New Update Application Control on Windows 10 Home

F

ForgottenSeer 95367

This thread is the experimental one, because I check the possibility of using at home the security layer used in Enterprises. Your comments are probably true for Windows Pro, but not for Windows Home, except for some very special WDAC policies (like BabySitter).
My conclusion is that generally, it would be hard to deploy WDAC at home. Anyway, it is possible in some cases:
https://mattifestation.medium.com/w...20h2-and-building-a-simple-secure-4fd4ee86de4
Matt Graeber uses W10 Pro.

Did you manage to do it also on W10 Home?

1664112309497.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Matt Graeber uses W10 Pro.

Did you manage to do it also on W10 Home?
The home laptop is not only with Windows Pro but it is also Microsoft Surface. So, everything is compatible with WDAC. This setup can be used on many home computers, that use the same software as in the example.
The problem can be with laptops (Lenovo, Dell, Asus, et.) because they are using firmware that sometimes can contain unsigned DLLs. I am not sure if all these DLLs are allowed by ISG.
I noticed that the XML policy file based on SAC is already included in the Windows 11 2022 update (%OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml).
I will try to make a binary policy and apply it for testing on my wife's computer with Windows Home.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
There are some new options:
  • Developer Mode Dynamic Code Trust
  • Conditional Windows Lockdown Policy
The first should probably trust all DLLs included in the installer if the installer is allowed by SAC.
The second is only supported on Windows 11 2022 update and was also used in Windows "S":
SmartAppControl.xml is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise WDAC policies and must be removed. For more information, see WDAC and Smart App Control.

There are also some settings new for me:

Code:
    <Setting Provider="PolicyInfo" Key="NoRevalidationUponRefresh" ValueName="NoRevalidationUponRefreshValue">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
    <Setting Provider="Microsoft" Key="WindowsLockdownPolicySettings" ValueName="ShellSmartscreenSuppressed">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
        <Setting Provider="Microsoft" Key="WindowsLockdownPolicySettings" ValueName="BrowserSmartscreenSuppressed">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
    <Setting Provider="Microsoft" Key="WindowsLockdownPolicySettings" ValueName="ISGSmartscreenTrustSuppressed">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
    <Setting Provider="Microsoft" Key="WindowsLockdownPolicySettings" ValueName="VerifiedAndReputableUI">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
    <Setting Provider="Microsoft" Key="WindowsLockdownPolicySettings" ValueName="WindowsLockdownOfficeExtensions">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
    <Setting Provider="Microsoft" Key="WindowsLockdownPolicySettings" ValueName="VerifiedAndReputablePerfMode">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
    <Setting Provider="Microsoft" Key="WindowsLockdownPolicySettings" ValueName="VerifiedAndReputableTrustMode">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
    <Setting Provider="Microsoft" Key="WindowsLockdownPolicySettings" ValueName="WindowsLockdownDangerousExtensionValidation">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
    <Setting Provider="Microsoft" Key="WindowsLockdownPolicySettings" ValueName="WindowsLockdownDangerousExtensionEnforcement">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
    <Setting Provider="Microsoft" Key="WindowsLockdownPolicySettings" ValueName="DisableMshtmlUmci">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
    <Setting Provider="Microsoft" Key="WindowsLockdownPolicySettings" ValueName="VerifiedAndReputableAllowAntiMalware">
      <Value>
        <Boolean>true</Boolean>
      </Value>

These settings are related to SmartScreen, MS Office, MSHTML, and dangerous extensions.
 
Last edited:
F

ForgottenSeer 95367

There are some new options:
  • Developer Mode Dynamic Code Trust
  • Conditional Windows Lockdown Policy
The first should probably trust all DLLs included in the installer if the installer is allowed by SAC.
The second is only supported on Windows 11 2022 update and was also used in Windows "S":
Microsoft personnel are on the record stating that Windows S is extremely effective against malware. So it is no surprise to see the "Conditional Windows Lockdown Policy."
 

EASTER

Level 4
Verified
Well-known
May 9, 2017
159
Is it possible to use WD Application Control (WDAC) on Windows 10 Home, with disabled WD? The answer is somewhat surprising. Why?

WDAC is the Windows 10 security feature, which was introduced for Windows Enterprise editions. It can be used only on the computers with UEFI. The working WDAC (WD Application Control) code integrity policy cannot be created on WIndows Home and Windows Pro via registry tweaks or PowerShell, or GPO.
But, WDAC code integrity policy can be applied on any Windows 10 editions, if the user has the file SIPolicy.p7b, that was created on the machine with Windows Enterprise.

So, yes - WDAC can be used on Windows 10 Home and Pro. But, for the standard home user applying it, in the usual way (block applications), would be impractical.

Yet, WDAC can be used as a very practical diagnostic tool, to monitor the execution of processes, which are not whitelisted by WDAC.
The below events are logged in the Windows Event Log :
  1. All user-mode code not built-in to the OS or originating from the Microsoft Store.
  2. All kernel drivers except Windows, HAL, and ELAM-signed drivers.
The events are logged under Applications and Services Logs >> Microsoft >> Windows >> CodeIntegrity >> Operational, Event Id 3076. It is recommended to make a custom filter only for that event.

