WDACConfig

0.1.2

WDACConfig.psd1

                                #

# Module manifest for module 'WDACConfig'

#

# Generated by: HotCakeX

#

# Generated on: 4/2/2023

#

@{

    # Script module or binary module file associated with this manifest.

    # RootModule = ""

    # Version number of this module.

    ModuleVersion        = '0.1.2'

    # Supported PSEditions

    CompatiblePSEditions = @("Core")

    # ID used to uniquely identify this module

    GUID                 = '79920947-efb5-48c1-a567-5b02ebe74793'

    # Author of this module

    Author               = 'HotCakeX'

    # Company or vendor of this module

    CompanyName          = 'SpyNetGirl'

    # Copyright statement for this module

    Copyright            = '(c) 2023'

    # Description of the functionality provided by this module

    Description          = @"

This is an advanced PowerShell module for WDAC (Windows Defender Application Control) and automates a lot of tasks.

🟢 Please see the GitHub page for Full details and everything about the module: https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig

🛡️ Here is the list of parameters the module supports

✔️ New-WDACConfig [-GetBlockRules]

✔️ New-WDACConfig [-GetDriverBlockRules]

✔️ New-WDACConfig [-MakeAllowMSFTWithBlockRules] [-Deployit] [-TestMode] [-RequireEVSigners]

✔️ New-WDACConfig [-DeployLatestDriverBlockRules]

✔️ New-WDACConfig [-SetAutoUpdateDriverBlockRules]

✔️ New-WDACConfig [-PrepMSFTOnlyAudit] [-LogSize <Int64>]

✔️ New-WDACConfig [-PrepDefaultWindowsAudit] [-LogSize <Int64>]

✔️ New-WDACConfig [-MakePolicyFromAuditLogs] -BasePolicyType <String> [-Deployit] [-TestMode] [-RequireEVSigners] [-Debugmode] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>] [-NoDeletedFiles] [-NoUserPEs] [-NoScript] [-Levels <String>] [-Fallbacks <String[]>] [-LogSize <Int64>]

✔️ New-WDACConfig [-MakeLightPolicy] [-Deployit] [-TestMode] [-RequireEVSigners]

✔️ New-WDACConfig [-MakeSupplementalPolicy] -ScanLocation <String> -SuppPolicyName <String> -PolicyPath <String> [-Deployit] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>] [-NoUserPEs] [-NoScript] [-Levels <String>] [-Fallbacks <String[]>]

✔️ New-WDACConfig [-MakeDefaultWindowsWithBlockRules] [-Deployit] [-TestMode] [-RequireEVSigners]

✔️ Remove-WDACConfig [-RemoveSignedPolicies] -PolicyPaths <String[]> -CertCN <String> [-SignToolPath <String>] 

✔️ Remove-WDACConfig [-RemovePolicies] [-PolicyIDs <String[]>] [-PolicyNames <String[]>]

✔️ Edit-WDACConfig [-AllowNewAppsAuditEvents] -SuppPolicyName <String> -PolicyPaths <String[]> [-Debugmode] [-Levels <String>] [-Fallbacks <String[]>] [-NoScript] [-NoUserPEs] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>] [-LogSize <Int64>] [-IncludeDeletedFiles]

✔️ Edit-WDACConfig [-AllowNewApps] -SuppPolicyName <String> -PolicyPaths <String[]> [-Levels <String>] [-Fallbacks <String[]>] [-NoScript] [-NoUserPEs] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>]    

✔️ Edit-WDACConfig [-MergeSupplementalPolicies] -SuppPolicyName <String> -PolicyPaths <String[]> -SuppPolicyPaths <String[]>

✔️ Edit-WDACConfig [-UpdateBasePolicy] -CurrentBasePolicyName <String[]> -NewBasePolicyType <String> [-RequireEVSigners]

✔️ Edit-SignedWDACConfig [-AllowNewAppsAuditEvents] -CertPath <String> -SuppPolicyName <String> -PolicyPaths <String[]> -CertCN <String> [-Debugmode] [-LogSize <Int64>] [-NoScript] [-NoUserPEs] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>] [-IncludeDeletedFiles] [-SignToolPath <String>] [-Levels <String>] [-Fallbacks <String[]>]

