Skip to content

Commit

Permalink
Added a lot more verbose messages
Browse files Browse the repository at this point in the history
  • Loading branch information
@HotCakeX
HotCakeX committed Dec 11, 2023
1 parent c821afb commit 6a895e7
Show file tree
Hide file tree
Showing 2 changed files with 134 additions and 29 deletions.
8 changes: 6 additions & 2 deletions WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1243,10 +1243,14 @@ CiTool --update-policy "$((Get-Location).Path)\EnforcedMode.cip" -json; Remove-I
Write-Verbose -Message 'Removing the signed base policy CIP file after deployment'
Remove-Item -Path ".\$CurrentID.cip" -Force

Write-Verbose -Message 'Making sure a policy file with the same name as the current base policy does not exist in the current working directory'
Remove-Item -Path $PolicyFiles[$NewBasePolicyType] -Force -ErrorAction SilentlyContinue
Rename-Item -Path '.\BasePolicy.xml' -NewName $PolicyFiles[$NewBasePolicyType]

Write-Verbose -Message 'Renaming the base policy XML file to match the new base policy type'
Rename-Item -Path '.\BasePolicy.xml' -NewName $PolicyFiles[$NewBasePolicyType] -Force

Write-ColorfulText -Color Pink -InputText "Base Policy has been successfully updated to $NewBasePolicyType"
Write-ColorfulText -Color Lavender -InputText 'Keep in mind that your previous policy path saved in User Configurations is no longer valid as you just changed your Base policy.'
Write-ColorfulText -Color Lavender -InputText 'Keep in mind that your previous policy path saved in User Configurations (if any) is no longer valid as you just changed your Base policy.'
}
}

Expand Down
155 changes: 128 additions & 27 deletions WDACConfig/WDACConfig Module Files/Core/Edit-WDACConfig.psm1
View file
Original file line number Diff line number Diff line change
Expand Up @@ -828,114 +828,215 @@ CiTool --update-policy "$((Get-Location).Path)\EnforcedMode.cip" -json; Remove-I

if ($MergeSupplementalPolicies) {
foreach ($PolicyPath in $PolicyPaths) {
############ Input policy verification prior to doing anything ############

#Region Input-policy-verification
Write-Verbose -Message 'Verifying the input policy files'
foreach ($SuppPolicyPath in $SuppPolicyPaths) {

Write-Verbose -Message "Getting policy ID and type of: $SuppPolicyPath"
$Supplementalxml = [System.Xml.XmlDocument](Get-Content -Path $SuppPolicyPath)
$SupplementalPolicyID = $Supplementalxml.SiPolicy.PolicyID
$SupplementalPolicyType = $Supplementalxml.SiPolicy.PolicyType
$DeployedPoliciesIDs = (&'C:\Windows\System32\CiTool.exe' -lp -json | ConvertFrom-Json).Policies.PolicyID | ForEach-Object -Process { return "{$_}" }
[System.String]$SupplementalPolicyID = $Supplementalxml.SiPolicy.PolicyID
[System.String]$SupplementalPolicyType = $Supplementalxml.SiPolicy.PolicyType

Write-Verbose -Message 'Getting the IDs of the currently deployed policies on the system'
[System.String[]]$DeployedPoliciesIDs = (&'C:\Windows\System32\CiTool.exe' -lp -json | ConvertFrom-Json).Policies.PolicyID | ForEach-Object -Process { return "{$_}" }

# Check the type of the user selected Supplemental policy XML files to make sure they are indeed Supplemental policies
Write-Verbose -Message 'Checking the type of the policy'
if ($SupplementalPolicyType -ne 'Supplemental Policy') {
Write-Error -Message "The Selected XML file with GUID $SupplementalPolicyID isn't a Supplemental Policy."
Throw "The Selected XML file with GUID $SupplementalPolicyID isn't a Supplemental Policy."
}

# Check to make sure the user selected Supplemental policy XML files are deployed on the system
Write-Verbose -Message 'Checking the deployment status of the policy'
if ($DeployedPoliciesIDs -notcontains $SupplementalPolicyID) {
Write-Error -Message "The Selected Supplemental XML file with GUID $SupplementalPolicyID isn't deployed on the system."
Throw "The Selected Supplemental XML file with GUID $SupplementalPolicyID isn't deployed on the system."
}
}
# Perform the merge
}
#Endregion Input-policy-verification

Write-Verbose -Message 'Merging the Supplemental policies into a single policy file'
Merge-CIPolicy -PolicyPaths $SuppPolicyPaths -OutputFilePath "$SuppPolicyName.xml" | Out-Null
# Delete the deployed Supplemental policies that user selected from the system because we're going to deploy the new merged policy that contains all of them

