{"id":6733,"date":"2023-03-08T22:56:28","date_gmt":"2023-03-08T22:56:28","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=6733"},"modified":"2024-07-30T07:18:04","modified_gmt":"2024-07-30T07:18:04","slug":"wdac","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/wdac","title":{"rendered":"WDAC"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Baseline Wizard : <a href=\"https:\/\/webapp-wdac-wizard.azurewebsites.net\/\">Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net)<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/microsoft\/AaronLocker\">GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Whitelist <\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Locations only Admins can Write too ( Program Files and PF x86\\ WIndows ) <\/li>\n\n\n\n<li>Whitelist Publishers<\/li>\n\n\n\n<li>Enable 18 &#8211;<a href=\" https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/design\/select-types-of-rules-to-create\"> https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/design\/select-types-of-rules-to-create<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Advanced Hunting Defender to find Apps running outside if Allow List <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">DeviceProcessEvents\n| where FolderPath !contains \"Program Files\"\n| where FolderPath !contains \"Onedrive\"\n| where FolderPath !contains \"Teams\"\n| where FolderPath !contains \"C:\\\\Windows\\\\\"\n| where FolderPath !contains \"C:\\\\WindowsAzure\\\\\"\n| where FolderPath !contains \"C:\\\\programdata\\\\\"\n| where FileName contains \".exe\"\n| where ProcessCommandLine contains \".exe\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Don&#8217;t create Policy Binary ( .cip ) over 350KB of you won&#8217;t be able to deploy via Intune!!!!<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Update WDAC Audit Logs to Azure Log Analytics &#8211;<a href=\"https:\/\/stephanvdkruis.com\/2021\/02\/endpoint-manager-and-windows-defender-application-control\/\">Endpoint Manager and Windows Defender Application Control \u2013 stephanvdkruis.com<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.stephanvdkruis.com\/2021\/02\/endpoint-manager-and-windows-defender-application-control\/\">Endpoint Manager and Windows Defender Application Control \u2013 stephanvdkruis.com<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-gb\/windows\/security\/threat-protection\/windows-defender-application-control\/example-wdac-base-policies\">Example Windows Defender Application Control (WDAC) base policies (Windows) | Microsoft Learn<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Tools<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RefreshPolicy.exe download  <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=102925\">https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=102925<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-application-control\/operations\/citool-commands\" title=\"CiTool&nbsp;\">CiTool&nbsp;<\/a>( CiTool is currently included as part of the Windows image in Windows 11 version 22H2. ) <\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Company Portal Whitelisting Managed Apps<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-application-control\/configure-authorized-apps-deployed-with-a-managed-installer\">https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-application-control\/configure-authorized-apps-deployed-with-a-managed-installer<\/a> ( Deploy Default Policy Listed Here ) CANNOT BE DEPLOYED by Custom CSP , have to use powershell!!!! <a href=\"https:\/\/github.com\/ne8801\/scripts\">GitHub &#8211; ne8801\/scripts<\/a><\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-reddit wp-block-embed-reddit\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"reddit-embed-bq\" style=\"height:316px\" ><a href=\"https:\/\/www.reddit.com\/r\/Intune\/comments\/tyxgq8\/wdac_policy_whitelisting_issues_with_company\/\">WDAC Policy Whitelisting issues with Company Portal<\/a><br> by<a href=\"https:\/\/www.reddit.com\/user\/Trigzeee\/\">u\/Trigzeee<\/a> in<a href=\"https:\/\/www.reddit.com\/r\/Intune\/\">Intune<\/a><\/blockquote><script async src=\"https:\/\/embed.reddit.com\/widgets.js\" charset=\"UTF-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-call-4-cloud-intune-mmp-c-windc-autopilot wp-block-embed-call-4-cloud-intune-mmp-c-windc-autopilot\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/call4cloud.nl\/2021\/06\/wdac-or-the-unexpected-virtue-of-ignorance\/#part5\n<\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">Remove WDAC Policy    \n# Set PolicyId GUID to the PolicyId from your WDAC policy XML\n    $PolicyId = \"{a244370e-44c9-4c06-b551-f6016e563076}\"\n\n    # Initialize variables\n    $SinglePolicyFormatPolicyId = \"{A244370E-44C9-4C06-B551-F6016E563076}\"\n    $SinglePolicyFormatFileName = \"\\SiPolicy.p7b\"\n    $MountPoint =  $env:SystemDrive+\"\\EFIMount\"\n    $SystemCodeIntegrityFolderRoot = $env:windir+\"\\System32\\CodeIntegrity\"\n    $EFICodeIntegrityFolderRoot = $MountPoint+\"\\EFI\\Microsoft\\Boot\"\n    $MultiplePolicyFilePath = \"\\CiPolicies\\Active\\\"+$PolicyId+\".cip\"\n\n    # Mount the EFI partition\n    $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]\n    if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force }\n    mountvol $MountPoint $EFIPartition\n\n    # Check if the PolicyId to be removed is the system reserved GUID for single policy format.