before proceeding.
Added native prompt for confirmation to New-SupplementalWDACConfig before deploying the supplemental policy for Appx-based apps. Shows the details of the selected Appx package based on the user input and allows for confirming or denying it before proceeding.
Added native prompt for confirmation to Remove-WDACConfig -SignedBase before deploying the signed policy in unsigned mode.
All of the prompts for confirmations can be bypassed with the familiar -Force parameter. This allows the WDACConfig module to be used non-interactively for remote administration.
Improved detection of PowerShell Core. When creating Default Windows base policies, PowerShell Core files are now scanned only if it was installed using MSI. PowerShell Core installed from the Microsoft Store doesn't need to be scanned and allowed in the Default Windows base policy because it's automatically allowed.
Added progress bars to all of the parameters of the New-WDACConfig cmdlet.
Completed adding verbose messages to every single component of the WDACConfig module.
Added progress bars to all of the parameters of the Edit-WDACConfig cmdlet.
Added progress bars to all of the parameters of the Edit-SignedWDACConfig cmdlet.
Improved and added progress bars to Remove-WDACConfig -UnsignedOrSupplemental cmdlet and parameter.
Improved input validations on the Set-CommonWDACConfig cmdlet.
Added progress bars to all of the parameters of the New-SupplementalWDACConfig cmdlet.
Added progress bars to all of the parameters of the New-DenyWDACConfig cmdlet.
Added progress bars to the Deploy-SignedWDACConfig cmdlet.
In Edit-SignedWDACConfig and Edit-WDACConfig cmdlets, changed the name of the -PolicyPaths parameter to -PolicyPath because those cmdlets only work on one base policy at a time and realistically there is no need for more than 1 base policy to allow files. The documentation also has been updated.
Added progress bars to all of the parameters of the New-KernelModeWDACConfig cmdlet.
Created a new cmdlet called Assert-WDACConfigIntegrity, used to verify the integrity of the WDACConfig module with the most secure available hashing algorithm: SHA2-512. Will switch to the SHA3 hashes that are available in .NET 8 and later once they are available in stable builds of Windows. They are currently available in Insider channels. The documentation of this new cmdlet can be found here.
Improved the self-updating mechanism. The execution flow is no longer disrupted when the module auto-updates to a new version; although constant variables are used, they are now properly recycled.
Note:
When the module automatically updates to version 0.2.8 there might be a one-time error because of a bug (that is fixed in this version but present in version 0.2.7). You can safely ignore it by closing the PowerShell tab and reopening it again to continue using the new version of the module. Alternatively you can manually update the WDACConfig module by running the following command:
Update-Module -Name WDACConfig -Force
The bug 🐛 is related to constant variables being used and the inability of v0.2.7 to empty them when the module updates to a new version.
Improved the way Certificate Common Names are detected from the local user certificate store by taking into account CNs that contain a comma and are therefore wrapped in double quotes. Also implemented an additional check to make sure the certificate's algorithm is RSA and not another one such as ECDSA.
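The Common Name handling described above can be illustrated as follows. This is an added example, not code from the WDACConfig module; the function names Get-CommonNameFromSubject and Test-CertificateIsRsa and the sample subjects are constructed for illustration.

```powershell
# Added example; not WDACConfig source code. Function names are hypothetical.
function Get-CommonNameFromSubject {
    [CmdletBinding()]
    [OutputType([string])]
    param([Parameter(Mandatory)][string]$Subject)

    # Split the subject into RDNs on commas that are NOT inside double quotes.
    # Inside a quoted value, an embedded quote is written as "".
    $rdns = [regex]::Matches($Subject, '(?:[^,"]|"(?:[^"]|"")*")+') |
        ForEach-Object { $_.Value.Trim() }

    foreach ($rdn in $rdns) {
        if ($rdn -match '^CN=(.*)$') {
            $value = $Matches[1].Trim()
            # Strip the wrapping quotes and un-double any embedded quotes.
            if ($value -match '^"(.*)"$') { $value = $Matches[1].Replace('""', '"') }
            return $value
        }
    }
    return $null
}

function Test-CertificateIsRsa {
    [CmdletBinding()]
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 1.2.840.113549.1.1.1 = rsaEncryption; ECDSA public keys use 1.2.840.10045.2.1.
    return $Certificate.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1'
}

# Constructed subjects: plain CN, quoted CN with a comma, and a quoted
# attribute that contains the text "CN=" and must not be mistaken for the CN.
$samples = @(
    'CN=Contoso Code Signing, O=Contoso, C=US'
    'CN="Fabrikam, Inc. Signing", O="Fabrikam, Inc.", C=US'
    'O="Example, CN=Decoy", CN=Real Name'
)
foreach ($s in $samples) { Get-CommonNameFromSubject -Subject $s }

# Against the real store: list CNs of RSA certificates in the current user's store.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { Test-CertificateIsRsa -Certificate $_ } |
    ForEach-Object { Get-CommonNameFromSubject -Subject $_.Subject }
```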
The WDACConfig module comprises .ps1 and .psm1 files that bear the cryptographic signature of my local certificate authority's (CA) certificate. The module incorporates mechanisms to automatically ascertain the integrity of the module files and prevent any unauthorized modifications. The module manifest, the .psd1 file, on the other hand, lacks a signature because the PowerShell Gallery raises an installation error when the manifest is signed with a self-signed certificate.
The public key of the certificate used to sign the module files can be obtained from here.
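A sketch of the two checks mentioned in these notes, a SHA2-512 hash comparison and the Authenticode signature on each .ps1 and .psm1 file. This is an added example, not the implementation of Assert-WDACConfigIntegrity; the function name Test-ModuleFileIntegrity, the baseline CSV layout (RelativePath, Hash) and the demo files are assumptions.

```powershell
# Added example; not WDACConfig source code. Names and CSV layout are hypothetical.
function Test-ModuleFileIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ModuleRoot,
        [Parameter(Mandatory)][string]$BaselineCsv   # columns: RelativePath, Hash
    )
    $baseline = @{}
    foreach ($row in Import-Csv -LiteralPath $BaselineCsv) {
        $baseline[$row.RelativePath] = $row.Hash
    }
    $root = (Resolve-Path -LiteralPath $ModuleRoot).Path
    $seen = @{}
    $files = Get-ChildItem -LiteralPath $root -Recurse -File |
        Where-Object { $_.Extension -in '.ps1', '.psm1' }

    foreach ($file in $files) {
        $rel = $file.FullName.Substring($root.Length).TrimStart('\', '/')
        $seen[$rel] = $true
        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA512).Hash
        # Status is 'Valid' only when the signing CA is trusted on this machine;
        # 'HashMismatch' means the file changed after it was signed.
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        [pscustomobject]@{
            File            = $rel
            HashMatches     = $baseline.ContainsKey($rel) -and ($baseline[$rel] -eq $actual)
            SignatureStatus = [string]$sig.Status
        }
    }
    # Files listed in the baseline but absent on disk are failures too.
    foreach ($rel in $baseline.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            [pscustomobject]@{ File = $rel; HashMatches = $false; SignatureStatus = 'FileMissing' }
        }
    }
}

# Constructed demo: throwaway folder, baseline recorded, file modified afterwards.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('IntegrityDemo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$sample = Join-Path $demo 'Sample.psm1'
Set-Content -LiteralPath $sample -Value 'function Get-Sample { 1 }'
$csv = Join-Path $demo 'baseline.csv'
[pscustomobject]@{
    RelativePath = 'Sample.psm1'
    Hash         = (Get-FileHash -LiteralPath $sample -Algorithm SHA512).Hash
} | Export-Csv -LiteralPath $csv -NoTypeInformation
Add-Content -LiteralPath $sample -Value '# modified after the baseline was taken'
Test-ModuleFileIntegrity -ModuleRoot $demo -BaselineCsv $csv
Remove-Item -LiteralPath $demo -Recurse -Force
```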