[Bug]: Edit-SignedWDACConfig not merging Supplemental Policies #125

Closed
2 tasks done
dennyamarojr opened this issue Sep 24, 2023 · 8 comments
Labels: Bug 🐛 Something isn't working

@dennyamarojr (Contributor) opened the issue:

Tools category

WDACConfig Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

Today I started deploying WDAC on my machine and found something interesting: the following command
Edit-SignedWDACConfig -MergeSupplementalPolicies -CertPath "C:\Certificate.cer" -SuppPolicyName "Merge of Multiple Supplementals" -PolicyPaths "C:\AllowMicrosoftPlusBlockRules.xml" -CertCN "WDAC Certificate" -SuppPolicyPaths "C:\Supplemental policy for App1.xml","C:\Supplemental policy for App 2.xml","C:\Supplemental policy for App 3.xml"

appears not to work if you use the following command
New-SupplementalWDACConfig -Normal -ScanLocation "C:\Program Files\Program" -SuppPolicyName "App's Name" -PolicyPath "C:\AllowMicrosoftPlusBlockRules.xml"

It shows an error message about the PolicyPaths, or even that the supplemental policies are not deployed, but I tested with the supplemental policies deployed and it does not work.

Currently I'm testing creating them one by one and then merging them, using this command
Edit-SignedWDACConfig -AllowNewApps -CertPath "C:\Certificate.cer" -SuppPolicyName "App's Name" -PolicyPaths "C:\AllowMicrosoftPlusBlockRules.xml" -CertCN "WDAC Certificate"

@dennyamarojr dennyamarojr added the Bug 🐛 Something isn't working label Sep 24, 2023

dennyamarojr commented Sep 24, 2023

[screenshot]

[screenshot]

@dennyamarojr (Contributor Author) commented:

I think there's a limit of 3 supplemental policies per merge; that's what is causing the issue.


dennyamarojr commented Sep 24, 2023

I tried with six; after that the command gives the error message and we couldn't merge all the supplemental policies. I will try with the WDAC Toolkit.

Update: with the WDAC Toolkit I could merge all 15 supplemental policies.
[screenshot]

@dennyamarojr (Contributor Author) commented:

During the process of whitelisting, I see a little problem. I think it is my mistake, but here's what is happening.

I tried to run the following command
New-SupplementalWDACConfig -Normal -ScanLocation "C:\Program Files\Program" -SuppPolicyName "App's Name" -PolicyPath "C:\AllowMicrosoftPlusBlockRules.xml"

And after creating all the supplemental policies, the .xml didn't contain rules for all the files in some directories.

Maybe it is something that I'm doing wrong, but I checked in the WDAC Wizard and the executable file of Photoshop has a Publisher, and the command did not recognize it.


HotCakeX commented Sep 25, 2023

Hi,

As mentioned in the docs, Edit-SignedWDACConfig -MergeSupplementalPolicies and Edit-WDACConfig -MergeSupplementalPolicies check the user-selected XML policy files to ensure that they are all deployed on the system first. This is to prevent accidental user error.

I haven't set any limitation for the merge operations.

If Photoshop is not genuine then you will need to use Hash for the level, because by default the cmdlets use FilePublisher for the main level and Hash as the fallback, and non-genuine software has a mismatch between the hash saved in its certificate vs the file hash. More info here

If Photoshop is genuine then this is a problem I have to try to fix (which I don't have any info about based on what you gave me).

By the way, if you use the Set-CommonWDACConfig cmdlet then you don't need to specify repetitive parameters each time, such as CertCN, CertPath, PolicyPath, SignTool.exe etc.
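The deployment check the maintainer describes is easy to reproduce by hand before calling -MergeSupplementalPolicies, which turns a vague "error with PolicyPaths" into a concrete list of what is wrong. The script below is an added example and is not code from the WDACConfig module; it assumes CiTool.exe (Windows 11 22H2 / Server 2022 and later) is on PATH, that its `--list-policies --json` output carries a "Policies" array whose entries have "PolicyID" and "IsEnforced" fields, and that the XML files are standard Code Integrity policies in the urn:schemas-microsoft-com:sipolicy namespace. The parameter names are the example's own.

```powershell
# Added example, not part of the WDACConfig module.
# Pre-flight for a supplemental-policy merge: for every XML you plan to pass to
# -SuppPolicyPaths, confirm (1) the file exists, (2) it really is a supplemental
# policy, (3) its BasePolicyID matches the base policy you are merging into and
# (4) its PolicyID is currently deployed according to CiTool.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]   $BasePolicyPath,   # e.g. C:\AllowMicrosoftPlusBlockRules.xml
    [Parameter(Mandatory)] [string[]] $SuppPolicyPaths   # the same list you would give -SuppPolicyPaths
)

function Get-PolicyIds {
    # Pull PolicyType, PolicyID and BasePolicyID out of a CI policy XML.
    param([string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')   # standard SiPolicy namespace
    $root = $doc.SelectSingleNode('/si:SiPolicy', $ns)
    [pscustomobject]@{
        Path         = $Path
        PolicyType   = $root.GetAttribute('PolicyType')
        # GUIDs are written with braces in the XML; strip them for comparison.
        PolicyID     = $doc.SelectSingleNode('/si:SiPolicy/si:PolicyID', $ns).InnerText.Trim('{}')
        BasePolicyID = $doc.SelectSingleNode('/si:SiPolicy/si:BasePolicyID', $ns).InnerText.Trim('{}')
    }
}

# Assumption: CiTool's JSON has .Policies[].PolicyID (no braces) and .IsEnforced.
$deployed    = (CiTool.exe --list-policies --json | ConvertFrom-Json).Policies
$deployedIds = $deployed | ForEach-Object { $_.PolicyID.ToUpperInvariant() }

$base     = Get-PolicyIds -Path $BasePolicyPath
$problems = @()

foreach ($p in $SuppPolicyPaths) {
    if (-not (Test-Path -LiteralPath $p)) { $problems += "missing on disk: $p"; continue }
    $info = Get-PolicyIds -Path $p
    if ($info.PolicyType -ne 'Supplemental Policy') {
        $problems += "$($info.Path): PolicyType is '$($info.PolicyType)', not a supplemental policy"
    }
    if ($info.BasePolicyID.ToUpperInvariant() -ne $base.PolicyID.ToUpperInvariant()) {
        $problems += "$($info.Path): BasePolicyID $($info.BasePolicyID) does not match base PolicyID $($base.PolicyID)"
    }
    if ($deployedIds -notcontains $info.PolicyID.ToUpperInvariant()) {
        $problems += "$($info.Path): PolicyID $($info.PolicyID) is not deployed (CiTool does not list it)"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "All $($SuppPolicyPaths.Count) supplemental policies are deployed and bound to base $($base.PolicyID)"
```

Run it with the same -PolicyPaths / -SuppPolicyPaths values you intend to give Edit-SignedWDACConfig; a non-zero exit with warnings tells you which file the cmdlet's own pre-check would reject and why, without touching the deployed policies.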

@HotCakeX (Owner) commented:

I just merged 15 policies without a problem.

[screenshot]

[screenshot]

Then restarted and everything is working fine.

[screenshot]

I'm also releasing a new update for the WDACConfig module soon; it has user experience improvements.
#126


HotCakeX commented Sep 25, 2023

If any of the files in the programs that you use are signed but their certificates are expired (e.g., some files in the Free Download Manager program), or there is a mismatch between the certificate hash and the file hash (e.g., non-genuine software), then they are not allowed by the WDAC engine because of policy rule option 20, Enabled:Revoked Expired As Unsigned; also, Authenticode can't generate a proper hash for tampered files.

I can't reproduce the error you showed in the screenshot for the -SuppPolicyPaths parameter. I can suggest 2 things: make sure the files aren't open by another application and that they exist on the disk.
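Before blaming the scan, it helps to see which files in a directory would actually qualify for a FilePublisher rule and which would fall back to Hash (unsigned, hash mismatch) or be treated as unsigned under Enabled:Revoked Expired As Unsigned. The script below is an added example, not part of the WDACConfig module or the WDAC Wizard; it uses only the built-in Get-AuthenticodeSignature cmdlet. Its 'ExpiredCert' label is a heuristic based on SignerCertificate.NotAfter: a signature with a valid timestamp countersignature can still be accepted after the certificate expires, so treat that bucket as "inspect manually" rather than a verdict, and the -ScanLocation parameter name is the example's own.

```powershell
# Added example, not WDACConfig module code.
# Triage the PE files under a directory by Authenticode status so you can predict
# which ones get FilePublisher rules and which ones end up as Hash rules (or are
# blocked outright when expired/revoked certificates are treated as unsigned).
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $ScanLocation   # e.g. "C:\Program Files\Program"
)

$peExtensions = '.exe', '.dll', '.sys', '.ocx', '.msi'   # user-mode and driver binaries WDAC evaluates
$now = Get-Date

$report = Get-ChildItem -LiteralPath $ScanLocation -Recurse -File |
    Where-Object { $peExtensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $verdict = switch ($sig.Status) {
            # Signed and chain verified: FilePublisher works unless the leaf cert has expired
            # (assumption: NotAfter in the past means "check for a timestamp before trusting").
            'Valid'        { if ($cert -and $cert.NotAfter -lt $now) { 'ExpiredCert (inspect)' } else { 'FilePublisher OK' } }
            # No signature at all: the cmdlets' Hash fallback is the only option.
            'NotSigned'    { 'Unsigned -> Hash fallback' }
            # Signed, but the embedded hash does not match the file: tampered / non-genuine.
            'HashMismatch' { 'HashMismatch -> likely non-genuine, Hash fallback' }
            # Anything else (NotTrusted, UnknownError, ...) will not yield a FilePublisher rule.
            default        { "$($sig.Status) -> Hash fallback" }
        }
        [pscustomobject]@{
            File     = $_.FullName
            Status   = $sig.Status
            Signer   = if ($cert) { $cert.Subject } else { '' }
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
            Verdict  = $verdict
        }
    }

# Per-file detail, then a count per bucket so the scale of the problem is obvious.
$report | Sort-Object Verdict, File | Format-Table -AutoSize
$report | Group-Object Verdict | Select-Object Name, Count | Format-Table -AutoSize
```

If the Photoshop executable shows up as HashMismatch here, it is the non-genuine case the maintainer describes and only a Hash-level rule can cover it; if it shows as Valid with an unexpired signer, a missing rule after a -Normal scan is worth reporting with that row attached.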

@HotCakeX (Owner) commented:

It's been 4 days without a response. It looks like the explanations I added resolved your situation.

Please reopen this or create a separate issue if there is still any problem.

Thanks
