Releases: HotCakeX/Harden-Windows-Security
AppControl Manager 1.8.9.0
What's New
Important
How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex
- The AppControl Manager can now be natively installed on non-X64 platforms such as ARM64. It no longer uses MSIX files; it uses MSIXBundle files, which include the MSIX files for multiple platforms, making the installation simpler and more straightforward.
- The Logs page no longer has a file size limit. It will display log files of any size in an optimized and high-performance way.
- The Logs folder would previously be automatically cleaned up when it reached 100MB. The new limit is now set to 1GB.
- Removed the color pickers from the Logs page, which resulted in the removal of an extra dependency package from the application. They were used to control the logs text color and highlight color, which are no longer needed. Now, the text color is defined by your OS theme, which makes it more accessible and readable, and the highlight color is defined by your OS accent color.
- Significantly improved the search experience in the Logs page.
- FilePath or Wildcard FilePath rules are no longer created for kernel-mode files because only user-mode files can be allowed/denied via File Path. Using FilePath rules for kernel-mode files simply has no effect.
- ✨You can now effortlessly swap any deployed policy in the System Information page. For example, if you have the "Allow Microsoft" policy deployed and you want to change it instantly to "Default Windows", you can select "Default Windows" from the dropdown menu and confirm the action. All of the supplemental policies associated with that base policy will continue to work. At the moment this feature only works for unsigned policies and will cover signed policies in a future version.
- In the MDE Advanced Hunting page, added a new section where you can view query examples that generate standard logs compatible with the AppControl Manager, as suggested here.
PRs:
- Improved build process and added ARM64 support by @HotCakeX in #585
- AppControl Manager v.1.8.9.0 by @HotCakeX in #588
Note
As mentioned at the top, please refer to this page for installation instructions.
Harden Windows Security v.0.7.4
What's New
✨ The Harden Windows Security now uses .NET 9 (PowerShell 7.5), that means:
- New appearance that is modern, based on Windows 11 fluent design
- Mica backdrop
- Better and more modern code
- Removal of all custom UI elements that belonged to the old WPF designs
- Faster startup time
- Support for light/dark theme in the OS
- Support for accent colors in the OS
- More accessible user experience
- Plus many more benefits
Removed features:
- Custom background image.
- The ability to set custom background image.
Since the Mica design is used for the background, there is no longer a need to set a custom color or custom background image.
Other Features
- You can now export the results of the compliance check in the GUI using a new button that was added.
- Improved Username detection, making it more resilient.
- Further improved the GUI and code-behinds to be more consistent.
- Improved the comments in the code to be more accurate.
- Updated the link to the Microsoft 365 apps security baselines to the latest version, 24H2. Previous version was 2306.
- Added a new design for when an error occurs in the app
  - This is of course a rare occurrence, but this feature is there whenever it's necessary. You no longer need to use PowerShell to copy the logs and no error is propagated there. Complete details of the error are presented to you in the dialog that you see, and with 1 press of a button you can copy them to the clipboard and report them on GitHub if you want.
- Added support for running the module in Windows Server. You can use all of the features of the Harden Windows Security module in Windows Server 2025 to harden it. This is Phase 1 of completing this roadmap item.
- Applied more optimizations to the code.
- Updated Readme with info regarding the new Edge policies.
- Updated the version number file.
- Updated the required Microsoft DLLs.
- Removed the emoji text arts that appear at the end of the compliance check in the CLI experience.
- Improved the text colors in the Protect cmdlet in the CLI experience.
New Security Measures
Added 4 new policies to the Edge protection category
- Added a policy that will keep support for Manifest V2 extensions enabled even after its deprecation. Manifest V2 extension support is vital for the proper functioning of uBlock Origin (and similar extensions), which is more than a simple adblocker and can provide lots of protection when browsing the web through its custom lists.
  - Note that this is something being pushed by Google through their controlling power of Chromium, not Microsoft.
- Added a policy that will prevent websites from even requesting access to locally connected USB devices.