# Remove the deployed Supplemental policies that user selected from the system, because we're going to deploy the new merged policy that contains all of them
Write-Verbose -Message 'Removing the deployed Supplemental policies that user selected from the system'
foreach ($SuppPolicyPath in $SuppPolicyPaths) {

# Get the policy ID of the currently selected Supplemental policy
$Supplementalxml = [System.Xml.XmlDocument](Get-Content -Path $SuppPolicyPath)
$SupplementalPolicyID = $Supplementalxml.SiPolicy.PolicyID
[System.String]$SupplementalPolicyID = $Supplementalxml.SiPolicy.PolicyID

Write-Verbose -Message "Removing policy with ID: $SupplementalPolicyID"
&'C:\Windows\System32\CiTool.exe' --remove-policy $SupplementalPolicyID -json | Out-Null

# remove the old policy files unless user chose to keep them
if (!$KeepOldSupplementalPolicies) { Remove-Item -Path $SuppPolicyPath -Force }
if (!$KeepOldSupplementalPolicies) {
Write-Verbose -Message "Removing the old policy file: $SuppPolicyPath"
Remove-Item -Path $SuppPolicyPath -Force
}
}
# Prepare the final merged Supplemental policy for deployment

Write-Verbose -Message 'Preparing the final merged Supplemental policy for deployment'
Write-Verbose -Message 'Converting the policy to a Supplemental policy type and resetting its ID'
$SuppPolicyID = Set-CIPolicyIdInfo -FilePath "$SuppPolicyName.xml" -ResetPolicyID -PolicyName "$SuppPolicyName - $(Get-Date -Format 'MM-dd-yyyy')" -BasePolicyToSupplementPath $PolicyPath
$SuppPolicyID = $SuppPolicyID.Substring(11)

Write-Verbose -Message 'Setting HVCI to Strict'
Set-HVCIOptions -Strict -FilePath "$SuppPolicyName.xml"

Write-Verbose -Message 'Converting the Supplemental policy to a CIP file'
ConvertFrom-CIPolicy -XmlFilePath "$SuppPolicyName.xml" -BinaryFilePath "$SuppPolicyID.cip" | Out-Null

Write-Verbose -Message 'Deploying the Supplemental policy'
&'C:\Windows\System32\CiTool.exe' --update-policy "$SuppPolicyID.cip" -json | Out-Null

Write-ColorfulText -Color TeaGreen -InputText "The Supplemental policy $SuppPolicyName has been deployed on the system, replacing the old ones.`nSystem Restart Not immediately needed but eventually required to finish the removal of previous individual Supplemental policies."

Write-Verbose -Message 'Removing the Supplemental policy CIP file after deployment'
Remove-Item -Path "$SuppPolicyID.cip" -Force
}
}

if ($UpdateBasePolicy) {
# First get the Microsoft recommended block rules

Write-Verbose -Message 'Getting the Microsoft recommended block rules by calling the Get-BlockRulesMeta function'
Get-BlockRulesMeta | Out-Null

Write-Verbose -Message 'Determining the type of the new base policy'
switch ($NewBasePolicyType) {
'AllowMicrosoft_Plus_Block_Rules' {
Write-Verbose -Message 'The new base policy type is AllowMicrosoft_Plus_Block_Rules'

Write-Verbose -Message 'Copying the AllowMicrosoft.xml template policy file to the current working directory'
Copy-Item -Path 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml' -Destination '.\AllowMicrosoft.xml' -Force

Write-Verbose -Message 'Merging the AllowMicrosoft.xml and Microsoft recommended block rules into a single policy file'
Merge-CIPolicy -PolicyPaths .\AllowMicrosoft.xml, '.\Microsoft recommended block rules.xml' -OutputFilePath .\BasePolicy.xml | Out-Null

Write-Verbose -Message 'Setting the policy name'
Set-CIPolicyIdInfo -FilePath .\BasePolicy.xml -PolicyName "Allow Microsoft Plus Block Rules refreshed On $(Get-Date -Format 'MM-dd-yyyy')"

Write-Verbose -Message 'Setting the policy rule options'
@(0, 2, 5, 6, 11, 12, 16, 17, 19, 20) | ForEach-Object -Process { Set-RuleOption -FilePath .\BasePolicy.xml -Option $_ }

Write-Verbose -Message 'Removing the unnecessary policy rule options'
@(3, 4, 9, 10, 13, 18) | ForEach-Object -Process { Set-RuleOption -FilePath .\BasePolicy.xml -Option $_ -Delete }
}
'Lightly_Managed_system_Policy' {
Write-Verbose -Message 'The new base policy type is Lightly_Managed_system_Policy'

Write-Verbose -Message 'Copying the AllowMicrosoft.xml template policy file to the current working directory'
Copy-Item -Path 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml' -Destination '.\AllowMicrosoft.xml' -Force