✔️ Edit-SignedWDACConfig [-AllowNewApps] -CertPath <String> -SuppPolicyName <String> -PolicyPaths <String[]> -CertCN <String> [-NoScript] [-NoUserPEs] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>] [-SignToolPath <String>] [-Levels <String>] [-Fallbacks <String[]>]

✔️ Edit-SignedWDACConfig [-MergeSupplementalPolicies] -CertPath <String> -SuppPolicyName <String> -PolicyPaths <String[]> -CertCN <String> -SuppPolicyPaths <String[]> [-SignToolPath <String>]

✔️ Edit-SignedWDACConfig [-UpdateBasePolicy] -CertPath <String> -CertCN <String> -SignToolPath <String> -CurrentBasePolicyName <String[]> -NewBasePolicyType <String> [-RequireEVSigners]

✔️ Deploy-SignedWDACConfig -CertPath <String> -PolicyPaths <String[]> -CertCN <String> [-SignToolPath <String>]

✔️ Confirm-WDACConfig [-ListActivePolicies] [-OnlyBasePolicies] [-OnlySupplementalPolicies]

✔️ Confirm-WDACConfig [-VerifyWDACStatus]

✔️ Confirm-WDACConfig [-CheckSmartAppControlStatus]

To get help and syntax on PowerShell console, type:

"Get-Command -Module WDACConfig"

"Get-Help New-WDACConfig"

"Get-Help Remove-WDACConfig"

"Get-Help Edit-WDACConfig"

"Get-Help Edit-SignedWDACConfig"

"Get-Help Deploy-SignedWDACConfig"

"Get-Help Confirm-WDACConfig"

"@

    # Minimum version of the PowerShell engine required by this module

    PowerShellVersion    = '7.3.4'

    # Name of the PowerShell host required by this module

    # PowerShellHostName = ''

    # Minimum version of the PowerShell host required by this module

    # PowerShellHostVersion = ''

    # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.

    # DotNetFrameworkVersion = ''

    # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.

    # ClrVersion = ''

    # Processor architecture (None, X86, Amd64) required by this module

    # ProcessorArchitecture = ''

    # Modules that must be imported into the global environment prior to importing this module

    # RequiredModules = @()

    # Assemblies that must be loaded prior to importing this module

    # RequiredAssemblies = @()

    # Script files (.ps1) that are run in the caller's environment prior to importing this module.

    # ScriptsToProcess = @()

    # Type files (.ps1xml) to be loaded when importing this module

    # TypesToProcess = @()

    # Format files (.ps1xml) to be loaded when importing this module

    # FormatsToProcess = @()

    # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess

    NestedModules        = @("New-WDACConfig.psm1", "Remove-WDACConfig.psm1", "Deploy-SignedWDACConfig.psm1", "Confirm-WDACConfig.psm1", "Edit-WDACConfig.psm1", "Edit-SignedWDACConfig.psm1")

    # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.

    FunctionsToExport    = @("New-WDACConfig", "Remove-WDACConfig", "Deploy-SignedWDACConfig", "Confirm-WDACConfig", "Edit-WDACConfig", "Edit-SignedWDACConfig")

    # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.

    CmdletsToExport      = @("New-WDACConfig", "Remove-WDACConfig", "Deploy-SignedWDACConfig", "Confirm-WDACConfig", "Edit-WDACConfig", "Edit-SignedWDACConfig")

    # Variables to export from this module

    VariablesToExport    = '*'

    # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.

    AliasesToExport      = @()

    # DSC resources to export from this module

    # DscResourcesToExport = @()

    # List of all modules packaged with this module

    # ModuleList = @()

    # List of all files packaged with this module

    FileList             = @('WDACConfig.psd1', 'New-WDACConfig.psm1', 'Deploy-SignedWDACConfig.psm1', 'Remove-WDACConfig.psm1', "Confirm-WDACConfig.psm1", "Edit-WDACConfig.psm1", "Edit-SignedWDACConfig.psm1", "Resources.ps1")

    # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.

