WDAC supplemental deny filepath rule #159
-
Hi, no, it's not currently possible to create a deny rule for a filepath with wildcards, but I can add that capability to the module in the next update. The New-SupplementalWDACConfig cmdlet is for creating supplemental policies, which can only have allow rules to expand a base policy. The base policies can have deny and allow rules in them. So if the feature is added to the WDACConfig module, it will either be creating a new base policy which you need to deploy side by side with other base policies, or it will require you to select a base policy and add the deny rule to it. The modified base policy will need to be redeployed of course, but it can be automated as well. WDAC in nature blocks everything unless it's allowed by a policy.

Update: The WDACConfig module now supports creating deny policies based on filepath with wildcards.
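A check that follows from the reply above (supplemental policies can only carry allow rules; deny rules belong in a base policy), as an added example that is not part of the thread or of the WDACConfig module: it scans a policy XML for deny rules placed in a supplemental policy. The sample policies, rule IDs and paths are constructed, and the function name is hypothetical; the code assumes the standard policy XML layout (`SiPolicy` root with a `PolicyType` attribute, `Deny` entries under `FileRules`, `DeniedSigner` entries under the signing scenarios).

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Constructed sample policy (not from the thread); IDs and paths are made up.
SUPPLEMENTAL_WITH_DENY = r"""
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="Tools" FilePath="C:\Tools\*" />
    <Deny ID="ID_DENY_D_1" FriendlyName="Downloads" FilePath="C:\Users\*\Downloads\*" />
  </FileRules>
</SiPolicy>
""".strip()

# Same rules in a base policy, where a deny rule is permitted.
BASE_WITH_DENY = SUPPLEMENTAL_WITH_DENY.replace("Supplemental Policy", "Base Policy")


def misplaced_deny_rules(policy_xml):
    """Return the deny rules found in a supplemental policy.

    Base policies (and XML without a PolicyType attribute) return [],
    because deny rules are only out of place in a supplemental policy.
    """
    root = ET.fromstring(policy_xml)
    if root.get("PolicyType") != "Supplemental Policy":
        return []

    findings = []
    # File-level deny rules: path (possibly with wildcards), file name or hash.
    for rule in root.iterfind(".//si:FileRules/si:Deny", NS):
        target = rule.get("FilePath") or rule.get("FileName") or rule.get("Hash")
        findings.append({"kind": "Deny", "id": rule.get("ID"), "target": target})
    # Signer-level deny entries inside the signing scenarios.
    for signer in root.iterfind(".//si:DeniedSigner", NS):
        findings.append({"kind": "DeniedSigner", "id": signer.get("SignerId"), "target": None})
    return findings


if __name__ == "__main__":
    for finding in misplaced_deny_rules(SUPPLEMENTAL_WITH_DENY):
        print("deny rule in supplemental policy:", finding)
```

Run against policy files before deployment, a non-empty result means the rule needs to move into a base policy, either a dedicated deny base policy or an existing one that is then redeployed.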
-
I use Intune App Control (with a built-in rule with GUID {2DA0F72D-1688-4097-847D-C42C39E631BC}).
-
Is it possible to create a deny filepath rule via New-SupplementalWDACConfig -PathWildCards -FolderPath...