Describes how to quickly deploy an enforced Windows Defender Application Control (WDAC) policy on Windows 10 and test it

windows
github-com
08-10-2018


=====================================================================================================================
Quickly Deploy an Enforced Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)
for Testing on Windows 10 Enterprise
=====================================================================================================================
*As an Administrator, copy and save the Microsoft Block Rules Policy [Microsoft recommended block rules (Windows 10) | Microsoft Docs] to C:\Windows\System32\CodeIntegrity\BlockRules.xml
*Open PowerShell (as an Administrator):
*Merge the Block Rules Policy with the Default Enforced Policy
Merge-CIPolicy -PolicyPaths C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml,C:\Windows\System32\CodeIntegrity\BlockRules.xml -OutputFilePath C:\Windows\System32\CodeIntegrity\Merged.xml
*Set the Merged Policy to Enforce Rules (Delete Audit Mode):
Set-RuleOption -FilePath C:\Windows\System32\CodeIntegrity\Merged.xml -Option 3 -Delete
*Convert Policy to Binary Format:
ConvertFrom-CIPolicy -XmlFilePath C:\Windows\System32\CodeIntegrity\Merged.xml -BinaryFilePath C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
*Reboot the machine
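The steps above, wrapped in an added PowerShell script (not part of the original note) that adds pre-flight checks, keeps a copy of any existing policy binary, and provides a post-reboot check of the enforcement state. Deploy-TestWdacPolicy and Test-WdacEnforcement are hypothetical names; the script assumes BlockRules.xml has already been saved to the path in the note and that the policy does not enable the UEFI lock option (otherwise removing SIPolicy.p7b will not revert it).

```powershell
#Requires -RunAsAdministrator
# Hypothetical helper script; paths match the note above.
$ErrorActionPreference = 'Stop'
$CI         = 'C:\Windows\System32\CodeIntegrity'
$Base       = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml'
$BlockRules = Join-Path $CI 'BlockRules.xml'
$Merged     = Join-Path $CI 'Merged.xml'
$Binary     = Join-Path $CI 'SIPolicy.p7b'

function Deploy-TestWdacPolicy {
    foreach ($p in @($Base, $BlockRules)) {
        if (-not (Test-Path $p)) { throw "Missing input policy: $p" }
    }
    # Keep any policy that is already active so the test can be reverted.
    if (Test-Path $Binary) { Copy-Item $Binary "$Binary.bak" -Force }

    # Merge the default enforced policy with the Microsoft block rules.
    Merge-CIPolicy -PolicyPaths $Base, $BlockRules -OutputFilePath $Merged | Out-Null

    # Option 3 is 'Enabled:Audit Mode'; deleting it makes the policy enforce.
    Set-RuleOption -FilePath $Merged -Option 3 -Delete

    # Compile the XML into the binary the kernel loads at boot.
    ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary | Out-Null
    Write-Host "Policy written to $Binary. Reboot to activate it."
}

function Test-WdacEnforcement {
    # Run after the reboot. Win32_DeviceGuard reports 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Event 3077 in the CodeIntegrity log is written for each file blocked by an enforced policy.
    $blocked = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077
    } -MaxEvents 10 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KernelModeCI   = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCI     = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        Enforced       = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)
        RecentBlocks   = @($blocked).Count
    }
}

# Revert (assumes no UEFI lock): remove SIPolicy.p7b, restore the .bak if one exists, reboot.
```

Run Deploy-TestWdacPolicy, reboot, then run Test-WdacEnforcement; Enforced should be True, and attempting to run an unsigned test binary should raise RecentBlocks.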
-------------------------------------------------------------------------------------------
*Great resources if you want to build custom or more robust/flexible policies:
- Planning and getting started on the Windows Defender Application Control deployment process (Windows 10) | Microsoft Docs
- Exploit Monday: Windows Device Guard Code Integrity Policy Reference [Thanks to @mattifestation]
- https://www.fortynorthsecurity.com/building-a-windows-defender-application-control-lab/ [Thanks to @christruncer]
- https://www.fortynorthsecurity.com/updating-an-existing-windows-defender-application-control-policy/ [Thanks to @christruncer]
- windows-itpro-docs/windows/security/threat-protection/windows-defender-application-control at master · MicrosoftDocs/windows-itpro-docs · GitHub [Thanks to @oddvarmoe]
- Device Guard Configuration · GitHub [Thanks to @Carlos_Perez]


Original links

Notes/Win10_WDAC_DeviceGuard_Testing_Policy_Quick_Deploy.txt at master · bohops/Notes · GitHub