    PrivateData          = @{

        PSData = @{

            # Tags applied to this module. These help with module discovery in online galleries.

            Tags         = @('WDAC', 'Windows-Defender-Application-Control', 'Windows', 'Security', 'Microsoft', 'Application-Control', 'MDAC', 'Application-Whitelisting')

            # A URL to the license for this module.

            LicenseUri   = 'https://github.com/HotCakeX/Harden-Windows-Security/blob/main/LICENSE'

            # A URL to the main website for this project.

            ProjectUri   = 'https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig'

            # A URL to an icon representing this module.

            IconUri      = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/WDACConfig/icon.png'

            # ReleaseNotes of this module

            ReleaseNotes = @"

## Version 0.1.2

Made the Get-SignTool function more secure.

Added smarter argument completer to Remove-WDACConfig cmdlet.

## Version 0.1.1

Created a Resources.ps1 file to store repeated functions that are used in all sub-modules, resulting in reduced repeated codes. It is dot-sourced at the beginning of each sub-module and function calls are dot-sourced too.

Started using #Requires -RunAsAdministrator instead of a function to check for Admin privileges, also resulting in reduced repeated codes.

Bumped PowerShell required version to 7.3.4 since it has some fixed for ConfigCI module cmdlets that the WDACConfig module relies on.

Improved the Edit-WDACConfig -AllowNewAppsAuditEvents so that it can now produce a more effective supplemental policy. Also going forward, it won't include deleted files by default, unless the newly introduced -IncludeDeletedFiles switch is used. Deleted files are files that are run and then deleted during a program's installation but event viewer audit logs will have their records.

To improve readability and code validation, added lots of meaningful comments to many commands, functions and script blocks.

Removed "Dekstop" from CompatiblePSEditions in the module manifest since WDACConfig module needs PowerShell and not Windows PowerShell (old).

Removed #requires -version from the top of each sub-module since it's enough for version control to be enforced using module manifest only.

Added extra validation to Edit-SignedWDACConfig cmdlet to prevent user from accidentally using Unsigned policies.

Added extra validation to Edit-WDACConfig cmdlet to prevent user from accidentally using Signed policies.

Changed Valid range for log size parameter from [System.Int64]::MaxValue (9223372036854775807 KB) to 18014398509481983 KB which is the maximum allowed log size by Windows Event viewer

Edit-SignedWDACConfig -AllowNewAppsAuditEvents and Edit-WDACConfig -AllowNewAppsAuditEvents no longer include file rules for deleted file hashes by default, unless -IncludeDeletedFiles optional switch parameter is used.

Edit-SignedWDACConfig -AllowNewAppsAuditEvents and Edit-WDACConfig -AllowNewAppsAuditEvents got smarter. They now can successfully detect and only create extra rules for files that are not in the user-selected paths.

Edit-SignedWDACConfig cmdlet and Edit-WDACConfig got equiped with multiple new optional parameters that were added to New-WDACConfig cmdlet in the previous update. Those parameters include: -NoUserPEs, -NoScript, -AllowFileNameFallbacks and -SpecificFileNameLevel.

Added Validations to parameters to validate folder paths and file paths.

Made multiple argument completers and validate sets more advanced. They no longer suggest the same values that have been selected by user. Thanks to helpful answers by mklement0 on StackOverflow: https://stackoverflow.com/users/45375/mklement0

https://stackoverflow.com/questions/76143006/how-to-prevent-powershell-validateset-argument-completer-from-suggesting-the-sam/76143269

https://stackoverflow.com/questions/76141864/how-to-make-a-powershell-argument-completer-that-only-suggests-files-not-already/76142865

Added 5-way validation for the SignTool executable before it is allowed to be executed.

Substantially improved the security of the script.

## Version 0.1.0

New features: Added new parameter to New-WDACConfig cmdlet, -PrepDefaultWindowsAudit, which as the name suggests, will prepare the system for Default Windows auditing,

it will create audit logs for any file that is run and is not part of the Windows, unlike -PrepMSFTOnlyAudit parameter that creates audit logs for any file that is not signed,

by Microsoft's trusted root certificate. The -PrepDefaultWindowsAudit parameter also scans the WDACConfig module files and PowerShell core files, adds them to the Prep base policy,

so that the final Supplemental policy generated from Event viewer audit logs, won't include those files.