- Added a policy that automatically denies the window management permission to sites by default. This limits the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
- Added a policy that will disable dynamic code in the Edge browser. This is a security feature that prevents the browser process from creating dynamic code. The default value of this policy is not explicitly defined; it could be enabled or disabled. Setting it explicitly to enabled via this policy ensures that no dynamic code is created by the browser process.
AppControl Manager 1.8.8.0
What's New
Important
How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex
- The AppControl Manager now seamlessly integrates Microsoft Defender for Endpoint Advanced Hunting, allowing you to perform queries directly within the app. You can retrieve and analyze hunting results with advanced filtering and sorting options. From there, you can effortlessly create App Control policies and deploy them via Intune—all without ever leaving the app.
- Technical details: the implemented code is fully compatible with ahead-of-time compilation (Native AOT), resulting in high-performance source-generated code. So whether you are using CSV files from your local system or retrieving the results from the cloud, they are processed very quickly.
- AppControl Manager employs MediumIL (Medium Integrity Level) when running as an Administrator, ensuring that non-elevated processes cannot access its memory or attach debuggers. Given that the app handles sensitive information—such as Microsoft 365 authentication tokens stored in private variables—this design decision safeguards these tokens from unauthorized, unelevated access or tampering.
- AppControl Manager leverages MSAL from Microsoft to manage Microsoft 365 authentications. This industry-standard library adheres to best practices for secure authentication token management.
- Following the Least Privilege Access, the only required permission is ThreatHunting.Read.All
- Bumped version to 1.8.8.0
- Improved the toolbar menus in Event logs page and MDE Advanced Hunting page.
- Adjusted the margin of the titles in the pages to reduce the empty spaces.
- Updated the documents to cover the new changes and features introduced in this version.
- Improved the About section in the settings page. The links are now dynamically relocated based on the app window's width.
PR: #580
Note
As mentioned at the top, please refer to this page for installation instructions.
AppControl Manager 1.8.7.0
What's New
Important
How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex
- Added flyouts with buttons to the EVTX file path selector buttons in the Create Policy From Event Logs page. Now whenever you select EVTX files, a small flyout will open, displaying the path you selected and offering a Clear button so you can clear the selected path if you want. This is aligned with the rest of the browse button behaviors throughout the AppControl Manager's UI.
- Added the same flyout feature to the MDE Advanced Hunting page for the browse for CSV button.
- ✨In the AppControl Manager, all buttons that allow you to browse for files and folders already feature flyouts—small pop-up areas that display the selected files or folders. Previously, these flyouts would only appear after a left-click or tap on the browse buttons, which would first launch the file/folder picker and then display the flyout. In this update, the flyouts can now also be triggered by right-clicking the buttons or, on touch-enabled devices, by tapping and holding the buttons. This enhancement improves your experience by making it easier to view your selected content without needing to click the browse button again to launch the file/folder picker.
- Version bump from 1.8.6.0 to 1.8.7.0
- Added JSON source generation support for the Intune class, making it Native AOT/Trim friendly and faster.
- The Simulation page's folder picker now supports picking multiple folders. Previously it only supported picking 1 folder.
- The Configure Policy Rule Options page now automatically shows you the available rule options in the XML file you select by checking/unchecking the boxes in the UI; they are dynamically updated to reflect the XML file's rule options.
- The buttons were also simplified and there are no longer any Add/Remove/Select All buttons. They were replaced by "Apply the changes" and "Retrieve Rules Status" buttons.
- Additionally, the entire row containing each checkbox is now clickable, making interaction easier.
- When using a template, checkboxes update automatically in real time, reflecting the latest changes instantly. These enhancements significantly improve usability and efficiency.
Note
As mentioned at the top, please refer to this page for installation instructions.
AppControl Manager 1.8.6.0
What's New
Important
How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex
- The AppControl Manager now supports 3 more rule types for both Supplemental policies and Deny base policies:
  - File path rules for each file.
  - File path rules based on wildcards for each folder (that means any file that resides in the selected folder will be automatically allowed).
  - PFN based rules for packaged apps (Package Family Name)
- With these 3 additional rule types, you can allow your apps, files and folders in new ways that suit your needs.
