Microsoft Block rules - best practice

[iainfm]

Hi, I was wondering what method other people are using to include the Microsoft's recommended Block Rules in their WDAC policies. As far as I can see the choices are:

1. [Base Policy that includes the MBRs] + [Supplemental Policies]

or

2. [Simple Base Policy] + [Supplemental Policy containing MBRs] + [Other Supplemental Policies]

Is one method easier to maintain? Are there any other/better ways of doing this?

Best wishes,
Iain

[HotCakeX]

Hi,
You can't include any deny rules in the Supplemental policies, so any deny rules, including the ones in the recommended block rules, must go to the base policies only.

A supplemental policy's job is only to expand the scope of a base policy, by allowing more files.

You can deploy Microsoft recommended block rules with 2 allow all rules as a stand-alone base policy, then deploy another base policy as your main policy and associate any future supplemental policies with your main policy. That way you can keep the recommended block rules up to date separately than your main base policy.

More info: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies

[iainfm]

Thanks again for explaining this - much appreciated!

[HotCakeX]

Anytime, glad i could help!

[jgeurten]

Hi, You can't include any deny rules in the Supplemental policies, so any deny rules, including the ones in the recommended block rules, must go to the base policies only.

A supplemental policy's job is only to expand the scope of a base policy, by allowing more files.

You can deploy Microsoft recommended block rules with 2 allow all rules as a stand-alone base policy, then deploy another base policy as your main policy and associate any future supplemental policies with your main policy. That way you can keep the recommended block rules up to date separately than your main base policy.

More info: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies

^ This is the correct answer. The WDAC feature team and I recommend 2 base policies (1 with your baseline allowlist and the other the recommended block rules).