Skip to content

WDAC for Fully Managed Devices

Violet edited this page Mar 2, 2024 · 29 revisions

WDAC policy for Fully Managed device - Variant 1

Base policy type Method used Signed Protection score 1-5
Allow Microsoft / Default Windows WDACConfig module No 4

horizontal super thin rainbow RGB line

Video Guide

WDAC policy for Fully Managed device - Variant 1 YouTube Guide


  • This variant helps you create and deploy a WDAC policy for fully managed device using only Event Viewer audit logs.

  • This scenario includes using explicit Allow rules for files and certificates/signers, anything not allowed by the policies we are going to make are automatically denied/blocked.


horizontal super thin rainbow RGB line

Prepare a Virtual Machine

Install Hyper-V role from optional Windows features if you haven't already.

Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All -norestart

Download the latest Windows .ISO file from Microsoft website, create a new VM with it, install Windows and log in. Fully update Windows and then restart to apply the updates. You can create a Hyper-V checkpoint at this point so that you can return back to this clean state later on if you need to.


horizontal super thin rainbow RGB line

Prepare a Base policy

There are 2 types of base policies you can choose from.

  1. Allow Microsoft: Allows only files and apps that are signed by Microsoft's trusted root certificates.

  2. Default Windows: Allows only files and apps that come pre-installed by Windows.


Deploy the Allow Microsoft Prep mode base policy

New-WDACConfig -PrepMSFTOnlyAudit -LogSize 10MB -Deploy

Deploy the Default Windows Prep mode base policy

New-WDACConfig -PrepDefaultWindowsAudit -LogSize 10MB -Deploy

Depending on whichever of the option you choose, it deploys the base policy in audit mode. No reboot required.


horizontal super thin rainbow RGB line

Generate Audit Event Logs on the System

Install all of the programs that you want to allow in the WDAC policy, on the VM. These are the programs that you want to allow to run and be installed on the target system once you've deployed the WDAC policy.

  • Installing or running 3rd party non-Microsoft programs, while Allow Microsoft policy in Audit mode is deployed on the VM, generates event logs for each of the programs and their files.

  • Installing or running any program that doesn't come pre-installed by default with Windows, while Default Windows policy in Audit mode is deployed on the VM, generates event logs for each of the programs and their files.

These event logs are exactly what we need to identify and create Allow rules for the detected files.

Only files that are executed during Prep mode phase generate event logs, so by simply installing a program using its installer, we can't trigger event log generation for each of the components and executables that each program has. So, after installing the programs, run them, use them a bit as you normally would so that all of the programs' components are executed and event logs generated for them.


horizontal super thin rainbow RGB line

Generate Supplemental Policy From the Audit Event Logs

If you chose the Allow Microsoft path

New-WDACConfig -MakePolicyFromAuditLogs -BasePolicyType 'Allow Microsoft Base' -NoDeletedFiles

If you chose the Default Windows path

New-WDACConfig -MakePolicyFromAuditLogs -BasePolicyType 'Default Windows Base' -NoDeletedFiles

If you use the -Deploy optional switch parameter with the commands above, 3 things will automatically happen:

  1. The deployed Prep mode base policy will be removed.
  2. The actual base policy will be deployed depending on whichever you choose.
  3. The Supplemental policy generated from Audit logs will be deployed.

If you don't use the -Deploy switch, you can deploy the .cip binary files manually using CITool.

More info on deployment

Information about how to Sign and Deploy a Signed WDAC policy.


horizontal super thin rainbow RGB line
flowchart TD
    A(Deploy Allow Microsoft base policy) -->B(Start running your programs)
    B --> C[An App is getting blocked?]
    C --> D[Is it a normal app?]
    D --> E[Create Supplemental policy based on App's directory]
    E --> F[New-SupplementalWDACConfig -Normal]
    E --> G[Edit-WDACConfig -AllowNewApps]
    C --> H[Is it a game Installed using Xbox app?]
    H --> I[Is it an app that installs drivers outside app's directory?]
    I --> J[Use Event viewer logs + game/app's directory scan]
    J --> K[Edit-WDACConfig -AllowNewAppsAuditEvents]
    C --> L[Want to allow an entire folder?]
    L --> M[Use folder path with one or more Wildcards]
    M --> N[New-SupplementalWDACConfig -FilePathWildCards]

horizontal super thin rainbow RGB line
flowchart TD
    A(Deploy Default Windows base policy) -->B(Identify Important apps that need Supplemental policy)
    B --> C(Create and Deploy Supplemental policies for them)
    C --> D[Another App is getting blocked?]
    D --> E[Is it a normal app?]
    E --> F[Create Supplemental policy based on App's directory]
    D --> G[Is it a game Installed using Xbox app?]
    G --> H[Is it an app that installs drivers outside app's directory?]
    H --> I[Use Event viewer logs + game/app's directory scan]
    I --> J[Edit-WDACConfig -AllowNewAppsAuditEvents]
    D --> L[Want to allow an entire folder?]
    L --> M[Use folder path with one or more Wildcards]
    M --> N[New-SupplementalWDACConfig -FilePathWildCards]
    F --> O[Edit-WDACConfig -AllowNewApps]
    F --> Q[New-SupplementalWDACConfig -Normal]







Clone this wiki locally