- Keep in mind that the most secure rule types are signature based ones such as FilePublisher.
  - Read more about rule type security in this article: https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Rule-Levels-Comparison-and-Guide
- Removed the static color for text highlights in flyout text boxes. The colors are now dynamically set based on the Windows accent color.
- The "Get Configuration" button in the Settings page now automatically expands the section to make the configurations visible, reducing extra clicks/taps needed.
- The Create policy page's deploy buttons are now consistent with the rest of the deploy buttons in the app.
- Improved consistency in the codebase and UI elements.
- Added documentation for creating Deny policies => https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-an-App-Control-Deny-Policy
- When parsing the Microsoft Defender for Endpoint Advanced Hunting logs, Blocked events would show as Audit events in the data grid, that is now fixed.
Automated Release Notes
- AppControl-Manager-DownloadLink-Version-Update-Version-1.8.5.0 by @github-actions in #545
- The old WDACConfig PowerShell module has been fully deprecated by @HotCakeX in #553
- Implementing FilePath and PFN based rules in AppControl Manager by @HotCakeX in #554
- Fixed Audit/Block categorization of the MDE Advanced Hunting data by @HotCakeX in #557
- docs: remove empty image tag from WDAC Notes.md by @HryshcIlya in #558
- Code refactoring and general improvements by @HotCakeX in #560
- Version bump to 1.8.6.0 - AppControl Manager by @HotCakeX in #561
Full Changelog: AppControlManager.v.1.8.5.0...AppControlManager.v.1.8.6.0
Note
As mentioned at the top, please refer to this page for installation instructions.
AppControl Manager 1.8.5.0
What's New
Important
How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex
- You can now use AppControl Manager to deploy App Control policies with 1 click/tap to your entire Intune-managed fleet of workstations. Simply authenticate with your tenant and then deploy the policies in the app as you normally would. The entire process is very simple, automated and fast. Both signed and unsigned policies are supported for cloud deployment.
- Added documentation for Strict Kernel-mode policy creation and management
- Updated NuGet dependencies.
Automated Release Notes
- AppControl-Manager-DownloadLink-Version-Update-Version-1.8.4.0 by @github-actions in #538
- Bump dotnet-sdk from 9.0.1 to 9.0.102 in /AppControl Manager by @dependabot in #539
- Added direct Intune cloud deployment to AppControl Manager by @HotCakeX in #542
- Creating new documentations for App Control by @HotCakeX in #543
- AppControl Manager has reduced permissions for Intune and better policyID in Intune by @HotCakeX in #544
Full Changelog: AppControlManager.v.1.8.4.0...AppControlManager.v.1.8.5.0
Note
As mentioned at the top, please refer to this page for installation instructions.
AppControl Manager 1.8.4.0
What's New
Important
How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex
- Upgraded the .NET version and NuGet packages.
- Implemented ISG based Supplemental policy in the AppControl Manager. This is a new type of supplemental policy that doesn't explicitly allow anything; instead, it only activates the usage of the ISG, Intelligent Security Graph, on the system so reputable files can be automatically authorized.
- Implemented initial support for translating the AppControl Manager to other languages.
- Implemented another protection when removing signed policies in AppControl Manager.
- This new protection mechanism ensures the safe removal of signed policies. To complete the process securely, a system reboot is required after the first stage. The newly implemented protection verifies that the reboot has been performed before allowing the process to proceed to the final stage.
- If the user forgets to reboot or is unsure whether it’s necessary, a prompt will appear to guide them through the process. This safeguard prevents accidental errors that could lead to boot failures, making the AppControl Manager even safer and more reliable when managing Signed App Control policies.
- Wonder why Signed policies are important? Check out this article
- Implemented Strict Kernel-mode App Control Policy. It's a special type of policy that can protect against all BYOVD scenarios as well as protecting the kernel from unauthorized access while letting regular user-mode files function normally.
- Implemented Strict Kernel-mode Supplemental policy creation.
- All local file scans in the AppControl Manager now consider the Security Catalogs, improving accuracy.