New features: Added more control over the workflow of -MakePolicyFromAuditLogs and -MakeSupplementalPolicy parameters. They now accept multiple new parameters to fine tune the supplemental policy.

Quality improvements: The default level in the module is FilePublisher now, previously it was SignedVersion. The default Fallbacks have also changed from "FilePublisher, Hash" to "Hash" only.

This change contributes to more secure policy creation, although these defaults can be overwritten by user via available parameters.

Quality improvements: Removed the question asked from the user at the end of the -MakePolicyFromAuditLogs parameter about deleting the deployed Prep Audit mode policy.

It will now be automatically deleted when -Deployit switch parameter is used, Otherwise the Prep audit mode policy will stay on the system.

Added -NoDeletedFiles switch parameter to -MakePolicyFromAuditLogs, When used, only event viewer log data will be scanned and used in the final supplemental policy, and no rules will be created for files

that were run but then deleted during program installation.

## Version 0.0.9

Very small update only to change the description of the PowerShell gallery's page and fix the details, nothing code related.

## Version 0.0.8

New features: Added the last base policy type, DefaultWindows, to the available base policy options to be used for the cmdlets of this module.

New features: Added -UpdateBasePolicy parameter for the Edit-SignedWDACConfig cmdlet, so you can seamlessly change the base policy type or update block rules in it without changing or redeploying supplemental policies.

All cmdlets and parameters that create a supplemental policy by scanning now allow optional granular controls over levels and fallback levels, giving user full control over that process.

Removed underscore (_) from parameter names and now using camel case for all of them.

Changed parameter set names from generic Set1,Set2 etc. to proper names that can easily identify which parameter they belong to.

Added [-OnlyBasePolicies] and [-OnlySupplementalPolicies] switches to "Confirm-WDACConfig [-ListActivePolicies]".

The module now has a total of 24 distinct parameters/features to help easily manage advanced WDAC and Application Whitelisting tasks.

## Version 0.0.7

New feature: Edit-WDACConfig -UpdateBasePolicy It can rebootlessly change the type of the deployed base policy. It can update the recommended block rules and/or change policy rule options in the deployed base policy.

Used Begin and Process blocks in module functions to organize everything properly. Added a lot of parameter validations.

## Version 0.0.6

New feature: Confirm-WDACConfig -CheckSmartAppControlStatus.

Checks the status of Smart App Control and reports the results on the console.

Improved Confirm-WDACConfig -ListActivePolicies by showing the number of deployed non-system WDAC policies and base policies on the console.

## Version 0.0.5

New feature: Edit-SignedWDACConfig -Merge_SupplementalPolicies. It can merge multiple deployed Signed supplemental policies into 1 and deploy it, remove the individual ones, all happening automatically.

Very useful to keep Supplemental policies below 32 since that's the limit.

## Version 0.0.4

New feature: Merge multiple deployed Supplemental policies into 1 and deploy it, remove the individual ones, all happening automatically. Very useful to keep Supplemental policies below 32 since that's the limit.

## Version 0.0.3

Completed self-updating feature. Changed icon, added syntaxes.

## Version 0.0.2

Testing self updating procedure with the new PowerShell gallery repo

## Version 0.0.1 

Renamed the previous repository in order to comply with proper nested modules and improve the readability and mangement of the module.

Added 2 new features too, rebootlessly add new apps to non-signed deployed WDAC policies. You could do it with Signed policies, now you can do the same with non-signed policies.

"@

            # Prerelease string of this module

            # Prerelease = ''

            # Flag to indicate whether the module requires explicit user acceptance for install/update/save

            # RequireLicenseAcceptance = $false

            # External dependent modules of this module

            # ExternalModuleDependencies = @()

        } # End of PSData hashtable

    } # End of PrivateData hashtable

    # HelpInfo URI of this module

    HelpInfoURI          = 'https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig'

    # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.

    # DefaultCommandPrefix = ''

}