WDAC - Blacklist App and Disable Script Enforcement

Kaj Bossard 1 Reputation point
2023-10-12T09:42:08.41+00:00

Hello

We would like to prohibit the use of the app “Mail – microsoft.windowscommunicationsapps” via a WDAC policy distributed by Intune.

We also use the "psappdeploytoolkit", but execution on the device is not possible because of the "Constrained Language Mode".

Problem Described here: https://discourse.psappdeploytoolkit.com/t/appdeploytoolkitmain-cs-could-not-be-opened/2962/7

We used this script to generate the WDAC Policy:

# Set the policy name
$PolicyName = "ucm_WDAC_v1"

# Policy files (XML source and compiled binary)
$DenyPolicyFile = "C:\Temp\ucm_WDAC_v1.xml"
$BinaryFilePath = "C:\Temp\ucm_WDAC_v1.cip"

# Base policy
$AllowAllPolicy = $env:windir + "\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"

# Create deny rule
$Packages = Get-AppXPackage -Name microsoft.windowscommunicationsapps

# Build rules (initialise the array so += appends instead of relying on $null)
$DenyRules = @()
foreach ($Package in $Packages) {
   $DenyRules += New-CIPolicyRule -Package $Package -Deny
}

# Merge the deny rules into the base policy
Merge-CIPolicy -PolicyPaths $AllowAllPolicy -OutputFilePath $DenyPolicyFile -Rules $DenyRules

# Set policy information and generate a fresh policy ID
Set-CiPolicyIdInfo -FilePath $DenyPolicyFile -PolicyName $PolicyName -ResetPolicyID

# Option 11 = Disabled:Script Enforcement (adding the option disables script enforcement)
Set-RuleOption -FilePath $DenyPolicyFile -Option 11

# Option 3 = Enabled:Audit Mode (on by default); delete it so the policy is enforced
Set-RuleOption -FilePath $DenyPolicyFile -Option 3 -Delete

# Compile the XML into the binary that Intune deploys
ConvertFrom-CIPolicy -XmlFilePath $DenyPolicyFile -BinaryFilePath $BinaryFilePath


We added based on the AllowAll.xml Policy some deny rules for the "windowscommunicationsapps" App and removed the Script Enforcement.

The "windowscommunicationsapps" app is getting blocked, but we are now in the "ConstrainedLanguage" PowerShell mode.

In the documentation of "Script Enforcement" it is written:

WDAC puts interactive PowerShell into Constrained Language Mode if any WDAC UMCI policy is enforced and any active WDAC policy enables script enforcement, even if that policy is in audit mode. To run interactive PowerShell with Full Language rights, you must disable script enforcement for all policies. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement#enlightened-script-hosts-that-are-part-of-windows

My question is: how do I disable script enforcement for all policies?

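The quoted documentation makes the practical point: one policy with option 11 is not enough, because a single active policy that still enforces scripts keeps interactive PowerShell constrained. The following is an added example (not code from the original post or from Microsoft) that checks every policy XML you manage for "Disabled:Script Enforcement", adds option 11 where it is missing, and verifies the result by reading the XML back. It assumes the ConfigCI cmdlets (Set-RuleOption) are available and that the policy paths in $policies are your own; the C:\Temp path is taken from the question and the function names are hypothetical.

```powershell
# Added example: ensure every managed WDAC policy XML carries option 11
# ("Disabled:Script Enforcement"). Function names and the $policies list
# are assumptions; only Set-RuleOption is a real ConfigCI cmdlet.

function Get-CiPolicyRuleOptions {
    param([Parameter(Mandatory)][string]$FilePath)
    # Read the <Rules><Rule><Option> entries straight from the policy XML
    $xml = [xml](Get-Content -Path $FilePath -Raw)
    @($xml.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
}

function Test-ScriptEnforcementDisabled {
    param([Parameter(Mandatory)][string]$FilePath)
    # True only when option 11 is present in the XML
    (Get-CiPolicyRuleOptions -FilePath $FilePath) -contains 'Disabled:Script Enforcement'
}

function Disable-ScriptEnforcementForAll {
    param([Parameter(Mandatory)][string[]]$PolicyPaths)
    foreach ($path in $PolicyPaths) {
        if (Test-ScriptEnforcementDisabled -FilePath $path) {
            Write-Host "[ok]   $path already has option 11"
            continue
        }
        # Option 11 = Disabled:Script Enforcement. Without -Delete the option is ADDED;
        # "-Option 11 -Delete" would remove it and re-enable script enforcement.
        Set-RuleOption -FilePath $path -Option 11
        if (Test-ScriptEnforcementDisabled -FilePath $path) {
            Write-Host "[set]  $path now has option 11 (recompile with ConvertFrom-CIPolicy and redeploy)"
        } else {
            Write-Warning "[fail] $path still lacks option 11"
        }
    }
}

# Constructed list: the deny policy from the question plus any other policy XML you maintain.
$policies = @('C:\Temp\ucm_WDAC_v1.xml')
Disable-ScriptEnforcementForAll -PolicyPaths $policies

# After the recompiled binaries are deployed and the device restarted, a fresh
# session should report FullLanguage instead of ConstrainedLanguage.
$ExecutionContext.SessionState.LanguageMode
```

This only covers policies whose XML you hold. Per the quoted documentation, any other active policy on the device (a second Intune-delivered policy, or a signed base policy you did not author) that still enforces scripts will keep the session constrained, so inventory every active policy on the device before concluding the XML edit was not applied.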

  1. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2023-10-13T01:45:24.98+00:00

    @Kaj Bossard, Thanks for posting in Q&A. Based on my researching, to disable script enforcement for all policies, you can modify the WDAC policy to set the option 11 Disabled:Script Enforcement. This can be done using the Set-RuleOption cmdlet in PowerShell. Here's an example:

    Set-RuleOption -FilePath <path to policy file> -Option 11
    

    Replace <path to policy file> with the path to your WDAC policy file. This will remove the script enforcement option from the policy, allowing PowerShell to run with Full Language rights.

    Note that disabling script enforcement for all policies can decrease the security of your device, so it should only be done if necessary.

    https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create#windows-defender-application-control-policy-rules


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

