TimothyCanning-2744 asked LimitlessTechnology-2700 answered

Checking Microsoft Defender Application Control is active on an endpoint within SCCM or Microsoft Endpoint Configuration Manager

Hi,

Next, slightly noob question, thank you all for the help so far!

Again, I have a number of Windows 10 Enterprise servers running in a fully isolated environment within some Industrial Control System(s) (ICS)

I intend to implement MDAC on these, but can't get as far as a Microsoft Endpoint Configuration Manager install yet, for reasons too long to go into here, sorry!

Is there a simple PowerShell or command-line script, or even better a GUI area, I could use to see on each endpoint that MDAC remains active? In case some wag turns it off to allow them to do something that's otherwise blocked...


1 Answer

LimitlessTechnology-2700 answered

Hello Timothy C,

In fact there are different methods:

  1. MSINFO
    You only need to open MSINFO32.exe and look for the Windows Defender Application Control status. As shown below, it's enforced.


  2. CodeIntegrity folder

Just like with AppLocker, Device Guard has its own folder with the active policy in it.

Before we continue we need to take a look at this folder, C:\Windows\System32\CodeIntegrity\, to understand which file is created when.


If you have a SiPolicy file in this folder, that means you have selected the single policy format in the WDAC tool instead of the multiple policy format. If you have selected the multiple policy format, the policy is going to be created inside the cipolicies\active folder.


  3. Event log

Please note that only using the default template and rules is going to produce a lot of errors on the device. First, we need to know which kinds of events can be triggered.

*Don’t be mistaken by these kinds of warnings, because it’s a known problem.


  4. PowerShell

Open a new PowerShell session as admin and copy and paste this command:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Format-List *CodeIntegrity*

(The property filter needs the wildcards; without them Format-List matches no property and prints nothing.)

If WDAC is enforced, "UserModeCodeIntegrityPolicyEnforcementStatus" needs to have a value of "2".

Hope this helps!

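The checks from the answer above (CIM enforcement status, policy files in the CodeIntegrity folder, and the CodeIntegrity event log), combined into one script that can be run on each isolated endpoint to confirm WDAC is still enforced. This is an added example and not code from the original answer; it assumes a Windows 10 host with the Win32_DeviceGuard class and an elevated session, and that the log name and event IDs 3099 (policy activated) and 3077 (file blocked in enforced mode) are as documented by Microsoft.

```powershell
# Added example (not from the original post): report WDAC enforcement state on the local endpoint.
# Assumes Windows 10 with the Win32_DeviceGuard CIM class; run from an elevated PowerShell session.
function Get-WdacStatus {
    [CmdletBinding()]
    param(
        # Hours of CodeIntegrity operational log to inspect for policy and block events
        [int]$LookbackHours = 24
    )
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    # 0 = Off, 1 = Audit, 2 = Enforced (values of the Win32_DeviceGuard enforcement properties)
    $labels     = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $userMode   = [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    $kernelMode = [int]$dg.CodeIntegrityPolicyEnforcementStatus

    # Single-policy format writes SiPolicy.p7b; multiple-policy format writes <GUID>.cip files
    # under CiPolicies\Active (both under the CodeIntegrity folder named in the answer above)
    $ciRoot = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
    $policyFiles = @(
        Get-ChildItem -Path (Join-Path $ciRoot 'SiPolicy.p7b') -ErrorAction SilentlyContinue
        Get-ChildItem -Path (Join-Path $ciRoot 'CiPolicies\Active') -Filter '*.cip' -ErrorAction SilentlyContinue
    )

    # 3099 = policy activated/refreshed, 3077 = binary blocked while enforced
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3099, 3077
        StartTime = $since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        UserModeStatus    = $labels[$userMode]
        KernelModeStatus  = $labels[$kernelMode]
        Enforced          = ($userMode -eq 2)
        PolicyFiles       = $policyFiles.FullName
        PolicyActivations = @($events | Where-Object Id -eq 3099).Count
        EnforcedBlocks    = @($events | Where-Object Id -eq 3077).Count
    }
}

$status = Get-WdacStatus
$status
if (-not $status.Enforced) {
    Write-Warning "WDAC user-mode policy is not enforced on $($status.ComputerName)"
}
```

A drop in UserModeStatus from Enforced, or a policy file disappearing between runs, is the signal the question asks about; a scheduled task that writes this object to a file or event log gives a record to compare against.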