Closed zygmuntszpak closed 1 week ago
Hi, thanks for making such a detailed report. It seems like a bug; I will check what's happening and fix it.
I'm currently in the process of adding this feature, ConvertTo-WDACConfig, plus Edit-WDACConfig and Edit-SignedWDACConfig, to the new AppControl Manager app. The features that will be added to the app will have different logic, which will fix this bug as well.
It's going to take approximately 2 weeks, maybe less, before I can release a new version of the WDACConfig module and AppControl Manager.
@zygmuntszpak
After having another look at the code, I think I found out why you couldn't see those logs. I think it's because those temp files are deleted after installation and are not included in the result. There is, however, an option you can try. First export the Code Integrity or AppLocker logs from Event Viewer to an .evtx file and then use this syntax:
ConvertTo-WDACPolicy -Source EVTXFiles -EVTXLogs "Path To .evtx files"
It should show you everything. Just a temporary workaround.
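The export-then-convert workaround described above, written out as an added PowerShell example; it is not code from the issue thread or from the WDACConfig module itself. It assumes an elevated session (exporting these channels needs administrator rights), that the WDACConfig module is already installed and imported, that C:\WDACLogs is a placeholder output folder, and that -EVTXLogs accepts an array of paths (the thread shows only a single quoted string, so pass one file at a time if it does not).

```powershell
# Added example, not from the issue thread. Exports the Code Integrity and
# AppLocker event channels to .evtx files with wevtutil, then hands those
# files to ConvertTo-WDACPolicy exactly as the workaround describes.

$OutDir = 'C:\WDACLogs'   # placeholder path, adjust as needed
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Standard Windows channel names. The "MSI and Script" channel is where the
# .tmp/DLL events mentioned in this issue are logged by AppLocker.
$Channels = @{
    'CodeIntegrity.evtx'      = 'Microsoft-Windows-CodeIntegrity/Operational'
    'AppLockerMSIScript.evtx' = 'Microsoft-Windows-AppLocker/MSI and Script'
    'AppLockerEXEDLL.evtx'    = 'Microsoft-Windows-AppLocker/EXE and DLL'
}

$Exported = foreach ($File in $Channels.Keys) {
    $Path = Join-Path -Path $OutDir -ChildPath $File
    # "wevtutil epl <channel> <file> /ow:true" exports a channel to an .evtx
    # file, overwriting any previous export at that path.
    wevtutil.exe epl $Channels[$File] $Path /ow:true
    if ($LASTEXITCODE -ne 0) {
        throw "Export of channel '$($Channels[$File])' failed (exit code $LASTEXITCODE)"
    }
    $Path
}

# Same syntax as the workaround in the thread. Whether -EVTXLogs takes an
# array is an assumption; fall back to one call per file if it does not.
ConvertTo-WDACPolicy -Source EVTXFiles -EVTXLogs $Exported
```

Exporting the channels to files before converting is also what makes the short-lived installer artifacts visible: the events stay in the exported .evtx even after the temp files they refer to have been deleted from disk.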
Thank you very much. You are right, when I load the EVTXLogs explicitly it correctly detects the .tmp files.
Regarding the new App Control Manager app, will it still support the creation of policies without automatic deployment? My use case is built around Intune and, from what I understood from reading a previous issue, it is best not to mix how policies are deployed but to consistently use Intune.
@zygmuntszpak my pleasure!
Of course, it will definitely have deployment as an optional feature; using it for Intune or remote systems in general is one of the main focus points. After this new update is released, you can try it out and give me more feedback so I can improve it to meet your other needs.
I've resolved this issue, please take a look at this release note:
https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/WDACConfigv0.4.9
Tools category: WDACConfig Module
Does Your System Meet The Requirements?
Is your Windows Installation Genuine?
Did You Read The Frequently Asked Questions?
Please Explain The Bug
I have created a DefaultWindowsAudit policy and deployed it via Intune. I'm trying to whitelist Adobe Standard PDF Reader by running the setup.exe as per the installation instructions. Upon installing and launching the program, I attempt to create a whitelist using
which detects and parses the following log events.
However, parsing the log event with the App Control Wizard I notice that there were other events which were detected that are associated with AppLocker MSI and Script Events which were not detected by the ConvertToWDACPolicy cmdlet. For example, there are numerous .tmp files which are related to something called ADelRPC.dll.
If I only select the events detected by ConvertToWDACPolicy then the whitelist appears to be incomplete. Specifically, after selecting all of these events, I uninstall Adobe, switch to enforcing DefaultWindows and attempt to install the Adobe Reader again only to find that it fails. Some of the DLLs in the .tmp files are blocked during installation as part of AppLocker MSI and Script Events and if I run ConvertToWDACPolicy with PolicyAddTo it still doesn't detect them. I can confirm this DLL is not detected in the logs:
I presume this is a bug?
Many thanks for this excellent package.
Error Details: No response