Windows Defender Application Control (WDAC) Implementation - Part 5: Developer Support

Part 5 in a guide to setting up Windows Defender Application Control (WDAC)

In the organisation I work in, we do not have a PKI to support code signing. If you have a PKI, you should use it to add a code signing step to your compilation process. The approach described here is an "if all you have is a hammer, everything looks like a nail" approach, and it will introduce a security hole into your environment.

This policy allows developers to run unsigned code from their user profile, which gives the developer a bit more control over which executables they can run there.
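As an added example (not part of the original post), the following PowerShell lists the executables under user profiles that WDAC has blocked (event 3077) or would have blocked in audit mode (event 3076) on a device. Run it on machines that do not yet have the developer policy assigned to see who actually needs the exception and what they are running from their profile. The log name and event IDs are the standard CodeIntegrity ones; the 7-day window and the regex over the event message text are assumptions.

```powershell
# Added example, not from the original post.
# Lists CodeIntegrity events for files under \Users\ so you can see what the
# %OSDRIVE%\Users\* rule in Developer.xml would be letting through.
# Assumptions: a 7-day window, and the "attempted to load <path> that did not
# meet" wording of the 3076/3077 event message.
$since = (Get-Date).AddDays(-7)
$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077          # 3076 = audit (would block), 3077 = blocked
    StartTime = $since
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\Users\\' } |
    ForEach-Object {
        # Pull the loaded image path out of the message text (assumed format).
        $file = if ($_.Message -match 'attempted to load (?<path>.+?) that did not meet') {
            $Matches['path']
        } else {
            $_.Message
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = if ($_.Id -eq 3076) { 'Audit (would block)' } else { 'Blocked' }
            File    = $file
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Running this from an elevated prompt is needed to read the CodeIntegrity operational log on most builds. Once the developer policy is assigned, the same query on a developer's machine should stop showing blocks for paths under \Users\; if it still does, the supplemental policy is not active (check its BasePolicyID matches the enforced base policy).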

  • Copy the following XML into a new file named Developer.xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Audit Mode</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Advanced Boot Options Menu</Option>
    </Rule>
    <Rule>
      <Option>Required:Enforce Store Applications</Option>
    </Rule>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>
    <Rule>
      <Option>Disabled:Runtime FilePath Rule Protection</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Intelligent Security Graph Authorization</Option>
    </Rule>
  </Rules>
  <!--EKUS-->
  <EKUs />
  <!--File Rules-->
  <FileRules>
    <Allow ID="ID_ALLOW_A_5" FriendlyName="%OSDRIVE%\Users\* FileRule" MinimumFileVersion="0.0.0.0" FilePath="%OSDRIVE%\Users\*" />
  </FileRules>
  <!--Signers-->
  <Signers />
  <!--Driver Signing Scenarios-->
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 01-03-2023">
      <ProductSigners />
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 01-03-2023">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_A_5" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
  <HvciOptions>0</HvciOptions>
  <Settings>
    <Setting Provider="PolicyInfo" Key="Information" ValueName="Name">
      <Value>
        <String>Supplemental - Developer Mode</String>
      </Value>
    </Setting>
  </Settings>
  <BasePolicyID>{00000000-0000-0000-0000-000000000000}</BasePolicyID>
  <PolicyID>{00000000-0000-0000-0000-000000000000}</PolicyID>
</SiPolicy>
  • Ensure you replace the BasePolicyID with the PolicyID from the DefaultWindows_Enforced.xml file
  • Give this file a unique PolicyID GUID
  • Convert the file to a binary .p7b file with the following PowerShell command:
ConvertFrom-CIPolicy -XmlFilePath Developer.xml -BinaryFilePath Developer.p7b
  • Create an EntraID group called "WDAC Users - Developers", and add your developers to this group
  • Create a new custom policy in Intune named "WDAC - Developers"
  • Add a new OMA-URI:
    • Name: Base Policy
    • OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/<PolicyID>/Policy
    • Data type: Base64 (file)
    • Upload the file Developer.p7b
💡 Replace <PolicyID> with the PolicyID from the Developer.xml file
  • Assign the policy to the group "WDAC Users - Developers"
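The ID fix-up, conversion and OMA-URI steps above can be scripted so that the BasePolicyID is copied rather than typed and the supplemental policy always gets a fresh GUID. The following is an added example, not the post's own script: it assumes Developer.xml and DefaultWindows_Enforced.xml are in the current directory, uses the ConfigCI cmdlets Set-CIPolicyIdInfo and ConvertFrom-CIPolicy, and writes the GUID into the OMA-URI without braces (the ApplicationControl CSP examples use the bare GUID).

```powershell
# Added example, not from the original post.
# Sets BasePolicyID from the enforced base policy, resets the supplemental
# PolicyID to a new GUID, converts to .p7b and prints the Intune OMA-URI.
# File names come from the post; everything else is an assumption.
$BasePolicyXml   = '.\DefaultWindows_Enforced.xml'
$SupplementalXml = '.\Developer.xml'
$BinaryPath      = '.\Developer.p7b'

# The supplemental policy's BasePolicyID must match the base policy's PolicyID exactly.
[xml]$base = Get-Content -Path $BasePolicyXml -Raw
$basePolicyId = $base.SiPolicy.PolicyID

# -BasePolicyToSupplementPath copies that ID into BasePolicyID;
# -ResetPolicyID generates a new, unique PolicyID for Developer.xml.
Set-CIPolicyIdInfo -FilePath $SupplementalXml -ResetPolicyID -BasePolicyToSupplementPath $BasePolicyXml

# Sanity-check the result before converting; a mismatch here means the
# supplemental policy will simply be ignored by the base policy.
[xml]$dev = Get-Content -Path $SupplementalXml -Raw
$devPolicyId = $dev.SiPolicy.PolicyID
if ($dev.SiPolicy.BasePolicyID -ne $basePolicyId) {
    throw "BasePolicyID in $SupplementalXml does not match PolicyID in $BasePolicyXml"
}
if ($devPolicyId -eq $basePolicyId -or $devPolicyId -eq '{00000000-0000-0000-0000-000000000000}') {
    throw "PolicyID in $SupplementalXml was not reset to a unique GUID"
}

# Convert to the binary form that the Intune custom policy uploads.
ConvertFrom-CIPolicy -XmlFilePath $SupplementalXml -BinaryFilePath $BinaryPath

# The CSP node is the bare GUID, so strip the braces the XML carries.
$omaUri = "./Vendor/MSFT/ApplicationControl/Policies/$($devPolicyId.Trim('{}'))/Policy"
Write-Host "Upload $BinaryPath to the OMA-URI: $omaUri"
```

Run it in an elevated PowerShell on a machine that has the ConfigCI module (any supported Windows 10/11 build). Keep the regenerated Developer.xml under source control alongside the .p7b: the PolicyID it now carries is what you will need again when you update or remove the policy in Intune.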