New DenyWDACConfig

Violet Hansen edited this page Nov 4, 2024 · 23 revisions

New-DenyWDACConfig -Normal

Syntax

New-DenyWDACConfig
    [-Normal]
    -PolicyName <String>
    [-ScanLocations <DirectoryInfo[]>]
    [-Deploy]
    [-Level <String>]
    [-Fallbacks <String[]>]
    [-SpecificFileNameLevel <String>]
    [-NoUserPEs]
    [-NoScript]
    [-Confirm]
    [<CommonParameters>]

Description

Creates a Deny base policy by scanning a directory. The base policy will have 2 allow-all rules, meaning it can be deployed as a standalone base policy, side by side with any other Base/Supplemental policies.

Parameters

-PolicyName

Add a descriptive name for the Deny base policy. Accepts only alphanumeric and space characters.

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-ScanLocations

Accepts one or more comma-separated folder paths. Supports argument completion: when you press Tab, a folder picker GUI opens so you can select a folder. You can then add a comma (,) and press Tab again to select another folder, or paste a folder path manually.

Type: DirectoryInfo[]
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-Deploy

Indicates that the module will automatically deploy the Deny base policy after creation.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Level

Offers the same official Levels to scan the specified directory path(s).

Type: String
Position: Named
Default value: WHQLFilePublisher
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Fallbacks

Offers the same official Fallbacks to scan the specified directory path(s).

Type: String[]
Position: Named
Default value: FilePublisher,Hash
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-SpecificFileNameLevel

More info available on Microsoft Learn

Type: String
Position: Named
Accepted values: OriginalFileName, InternalName, FileDescription, ProductName, PackageFamilyName, FilePath
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-NoUserPEs

By default, the module includes user PEs in the scan; when you use this switch parameter, they won't be included. More info available on Microsoft Learn

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-NoScript

More info available on Microsoft Learn

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
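
The following is an added example, not part of the original wiki or the module's own code. It validates the inputs described above and reports how many scanned binaries lack a valid signature (and so depend on the Hash fallback) before creating the policy without -Deploy. The policy name and folder path are constructed sample values.

```powershell
# Added example: pre-flight checks before New-DenyWDACConfig -Normal.
# The policy name and folder path are constructed sample values.
$PolicyName    = 'Deny Legacy Admin Tools'
$ScanLocations = @('C:\Blocklist\LegacyAdminTools')

# -PolicyName accepts only alphanumeric and space characters.
if ($PolicyName -notmatch '^[a-zA-Z0-9 ]+$') {
    throw "Policy name '$PolicyName' may contain only letters, digits and spaces."
}

# Every scan location must be an existing folder.
foreach ($Path in $ScanLocations) {
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Scan location not found: $Path"
    }
}

# Split the binaries into validly signed files and everything else. Files without
# a valid signature cannot get publisher-based rules and depend on the Hash
# fallback, which stops matching as soon as the file's content changes.
$Binaries = @(Get-ChildItem -LiteralPath $ScanLocations -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys' })
$Signed, $HashOnly = $Binaries.Where(
    { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -eq 'Valid' }, 'Split')

'{0} signed file(s), {1} file(s) that will need hash rules' -f $Signed.Count, $HashOnly.Count
$HashOnly | Select-Object -ExpandProperty FullName

# Create the policy without -Deploy so the result can be reviewed first.
$Params = @{
    Normal        = $true
    PolicyName    = $PolicyName
    ScanLocations = $ScanLocations
    Level         = 'FilePublisher'
    Fallbacks     = 'Hash'
}
New-DenyWDACConfig @Params
```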

New-DenyWDACConfig -Drivers

Syntax

New-DenyWDACConfig
    [-Drivers]
    -PolicyName <String>
    [-ScanLocations <DirectoryInfo[]>]
    [-Deploy]
    [-Confirm]
    [<CommonParameters>]

Description

Creates a Deny base policy by scanning a directory. This parameter uses DriverFile objects, so it's best suited for driver files. The base policy will have 2 allow-all rules, meaning it can be deployed as a standalone base policy, side by side with any other Base/Supplemental policies.

Note

The scan uses the WHQLFilePublisher level without any fallbacks, and includes both user-mode and kernel-mode drivers.

Parameters

-PolicyName

Add a descriptive name for the Deny base policy. Accepts only alphanumeric and space characters.

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-ScanLocations

Accepts one or more comma-separated folder paths. Supports argument completion: when you press Tab, a folder picker GUI opens so you can select a folder. You can then add a comma (,) and press Tab again to select another folder, or paste a folder path manually.

Type: DirectoryInfo[]
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-Deploy

Indicates that the module will automatically deploy the Deny base policy after creation.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

New-DenyWDACConfig -InstalledAppXPackages

Syntax

New-DenyWDACConfig
    [-InstalledAppXPackages]
    -PackageName <String>
    -PolicyName <String>
    [-Deploy]
    [-Force]
    [-Confirm]
    [<CommonParameters>]

Description

Creates a Deny base policy for one or more installed Windows Apps (Appx) based on their PFN (Package Family Name). The base policy will have 2 allow-all rules, meaning it can be deployed as a standalone base policy, side by side with any other Base/Supplemental policies.

Parameters

-PackageName

Enter the package name of an installed app. Supports the wildcard * character, e.g., *Edge* or "*Microsoft*".

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: True

-PolicyName

Add a descriptive name for the Deny base policy. Accepts only alphanumeric and space characters.

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-Deploy

Indicates that the module will automatically deploy the Deny base policy after creation.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Force

Indicates that the cmdlet won't ask for confirmation and will proceed with creating the deny policy.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
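
The following is an added example, not part of the original wiki or the module's own code. It previews which installed packages a -PackageName wildcard matches before a deny policy is built from it. It assumes the cmdlet resolves the wildcard the way Get-AppxPackage -Name does; the policy name is a constructed sample value.

```powershell
# Added example: preview what a -PackageName wildcard matches before denying it.
$PackageName = '*Edge*'          # sample pattern from the parameter description
$PolicyName  = 'Deny Edge AppX'  # constructed name: letters, digits and spaces only

# Assumption: the wildcard is resolved like Get-AppxPackage -Name resolves it.
$Found = @(Get-AppxPackage -Name $PackageName)
if ($Found.Count -eq 0) {
    throw "No installed package matches '$PackageName'."
}

# The policy is based on Package Family Names, so list the distinct PFNs.
$Found | Sort-Object -Property PackageFamilyName -Unique |
    Format-Table -Property Name, PackageFamilyName, SignatureKind, NonRemovable

# A broad pattern such as "*Microsoft*" can also catch OS components.
# Stop and narrow the pattern instead of denying them by accident.
$Critical = @($Found | Where-Object { $_.SignatureKind -eq 'System' -or $_.NonRemovable })
if ($Critical.Count -gt 0) {
    Write-Warning ("'{0}' also matches {1} system or non-removable package(s); narrow the pattern." -f $PackageName, $Critical.Count)
    return
}

# -Force is omitted on purpose so the cmdlet still asks for confirmation.
New-DenyWDACConfig -InstalledAppXPackages -PackageName $PackageName -PolicyName $PolicyName
```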

New-DenyWDACConfig -PathWildCards

Syntax

New-DenyWDACConfig
    [-PathWildCards]
    -PolicyName <String>
    -FolderPath <DirectoryInfo>
    [-Deploy]
    [-Confirm]
    [<CommonParameters>]

Description

Creates a standalone Deny base policy for a folder using wildcards. The base policy created by this parameter can be deployed side by side with any other base/supplemental policy.

Note

This feature is also used internally by the Harden Windows Security Module.

Parameters

-PolicyName

Add a descriptive name for the Deny base policy. Accepts only alphanumeric and space characters.

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-FolderPath

A folder path that includes at least one wildcard * character. Press Tab to open the folder picker GUI. Once you have selected a folder, the path will have \* appended to it. You can modify the selected path by adding or removing * wildcards before proceeding.

Type: DirectoryInfo
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: True

-Deploy

Indicates that the module will automatically deploy the Deny base policy after creation.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False







