
Releases: HotCakeX/Harden-Windows-Security

AppControl Manager 1.8.7.0

30 Jan 13:36
f5c2090

What's New


Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Added flyouts with buttons to the EVTX file path selector buttons in the Create Policy From Event Logs page. Now whenever you select EVTX files, a small flyout will open, displaying the path you selected and offering a Clear button so you can clear the selected path if you want. This is aligned with the rest of the browse button behaviors throughout the AppControl Manager's UI.

  • Added the same flyout feature to the MDE Advanced Hunting page for the browse for CSV button.

  • ✨In the AppControl Manager, all buttons that allow you to browse for files and folders already feature flyouts—small pop-up areas that display the selected files or folders. Previously, these flyouts would only appear after a left-click or tap on the browse buttons, which would first launch the file/folder picker and then display the flyout. In this update, the flyouts can now also be triggered by right-clicking the buttons or, on touch-enabled devices, by tapping and holding the buttons. This enhancement improves your experience by making it easier to view your selected content without needing to click the browse button again to launch the file/folder picker.

  • Version bump from 1.8.6.0 to 1.8.7.0

  • Added JSON source generation support for the Intune class, making it Native AOT/Trim friendly and faster.

  • The Simulation page's folder picker now supports picking multiple folders. Previously it only supported picking 1 folder.

  • The Configure Policy Rule Options page now automatically shows you the rule options available in the XML file you select by checking/unchecking the boxes in the UI; they are dynamically updated to reflect the XML file's rule options.

    • The buttons were also simplified and there are no longer any Add/Remove/Select All buttons. They were replaced by "Apply the changes" and "Retrieve Rules Status" buttons.

    • Additionally, the entire row containing each checkbox is now clickable, making interaction easier.

    • When using a template, checkboxes update automatically in real time, reflecting the latest changes instantly. These enhancements significantly improve usability and efficiency.


PRs


Note

As mentioned at the top, please refer to this page for installation instructions.


AppControl Manager 1.8.6.0

23 Jan 15:07
96d1cea

What's New


Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • The AppControl Manager now supports 3 more rule types for both Supplemental policies and Deny base policies:

    • File path rules for each file.
    • File path rules based on wildcards for each folder (that means any file that resides in the selected folder will be automatically allowed).
    • PFN based rules for packaged apps (Package Family Name)
  • With these 3 additional rule types, you can allow your apps, files and folders in new ways that suit your needs.

  • Keep in mind that the most secure rule types are signature based ones such as FilePublisher.

  • Removed the static color for text highlights in flyout text boxes. The colors are now dynamically set based on the Windows accent color.

  • The "Get Configuration" button in the Settings page now automatically expands the section to make the configurations visible, reducing extra clicks/taps needed.

  • The Create policy page's deploy buttons are now consistent with the rest of the deploy buttons in the app.

  • Improved consistency in the codebase and UI elements.

  • Added documentation for creating Deny policies => https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-an-App-Control-Deny-Policy

  • When parsing the Microsoft Defender for Endpoint Advanced Hunting logs, Blocked events would show as Audit events in the data grid; that is now fixed.



Automated Release Notes

  • AppControl-Manager-DownloadLink-Version-Update-Version-1.8.5.0 by @github-actions in #545
  • The old WDACConfig PowerShell module has been fully deprecated by @HotCakeX in #553
  • Implementing FilePath and PFN based rules in AppControl Manager by @HotCakeX in #554
  • Fixed Audit/Block categorization of the MDE Advanced Hunting data by @HotCakeX in #557
  • docs: remove empty image tag from WDAC Notes.md by @HryshcIlya in #558
  • Code refactoring and general improvements by @HotCakeX in #560
  • Version bump to 1.8.6.0 - AppControl Manager by @HotCakeX in #561

Full Changelog: AppControlManager.v.1.8.5.0...AppControlManager.v.1.8.6.0


Note

As mentioned at the top, please refer to this page for installation instructions.


AppControl Manager 1.8.5.0

18 Jan 19:08
1d20da7

What's New


Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex


Automated Release Notes

  • AppControl-Manager-DownloadLink-Version-Update-Version-1.8.4.0 by @github-actions in #538
  • Bump dotnet-sdk from 9.0.1 to 9.0.102 in /AppControl Manager by @dependabot in #539
  • Added direct Intune cloud deployment to AppControl Manager by @HotCakeX in #542
  • Creating new documentations for App Control by @HotCakeX in #543
  • AppControl Manager has reduced permissions for Intune and better policyID in Intune by @HotCakeX in #544

Full Changelog: AppControlManager.v.1.8.4.0...AppControlManager.v.1.8.5.0


Note

As mentioned at the top, please refer to this page for installation instructions.


AppControl Manager 1.8.4.0

16 Jan 13:01
f8c76ce

What's New


Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Upgraded the .NET version and NuGet packages.

  • Implemented ISG based Supplemental policy in the AppControl Manager. This is a new type of supplemental policy that doesn't explicitly allow anything; instead, it only activates the use of the ISG (Intelligent Security Graph) on the system so reputable files can be automatically authorized.

  • Implemented initial support for translating the AppControl Manager to other languages.

  • Implemented another protection when removing signed policies in AppControl Manager.

    • This new protection mechanism ensures the safe removal of signed policies. To complete the process securely, a system reboot is required after the first stage. The newly implemented protection verifies that the reboot has been performed before allowing the process to proceed to the final stage.

    • If the user forgets to reboot or is unsure whether it’s necessary, a prompt will appear to guide them through the process. This safeguard prevents accidental errors that could lead to boot failures, making the AppControl Manager even safer and more reliable when managing Signed App Control policies.

    • Wonder why Signed policies are important? Check out this article

  • Implemented Strict Kernel-mode App Control Policy. It's a special type of policy that can protect against all BYOVD scenarios as well as protecting the kernel from unauthorized access while letting regular user-mode files function normally.

  • Implemented Strict Kernel-mode Supplemental policy creation.

  • All local file scans in the AppControl Manager now consider the Security Catalogs, improving accuracy.

  • Added support for catalog signed files to the View File Certificates page. Many files are signed via Security Catalogs, so they seem unsigned if you investigate them individually, but Windows has access to the Security Catalogs where those files' signatures exist, and now AppControl Manager can show you those details.
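
To see the catalog-versus-embedded distinction described above outside the app, the following added example (not part of the release notes or of AppControl Manager's code) uses the built-in Get-AuthenticodeSignature cmdlet. The function name Get-SignatureSource, the extension list and the scanned folder are assumptions chosen for illustration.

```powershell
# Added example, not AppControl Manager code.
# Get-AuthenticodeSignature reports where a file's signature was found:
#   Authenticode = embedded in the file itself
#   Catalog      = the file's hash is listed in a security catalog known to Windows
#   None         = no signature found either way
function Get-SignatureSource {
    [CmdletBinding()]
    param(
        # Folder to scan (hypothetical input; pick any folder you can read)
        [Parameter(Mandatory)][string]$Path,
        # File types worth checking for App Control purposes (assumed list)
        [string[]]$Extension = @('.exe', '.dll', '.sys')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $Extension } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File          = $_.FullName
                Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                SignatureType = $sig.SignatureType   # None, Authenticode or Catalog
                IsOSBinary    = $sig.IsOSBinary
                # Empty for unsigned files
                Signer        = $sig.SignerCertificate.Subject
            }
        }
}

# Example run against the in-box drivers folder (assumed path for illustration)
$results = Get-SignatureSource -Path "$env:windir\System32\drivers"

# How many files carry an embedded signature, a catalog signature, or none
$results | Group-Object SignatureType | Select-Object Name, Count

# Files that have no embedded signature yet are validly signed through a catalog
$results |
    Where-Object { $_.SignatureType -eq 'Catalog' -and $_.Status -eq 'Valid' } |
    Select-Object -First 10 File, Signer
```

Files listed by the last query are the ones that look unsigned when only the embedded signature is inspected.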



Auto Generated Release Notes

  • AppControl-Manager-DownloadLink-Version-Update-Version-1.8.3.0 by @github-actions in #517
  • Implemented ISG based Supplemental policy in the AppControl Manager by @HotCakeX in #520
  • Adding initial support for translating app control manager into other languages by @HotCakeX in #521
  • Implemented another protection when removing signed policies in AppControl Manager by @HotCakeX in #522
  • Alignment of namespaces with folder structures in the AppControl Manager code base by @HotCakeX in #523
  • Bump System.Management from 9.0.0 to 9.0.1 in /Harden-Windows-Security Module by @dependabot in #530
  • Bump System.Management from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #529
  • Bump Microsoft.WindowsAppSDK from 1.6.241114003 to 1.6.250108002 in /AppControl Manager by @dependabot in #528
  • Bump Microsoft.XmlSerializer.Generator from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #526
  • Bump System.Security.Cryptography.Pkcs from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #527
  • Bump System.Diagnostics.EventLog from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #525
  • Implementing Strict Kernel-mode policy in AppControl Manager by @HotCakeX in #531
  • Removing unused PowerShell logic from the deprecated WDACConfig module by @HotCakeX in #532
  • Added support for catalog signed files in local file scans in the AppControl Manager by @HotCakeX in #533
  • Bump System.DirectoryServices.AccountManagement from 9.0.0 to 9.0.1 in /Harden-Windows-Security Module by @dependabot in #534
  • Version bump to 1.8.4.0 - AppControl Manager by @HotCakeX in #535
  • Minor improvements before AppControl Manager v.0.1.8.4 release by @HotCakeX in #536
  • Updating documents with new information by @HotCakeX in #537

Full Changelog: AppControlManager.v.1.8.3.0...AppControlManager.v.1.8.4.0


Note

As mentioned at the top, please refer to this page for installation instructions.


AppControl Manager 1.8.3.0

09 Jan 13:49
183f9e2

What's Changed


Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Improved the update mechanism; it will remove any related previous ASR rule exclusions instead of only those for the previous app version. The same improvement was previously implemented in the bootstrapper script and the Harden Windows Security module as well.

  • Improved page behaviors; their states will now be preserved at all times even if you navigate away from them for any amount of time.

  • Fixed the NuGet connection (e.g., for downloading SignTool.exe); it isn't always compatible with HTTP v.2.


PR: #516


Harden Windows Security v.0.7.3

08 Jan 15:21
8ad3e5c

What's New

  • Added a new section to the Apps | Features page where you can remove the pre-installed built-in network drivers that you do not use. Windows by default has Wi-Fi and Ethernet network adapter drivers of Intel, Broadcom, Ralink, Realtek, Qualcomm and Marvell. If you do not have any of that hardware, or you install your own drivers, you can remove the unnecessary ones, freeing up disk space and reducing the overall attack surface.

    • You can view the full list of pre-installed network drivers via this PowerShell command: Get-WindowsCapability -Online

    • As always, detailed logs of each step of the operation will be generated and made available.

  • Improved the dialog window design. It has a gradient dark background and will stay on top so the user won't miss the important message that is displayed.

  • Added a check to display a message to the user when installing AppControl Manager and an incompatible policy is detected.

  • Improved the module's compatibility with other modules that load the same Microsoft DLLs in the session through the PowerShell profile. When Harden Windows Security detects such situations, it will automatically use the -NoProfile switch.

  • Updated the Microsoft DLLs to the latest versions from NuGet.

  • Improved the logging mechanism when using Harden Windows Security in unattended/headless mode like this:

Protect-WindowsSecurity -Verbose -Categories MicrosoftSecurityBaselines,Microsoft365AppsSecurityBaselines,MicrosoftDefender,AttackSurfaceReductionRules,BitLockerSettings,TLSSecurity,DeviceGuard,LockScreen,UserAccountControl,WindowsFirewall,WindowsNetworking,WindowsUpdateConfigurations,MiscellaneousConfigurations,EdgeBrowserConfigurations,CertificateCheckingCommands,CountryIPBlocking,DownloadsDefenseMeasures,NonAdminCommands -Log -LogPath 'C:\Users\Admin\Desktop\Logs.txt' -Offline -MSFTDefender_SAC -MSFTDefender_BetaChannels -DeviceGuard_MandatoryVBS -WindowsNetworking_BlockNTLM -MiscellaneousConfigurations_ReducedTelemetry -MiscellaneousConfigurations_LongPathSupport -CountryIPBlocking_OFAC -DangerousScriptHostsBlocking -UAC_OnlyElevateSigned -LockScreen_CtrlAltDel -Miscellaneous_WindowsProtectedPrint -UAC_NoFastSwitching -MiscellaneousConfigurations_StrongKeyProtection -LockScreen_NoLastSignedIn -PathToLGPO 'C:\Users\Admin\Desktop\LGPO.zip' -PathToMSFT365AppsSecurityBaselines 'C:\Users\Admin\Desktop\Microsoft365SecurityBaseline.zip' -PathToMSFTSecurityBaselines 'C:\Users\Admin\Desktop\Windows 11 v24H2 Security Baseline.zip'
  • That's an example command that will run all of the categories and sub-categories in unattended mode, completely offline, and log the output to a file. The log file will contain every detail of the operation, just as they are generated in the GUI mode.

  • Previously the logs in this scenario would have very minimal content because the built-in PowerShell transcription feature was being used but now it's handled by the module itself.

  • With a command like that, you can configure your systems/workstations in bulk and schedule that command to run periodically. That is a completely automated mechanism and if a new version of the module is available, it will download and install it and remove any older version.

  • Documentation is available here.

  • If you have any questions about the unattended/headless mode, feel free to ask here on GitHub.


PR: #515


Harden Windows Security v.0.7.2

07 Jan 12:23
f6c932b

What's New

This update is full of new features 🎉

Ability to Remove built-in pre-installed apps

Introduced the ability to remove built-in apps using the Harden Windows Security module. This functionality is available on a dedicated page. The list of removable apps is stored in a JSON file, providing flexibility and extensibility.

When apps are removed using the Harden Windows Security module, they are removed for all users, and they won't come back when you create a new user. They are re-installable from the Microsoft Store if necessary.

The JSON file currently includes 37 apps. More apps can easily be added to it in the future without requiring any code modification.


Ability to Remove Individual Optional Windows Features and Capabilities

Added a new page for managing Optional Windows Features. While the Harden Windows Security module already includes an Optional Features category in the hardening measures section, this new page allows for granular control, enabling you to fine-tune which features to enable or disable. It also includes additional optional features that can be removed.


Online File Reputation Check via Smart App Control/SmartScreen through Microsoft Defender

Queries a file's reputation through Microsoft Defender, based on either Smart App Control or SmartScreen, depending on whichever is in control. It doesn't need Admin privileges. It's in a new dedicated tab available in the GUI. Simply browse for a file to detect its reputation and some other advanced details. You can use this feature while other tasks in the Harden Windows Security module are running.


Added Reduced Telemetry Policies

Added reduced telemetry policies to the Miscellaneous Category in the Harden Windows Security module. They are a sub-category and include the following policies:

  • Disable Online Tips. CSP

  • Disable Find My Device feature. CSP

  • Disable Automatic Update of Speech Data. CSP

  • Turn off the advertising ID. CSP

  • Turn off cloud optimized content. CSP

  • Do not show Windows tips. CSP

  • Do not show feedback notifications. CSP

  • Turn off Automatic Download and Update of Map Data. CSP

  • Disable Message Service Cloud Sync for cellular text messages. CSP

  • Disable support for web-to-app linking with app URI handlers. CSP

  • Disable "Continue experiences on this device" feature. CSP

  • Disable Font Providers. CSP

  • Don't search the web or display web results in Search. CSP

  • Do not allow web search. More Info


AppControl Manager Installer Integration

You can now install the AppControl Manager right from the Harden Windows Security module. This is a very convenient way to install it as it only requires a click/tap of a button.




Other Changes

  • Compliance Checking Enhancement: Added support for VBScript compliance checks.

  • Code Improvements: Implemented several code enhancements and optimizations.

  • UI Enhancements: Updated the button styles on the ASR Rules and Unprotect pages. The new design replaces the previous animated buttons with play icons, offering a cleaner and more modern look.

  • Added description texts to the top of the pages.

  • Changed the Only Elevated Signed sub-category name to Only Elevate Signed; it was a typo.

  • Updated the readme.

  • Updated the demo gif to reflect the changes in the GUI.





Auto generated release notes 👇

  • AppControl-Manager-DownloadLink-Version-Update-Version-1.8.2.0 by @github-actions in #500
  • Implemented Apps and Windows Features Removal by @HotCakeX in #506
  • Implemented online file reputation verification in the Harden Windows Security moulde by @HotCakeX in #507
  • Added AppControl Manager native installer to the Harden Windows Security Module by @HotCakeX in #508
  • Improved the bootstrapper script by @HotCakeX in #509
  • Added reduced telemetry policies by @HotCakeX in #510

Full Changelog: AppControlManager.v.1.8.2.0...Hardening-Module-v.0.7.2


AppControl Manager 1.8.2.0

04 Jan 17:58
73c48c3

What's New


Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Added a policy validation feature to the AppControl Manager. It's a dedicated page where the user can browse for App Control XML files and validate them. Useful if the user has modified an XML file manually and wants to make sure the modifications are valid according to the official schema.

  • A new page, View File Certificates, has been added. This page allows you to load any file and examine its certificates in a highly detailed format. It also supports CIP and CER files. Many of the details displayed for signed files, such as the TBS hash and precise identification of each policy type, are not readily available elsewhere.

  • Added useful labels to the main navigation to offer a more categorized menu.

  • Reduced the empty spaces in the documentation pages, dedicating more space to the web content.

  • Added SHA3-384 and SHA3-512 hashes calculation to the Get Code Integrity Hashes page.

  • Added new documentation for the new features.

  • Set the minimum HTTP version to 2.0 so it no longer uses 1.1 as fallback and by default it tries the highest available version which is 3.0 at the moment.

  • Added progress rings for each hash type in the Get Code Integrity Hashes page to display their individual progress.




Automated Change Logs

  • Added XML policy file validation feature to the AppControl Manager by @HotCakeX in #495
  • Added a feature to view advanced file cert details in AppControl Manager by @HotCakeX in #496
  • Set minimum HTTP version to 2.0 by @HotCakeX in #497
  • Version bump to 1.8.2.0 - AppControl Manager by @HotCakeX in #498
  • Adding support for hashing very large file by @HotCakeX in #499

Full Changelog: Hardening-Module-v.0.7.1...AppControlManager.v.1.8.2.0


Note

As mentioned at the top, please refer to this page for installation instructions.


Harden Windows Security v.0.7.1

02 Jan 18:29
3ea3b8d

What's New

  • During the compliance checking, MDM results that are not used by the module are no longer collected, improving the performance and speed, especially on lower end hardware.

  • Adjusted the TLS Category's Intune Json config to match the new schema.

  • Added a new sub-category for the TLS category, called "TLS for BattleNet". When selected, the TLS category will deploy the group policy that has the extra cipher suite TLS_RSA_WITH_AES_256_CBC_SHA which is less secure but required for BattleNet client to connect to its servers. Fixes -> #489

    • This means the BattleNet client is no longer automatically detected on the system because there are times when it's installed in a non-default location. Now the user is in control to decide whether to use the extra cipher suite or not.
  • WDACConfig module is no longer used/installed for Downloads Defense Measures category. All the necessary logic for policy creation is now implemented natively. This substantially improves the performance and allows for full offline usage of this category and its sub-categories.

    • This also facilitates the deprecation of the WDACConfig module which is replaced with the new modern AppControl Manager.

PR: #494


AppControl Manager 1.8.1.0

01 Jan 19:55
7f603d5

What's New


Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Improved the UX (User Experience) in the Update page. When actions such as checking for an update or installing a new version are happening, the page behind the update button becomes unavailable in order to keep things consistent.

  • Improved the Allow New Apps page's experience. When you filter data in the DataGrids and then remove some items, they will show correctly after removing the filter.

  • Also, in the Allow New Apps page when you reset, the path to the selected base policy will remain intact and you can begin creating a new policy right away for another program because the selected logs will be properly emptied.

  • The app no longer allows the wrong certificate or common name to be used during signed policy deployment, re-deployment or removal. Such possible user accidents are caught very early on and communicated to the user with proper and clear messages so the user can fix the mistake quickly. The goal is to never let AppControl Manager be used even intentionally to cause boot failure when dealing with signed policies.

  • The content dialogs that ask for user input for signing scenarios have better visuals now, and the focus is by default on the Verify button, which makes it easier and clearer what needs to be done. It also means you can press the Enter key on the keyboard quickly to confirm the actions without using the mouse.

  • Improved DataGrid experience when removing items in MDE Advanced Hunting and Event Logs pages.



  • AppControl-Manager-DownloadLink-Version-Update-Version-1.8.0.0 by @github-actions in #486
  • Improving documentations for the AppControl Manager app by @HotCakeX in #487
  • Various UI improvements in the AppControl Manager by @HotCakeX in #490
  • Implemented more guardrails for signed scenarios in AppControl Manager by @HotCakeX in #492

Full Changelog: AppControlManager.v.1.8.0.0...AppControlManager.v.1.8.1.0


Note

As mentioned at the top, please refer to this page for installation instructions.