HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

[Bug]: Edit-WDACConfig -AllowNewApps ==> blocked by WDAC #327

Closed Kofl closed 2 months ago

Kofl commented 2 months ago

Tools category

WDACConfig Module

Does Your System Meet The Requirements?

Is your Windows Installation Genuine?

Did You Read The Frequently Asked Questions?

Please Explain The Bug

Edit-WDACConfig -AllowNewApps -SuppPolicyName 'TreeSize' -PolicyPath "C:\wdac\Base Policy Enforce Mode_2024-07-23_v10.0.3.6.xml"
Audit mode deployed, start installing/running your programs now

Starting the application => blocked by WDAC

Windows 11 24H2, en-gb

Happy to provide further requested information

Error Details

No response

HotCakeX commented 2 months ago

Do you have more than 1 non-system base policy deployed on the system that is in charge of blocking files?

You can check them via this command

Confirm-WDACConfig -ListActivePolicies -OnlyBasePolicies

HotCakeX commented 2 months ago

You can enter this command

ConvertTo-WDACPolicy

or this for full details

ConvertTo-WDACPolicy -ExtremeVisibility

or check the event logs, that will show you which policy is blocking the files. The behavior you're describing usually originates from having more than 1 base policy. The module turns on audit mode in the policy you select, but if there are more than 1 (which isn't necessary), then the other one will still be enforcing and blocking files. If this is the case, we can convert this issue into a discussion to come up with a solution for your case.
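As an added diagnostic (not code from this thread or from the WDACConfig module), the following PowerShell script lists the non-system base policies CiTool reports, warns when more than one of them is enforcing, and pulls the recent CodeIntegrity 3077 block events together with the policy that produced each one. It assumes the CiTool `--list-policies --json` field names and the 3077 event data field names given in the comments.

```powershell
# Added example, not part of the WDACConfig module.
# Assumes Windows 11 with CiTool.exe available and that its --json output
# carries the fields PolicyID, BasePolicyID, FriendlyName, IsEnforced,
# IsAuditMode and IsSystemPolicy (names as seen in CiTool output).
#Requires -RunAsAdministrator

function Get-NonSystemBasePolicy {
    # Parse CiTool's JSON instead of scraping its text output
    $raw = & CiTool.exe --list-policies --json
    $policies = ($raw | ConvertFrom-Json).Policies

    # A base policy has PolicyID equal to its BasePolicyID;
    # a supplemental policy points at some other base policy's ID.
    $policies |
        Where-Object { $_.PolicyID -eq $_.BasePolicyID -and -not $_.IsSystemPolicy } |
        Select-Object FriendlyName, PolicyID, IsEnforced, IsAuditMode
}

function Get-RecentWdacBlock {
    param([int]$Hours = 1)
    # Event 3077 = file blocked by an enforced policy (3076 = audit-only "would block").
    # Assumed EventData field names: 'File Name', 'PolicyName', 'PolicyGUID'.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            File       = $d['File Name']
            PolicyName = $d['PolicyName']
            PolicyGUID = $d['PolicyGUID']
        }
    }
}

$base = @(Get-NonSystemBasePolicy)
$base | Format-Table -AutoSize

# Audit mode on one base policy does nothing about a second one that is still enforcing
$enforcing = @($base | Where-Object { $_.IsEnforced -and -not $_.IsAuditMode })
if ($enforcing.Count -gt 1) {
    Write-Warning "$($enforcing.Count) non-system base policies are enforcing; blocks can come from any of them."
}

Get-RecentWdacBlock -Hours 1 | Format-Table -AutoSize
```

The PolicyGUID on a 3077 event can be matched against the PolicyID column of the first table to see which deployed base policy produced the block.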

Kofl commented 2 months ago

Thanks for the feedback, so far it's only one base policy visible via

Confirm-WDACConfig -ListActivePolicies -OnlyBasePolicies

and seems to be blocked by that one?

[screenshot attached]

Base Policy xml content:

[screenshot attached]

HotCakeX commented 2 months ago

Interesting, when you run this command in a new terminal tab, after the audit mode has been turned on

Confirm-WDACConfig -VerifyWDACStatus

do you see number 2 for both of the items?

Kofl commented 2 months ago

yes

[screenshot attached]

HotCakeX commented 2 months ago

Is Smart App control enabled on your system? Have you used Intune to deploy one of the App control presets? You can run this for system policies:

Confirm-WDACConfig -ListActivePolicies -OnlySystemPolicies

I'm not sure if this is a bug in the module, I haven't been able to reproduce it so far. If you can try a clean VM, deploy a base policy, then use the Edit-WDACConfig command to turn on audit mode in it to install an app, that's what I did just now in a Hyper-V VM and it works fine like before.

Kofl commented 2 months ago

Smart App Control is set to Evaluation

Not aware of any App control presets set via Intune, WDAC policies are deployed via Intune.

Would that look okay and should not cause the issue?

[screenshot attached]

[screenshot attached]

Could I use WDACConfig to deploy our/the same base policy on the clean VM as now via Intune?

HotCakeX commented 2 months ago

You don't need the WDACConfig module for deploying an XML file you have on the local system, you can use these commands

ConvertFrom-CIPolicy -XmlFilePath basepolicy.xml -BinaryFilePath basepolicy.cip
CiTool.exe --update-policy basepolicy.cip

But now that you mentioned you deployed them originally from Intune, I'm thinking maybe the Intune agent (running as SYSTEM) is preventing the module (running as Admin) from modifying the deployed policy, or maybe Intune is actively restoring the system back to the state you set in the Intune portal via config refresh or something similar.

I haven't done many tests to modify policies deployed via Intune locally using the Edit-WDACConfig cmdlets; for the Intune scenario I've developed and considered other ways, and all of them involve creating the policy locally and then deploying it via Intune itself, because Intune managed systems are usually too many to be managed locally and individually.

HotCakeX commented 2 months ago

If you want I can include logic to manage Intune deployed policies as well, but it will be through the Microsoft Graph and not locally.

Due to the idempotent nature of Intune, it reapplies the same WDAC policies you deploy through the portal over and over again on the system; there is no way to override it locally.

I will add the Intune management through the MS Graph in a future update, for now you can create the policies locally and deploy them through the same Intune portal.

Closing this issue because it's not a bug in WDACConfig that I can fix, just how Intune deployed policies operate.