Write-Verbose -Message 'Merging the AllowMicrosoft.xml and Microsoft recommended block rules into a single policy file'
Merge-CIPolicy -PolicyPaths .\AllowMicrosoft.xml, '.\Microsoft recommended block rules.xml' -OutputFilePath .\BasePolicy.xml | Out-Null

Write-Verbose -Message 'Setting the policy name'
Set-CIPolicyIdInfo -FilePath .\BasePolicy.xml -PolicyName "Signed And Reputable policy refreshed on $(Get-Date -Format 'MM-dd-yyyy')"

Write-Verbose -Message 'Setting the policy rule options'
@(0, 2, 5, 6, 11, 12, 14, 15, 16, 17, 19, 20) | ForEach-Object -Process { Set-RuleOption -FilePath .\BasePolicy.xml -Option $_ }

Write-Verbose -Message 'Removing the unnecessary policy rule options'
@(3, 4, 9, 10, 13, 18) | ForEach-Object -Process { Set-RuleOption -FilePath .\BasePolicy.xml -Option $_ -Delete }

# Configure required services for ISG authorization
Write-Verbose -Message 'Configuring required services for ISG authorization'
Start-Process -FilePath 'C:\Windows\System32\appidtel.exe' -ArgumentList 'start' -Wait -NoNewWindow
Start-Process -FilePath 'C:\Windows\System32\sc.exe' -ArgumentList 'config', 'appidsvc', 'start= auto' -Wait -NoNewWindow
}
'DefaultWindows_WithBlockRules' {
Write-Verbose -Message 'The new base policy type is DefaultWindows_WithBlockRules'

Write-Verbose -Message 'Copying the DefaultWindows.xml template policy file to the current working directory'
Copy-Item -Path 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml' -Destination '.\DefaultWindows_Enforced.xml' -Force
# Scan PowerShell core directory and add them to the Default Windows base policy so that the module can be used after it's been deployed


if (Test-Path -Path 'C:\Program Files\PowerShell') {
Write-Host -Object 'Creating allow rules for PowerShell in the DefaultWindows base policy so you can continue using this module after deploying it.' -ForegroundColor Blue
New-CIPolicy -ScanPath 'C:\Program Files\PowerShell' -Level FilePublisher -NoScript -Fallback Hash -UserPEs -UserWriteablePaths -MultiplePolicyFormat -FilePath .\AllowPowerShell.xml
Write-Verbose -Message 'Scanning the PowerShell core directory '

Write-ColorfulText -Color HotPink -InputText 'Creating allow rules for PowerShell in the DefaultWindows base policy so you can continue using this module after deploying it.'

New-CIPolicy -ScanPath 'C:\Program Files\PowerShell' -Level FilePublisher -NoScript -Fallback Hash -UserPEs -UserWriteablePaths -MultiplePolicyFormat -AllowFileNameFallbacks -FilePath .\AllowPowerShell.xml

Write-Verbose -Message 'Merging the DefaultWindows.xml, AllowPowerShell.xml, SignTool.xml and Microsoft recommended block rules into a single policy file'
Merge-CIPolicy -PolicyPaths .\DefaultWindows_Enforced.xml, .\AllowPowerShell.xml, '.\Microsoft recommended block rules.xml' -OutputFilePath .\BasePolicy.xml | Out-Null
}
else {
Write-Verbose -Message 'Not including the PowerShell core directory in the policy'
Write-Verbose -Message 'Merging the DefaultWindows.xml, SignTool.xml and Microsoft recommended block rules into a single policy file'
Merge-CIPolicy -PolicyPaths .\DefaultWindows_Enforced.xml, '.\Microsoft recommended block rules.xml' -OutputFilePath .\BasePolicy.xml | Out-Null
}

Write-Verbose -Message 'Setting the policy name'
Set-CIPolicyIdInfo -FilePath .\BasePolicy.xml -PolicyName "Default Windows Plus Block Rules refreshed On $(Get-Date -Format 'MM-dd-yyyy')"

Write-Verbose -Message 'Setting the policy rule options'
@(0, 2, 5, 6, 11, 12, 16, 17, 19, 20) | ForEach-Object -Process { Set-RuleOption -FilePath .\BasePolicy.xml -Option $_ }

Write-Verbose -Message 'Removing the unnecessary policy rule options'
@(3, 4, 9, 10, 13, 18) | ForEach-Object -Process { Set-RuleOption -FilePath .\BasePolicy.xml -Option $_ -Delete }
}
}

if ($UpdateBasePolicy -and $RequireEVSigners) { Set-RuleOption -FilePath .\BasePolicy.xml -Option 8 }

Set-CIPolicyVersion -FilePath .\BasePolicy.xml -Version '1.0.0.1'
Set-HVCIOptions -Strict -FilePath .\BasePolicy.xml
if ($UpdateBasePolicy -and $RequireEVSigners) {
Write-Verbose -Message 'Adding the EV Signers rule option to the base policy'
Set-RuleOption -FilePath .\BasePolicy.xml -Option 8
}

