Releases: HotCakeX/Harden-Windows-Security
AppControl Manager 1.2.0.0 and WDACConfig 0.4.8
What's New
AppControl Manager App
- Improved the policy viewing page. Now there is a complete data grid with sortable and relocatable columns, offering a very nice experience for managing and viewing the deployed policies and searching through them.
- The AppControl Manager now has a new option in the Update page which you can turn on (it is off by default). When enabled, the app checks for updates on startup and, if a new version is available, displays a small dot on the navigation menu next to the Update page's icon to let you know. If you want, you can go to the Update page and click/tap the Update button to update. It respects the user's choice and is a non-intrusive, subtle notification method.
WDACConfig Module
- It works on Windows 11 build 23H2 again.
- Removed the -SkipVersionCheck parameter from all cmdlets. Instead, a new setting named AutoUpdate was added to the user configurations. You configure it once and the built-in update checker uses that value to determine whether a check for a new version should happen or not. This improves the user experience, as you no longer have to pass -SkipVersionCheck to every cmdlet if you wish to stay on a specific version of WDACConfig despite newer versions being available.
- The check for updates happens every 1 hour.
- To completely disable the automatic check for updates, use the following command:
  Set-CommonWDACConfig -AutoUpdate $false
- To enable the automatic check for updates, use the following command:
  Set-CommonWDACConfig -AutoUpdate $true
- Significantly improved the performance of the merge operations during policy creation tasks.
PR: #382
Harden Windows Security v.0.6.8
What's New
This update mainly focuses on improving the general aspects of the Harden Windows Security module based on user feedback and discussions.
TLS Category
- The TLS category now checks whether the BattleNet client is installed on the system and, if it is, uses a different group policy for the TLS category that includes the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite.
Recent discussion: #372
Related issue: #38
The check happens by looking for the following 2 files on the system:
C:\Program Files (x86)\Battle.net\Battle.net.exe
C:\Program Files (x86)\Battle.net\Battle.net Launcher.exe
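The following is an added example, not the module's own code: it reproduces the Battle.net presence check described above and relates it to the cipher suites currently enabled on the machine, so an auditor can tell whether the TLS_RSA_WITH_AES_256_CBC_SHA compatibility suite is present for a reason. It uses the built-in TLS module (Get-TlsCipherSuite) on Windows 10/11; whether the module requires both files or either one is not stated on the page, and the "either" reading is an assumption here.

```powershell
# Added example (not the module's own code): reproduce the Battle.net presence check
# and report whether the TLS_RSA_WITH_AES_256_CBC_SHA compatibility cipher suite is
# enabled, flagging the combinations that deserve a second look.

$BattleNetFiles = @(
    'C:\Program Files (x86)\Battle.net\Battle.net.exe',
    'C:\Program Files (x86)\Battle.net\Battle.net Launcher.exe'
)
$CompatSuite = 'TLS_RSA_WITH_AES_256_CBC_SHA'

function Test-BattleNetInstalled {
    # Assumption: the client counts as installed if either file exists. The release
    # notes only say the two files are looked for, not whether both are required.
    foreach ($Path in $BattleNetFiles) {
        if (Test-Path -LiteralPath $Path -PathType Leaf) { return $true }
    }
    return $false
}

function Get-TlsCompatSuiteStatus {
    $Installed = Test-BattleNetInstalled
    # Get-TlsCipherSuite lists the suites currently enabled for Schannel clients/servers.
    $Enabled   = (Get-TlsCipherSuite).Name -contains $CompatSuite

    # A CBC suite with RSA key exchange is expected only while Battle.net needs it;
    # any other combination is either unnecessary exposure or a broken client.
    if ($Enabled -and -not $Installed) {
        $Finding = "$CompatSuite is enabled but no Battle.net client was found"
    } elseif ($Installed -and -not $Enabled) {
        $Finding = "Battle.net is installed but $CompatSuite is disabled; the client may fail to connect"
    } else {
        $Finding = 'Consistent'
    }

    [pscustomobject]@{
        BattleNetInstalled = $Installed
        CompatSuiteEnabled = $Enabled
        Finding            = $Finding
    }
}

Get-TlsCompatSuiteStatus | Format-List
```

Get-TlsCipherSuite reflects the effective Schannel list, including any group policy ordering, so the check reads what the system actually offers rather than what a policy file says it should.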
BitLocker Category
- Added a new notice to inform the user about the drive decryption status when they try to decrypt a drive that is already being decrypted.
- Added a new notice to inform the user that the Enhanced level encryption requires a removable drive to be selected. The notice is displayed when no removable drive is selected from the dropdown menu and the user then tries to use the Enhanced level encryption.
- Improved the scrolling experience on the backup page; the data grid can now be scrolled using the mouse wheel or trackpad. Useful when there are so many BitLocker encrypted drives on the system that the user needs to use the scrollbar to view all of them.
Other Changes
- The Harden Windows Security module is now able to run as the SYSTEM account. Related issue: #375
- Implemented many recommendations from GitHub's Advanced Code Quality scan for a higher quality code base.
- No errors will be displayed in the logs section if, for any reason, the toast notifications cannot be displayed. This prevents polluting the logs.
- Increased the timeout for collecting MDM related info from the system from 10 seconds to 30 seconds when performing the compliance check, in case a system has very low hardware specs and is extremely slow.
PR: #376
AppControl Manager v1.1.0.0 + WDACConfig v0.4.7
What's New
New Features 🎉
- The AppControl Simulation feature has been fully integrated into the AppControl Manager GUI, with rewritten components and improved arbitration logic.
- A new Advanced Code Integrity section has been introduced in the AppControl Manager app, offering detailed insights into system integrity.
- The SHA3-512 hashing algorithm is now used for hashing files in the WDACConfig module, enhancing security standards.
- Keyboard navigation in the AppControl Manager app has been improved, enhancing the selection experience for UI elements.
- The color pickers on the Logs page have been refined, with clearer distinctions between selected colors and their labels.
- The main navigation in the AppControl Manager app now dynamically adapts to the window width, automatically switching modes for optimal responsiveness.
- Implemented the process that finds and downloads SignTool from the Microsoft NuGet package natively.
- Improved the updating experience in AppControl Manager by implementing progress bars and proper messages to communicate the real-time status to the user.
Security 🔐
- A new GitHub workflow has been added for enhanced security and transparency, allowing the AppControl Manager to be built directly from the source code and generate verified artifacts publicly on GitHub. This workflow uses cryptographic signatures to ensure that the AppControl Manager MSIX package in the release section is verifiably built from the repository's source code, and the workflow uploads the package with verification details to the release. Find more about the process here.
- Artifact attestations are used to establish provenance for builds. They guarantee that the package(s) you download from this repository are 100% created from the source code that exists in this repository.
- SBOMs (Software Bill of Materials) are generated for the entire repository to comply with data protection standards and to provide transparency. Together with attestation they provide the SLSA L2 security level for the build process.
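As an added example of how a consumer would act on the attestations described above (this is not part of the repository's workflow or installer), the snippet below checks a downloaded MSIX against the GitHub artifact attestation before anything is installed. It assumes the GitHub CLI (gh) is installed and authenticated; the package path is a placeholder for wherever the release asset was saved.

```powershell
# Added example, not the project's code: verify a downloaded AppControl Manager MSIX
# against the GitHub artifact attestation for this repository before installing it.
# Assumes the GitHub CLI (gh) is present; the package path below is a placeholder.

$MsixPath = "$env:USERPROFILE\Downloads\AppControlManager.msix"   # placeholder path
$Repo     = 'HotCakeX/Harden-Windows-Security'

function Test-ReleaseProvenance {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Repository
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Artifact not found: $Path"
    }
    if (-not (Get-Command gh -ErrorAction SilentlyContinue)) {
        throw 'GitHub CLI (gh) is required for attestation verification'
    }

    # Record the digest the attestation's subject must match; useful for change
    # records and for comparing with what the release page publishes.
    $Digest = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()

    # gh fetches the attestation bundle stored for the repository and checks that the
    # provenance statement's subject digest equals this file's SHA-256 and that the
    # build came from the named repository's workflow. A non-zero exit code means no
    # matching attestation exists, so the file must not be installed.
    $Output   = & gh attestation verify $Path --repo $Repository 2>&1
    $Verified = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Path     = $Path
        Sha256   = $Digest
        Verified = $Verified
        Detail   = ($Output | Out-String).Trim()
    }
}

$Result = Test-ReleaseProvenance -Path $MsixPath -Repository $Repo
$Result | Format-List
if (-not $Result.Verified) {
    Write-Warning 'Provenance check failed; do not install this package.'
}
```

The attestation ties the artifact to a workflow run in the repository at SLSA L2: it proves where the binary was built from, not that the source is free of defects, so it complements rather than replaces reviewing the code.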
Miscellaneous 💡
- The repository's Extras folder has been removed; its PowerShell scripts are now embedded within the corresponding Wiki articles, and all C# code previously in that directory has been integrated into the AppControl Manager app.
- Windows 11 version 24H2 introduces several new features, including support for the SHA-3 hashing algorithm, enhancements to CiTool.exe that display which policies are signed and which are not, and the ability to remove App Control policies without requiring a reboot. Due to these advancements, both the WDACConfig module and the AppControl Manager app will require Windows 11 24H2 or later.
- Updated some internal log names that were referring to "Windows Defender Application Control" to "App Control for Business" to match the new naming convention.
- Improved code optimizations and applied best practices through GitHub's CodeQL scans and detections.
- Improved the bootstrapper script.
- Added SHA3-512 hashes of all of the files in the WDACConfig module to the CSV file.
- Created a text file in the AppControl Manager directory that will always contain the link to the latest version of AppControl Manager; it is kept up to date by an automatic GitHub action. It's used internally by the bootstrapper script and the application itself.
List of the merged PRs:
List of closed issues with this update:
To quickly install the latest version of the new AppControl Manager application use the following PowerShell one-liner:
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex
Harden Windows Security v.0.6.7
What's New
- Added SSH hardening by configuring the SSH client to use secure MACs (Message Authentication Codes). Closes #354
- 🎉 Added the ability to decrypt a BitLocker encrypted drive to the Unprotect tab. You can select a drive from the list of drives in a dropdown menu and then use the button to easily decrypt it if you want to.
- Moved the security measure that sets all network profiles' locations to public from the Windows Networking category to the Windows Firewall category. Related discussion
- Added a check to the compliance checking to make sure the LanmanWorkstation service is enabled and running. Related discussion
- 🎉 Added a new feature through a new button in the ASR (Attack Surface Reduction) tab which allows you to retrieve the current effective status of each ASR rule on the system, populate the boxes with them and then take action.
- 🎉 When modifying the ASR rules using the ASR tab, there will be detailed logging.
- Adjusted the system requirement checks to happen sooner, to show proper messages to the user about any possible problems.
- Changed some of the element names in the GUI from "WDAC" to "App Control" due to name changes by Microsoft starting with Windows build 24H2.
- In the Unprotect tab, the App Control policies dropdown menu now only becomes available when the other dropdown menu is set to "Only Remove The App Control Policies", improving user experience.
- Minor overall performance improvements.
- Various GUI tabs have been improved to work with very small heights. Now they will have a scrollbar whenever the height is too small, so you can always work with the UI elements.
- Updated the Microsoft signed DLLs used for toast notifications to the latest versions. Wonder how it's done? Check out this Wiki article.
- The GUI is no longer draggable from anywhere on the interface by touch or mouse click; it now works like any other user interface where you use the title bar for dragging.
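The first item in the list above (SSH client hardening through secure MACs) is illustrated by the following added example. It is not the module's implementation: the release notes do not name the MAC algorithms the module configures, so the encrypt-then-MAC SHA-2 list below is this example's choice, and the system-wide Win32-OpenSSH client configuration path is assumed to be the one under ProgramData.

```powershell
# Added example, not the module's implementation: constrain the OpenSSH client to
# encrypt-then-MAC SHA-2 MACs by writing a MACs directive into the system-wide
# Win32-OpenSSH client configuration, then read back what the client actually uses.
# The MAC list is this example's choice (assumption), not taken from the release notes.

$SshClientConfig = Join-Path $env:ProgramData 'ssh\ssh_config'
$SecureMacs      = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'

function Set-SshClientMacs {
    param(
        [string] $ConfigPath = $SshClientConfig,
        [string] $Macs       = $SecureMacs
    )

    $Existing = @()
    if (Test-Path -LiteralPath $ConfigPath -PathType Leaf) {
        $Existing = @(Get-Content -LiteralPath $ConfigPath)
    } else {
        New-Item -ItemType Directory -Path (Split-Path -Parent $ConfigPath) -Force | Out-Null
    }

    # Remove every MACs line, active or commented out, so exactly one directive
    # remains. OpenSSH honours the first value it reads for a keyword, so the new
    # directive goes at the top where it precedes any Host block in this file.
    $Kept    = @($Existing | Where-Object { $_ -notmatch '^\s*#?\s*MACs\b' })
    $Updated = @("MACs $Macs") + $Kept
    Set-Content -LiteralPath $ConfigPath -Value $Updated -Encoding ascii
    return $ConfigPath
}

function Get-EffectiveSshMacs {
    # Ask the client itself: 'ssh -G' prints the configuration it would use for the
    # given host after merging the per-user file, the system file and the defaults.
    # The .invalid TLD guarantees no connection attempt or DNS resolution matters.
    $Line = & ssh -G example.invalid 2>$null | Where-Object { $_ -match '^macs\s' }
    if (-not $Line) { return $null }
    return ($Line -replace '^macs\s+', '')
}

Set-SshClientMacs | Out-Null
Get-EffectiveSshMacs
```

The per-user file (%USERPROFILE%\.ssh\config) is read before the system-wide one and takes precedence, which is why the check reads the effective value from ssh -G rather than trusting the file that was just written.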
Tip
If you're new here, the Harden Windows Security module automatically checks for updates whenever you start it, so no manual work is needed to stay up to date. It does this by comparing the installed version with the version number on GitHub.
PR: #364
WDACConfig 0.4.6 + AppControl Manager 1.0.0.0
Introduction of the Modern GUI for WDACConfig
This update marks the release of the initial version of the graphical user interface (GUI) for the WDACConfig module. The application operates as a standalone tool, independent of PowerShell. It is called AppControl Manager and it offers the following key features:
- Built using WinUI3 / XAML / C#.
- Built using the latest .NET.
- Powered by the WinAppSDK (formerly Project Reunion).
- Packaged with the modern MSIX format.
- Incorporates the Mica material design for backgrounds.
- Adopts the Windows 11 Fluent design system.
- Fast execution and startup time.
- 0 required dependencies.
- 0 third-party libraries or files used.
- 0 Telemetry or data collection.
- 0 Windows Registry changes.
- 100% clean uninstallation.
- 100% open-source and free to use.
How To Install the AppControl Manager app
Use the following PowerShell command for Automated Installation
A familiar installation method, just like the Harden Windows Security module. Nothing else needs to be done.
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex
Here is a preview of it
As demonstrated in the preview, several features have already been implemented. The application leverages WebView2, which comes pre-installed with Windows, to facilitate web rendering. I've included two convenient menu items that provide direct access to both App Control resources from this repository and official Microsoft documentation, ensuring guidance and support are always just two clicks or taps away.
Features Implemented So Far
- Creating, configuring and deploying AllowMicrosoft policy
- Creating, configuring and deploying SignedAndReputable policy (based on ISG)
- Creating and deploying Microsoft recommended driver block rules
- Creating and deploying Microsoft recommended user-mode block rules
- Checking for secure policy settings on the system
- Getting the Code Integrity hashes of the files (Authenticode hash and Page hash)
- Adding/Changing/Removing User Configurations
- Configure policy rule options
- View deployed policies on the system (with filtering search)
- Remove unsigned policies from the system
- Quick access to App Control resources and documentations right within the app
More features will come very quickly in the near future.
Let's Talk Security and Threat Model
At this stage, security should be top of mind. Let's delve into how the recent developments, particularly the introduction of compiled binaries for the GUI, impact the overall security and threat model.
First and foremost, the PowerShell module will always remain available in its uncompiled form. This ensures flexibility for users who prefer or require it.
Additionally, the source code for the new MSIX-packaged AppControl Manager is fully accessible in this repository. Anyone can review the code and explore the complete Visual Studio solution provided, allowing you to easily create the MSIX package on your own.
Tip
Does this alter the threat model? Absolutely not. Here's why: When using the WDACConfig PowerShell module, you inherently grant it Administrator privileges. By doing so, you're already placing a level of trust in the module—demonstrated by running PowerShell as an Administrator and executing one of its cmdlets or commands in the terminal.
The same level of privilege applies to the new AppControl Manager application packaged in MSIX format. It will still require Administrator privileges for its operations, as it performs the same functions as the PowerShell version. In fact, 90% of the codebase remains unchanged.
Is using the MSIX package mandatory? Absolutely not. You can continue using the WDACConfig PowerShell module exactly as before—nothing has changed in that regard. The AppControl Manager application is simply a part of the development roadmap, and as promised, I'm actively working on it. Personally, this interface will make managing application controls on my systems, and those I manage, much more streamlined and easier.
Important
If you are an enterprise or business, you can have your security team code review the AppControl Manager application, and after fully verifying it, code sign it and use it in your environment.
Note
Question: Is the MSIX package pre-signed?
Answer: No.
Question: Can I (as a user) code sign it using my own certificate?
Answer: It's up to you.
If users choose to install it, the process involves generating a self-signed certificate on their device, which is then used to sign the MSIX package before installation.
This approach ensures a high level of security, as the certificate is unique to each device, and no one else has access to it. Furthermore, the certificate contains no private keys, meaning it cannot be used to sign anything else, adding an additional layer of protection.
Here is a quick technical rundown of the AppControl function that performs all of the required tasks automatically in a matter of seconds. No manual work is needed for the user to perform.
- The script installs the AppControl Manager MSIX package on the system.
- It does so by securely generating a unique self-signed certificate on the user's system and then using it to sign the MSIX package.
- Everything happens locally and no certificate comes from outside of the device.
- The certificate is added to the Local Machine's Trusted Root Certification Authorities store with only the public key, ensuring no private key exists that could be used to sign anything else.
- Its presence there, with the public key, is needed so that you can use the AppControl Manager app; without it the app will not launch, as it will be considered untrusted by the system.
- The 2 files AppControlManager.dll and AppControlManager.exe inside the MSIX app installation folder will be added to the Attack Surface Reduction rules exclusion list if they are not already in it, so the app will work properly.
- The script creates a new directory in the TEMP directory for its operations, and it will be deleted at the end of the script.
- The script checks for the existence of any previous self-signed certificates generated by it and will remove them if it detects any, guaranteeing no unnecessary leftovers remain on the user's system.
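The steps above, carried out end to end as an added example. This is not the repository's AppControl function: the package path, the certificate subject and the package identity name are assumptions made here. One constraint worth knowing when adapting it is that the certificate subject must equal the Publisher attribute in the package's AppxManifest.xml, otherwise Windows rejects the signature at install time.

```powershell
# Added example reconstructing the installer steps listed above; not the repository's
# own AppControl function. Package path, certificate subject and package identity name
# are assumptions. Run from an elevated PowerShell session.

$MsixPath    = 'C:\Temp\AppControlManager.msix'       # placeholder: the downloaded package
$CertSubject = 'CN=AppControlManager Self-Signed'    # assumed; must match the manifest Publisher
$PackageName = 'AppControlManager'                   # assumed package identity name
$WorkDir     = Join-Path $env:TEMP ('ACM-' + [guid]::NewGuid())

function Install-SelfSignedMsix {
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    try {
        # 1. Remove certificates (and any key) left behind by a previous run.
        Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object Subject -eq $CertSubject |
            Remove-Item -DeleteKey -Force
        Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Subject -eq $CertSubject |
            Remove-Item -Force

        # 2. Generate a fresh code-signing certificate locally. Its private key exists
        #    only in the current user's store and only until step 5 below.
        $Cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $CertSubject `
            -CertStoreLocation 'Cert:\CurrentUser\My' -KeyAlgorithm RSA -KeyLength 4096 `
            -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(5)

        # 3. Trust the public half only: export a .cer (which carries no private key)
        #    and import it into Trusted Root so the signed package is accepted.
        $CerPath = Join-Path $WorkDir 'AppControlManager.cer'
        Export-Certificate -Cert $Cert -FilePath $CerPath | Out-Null
        $Trusted = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
        if ($Trusted.HasPrivateKey) { throw 'Private key unexpectedly present in the Root store' }

        # 4. Sign the package. The project downloads SignTool for this step; the
        #    built-in cmdlet also handles MSIX and keeps this example dependency-free.
        $Sig = Set-AuthenticodeSignature -FilePath $MsixPath -Certificate $Cert -HashAlgorithm SHA256
        if ($Sig.Status -ne 'Valid') { throw "Signing failed: $($Sig.StatusMessage)" }

        # 5. Destroy the private key: the one signature it was created for now exists.
        Remove-Item -LiteralPath "Cert:\CurrentUser\My\$($Cert.Thumbprint)" -DeleteKey -Force

        # 6. Install, then add the two binaries to the ASR-only exclusions if absent.
        Add-AppxPackage -Path $MsixPath
        $Pkg     = Get-AppxPackage -Name $PackageName
        $Current = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
        foreach ($Bin in 'AppControlManager.exe', 'AppControlManager.dll') {
            $Full = Join-Path $Pkg.InstallLocation $Bin
            if ($Current -notcontains $Full) {
                Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Full
            }
        }
        return $Cert.Thumbprint
    }
    finally {
        # 7. The working directory is temporary and is removed whether or not install succeeded.
        Remove-Item -LiteralPath $WorkDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Install-SelfSignedMsix
```

The order matters in one respect: the public certificate is imported into Trusted Root before signing so that Set-AuthenticodeSignature can report Valid immediately; signing first and trusting afterwards works too, but the status check would then have to be deferred.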
Summary
This is a new milestone in the development of the WDACConfig module. I'm personally learning a lot by doing it, and the application I'm making is very useful for my needs and for others I work with; by sharing it with the community, I'm hoping it will be useful for you too.
As I've thoroughly explained, the security model remains intact, and the decisions being made are based on logic and research with security in mind.
If you have any feedback or questions, feel free to share it. I'm always open to suggestions and improvements.
Other Changes
- Changed the wording in all of the documents and code to replace "Windows Defender Application Control" with "App Control" or "App Control for Business". This aligns the documentation with Microsoft's, as they also made the same changes to their documentation.
- Updated the URLs for the Microsoft recommended block rules to point to the correct ones.
- The Set-CiRuleOptions cmdlet has been removed. You can fully configure a policy in real time using the new AppControl Manager. I received lots of feedback from users that the module and its cmdlets are too advanced or the learning curve is high; that's why the AppControl Manager, which has a full-featured GUI, makes everything easier to use and there is essentially no learning curve for it.
- Systematic reduction of PowerShell code and transition to modern C# code for improved interoperability and robustness, which also unlocks many new possibilities.
- Improved startup speed of the WDACConfig module and all its cmdlets.
- WDAC Simulation has become significantly faster.
- The WDACConfig module now automatically creates log files and stores them in a secure location inside the WDACConfig folder in Program Files. The size of that folder never gets bigger than 100MB due to the checks implemented; if it does, the folder is automatically emptied. You will be able to modify this limit in the settings in a future update.
PR: #345
Harden Windows Security v.0.6.6
What's New
- Made the page transition animations faster. Helps when running in VMs with no GPU.
- The tooltips in the Protect tab now appear with more delay on hover.
- Updated required OS version from 22621.3880 to 22621.4169.
- Changed the PowerShell Gallery's icon to align with the new app icon that's been in use.
Windows Networking Category
- Added 2 policies to configure the SMB cipher suites for both server and client, changing the default value of AES_128_GCM,AES_128_CCM,AES_256_GCM,AES_256_CCM to AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM. More info -> #351
- Added 2 policies to enable SMB over QUIC for both server and client. More info -> #351
- Made the NTLM blocking policy in the Windows Networking category an optional sub-category. More info -> #353
Miscellaneous Category
- Added a policy as an optional sub-category, which is responsible for enabling Windows Protected Print. More info here.
PR: #359
Harden Windows Security v.0.6.5
What's New
- Added a default file name, based on the current date, for when you select the Log Path button on the Protect tab. Previously the name was empty, and if you wanted to quickly press the button to save the logs you had to type something randomly; now a meaningful name is available by default, reducing the need for pressing extra keys.
- Added a new button to the Logs tab called "Clear Logs"; it clears the logs on the GUI screen when pressed.
- Added the ability to enable Sudo to the optional overrides of the Microsoft Security Baselines. The baselines for 24H2 disable the ability to use Sudo. This override does not enable Sudo; it simply allows the user to enable Sudo from Windows Settings if they want to. When the Microsoft Security Baselines disable Sudo, it becomes hidden from Windows Settings too. Enabling Sudo requires Administrator privileges; Standard (unelevated) users cannot enable Sudo.
Windows Networking
- Added 2 new policies that set the minimum required version of SMB for clients and servers to the latest version, which currently is 3.1.1. The Microsoft Security Baselines for 24H2 configure this policy to 3.0.0, which is too old. 3.1.1 was introduced many years ago with Windows 10 and it is the most secure SMB version.
- Added a new policy to block NTLM completely for SMB.
- Added a new policy to require encryption for SMB clients.
- Moved the policy that enables SMB server encryption from the Miscellaneous category to the Windows Networking category, so it can be next to the rest of the relevant policies.
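The SMB settings from this release's Windows Networking section and from v0.6.6 above (cipher suite order, minimum dialect 3.1.1, client encryption required, NTLM blocked for SMB, server encryption) can be verified from the client and server side in one pass. The following is an added example and not the module's compliance code; the property names are those the SmbShare module exposes on Windows 11 24H2 (an assumption for older builds), and a property that a given build does not expose is reported as such rather than treated as an error.

```powershell
# Added example, not the module's compliance code: compare the effective SMB client and
# server configuration with the values the Windows Networking category enforces.
# Property names assume the SmbShare module as shipped with Windows 11 24H2; a property
# missing on an older build is reported as 'not exposed', not raised as an error.

$SmbExpected = @{
    Client = @{
        EncryptionCiphers = 'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM'
        Smb2DialectMin    = '3.1.1'
        RequireEncryption = $true
        BlockNTLM         = $true
    }
    Server = @{
        EncryptionCiphers = 'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM'
        Smb2DialectMin    = '3.1.1'
        EncryptData       = $true
    }
}

function ConvertTo-SmbComparable {
    param($Value)
    # The cmdlets may render the dialect as an enum-style name rather than the
    # "3.1.1" shown in the group policy UI, and may render the cipher list with
    # spaces. Reduce dialects to digits only and everything else to a whitespace-free
    # upper-case string so both sides compare on content, not formatting.
    $Text = "$Value"
    if ($Text -match '^\s*(SMB)?\d[\d.]*\s*$') {
        return ($Text -replace '\D', '')
    }
    return ($Text -replace '\s', '').ToUpperInvariant()
}

function Get-SmbHardeningReport {
    $Configs = @{
        Client = Get-SmbClientConfiguration
        Server = Get-SmbServerConfiguration
    }
    foreach ($Side in 'Client', 'Server') {
        foreach ($Setting in $SmbExpected[$Side].Keys) {
            $Want = $SmbExpected[$Side][$Setting]
            $Prop = $Configs[$Side].PSObject.Properties[$Setting]
            if ($null -eq $Prop) {
                $Actual = 'not exposed on this build'
                $Ok     = $false
            } else {
                $Actual = $Prop.Value
                $Ok     = (ConvertTo-SmbComparable $Actual) -eq (ConvertTo-SmbComparable $Want)
            }
            [pscustomobject]@{
                Side      = $Side
                Setting   = $Setting
                Expected  = $Want
                Actual    = $Actual
                Compliant = $Ok
            }
        }
    }
}

Get-SmbHardeningReport | Format-Table -AutoSize
```

Reading the effective configuration rather than the policy registry values is deliberate: it confirms that the group policy actually took effect on the running SMB stack, which is the same distinction the v0.6.4 notes below draw for the Defender policies that did not apply.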
Device Guard
- The Device Guard category is available again. It was previously removed and was only available for compliance checks, because all of its security measures were applied by the Microsoft Security Baselines 23H2 and later; but in build 24H2 there is a new security measure available called Machine Identity Isolation Configuration, and in this update it is set to Enforcement mode.
- The Device Guard category has also been fully added to the Readme page with improvements. It was previously available as a Wiki page.
- The Device Guard category is almost completely self-sufficient and doesn't rely on whether you used the Microsoft Security Baselines category first or not, except for 1 policy, LSA with UEFI lock, which is applied by the Microsoft Security Baselines.
- The category has been added to the PowerShell CLI experience and the GUI (Graphical User Interface) experience when applying protections.
PR: #348
Harden Windows Security v.0.6.4
What's New
This release ensures that the Harden Windows Security module/app is compatible with the Windows 11 24H2 build. The latest Windows build introduces numerous new group policies for configurations that were previously accessible only through methods like CIM. Consequently, many of these configurations are now implemented via group policies, providing a more streamlined and unified process.
The Readme content and style have been updated for better readability. A reminder that the Readme document is the main source of all of the security measures that are applied by the Harden Windows Security module/app.
All of the registry keys, policies, process mitigations and so on have been verified to continue to be compatible with the latest build of Windows, which currently is 24H2.
More policies will be added in the next update after further testing and verification.
Updated the DLLs from Microsoft Nuget packages to the latest versions.
Microsoft Defender Category
- Intel TDT policy is now applied through Group Policy.
- Disabling Performance mode of Microsoft Defender (For Dev Drives) is now applied through Group Policy.
- Real-time protection and Security Intelligence Updates during OOBE policy is now applied through Group Policy.
- Brute-Force Protection policy is now applied through Group Policy.
- Brute-Force Protection aggressiveness policy is now applied through Group Policy.
- Remote Encryption Protection policy is now applied through Group Policy.
- Remote Encryption Protection aggressiveness policy is now applied through Group Policy.
- New policy: Enable Network Protection to be configured into block or audit mode on Windows Server.
Identified 2 issues with the group policies on builds 26100.1742 and 26100.1882, and mentioned them in the Microsoft Tech Community as well.
The following group policies do not actually apply the settings on the system when they are enabled in the specified builds:
Windows Components\Microsoft Defender Antivirus\Network Inspection System\Turn on asynchronous inspection
and
Windows Components\Microsoft Defender Antivirus\Network Inspection System\Convert warn verdict to block
After applying them and checking the output of the Get-MpPreference cmdlet (CIM), even after a system restart, the values of EnableConvertWarnToBlock and AllowSwitchToAsyncInspection are still false.
That is why the Harden Windows Security module will continue to enforce and apply them through CIM. The checks and balances in the module/app make sure everything stays compliant regardless of the method of enforcement.
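The verify-then-enforce pattern described above, written out as an added example (it is not the module's code). It reads the two Network Inspection System values through Get-MpPreference, and where they drift from the expected state, it sets them through Set-MpPreference, which writes via the Defender CIM class rather than the group policy path that these builds fail to apply. The expected values of $true follow from the notes, which treat "still false" as the defect.

```powershell
# Added example, not the module's own code: verify the two Network Inspection System
# settings whose group policies do not apply on the builds named above, and enforce
# them through the Defender cmdlets (CIM) when they drift. Expected values assume a
# hardened host that wants both features on.

$NisExpected = @{
    AllowSwitchToAsyncInspection = $true
    EnableConvertWarnToBlock     = $true
}

function Get-NisComplianceReport {
    # Get-MpPreference returns the effective Defender preferences, which is what
    # the policies above failed to change.
    $Pref = Get-MpPreference
    foreach ($Name in $NisExpected.Keys) {
        [pscustomobject]@{
            Setting   = $Name
            Expected  = $NisExpected[$Name]
            Actual    = $Pref.$Name
            Compliant = ($Pref.$Name -eq $NisExpected[$Name])
        }
    }
}

function Set-NisCompliance {
    $Drift = @(Get-NisComplianceReport | Where-Object { -not $_.Compliant })
    if ($Drift.Count -eq 0) {
        return Get-NisComplianceReport
    }

    # Build a parameter set containing only the settings that are out of line and
    # splat it, so a compliant setting is never rewritten needlessly.
    $Params = @{}
    foreach ($Item in $Drift) { $Params[$Item.Setting] = $Item.Expected }
    Set-MpPreference @Params

    # Re-read instead of assuming success: a rejected or silently ignored change
    # shows up here as a still non-compliant row.
    return Get-NisComplianceReport
}

Set-NisCompliance | Format-Table -AutoSize
```

Because the report is regenerated from Get-MpPreference after the change, the output reflects the state the system actually reached, which is the property the release notes rely on when they say the module keeps things compliant regardless of the enforcement method.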
- During process mitigations compliance verification, if a process has more mitigations applied to it than the ones required by the Harden Windows Security application, it will be considered compliant. The previous behavior would only consider them compliant if they were an exact match, but that would miss the situations where the currently applied mitigations were more than the required ones. The log messages have been improved to provide detailed info about each process.
BitLocker Category
- Added more logging messages during compliance checking of the BitLocker category, to let the user know why the OS drive is not compliant.
- BitLocker group policies are completely self-sufficient and no longer depend on the Microsoft Security Baselines.
- Improved the BitLocker encryption for non-OS drives. The ExternalKey key protectors that belong to previous OS installations and are leftovers are now properly taken care of and renewed to be bound to the new OS drive.
User Account Control (UAC) Category
- New policy: Sets the behavior of the elevation prompt for Standard users to Prompt for Credentials on the Secure Desktop. Microsoft Security Baselines 23H2 would set this to Deny elevation requests, but since Windows is moving towards the Adminless future, it is required that elevation can be performed from Standard user accounts. This policy ensures that the elevation prompt is secure and the user is prompted to enter the credentials on the Secure Desktop.
- Added this only for compliance checking: UAC: Behavior of the elevation prompt for administrators in Enhanced Privilege Protection Mode. This policy is by default set to the most secure value, which is Prompt for Credentials on the Secure Desktop. Adding it to compliance checking in the UAC category gives the user an easy way to verify it is set to the correct value, because it is an important policy.
- New policy: Configures the type of Admin Approval Mode to be Admin Approval Mode with enhanced privilege protection. This is another new policy added in the build 24H2.
Windows Update Category
There are no configuration changes. Only the group policy objects were updated to match the new policy locations in the 24H2 build. All of them are related to the update auto-restart grace period and deadlines, and their locations differ between the 23H2 and 24H2 builds.
- The SetComplianceDeadline policy has changed. In 24H2, it is broken down into 2 different policies. They are also Intune compatible, which means a unified compliance check between group policy and Intune deployments.
Optional Windows Features
There is a bug in Windows 11 24H2 builds 26100.1742 and 26100.1882 related to the DISM module cmdlet Get-WindowsCapability -Online and Internet Explorer mode! Watch the video:
2024-10-04.00-02-05.mp4
As a workaround, the Internet Explorer mode removal was moved to the end of the Optional Windows Features category instead of being in the middle. This change makes sure the category will complete successfully.
The problem with the cmdlet will most likely be fixed after a system restart. That means when Internet Explorer mode, which is for legacy rendering in the Edge browser and is totally unnecessary, is removed, you will have to perform a system restart before that cmdlet can be used again.
As you can see in the video, this is not related to Harden Windows Security.
Non-Admin Category
- Removed the 2 policies that were used to enable Clipboard syncing for the current user. They were an optional sub-category of the Non-Admin category.
PR: #347
Harden Windows Security v.0.6.3
Harden Windows Security v.0.6.2
What's New
- Implemented a new GUI section to offer a unified place to browse for multiple files and add them all at once to multiple exclusion lists. Closes #323 - Related Discussion
- BitLocker encryption has been added to the GUI! You can now effortlessly encrypt the OS drive, non-OS drives, and removable drives directly through the graphical interface, with multiple options available for each type of encryption. With the encryption process now fully integrated into the GUI, the command-line encryption feature has been removed. Previously, encryption through the CLI was manual and limited by the terminal's capabilities. - Closes #282
- With this pull request, the Harden Windows Security project is now fully implemented in native C# code, adhering to modern best practices. For those interested in the technical details, you can find more information here. Once PowerShell 7.5 and .NET 9 reach stable release, the application will undergo a complete GUI overhaul. This update will introduce a modernized design aligned with Windows 11 aesthetics, seamless automatic dark/light mode based on your system theme, and many additional enhancements.
- When running without elevated privileges, any GUI pages requiring administrative access will no longer open automatically. Instead, a dialog box will appear, notifying you that Administrator privileges are necessary to proceed.
- On the BitLocker page, using the execute button now ensures that the relevant group policies are applied to facilitate proper drive encryption. These policies are essential for enabling advanced BitLocker features, such as TPM-based key protectors and Enhanced PINs.
- A new toggle has been introduced on the Logs tab, allowing users to enable or disable the logger's auto-scroll functionality with ease.
- The Logs tab now includes a convenient button for swiftly exporting all log entries to a file, streamlining the process for documentation or analysis.
- You can access the BitLocker page to view all recovery passwords for BitLocker-encrypted drives. Additionally, you can use the backup button to store these passwords in a file for safekeeping. The file will include all of the necessary properties in case you need to perform drive recovery in the future from the OOBE.
- Fixed an issue where the Controlled Folder Access exclusions list would be cleared after using the Harden Windows Security application.
- The GUI toggle button on the Protect page used to write logs to the Windows Event Viewer is now disabled when running without Administrator privileges, as they are required for writing event logs to the designated location.
PR: #341