MicrosoftDocs / WDAC-Toolkit

Documentation and tools to access Windows Defender Application Control (WDAC) technology.
Creative Commons Attribution 4.0 International

[Suggestion] Add an FAQ to explain the default templates and recommended configurations #213

Open dennyamarojr opened 1 year ago

dennyamarojr commented 1 year ago

Hi,

This is my second issue here, and this time I come to make a suggestion for the WDAC Toolkit. I see that there are a lot of templates available, and the WDAC Policy Wizard also has some templates: Default Windows mode, Allow Microsoft mode and Signed and Reputable mode. These are good templates to use as a starting point, but we also have the WDAC templates in Windows, and this could cause some trouble for beginners deciding which one is best and what is best for the user's environment. Policy rules are another area where we may need some information, to decide which rules are best to enforce, with some explanation of each one (maybe there is some in the official documentation), and also to say which rules are for troubleshooting any issues in the environment.

jgeurten commented 1 year ago

Hi @dennyamarojr,

Can you see whether our official docs answer your questions:

  1. Rule options explanations: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---policy-rule-options
  2. Templates: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies
  3. Common scenarios: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/types-of-devices

dennyamarojr commented 1 year ago

That's good documentation and I checked the information, but I couldn't find which policy rules in "Table 1. Windows Defender Application Control policy - policy rule options" are recommended to use.

To explain my point: for example, for a fully managed device as described in the third link (common scenarios), the recommended policy rules would be:

  0 Enabled:UMCI
  2 Required:WHQL
  10 Enabled:Boot Audit on Failure
  12 Required:Enforce Store Applications

and for a lightly managed device: X X X X

This could be useful for beginners, and also if each template's description said which scenario it is recommended for, since in the second link we just have the descriptions of the templates, but in the third link I couldn't see which template is used for each scenario.

HotCakeX commented 1 year ago

@dennyamarojr

For a fully managed system:

Rule number Rule option
0 Enabled:UMCI
2 Required:WHQL
5 Enabled:Inherit Default Policy
6 Enabled:Unsigned System Integrity Policy
11 Disabled:Script Enforcement
12 Required:Enforce Store Applications
16 Enabled:Update Policy No Reboot
17 Enabled:Allow Supplemental Policies
19 Enabled:Dynamic Code Security
20 Enabled:Revoked Expired As Unsigned


For lightly managed system

Rule number Rule option
0 Enabled:UMCI
2 Required:WHQL
5 Enabled:Inherit Default Policy
6 Enabled:Unsigned System Integrity Policy
11 Disabled:Script Enforcement
12 Required:Enforce Store Applications
14 Enabled:Intelligent Security Graph Authorization
15 Enabled:Invalidate EAs on Reboot
16 Enabled:Update Policy No Reboot
17 Enabled:Allow Supplemental Policies
19 Enabled:Dynamic Code Security
20 Enabled:Revoked Expired As Unsigned
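The two rule-option sets above, turned into a script. This is an added example, not code from the thread, from HotCakeX or from the WDAC Toolkit: it copies the DefaultWindows_Enforced template that ships in Windows, applies exactly the listed option numbers with the ConfigCI cmdlets (Set-RuleOption, Set-CIPolicyIdInfo, ConvertFrom-CIPolicy), and emits the {PolicyID}.cip binary. The output directory, the policy names and the choice to keep option 3 (Enabled:Audit Mode) switched on for a first rollout are assumptions of this example. Two caveats a practitioner should know: option 11 is "Disabled:Script Enforcement", so leaving it in the set as listed turns script enforcement off, and option 20 is only accepted by the ConfigCI module on Windows builds that know about it.

```powershell
# Added example (not from the issue thread or the WDAC Toolkit).
# Builds two WDAC base policies from the in-box DefaultWindows_Enforced
# template and applies the rule-option sets posted above.
# Requires the ConfigCI module (Windows 10/11, run as Administrator).

$Template = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml'
$OutDir   = 'C:\WDAC'    # assumed working directory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Option numbers as in "Table 1" of the rule-options doc linked earlier.
$FullyManaged   = 0, 2, 5, 6, 11, 12, 16, 17, 19, 20
# Lightly managed differs only by 14 (ISG authorization) and 15 (Invalidate EAs on Reboot).
$LightlyManaged = $FullyManaged + @(14, 15)

function New-BasePolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int[]]  $Options,
        [switch] $Audit    # keep 3 = Enabled:Audit Mode on for the first rollout (assumed practice)
    )
    $Xml = Join-Path $OutDir "$Name.xml"
    Copy-Item -Path $Template -Destination $Xml -Force

    # Fresh PolicyID/BasePolicyID so this policy does not collide with the template's GUID,
    # and a readable name in the XML.
    Set-CIPolicyIdInfo -FilePath $Xml -ResetPolicyID -PolicyName $Name | Out-Null

    # Start from a known state: clear every option the template carries (for example the
    # template enables 9 = Advanced Boot Options Menu), then set exactly the requested ones.
    0..20 | ForEach-Object { Set-RuleOption -FilePath $Xml -Option $_ -Delete }
    foreach ($o in $Options) { Set-RuleOption -FilePath $Xml -Option $o }
    if ($Audit) { Set-RuleOption -FilePath $Xml -Option 3 }

    # Caveat: 11 = Disabled:Script Enforcement. Keeping it, as in the tables above,
    # leaves PowerShell/WSH script enforcement OFF. To enforce scripts instead:
    #   Set-RuleOption -FilePath $Xml -Option 11 -Delete

    # Binary name must be the PolicyID GUID for the multiple-policy format.
    $PolicyId = ([xml](Get-Content -Path $Xml -Raw)).SiPolicy.PolicyID
    $Bin = Join-Path $OutDir "$PolicyId.cip"
    ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $Bin | Out-Null

    [pscustomobject]@{
        Name     = $Name
        PolicyID = $PolicyId
        Xml      = $Xml
        Binary   = $Bin
        Options  = @(([xml](Get-Content -Path $Xml -Raw)).SiPolicy.Rules.Rule.Option)
    }
}

$fm = New-BasePolicy -Name 'FullyManaged'   -Options $FullyManaged   -Audit
$lm = New-BasePolicy -Name 'LightlyManaged' -Options $LightlyManaged -Audit

# Check what actually landed in the XML before deploying: the two sets should differ
# only by the ISG and EA-invalidation options.
$fm, $lm | Format-Table Name, PolicyID, Binary
Compare-Object -ReferenceObject $fm.Options -DifferenceObject $lm.Options
# Expected difference (=>): Enabled:Intelligent Security Graph Authorization,
#                           Enabled:Invalidate EAs on Reboot
```

Deploy the resulting .cip to C:\Windows\System32\CodeIntegrity\CiPolicies\Active\ (or via Intune/MDM), watch the CodeIntegrity and AppLocker MSI/script event logs while audit mode is on, and only then remove option 3 and rebuild the binary to move to enforcement. The Compare-Object check at the end is the cheap sanity test that the "lightly managed" policy is really the "fully managed" one plus options 14 and 15 and nothing else.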