\n    # If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as\n    # {GUID}.cip in the CiPolicies\\Active subdirectory\n    if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2}\n    \n    $Count = 1\n    while ($Count -le $NumFilesToDelete) \n    {\n           \n        # Set the $PolicyPath to the file to be deleted, if exists\n        Switch ($Count)\n        {\n            1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath}\n            2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath}\n            3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName}\n            4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName}\n        }\n\n        # Delete the policy file from the current $PolicyPath\n        Write-Host \"Attempting to remove $PolicyPath...\" -ForegroundColor Cyan\n        if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue}\n\n        $Count = $Count + 1\n    }\n\n    # Dismount the EFI partition\n   mountvol $MountPoint \/D<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Double check this not being used in Intune<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-15.png\"><img loading=\"lazy\" decoding=\"async\" width=\"835\" height=\"148\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-15.png\" alt=\"\" class=\"wp-image-6824 img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-15.png 835w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-15-300x53.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-15-768x136.png 768w\" sizes=\"auto, (max-width: 835px) 100vw, 835px\" \/><\/a><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Event ID&#8217;s<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-16.png\"><img loading=\"lazy\" decoding=\"async\" width=\"365\" height=\"357\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-16.png\" alt=\"\" class=\"wp-image-8149 img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-16.png 365w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-16-300x293.png 300w\" sizes=\"auto, (max-width: 365px) 100vw, 365px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"windows-codeintegrity-operational-log\">Windows CodeIntegrity Operational log<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Event ID<\/th><th>Explanation<\/th><\/tr><\/thead><tbody><tr><td>3004<\/td><td>This event isn&#8217;t common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required.<\/td><\/tr><tr><td>3033<\/td><td>This event isn&#8217;t common. It often means the file&#8217;s signature is revoked or expired. Try using option&nbsp;<code>20 Enabled:Revoked Expired As Unsigned<\/code>&nbsp;in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs.<\/td><\/tr><tr><td>3034<\/td><td>This event isn&#8217;t common. It&#8217;s the audit mode equivalent of event 3033 described above.<\/td><\/tr><tr><td>3076<\/td><td>This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced.<\/td><\/tr><tr><td>3077<\/td><td>This event is the main Application Control block event for enforced policies. It indicates that the file didn&#8217;t pass your policy and was blocked.<\/td><\/tr><tr><td>3089<\/td><td>This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the&nbsp;<code>Correlation ActivityID<\/code>&nbsp;found in the&nbsp;<strong>System<\/strong>&nbsp;portion of the event.<\/td><\/tr><tr><td>3099<\/td><td>Indicates that a policy has been loaded. This event also includes information about the Application Control policy options that were specified by the policy.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Example Policy<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/pariswells\/public-code\/blob\/master\/WDAC.xml\">https:\/\/github.com\/pariswells\/public-code\/blob\/master\/WDAC.xml<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net) GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows Whitelist Advanced Hunting Defender to find Apps running outside if [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4193,4192],"class_list":["post-6733","post","type-post","status-publish","format-standard","hentry","category-research","tag-wdac","tag-windows-defender-application-control"],"aioseo_notices":[],"aioseo_head":"\n\t\t<!