Applying it is very easy. Download a pre-built version of SIPolicy.p7b, copy it to C:\Windows\System32\CodeIntegrity (admin rights are required), and reboot. The details are available in Matt Graeber's article:
Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode
For those without an Enterprise license, you can download a pre-built version of SIPolicy.p7b here. Fortunately, SIPolicy.p7b can be applied to all Windows 10 SKUs. To deploy the policy, copy SIPolicy.p7b to.......
 

Attachments

  • sshot-2022-09-26-08-14-30.jpg
    sshot-2022-09-26-08-14-30.jpg
    40.3 KB · Views: 190
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
The link to the prebuild SIPolicy.p7b file in the OP is not yet available. I edited my OP and added the link to the Microsoft WDAC Wizard.
 

EASTER

Level 4
Verified
Well-known
May 9, 2017
159
The link to the prebuild SIPolicy.p7b file in the OP is not yet available. I edited my OP and added the link to the Microsoft WDAC Wizard.
Ok Andy, thanks for letting me know. I was going to implement it with editing from another GitHub Policy tied to it and see how things fare on my Windows 10 Home. I do wish Microsoft wasn't so bent on leaving Home user's out of specialized protections like this but it's always been their nature to brush off what they consider Low Grade systems/versions.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Ok Andy, thanks for letting me know. I was going to implement it with editing from another GitHub Policy tied to it and see how things fare on my Windows 10 Home. I do wish Microsoft wasn't so bent on leaving Home user's out of specialized protections like this but it's always been their nature to brush off what they consider Low Grade systems/versions.
Please remember to run this command in the Administrator PowerShell:
Get-Service -Name applockerfltr | Set-Service -StartupType Automatic

Check if all needed services are running:
Get-Service -Name applockerfltr,appidsvc,appid
 
  • Like
Reactions: simmerskool

EASTER

Level 4
Verified
Well-known
May 9, 2017
159
Please remember to run this command in the Administrator PowerShell:


Check if all needed services are running:
Why run the commands Andy. Remember on this end its Windows Home. You didnt explain what those command will initiate.
I'm all ears

Ooops sorry i am on the 8.1 this week but once i turn on Windows 10 again i will do that and see if the needed services are running or not. It is up to date btw.

Microsoft are such disgusting tightwads and hold back those extras that make security more efficient. Thank Goodness for people like you who choose to fill in some of the gaps that Microsoft leaves Home users without. Thanks You so much for all your efforts and generosity

Believe you me i am not beyond waiting for Windows 12 instead of falling in lockstep with what they try to peddle with lack of better security for the home users

Okay Andy-Run those commands on this Windows 10- Here is those results if it helps.

This DELL 10 came with S-Mode at delivery which once set it up i dismissed it - It was way too restrictive for me. Just a tidbt that i know s mode is a total lockdown and decision was made for more local flexibility since i am the only user of it.
 

Attachments

  • sshot-001.jpg
    sshot-001.jpg
    55.6 KB · Views: 197
Last edited:
  • Like
  • Applause
Reactions: kylprq and Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Why run the commands Andy. Remember on this end its Windows Home.
These services can run on Windows Home and are necessary to WDAC.
You did not run PowerShell as Administrator (I mentioned it in my post). (y)

Edit.
Windows restart can be required.
 
Last edited:

EASTER

Level 4
Verified
Well-known
May 9, 2017
159
These services can run on Windows Home and are necessary to WDAC.
You did not run PowerShell as Administrator (I mentioned it in my post). (y)

Edit.
Windows restart can be required.
Sorry but i most certainly did. It's one of the first things i look for on the title ribbon bar on the PowerShell Screen to see it is reflecting running Admin and you always can tell it whether or not it is.

I can try again later and see if there's any change or not. It's not really that big a deal for me. I been at this Micro Windows stuff since the 90's so i am quite familiar with things and after seeing the posting of yet another MICRO HIDDEN avenue of tightening i thought i would see if might be applied to the HOME 10 version.

My Own EDIT: DID NOT REBOOT: So i'll try that later and see if it kicked in or not.-
EDIT AGAIN: REBOOT WAS NECESSARY-SUCCESS

Now for the Wizard

The Windows Defender Application Control Wizard (Version 2.0.0) enables IT professionals to build and deploy WDAC code integrity (CI) policies by wrapping the WDAC CI PowerShell cmdlets.

Use this application to create new base and supplemental policies, in addition to editing and merging exisiting WDAC CI policies.
 

Attachments

  • sshot-002.jpg
    sshot-002.jpg
    57.9 KB · Views: 189
Last edited:

NormanF

Level 9
Verified
Jan 11, 2018
404
All in all, it sounds like a pretty inconvenient way to manage a system,
less somebody like Andy Ful creates a tool for it...

Home users should use the Simple Windows Hardening portable tool. WDAC is far too complicated to set up and manage at home. You should only run it in audit mode because if you don't understand what you're doing, you can brick Windows! The SWH preconfigured SRP policies are perfectly safe.
 
  • Like
  • +Reputation
Reactions: Back3 and ErzCrz

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
There are some important differences between available WDAC path rules on Windows 10 and Windows 11:


1686521144925.png

The path rules on Windows 11 allow several wildcards (* or ?) in the rule which is a great improvement. :)
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top