Windows Defender Application Control (WDAC) Implementation - Part 5: Developer Support
Part 5 in a guide to setting up Windows Defender Application Control (WDAC)
❗ In the organisation I work in, we do not have a PKI to support code signing. If you have a PKI, you should use it to add a code signing step to your compilation process. The approach described here is an "if all you have is a hammer, everything looks like a nail" approach, and will introduce a security hole into your environment.
This policy allows developers to run unsigned code from their user profile. This gives the developer a bit more control over which executables they can run from their profile.
- Copy the following XML into a new file named Developer.xml:
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Audit Mode</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Advanced Boot Options Menu</Option>
    </Rule>
    <Rule>
      <Option>Required:Enforce Store Applications</Option>
    </Rule>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>
    <Rule>
      <Option>Disabled:Runtime FilePath Rule Protection</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Intelligent Security Graph Authorization</Option>
    </Rule>
  </Rules>
  <!--EKUS-->
  <EKUs />
  <!--File Rules-->
  <FileRules>
    <Allow ID="ID_ALLOW_A_5" FriendlyName="%OSDRIVE%\Users\* FileRule" MinimumFileVersion="0.0.0.0" FilePath="%OSDRIVE%\Users\*" />
  </FileRules>
  <!--Signers-->
  <Signers />
  <!--Driver Signing Scenarios-->
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 01-03-2023">
      <ProductSigners />
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 01-03-2023">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_A_5" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
  <HvciOptions>0</HvciOptions>
  <Settings>
    <Setting Provider="PolicyInfo" Key="Information" ValueName="Name">
      <Value>
        <String>Supplemental - Developer Mode</String>
      </Value>
    </Setting>
  </Settings>
  <BasePolicyID>{00000000-0000-0000-0000-000000000000}</BasePolicyID>
  <PolicyID>{00000000-0000-0000-0000-000000000000}</PolicyID>
</SiPolicy>
- Ensure you replace the BasePolicyID with the PolicyID from the DefaultWindows_Enforced.xml file
- Give this file a unique PolicyID GUID
- Convert the file to a binary .p7b file with the following PowerShell command:
ConvertFrom-CIPolicy -XmlFilePath Developer.xml -BinaryFilePath Developer.p7b
- Create an EntraID group called "WDAC Users - Developers", and add your developers to this group
- Create a new custom policy in Intune named "WDAC - Developers"
- Add a new OMA-URI:
  - Name: Base Policy
  - OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/<PolicyID>/Policy
  - Data type: Base64 (file)
  - Upload the file Developer.p7b
💡 Replace <PolicyID> with the PolicyID from the Developer.xml file
- Assign the policy to the group "WDAC Users - Developers"
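The ID housekeeping, conversion and OMA-URI steps above, carried out in one PowerShell script. This is an added example and is not code from the original post. It assumes the three files live in a hypothetical C:\WDAC folder, and it assumes that the ApplicationControl CSP node name is the PolicyID GUID without braces (the braces are stripped for that reason). It also lists the FilePath allow rules so the scope of the unsigned-code exception is reviewed before the policy is converted.

```powershell
# Added example (not from the original post). Paths are assumptions for this script.
$BasePolicyXml = 'C:\WDAC\DefaultWindows_Enforced.xml'   # assumed location of the base policy
$DevPolicyXml  = 'C:\WDAC\Developer.xml'                 # assumed location of the XML above
$DevPolicyBin  = 'C:\WDAC\Developer.p7b'                 # assumed output path

# The supplemental policy's BasePolicyID must equal the base policy's PolicyID.
[xml]$base = Get-Content -Path $BasePolicyXml -Raw
$basePolicyId = $base.SiPolicy.PolicyID
if ([string]::IsNullOrWhiteSpace($basePolicyId)) {
    throw "$BasePolicyXml has no PolicyID element; it is not a multiple-policy-format base policy"
}

# Load the supplemental policy and give it its own, unique PolicyID.
[xml]$dev = Get-Content -Path $DevPolicyXml -Raw
$newPolicyId = '{' + [guid]::NewGuid().ToString().ToUpperInvariant() + '}'
$dev.SiPolicy.PolicyID     = $newPolicyId
$dev.SiPolicy.BasePolicyID = $basePolicyId

# Refuse to continue on the mistakes that make the policy fail to load or
# supplement the wrong base policy.
$zeroGuid = '{00000000-0000-0000-0000-000000000000}'
if ($dev.SiPolicy.PolicyType -ne 'Supplemental Policy') {
    throw "$DevPolicyXml is not marked as a supplemental policy"
}
if ($dev.SiPolicy.PolicyID -eq $zeroGuid -or $dev.SiPolicy.BasePolicyID -eq $zeroGuid) {
    throw 'PolicyID or BasePolicyID is still the all-zero placeholder'
}
if ($dev.SiPolicy.PolicyID -eq $dev.SiPolicy.BasePolicyID) {
    throw 'PolicyID must differ from BasePolicyID'
}

# Print every path this policy allows unsigned code from, so the size of the
# exception is visible before it ships.
foreach ($rule in $dev.SiPolicy.FileRules.Allow) {
    Write-Host ("Allow rule {0}: {1}" -f $rule.ID, $rule.FilePath)
}

$dev.Save($DevPolicyXml)

# Same conversion step as in the guide.
ConvertFrom-CIPolicy -XmlFilePath $DevPolicyXml -BinaryFilePath $DevPolicyBin

# OMA-URI for the Intune custom policy. Assumption: the CSP node is the bare GUID,
# so the braces are removed.
$guidNoBraces = $newPolicyId.Trim('{', '}')
Write-Host "OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/$guidNoBraces/Policy"
```

The ConfigCI module's Set-CIPolicyIdInfo cmdlet (with -ResetPolicyID and -BasePolicyToSupplementPath) performs the same ID housekeeping; the explicit XML edit is used here so the placeholder and mismatch checks stay visible in the script.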