MD101


Filename: microsoft-md101-3-4-1-windows-defender-application-control

Show Name: Managing Modern Desktops (MD-101)


Topic Name: Manage and Protect Devices
Episode Name: Windows Defender Application Control
Description: Windows Defender Application Control (WDAC) is an application whitelisting technology that can help mitigate executable file-based malware threats. You will learn to create a WDAC policy by scanning a system and using audit information. Then you will deploy the WDAC policy using Group Policy.

Windows Defender Application Control

What is Application Control

    Application whitelisting technology
        Reduce the risk of being infected by Advanced Persistent Threats
        Zero-day malware

    Evolution of
        Software Restriction Policies
            Difficult to work with
        AppLocker
            Users could disable
            Only user mode applications

    Prior to Windows 10 1709 was known as
        Windows Defender Device Guard configurable code integrity policies

    Uses Code Integrity (CI) policies
        Implemented by the Windows kernel
            Early in the boot sequence
                Before most other OS code starts running
        CI policies can be digitally signed
            Difficult to maliciously modify

Create initial policy

    Initialize variables that you will use

        # Policy files are written to the current user's Desktop
        $CIPolicyPath=$env:userprofile+"\Desktop\"
        $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
        $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"

    Create a new WDAC policy by scanning the system for installed applications

        # -Level PcaCertificate: rules are based on the certificate one level below the root CA of each signed file
        # -UserPEs: include user-mode executables, not only kernel-mode code
        # 3> redirects the warning stream (files no rule could be created for) to CIPolicyLog.txt
        New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt

    Convert the WDAC policy to a binary format

        ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin

Deploy using Group Policy

    Computer Configuration > Administrative Templates > System > Device Guard

Audit mode allows administrators to discover

    Any applications that were missed during an initial policy scan
    Any new applications that have been installed and run
        Logged in Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational
    Can merge the resulting audit policy with your existing WDAC policies

Capture Audit Information

    Initialize variables that you will use

        $CIPolicyPath=$env:userprofile+"\Desktop\"
        $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"

    Generate a new WDAC policy from logged audit events

        # -Audit: build rules from CodeIntegrity audit events instead of scanning the disk
        # -Level Hash: one hash rule per file that was logged
        New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy -UserPEs 3> CIPolicylog.txt

    Review the WDAC audit policy, looking for

        Any applications that were caught as exceptions, but should be allowed to run in your environment
        Any applications that actually should not be allowed to run in your environment
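As an added example (not part of the course notes), the following script ties the audit-review and merge steps together: it summarises which files audit mode would have blocked, merges the audit-derived hash rules into the initial scan policy, and converts the result for deployment. The MergedPolicy.xml file name and the regex over the event message text are assumptions; the two input XML files are the ones created in the steps above.

```powershell
# Added example: review WDAC audit events, merge the audit policy into the
# initial scan policy, and convert to binary. Assumes InitialScan.xml and
# DeviceGuardAuditPolicy.xml exist on the Desktop (created in the steps above)
# and the machine has been running the initial policy in audit mode.
$CIPolicyPath    = $env:userprofile + "\Desktop\"
$InitialCIPolicy = $CIPolicyPath + "InitialScan.xml"
$CIAuditPolicy   = $CIPolicyPath + "DeviceGuardAuditPolicy.xml"
$MergedCIPolicy  = $CIPolicyPath + "MergedPolicy.xml"       # assumed file name
$CIPolicyBin     = $CIPolicyPath + "DeviceGuardPolicy.bin"

# 1. Summarise what audit mode would have blocked. Event ID 3076 in the
#    CodeIntegrity Operational log is the "violated policy but was allowed
#    because of audit mode" event; one entry per file load.
$auditEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} -ErrorAction SilentlyContinue

# Pull the loaded file path out of the message text and count loads per file.
# The regex is an assumption about the message wording; adjust if your build
# phrases it differently.
$auditEvents |
    ForEach-Object {
        if ($_.Message -match 'attempted to load (?<file>.+?) that did not meet') {
            $Matches.file
        }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. After deciding which of those files belong in the policy (and removing
#    the rules for any that should not run), merge the audit-derived hash rules
#    into the initial certificate-based policy.
Merge-CIPolicy -OutputFilePath $MergedCIPolicy -PolicyPaths $InitialCIPolicy, $CIAuditPolicy

# 3. Keep the merged policy in audit mode (rule option 3 = Enabled:Audit Mode)
#    until the review is complete. To enforce it later, remove the option:
#    Set-RuleOption -FilePath $MergedCIPolicy -Option 3 -Delete
Set-RuleOption -FilePath $MergedCIPolicy -Option 3

# 4. Convert to the binary form that the Device Guard Group Policy setting deploys.
ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin
```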