# Remove the extra files create during module operation that are no longer necessary
Remove-Item -Path '.\AllowPowerShell.xml', '.\DefaultWindows_Enforced.xml', '.\AllowMicrosoft.xml' -Force -ErrorAction SilentlyContinue
Remove-Item -Path '.\Microsoft recommended block rules.xml' -Force
if (!$Debug) {
Remove-Item -Path '.\AllowPowerShell.xml', '.\DefaultWindows_Enforced.xml', '.\AllowMicrosoft.xml' -Force -ErrorAction SilentlyContinue
Remove-Item -Path '.\Microsoft recommended block rules.xml' -Force
}

# Get the policy ID of the currently deployed base policy based on the policy name that user selected
$CurrentID = ((&'C:\Windows\System32\CiTool.exe' -lp -json | ConvertFrom-Json).Policies | Where-Object -FilterScript { $_.IsSystemPolicy -ne 'True' } | Where-Object -FilterScript { $_.Friendlyname -eq $CurrentBasePolicyName }).BasePolicyID
$CurrentID = "{$CurrentID}"
Write-Verbose -Message 'Getting the policy ID of the currently deployed base policy based on the policy name that user selected'
[System.String]$CurrentID = ((&'C:\Windows\System32\CiTool.exe' -lp -json | ConvertFrom-Json).Policies | Where-Object -FilterScript { $_.IsSystemPolicy -ne 'True' } | Where-Object -FilterScript { $_.Friendlyname -eq $CurrentBasePolicyName }).BasePolicyID
$CurrentID = "{$CurrentID}"

Write-Verbose -Message "This is the current ID of deployed base policy that is going to be used in the new base policy: $CurrentID"
Write-Verbose -Message 'Reading the current base policy XML file'
[System.Xml.XmlDocument]$Xml = Get-Content -Path '.\BasePolicy.xml'

Write-Verbose -Message 'Setting the policy ID and Base policy ID to the current base policy ID in the generated XML file'
$Xml.SiPolicy.PolicyID = $CurrentID
$Xml.SiPolicy.BasePolicyID = $CurrentID

Write-Verbose -Message 'Saving the updated XML file'
$Xml.Save('.\BasePolicy.xml')

Write-Verbose -Message 'Setting the policy version to 1.0.0.1'
Set-CIPolicyVersion -FilePath .\BasePolicy.xml -Version '1.0.0.1'

Write-Verbose -Message 'Setting HVCI to Strict'
Set-HVCIOptions -Strict -FilePath .\BasePolicy.xml

Write-Verbose -Message 'Converting the base policy to a CIP file'
ConvertFrom-CIPolicy -XmlFilePath '.\BasePolicy.xml' -BinaryFilePath "$CurrentID.cip" | Out-Null
# Deploy the new base policy with the same GUID on the system

Write-Verbose -Message 'Deploying the new base policy with the same GUID on the system'
&'C:\Windows\System32\CiTool.exe' --update-policy "$CurrentID.cip" -json | Out-Null
# Remove the policy binary after it's been deployed

Write-Verbose -Message 'Removing the base policy CIP file after deployment'
Remove-Item -Path "$CurrentID.cip" -Force

# Keep the new base policy XML file that was just deployed, in the current directory, so user can keep it for later
# Defining a hashtable that contains the policy names and their corresponding XML file names
[System.Collections.Hashtable]$PolicyFiles = @{
'AllowMicrosoft_Plus_Block_Rules' = 'AllowMicrosoftPlusBlockRules.xml'
'Lightly_Managed_system_Policy' = 'SignedAndReputable.xml'
'DefaultWindows_WithBlockRules' = 'DefaultWindowsPlusBlockRules.xml'
}

Write-Verbose -Message 'Making sure a policy file with the same name as the current base policy does not exist in the current working directory'
Remove-Item -Path $PolicyFiles[$NewBasePolicyType] -Force -ErrorAction SilentlyContinue

Write-Verbose -Message 'Renaming the base policy XML file to match the new base policy type'
Rename-Item -Path '.\BasePolicy.xml' -NewName $PolicyFiles[$NewBasePolicyType] -Force

Write-ColorfulText -Color Pink -InputText "Base Policy has been successfully updated to $NewBasePolicyType"
Write-ColorfulText -Color Lavender -InputText 'Keep in mind that your previous policy path saved in User Configurations is no longer valid as you just changed your Base policy.'
Write-ColorfulText -Color Lavender -InputText 'Keep in mind that your previous policy path saved in User Configurations (if any) is no longer valid as you just changed your Base policy.'
}
}

Expand Down

0 comments on commit 6a895e7

Please sign in to comment.