Windows Defender Application Control (WDAC), now called App Control for Business, is very easy to set up. It is just as easy to create downtime after deploying WDAC policies.
It is very important to understand exactly which applications should be allowed and how you will handle a new application that must be installed. If you do not have a clear picture of this and start the deployment anyway, you will create chaos in your environment.
The questions that must be asked in your team (or of yourself, if you work alone) are the following:
- Who can say exactly which applications should be allowed?
- How will the installation of a new application be allowed?
Nobody can verify all the applications that must be allowed in the environment by hand. The only realistic solution is to run the policy in Audit Mode for at least 2 weeks, and longer if the company is large.
For that you need a way to centralize the WDAC logs from all the PCs. Then you can create reports that include every application the users actually run, and discuss them with the appropriate people (leaders, managers) to decide which applications will be allowed.
The following method is recommended when you do not have any other option and need a quick solution to centralize the WDAC logs.
To achieve this you should set up a new Windows Server that will be used as the collector of the Windows Event Logs (Windows Event Forwarding).
Prerequisites
Before you start using the subscription you should prepare the environment:
- Enable WinRM on all PCs from which you want to collect the Event Logs.
- Configure the Windows Event Collector service to be in the Running state with Automatic startup.
- Add the computer account of the collector (the Windows Server on which you will enable the subscription) to the local Event Log Readers group on each PC from which you want to collect the Event Logs.
How to create a GPO to enable WinRM and Windows Event Collector Service
We can create a GPO to deploy the prerequisites that we need to apply to the PCs.
- Open the Group Policy Management Editor.
- Create a new Group Policy with the following settings:
- Enable Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Remote Management (WinRM)/WinRM Service/Allow remote server management through WinRM.
- Configure the services WinRM and Windows Event Collector with State Running and Startup Automatic in Computer Configuration/Preferences/Control Panel Settings/Services.
- Go to Computer Configuration/Policies/Administrative Templates/Windows Components/Event Forwarding.
- Enable Configure forwarder resource usage.
- Enable Configure target Subscription Manager. Click Show and add the value Server=http://<FQDN of the Collector>:5985/wsman/SubscriptionManager/WEC,Refresh=60 (5985 is the WinRM HTTP port; if you later switch the subscription to HTTPS, use https:// and port 5986 instead). This setting is what source-initiated forwarding uses; it does no harm for a collector-initiated subscription.
- Apply the GPO to the PCs from which you want to collect the Event Logs.
To add the collector's computer account to the Event Log Readers group on each PC, you either do it manually or create a PowerShell script and attach it to the GPO in Computer Configuration/Windows Settings/Scripts (Startup/Shutdown).
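The following startup script is an added example (it is not part of the original post) that applies the three prerequisites on a source PC in one idempotent pass: it sets WinRM and the Windows Event Collector service to Automatic and running, adds the collector's computer account to the local Event Log Readers group only if it is not already a member (Add-LocalGroupMember fails on a duplicate, which would make the startup script error out on every boot), and finishes with a quick WinRM self-check. The collector account CONTOSO\WEC01$ is an assumption; replace it with your own collector's computer account.

```powershell
# Added example, not from the original post. Runs as SYSTEM from the GPO startup script.
# Assumption: the collector is the domain computer account CONTOSO\WEC01$ (hypothetical).
param(
    [string]$CollectorAccount = 'CONTOSO\WEC01$'
)

$ErrorActionPreference = 'Stop'

# 1. WinRM and the Windows Event Collector service: Automatic startup and running.
foreach ($svcName in 'WinRM', 'Wecsvc') {
    Set-Service -Name $svcName -StartupType Automatic
    if ((Get-Service -Name $svcName).Status -ne 'Running') {
        Start-Service -Name $svcName
    }
}

# 2. The collector's computer account needs read access to the Code Integrity log,
#    which local "Event Log Readers" membership grants. Check before adding so the
#    script can be re-run at every boot without throwing on a duplicate member.
$group = 'Event Log Readers'
$members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty Name
if ($members -notcontains $CollectorAccount) {
    Add-LocalGroupMember -Group $group -Member $CollectorAccount
    Write-Output "Added $CollectorAccount to '$group'."
} else {
    Write-Output "$CollectorAccount is already a member of '$group'."
}

# 3. Self-check: the WinRM listener must answer locally, otherwise the collector's
#    "Test" button in the subscription wizard will fail for this PC.
try {
    $null = Test-WSMan -ErrorAction Stop
    Write-Output 'WinRM listener is reachable.'
} catch {
    Write-Warning "WinRM listener is not responding: $($_.Exception.Message)"
    exit 1
}
```

Run it once by hand on a test PC before attaching it to the GPO; the exit code of 1 on a failed WinRM check shows up in the GPO scripts event log and tells you which PCs still miss the prerequisites.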
How to create the Subscription to collect Events in the Windows Server
As we said at the beginning, we should set up a new Windows Server that will be used for the Windows Event Subscription. After you have set up the Windows Server, follow these instructions:
- Open the Event Viewer and click on Subscriptions.
- Click Yes to start the Windows Event Collector Service.
- Right click in the Subscriptions and select Create Subscription.
- Type the Subscription name.
- Click on Select Computers.
- Click Add Domain Computers to add all the computers from which you want to collect the Event Logs.
- When you have finished, verify the connection by clicking the Test button for each computer name.
- You will get "Connectivity test succeeded" if everything works. Otherwise, check that all the prerequisites have been applied on that PC. Click OK.
- Click on the button Select Events.
- In the Event Logs select Application and Services Logs/Microsoft/Windows/CodeIntegrity/Operational. This is where WDAC writes event ID 3076 (audit mode: the file would have been blocked) and event ID 3077 (enforced mode: the file was blocked).
- In Event Level select all the levels (Critical, Warning, Verbose, Error, Information). Click OK.
- Click on the Advanced Button.
- Keep Machine Account selected. Alternatively you can use a user account, which must then be a member of the Event Log Readers group on each PC, instead of the machine account.
- You can also configure the other settings, such as the protocol, but for our scenario we will not change anything: Event Delivery Optimization stays Normal and the protocol stays HTTP. Click OK.
- Now expand the Windows Logs.
- Right click Forwarded Events and select Properties.
- Select "Archive the log when full, do not overwrite events" (or "Do not overwrite events"), and raise the maximum log size, so that audit data from the whole 2-week window is not silently discarded.
Now you need to wait until the PCs receive the GPO and start sending their Event Logs. You can see the Event Logs of each PC when you expand Windows Logs and open Forwarded Events.
You can use this method if you do not have other options such as installing a 3rd-party log server or integrating with Microsoft Defender for Endpoint (formerly Windows Defender ATP).
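Once events are arriving, the report mentioned earlier can be produced on the collector with a short script. The following is an added example (not part of the original post): it reads the 3076/3077 Code Integrity events out of ForwardedEvents, pulls the "File Name" and "Process Name" fields from each event's XML, and groups them into one row per executable with hit count, number of distinct PCs, whether any hit was an enforced block, and first/last seen. The three sample events at the bottom are constructed so the parsing and grouping can be tried offline; the computer names and file paths in them are invented.

```powershell
# Added example, not from the original post. Run on the collector.
# WDAC audit events: ID 3076 = audit mode (would have been blocked), 3077 = enforced block.

function Get-WdacAuditEvents {
    # Read the forwarded Code Integrity events as XML strings (default: last 14 days).
    param([datetime]$Since = (Get-Date).AddDays(-14))
    Get-WinEvent -FilterHashtable @{
        LogName      = 'ForwardedEvents'
        ProviderName = 'Microsoft-Windows-CodeIntegrity'
        Id           = 3076, 3077
        StartTime    = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() }
}

function ConvertFrom-WdacEventXml {
    # Extract the fields the report needs from one event's XML (event schema namespace).
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        [xml]$x = $EventXml
        $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $data = @{}
        foreach ($d in $x.SelectNodes('//e:EventData/e:Data', $ns)) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            Computer = $x.SelectSingleNode('//e:System/e:Computer', $ns).InnerText
            EventId  = [int]$x.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
            Time     = [datetime]$x.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            FileName = $data['File Name']
            Process  = $data['Process Name']
        }
    }
}

function New-WdacReport {
    # One row per executable, most frequently seen first.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object FileName | ForEach-Object {
        [pscustomobject]@{
            FileName  = $_.Name
            Hits      = $_.Count
            Computers = @($_.Group.Computer | Sort-Object -Unique).Count
            Mode      = if ($_.Group.EventId -contains 3077) { 'Enforced block' } else { 'Audit only' }
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Hits -Descending
}

# Constructed sample events (invented computers and paths) so the report runs offline.
function New-SampleEventXml {
    param([string]$Computer, [int]$Id, [string]$Time, [string]$File, [string]$Process)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-CodeIntegrity"/><EventID>$Id</EventID>
    <TimeCreated SystemTime="$Time"/><Computer>$Computer</Computer></System>
  <EventData><Data Name="File Name">$File</Data><Data Name="Process Name">$Process</Data></EventData>
</Event>
"@
}
$sample = @(
    New-SampleEventXml 'PC01.contoso.local' 3076 '2024-05-01T08:00:00Z' '\Device\HarddiskVolume3\Users\alice\Downloads\tool.exe' 'explorer.exe'
    New-SampleEventXml 'PC02.contoso.local' 3076 '2024-05-02T09:30:00Z' '\Device\HarddiskVolume3\Users\bob\Downloads\tool.exe'   'explorer.exe'
    New-SampleEventXml 'PC01.contoso.local' 3077 '2024-05-03T10:15:00Z' '\Device\HarddiskVolume3\Temp\installer.msi'            'msiexec.exe'
)
New-WdacReport ($sample | ConvertFrom-WdacEventXml) | Format-Table -AutoSize

# Production run (writes the CSV you hand to the decision makers):
# New-WdacReport (Get-WdacAuditEvents | ConvertFrom-WdacEventXml) | Export-Csv .\wdac-audit.csv -NoTypeInformation
```

Grouping on the full device path is deliberate: the same tool.exe in two users' Downloads folders collapses into one row with Computers = 2, which is exactly the view you need when deciding whether to allow it by publisher or hash rather than by path.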
That's it!!!