-- All in One SEO 4.9.10 - aioseo.com -->\n\t<meta name=\"description\" content=\"Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net) GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows Whitelist Locations only Admins can Write too ( Program Files and PF x86\\ WIndows ) Whitelist Publishers Enable 18 - https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/design\/select-types-of-rules-to-create Advanced Hunting Defender to find Apps running outside if Allow List DeviceProcessEvents | where FolderPath !contains &quot;Program\" \/>\n\t<meta name=\"robots\" content=\"max-image-preview:large\" \/>\n\t<meta name=\"author\" content=\"paris\"\/>\n\t<link rel=\"canonical\" href=\"https:\/\/pariswells.com\/blog\/research\/wdac\" \/>\n\t<meta name=\"generator\" content=\"All in One SEO (AIOSEO) 4.9.10\" \/>\n\t\t<meta property=\"og:locale\" content=\"en_US\" \/>\n\t\t<meta property=\"og:site_name\" content=\"Welcome to Pariswells.com |\" \/>\n\t\t<meta property=\"og:type\" content=\"article\" \/>\n\t\t<meta property=\"og:title\" content=\"WDAC | Welcome to Pariswells.com\" \/>\n\t\t<meta property=\"og:description\" content=\"Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net) GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows Whitelist Locations only Admins can Write too ( Program Files and PF x86\\ WIndows ) Whitelist Publishers Enable 18 - https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/design\/select-types-of-rules-to-create Advanced Hunting Defender to find Apps running outside if Allow List DeviceProcessEvents | where FolderPath !contains &quot;Program\" \/>\n\t\t<meta property=\"og:url\" content=\"https:\/\/pariswells.com\/blog\/research\/wdac\" \/>\n\t\t<meta property=\"article:published_time\" content=\"2023-03-08T22:56:28+00:00\" \/>\n\t\t<meta property=\"article:modified_time\" content=\"2024-07-30T07:18:04+00:00\" \/>\n\t\t<meta name=\"twitter:card\" content=\"summary\" \/>\n\t\t<meta name=\"twitter:title\" content=\"WDAC | Welcome to Pariswells.com\" \/>\n\t\t<meta name=\"twitter:description\" content=\"Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net) GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows Whitelist Locations only Admins can Write too ( Program Files and PF x86\\ WIndows ) Whitelist Publishers Enable 18 - https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/design\/select-types-of-rules-to-create Advanced Hunting Defender to find Apps running outside if Allow List DeviceProcessEvents | where FolderPath !contains &quot;Program\" \/>\n\t\t<script type=\"application\/ld+json\" class=\"aioseo-schema\">\n\t\t\t{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/research\\\/wdac#article\",\"name\":\"WDAC | Welcome to Pariswells.com\",\"headline\":\"WDAC\",\"author\":{\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/author\\\/paris#author\"},\"publisher\":{\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/#organization\"},\"image\":{\"@type\":\"ImageObject\",\"url\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/03\\\/image-15.png\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/research\\\/wdac\\\/#articleImage\",\"width\":835,\"height\":148},\"datePublished\":\"2023-03-08T22:56:28+00:00\",\"dateModified\":\"2024-07-30T07:18:04+00:00\",\"inLanguage\":\"en-US\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/research\\\/wdac#webpage\"},\"isPartOf\":{\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/research\\\/wdac#webpage\"},\"articleSection\":\"Research, WDAC, Windows Defender Application Control\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/research\\\/wdac#breadcrumblist\",\"itemListElement\":[{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog#listItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/pariswells.com\\\/blog\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/category\\\/research#listItem\",\"name\":\"Research\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/category\\\/research#listItem\",\"position\":2,\"name\":\"Research\",\"item\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/category\\\/research\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/research\\\/wdac#listItem\",\"name\":\"WDAC\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog#listItem\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/research\\\/wdac#listItem\",\"position\":3,\"name\":\"WDAC\",\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/category\\\/research#listItem\",\"name\":\"Research\"}}]},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/#organization\",\"name\":\"Welcome to Pariswells.com\",\"url\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/author\\\/paris#author\",\"url\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/author\\\/paris\",\"name\":\"paris\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/research\\\/wdac#authorImage\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/93b8ee3f592ac401167f870452bd82d43de80152cd3524e2853403658ada9984?s=96&d=mm&r=g\",\"width\":96,\"height\":96,\"caption\":\"paris\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/research\\\/wdac#webpage\",\"url\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/research\\\/wdac\",\"name\":\"WDAC | Welcome to Pariswells.com\",\"description\":\"Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net) GitHub \\u2013 microsoft\\\/AaronLocker: Robust and practical application control for Windows Whitelist Locations only Admins can Write too ( Program Files and PF x86\\\\ WIndows ) Whitelist Publishers Enable 18 - https:\\\/\\\/learn.microsoft.com\\\/en-us\\\/windows\\\/security\\\/application-security\\\/application-control\\\/windows-defender-application-control\\\/design\\\/select-types-of-rules-to-create Advanced Hunting Defender to find Apps running outside if Allow List DeviceProcessEvents | where FolderPath !contains \\\"Program\",\"inLanguage\":\"en-US\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/#website\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/research\\\/wdac#breadcrumblist\"},\"author\":{\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/author\\\/paris#author\"},\"creator\":{\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/author\\\/paris#author\"},\"datePublished\":\"2023-03-08T22:56:28+00:00\",\"dateModified\":\"2024-07-30T07:18:04+00:00\"},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/\",\"name\":\"Welcome to Pariswells.com\",\"inLanguage\":\"en-US\",\"publisher\":{\"@id\":\"https:\\\/\\\/pariswells.com\\\/blog\\\/#organization\"}}]}\n\t\t<\/script>\n\t\t<!-- All in One SEO -->\n\n","aioseo_head_json":{"title":"WDAC | Welcome to Pariswells.com","description":"Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net) GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows Whitelist Locations only Admins can Write too ( Program Files and PF x86\\ WIndows ) Whitelist Publishers Enable 18 - https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/design\/select-types-of-rules-to-create Advanced Hunting Defender to find Apps running outside if Allow List DeviceProcessEvents | where FolderPath !contains \"Program","canonical_url":"https:\/\/pariswells.com\/blog\/research\/wdac","robots":"max-image-preview:large","keywords":"","webmasterTools":{"miscellaneous":""},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/pariswells.com\/blog\/research\/wdac#article","name":"WDAC | Welcome to Pariswells.com","headline":"WDAC","author":{"@id":"https:\/\/pariswells.com\/blog\/author\/paris#author"},"publisher":{"@id":"https:\/\/pariswells.com\/blog\/#organization"},"image":{"@type":"ImageObject","url":"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-15.png","@id":"https:\/\/pariswells.com\/blog\/research\/wdac\/#articleImage","width":835,"height":148},"datePublished":"2023-03-08T22:56:28+00:00","dateModified":"2024-07-30T07:18:04+00:00","inLanguage":"en-US","mainEntityOfPage":{"@id":"https:\/\/pariswells.com\/blog\/research\/wdac#webpage"},"isPartOf":{"@id":"https:\/\/pariswells.com\/blog\/research\/wdac#webpage"},"articleSection":"Research, WDAC, Windows Defender Application Control"},{"@type":"BreadcrumbList","@id":"https:\/\/pariswells.com\/blog\/research\/wdac#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/pariswells.com\/blog#listItem","position":1,"name":"Home","item":"https:\/\/pariswells.com\/blog","nextItem":{"@type":"ListItem","@id":"https:\/\/pariswells.com\/blog\/category\/research#listItem","name":"Research"}},{"@type":"ListItem","@id":"https:\/\/pariswells.com\/blog\/category\/research#listItem","position":2,"name":"Research","item":"https:\/\/pariswells.com\/blog\/category\/research","nextItem":{"@type":"ListItem","@id":"https:\/\/pariswells.com\/blog\/research\/wdac#listItem","name":"WDAC"},"previousItem":{"@type":"ListItem","@id":"https:\/\/pariswells.com\/blog#listItem","name":"Home"}},{"@type":"ListItem","@id":"https:\/\/pariswells.com\/blog\/research\/wdac#listItem","position":3,"name":"WDAC","previousItem":{"@type":"ListItem","@id":"https:\/\/pariswells.com\/blog\/category\/research#listItem","name":"Research"}}]},{"@type":"Organization","@id":"https:\/\/pariswells.com\/blog\/#organization","name":"Welcome to Pariswells.com","url":"https:\/\/pariswells.com\/blog\/"},{"@type":"Person","@id":"https:\/\/pariswells.com\/blog\/author\/paris#author","url":"https:\/\/pariswells.com\/blog\/author\/paris","name":"paris","image":{"@type":"ImageObject","@id":"https:\/\/pariswells.com\/blog\/research\/wdac#authorImage","url":"https:\/\/secure.gravatar.com\/avatar\/93b8ee3f592ac401167f870452bd82d43de80152cd3524e2853403658ada9984?s=96&d=mm&r=g","width":96,"height":96,"caption":"paris"}},{"@type":"WebPage","@id":"https:\/\/pariswells.com\/blog\/research\/wdac#webpage","url":"https:\/\/pariswells.com\/blog\/research\/wdac","name":"WDAC | Welcome to Pariswells.com","description":"Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net) GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows Whitelist Locations only Admins can Write too ( Program Files and PF x86\\ WIndows ) Whitelist Publishers Enable 18 - https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/design\/select-types-of-rules-to-create Advanced Hunting Defender to find Apps running outside if Allow List DeviceProcessEvents | where FolderPath !contains \"Program","inLanguage":"en-US","isPartOf":{"@id":"https:\/\/pariswells.com\/blog\/#website"},"breadcrumb":{"@id":"https:\/\/pariswells.com\/blog\/research\/wdac#breadcrumblist"},"author":{"@id":"https:\/\/pariswells.com\/blog\/author\/paris#author"},"creator":{"@id":"https:\/\/pariswells.com\/blog\/author\/paris#author"},"datePublished":"2023-03-08T22:56:28+00:00","dateModified":"2024-07-30T07:18:04+00:00"},{"@type":"WebSite","@id":"https:\/\/pariswells.com\/blog\/#website","url":"https:\/\/pariswells.com\/blog\/","name":"Welcome to Pariswells.com","inLanguage":"en-US","publisher":{"@id":"https:\/\/pariswells.com\/blog\/#organization"}}]},"og:locale":"en_US","og:site_name":"Welcome to Pariswells.com |","og:type":"article","og:title":"WDAC | Welcome to Pariswells.com","og:description":"Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net) GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows Whitelist Locations only Admins can Write too ( Program Files and PF x86\\ WIndows ) Whitelist Publishers Enable 18 - https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/design\/select-types-of-rules-to-create Advanced Hunting Defender to find Apps running outside if Allow List DeviceProcessEvents | where FolderPath !contains &quot;Program","og:url":"https:\/\/pariswells.com\/blog\/research\/wdac","article:published_time":"2023-03-08T22:56:28+00:00","article:modified_time":"2024-07-30T07:18:04+00:00","twitter:card":"summary","twitter:title":"WDAC | Welcome to Pariswells.com","twitter:description":"Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net) GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows Whitelist Locations only Admins can Write too ( Program Files and PF x86\\ WIndows ) Whitelist Publishers Enable 18 - https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/design\/select-types-of-rules-to-create Advanced Hunting Defender to find Apps running outside if Allow List DeviceProcessEvents | where FolderPath !contains &quot;Program"},"aioseo_meta_data":{"post_id":"6733","title":null,"description":null,"keywords":null,"keyphrases":{"focus":{"keyphrase":"","score":0,"analysis":{"keyphraseInTitle":{"score":0,"maxScore":9,"error":1}}},"additional":[]},"canonical_url":null,"og_title":null,"og_description":null,"og_object_type":"default","og_image_type":"default","og_image_url":null,"og_image_width":null,"og_image_height":null,"og_image_custom_url":null,"og_image_custom_fields":null,"og_video":"","og_custom_url":null,"og_article_section":null,"og_article_tags":null,"twitter_use_og":false,"twitter_card":"default","twitter_image_type":"default","twitter_image_url":null,"twitter_image_custom_url":null,"twitter_image_custom_fields":null,"twitter_title":null,"twitter_description":null,"schema":{"blockGraphs":[],"customGraphs":[],"default":{"data":{"Article":[],"Course":[],"Dataset":[],"FAQPage":[],"Movie":[],"Person":[],"Product":[],"ProductReview":[],"Car":[],"Recipe":[],"Service":[],"SoftwareApplication":[],"WebPage":[]},"graphName":"Article","isEnabled":true},"graphs":[]},"schema_type":"default","schema_type_options":null,"pillar_content":false,"robots_default":true,"robots_noindex":false,"robots_noarchive":false,"robots_nosnippet":false,"robots_nofollow":false,"robots_noimageindex":false,"robots_noodp":false,"robots_notranslate":false,"robots_max_snippet":"-1","robots_max_videopreview":"-1","robots_max_imagepreview":"large","priority":null,"frequency":"default","location":null,"local_seo":null,"breadcrumb_settings":null,"limit_modified_date":false,"ai":null,"created":"2023-03-08 22:14:25","updated":"2024-07-30 07:28:19","primary_term":null,"seo_analyzer_scan_date":null},"aioseo_breadcrumb":"<div class=\"aioseo-breadcrumbs\"><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/pariswells.com\/blog\" title=\"Home\">Home<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/pariswells.com\/blog\/category\/research\" title=\"Research\">Research<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\tWDAC\n\t\t<\/span><\/div>","aioseo_breadcrumb_json":[{"label":"Home","link":"https:\/\/pariswells.com\/blog"},{"label":"Research","link":"https:\/\/pariswells.com\/blog\/category\/research"},{"label":"WDAC","link":"https:\/\/pariswells.com\/blog\/research\/wdac"}],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=6733"}],"version-history":[{"count":16,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6733\/revisions"}],"predecessor-version":[{"id":8166,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6733\/revisions\/8166"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=6733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=6733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=6733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}