- Added support for catalog signed files to the View File Certificates page. Many files are signed via Security Catalogs. So they seem unsigned if you investigate them individually, but Windows has access to the Security Catalogs where those files' signatures exist and now AppControl Manager can show you those details.
Auto Generated Release Notes
- AppControl-Manager-DownloadLink-Version-Update-Version-1.8.3.0 by @github-actions in #517
- Implemented ISG based Supplemental policy in the AppControl Manager by @HotCakeX in #520
- Adding initial support for translating app control manager into other languages by @HotCakeX in #521
- Implemented another protection when removing signed policies in AppControl Manager by @HotCakeX in #522
- Alignment of namespaces with folder structures in the AppControl Manager code base by @HotCakeX in #523
- Bump System.Management from 9.0.0 to 9.0.1 in /Harden-Windows-Security Module by @dependabot in #530
- Bump System.Management from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #529
- Bump Microsoft.WindowsAppSDK from 1.6.241114003 to 1.6.250108002 in /AppControl Manager by @dependabot in #528
- Bump Microsoft.XmlSerializer.Generator from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #526
- Bump System.Security.Cryptography.Pkcs from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #527
- Bump System.Diagnostics.EventLog from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #525
- Implementing Strict Kernel-mode policy in AppControl Manager by @HotCakeX in #531
- Removing unused PowerShell logic from the deprecated WDACConfig module by @HotCakeX in #532
- Added support for catalog signed files in local file scans in the AppControl Manager by @HotCakeX in #533
- Bump System.DirectoryServices.AccountManagement from 9.0.0 to 9.0.1 in /Harden-Windows-Security Module by @dependabot in #534
- Version bump to 1.8.4.0 - AppControl Manager by @HotCakeX in #535
- Minor improvements before AppControl Manager v.0.1.8.4 release by @HotCakeX in #536
- Updating documents with new information by @HotCakeX in #537
Full Changelog: AppControlManager.v.1.8.3.0...AppControlManager.v.1.8.4.0
Note
As mentioned at the top, please refer to this page for installation instructions.
AppControl Manager 1.8.3.0
What's Changed
Important
How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex
- Improved the update mechanism; it will remove any related previous ASR rule exclusions instead of only those for the previous app version. The same improvement was previously implemented in the bootstrapper script and the Harden Windows Security module as well.
- Improved page behaviors; their states will now be preserved at all times even if you navigate away from them for any amount of time.
- Fixed the NuGet connection (e.g., for downloading SignTool.exe); it isn't always compatible with HTTP v.2
PR: #516
Harden Windows Security v.0.7.3
What's New
- Added a new section to the Apps | Features page where you can remove the pre-installed built-in network drivers that you do not use. Windows by default has Wi-Fi and Ethernet network adapter drivers of Intel, Broadcom, Ralink, Realtek, Qualcomm and Marvell. If you do not have any of that hardware or you install your own drivers, then you can remove the unnecessary ones, freeing up disk space and reducing the overall attack surface.
  - You can view the full list of pre-installed network drivers via this PowerShell command: Get-WindowsCapability -Online
  - As always, detailed logs of each step of the operation will be generated and made available.
- Improved the dialog window design. It has a gradient dark background and will stay on top so the user won't miss the important message that is displayed.
- Added a check to display a message to the user when installing AppControl Manager and an incompatible policy is detected.
- Improved the module's compatibility with other modules that load the same Microsoft DLLs in the session through PowerShell profile. When Harden Windows Security detects such situations, it will automatically use the -NoProfile switch.
- Updated the Microsoft DLLs to the latest versions from NuGet.
- Improved the logging mechanism when using the Harden Windows Security in unattended/headless mode like this:
Protect-WindowsSecurity -Verbose -Categories MicrosoftSecurityBaselines,Microsoft365AppsSecurityBaselines,MicrosoftDefender,AttackSurfaceReductionRules,BitLockerSettings,TLSSecurity,DeviceGuard,LockScreen,UserAccountControl,WindowsFirewall,WindowsNetworking,WindowsUpdateConfigurations,MiscellaneousConfigurations,EdgeBrowserConfigurations,CertificateCheckingCommands,CountryIPBlocking,DownloadsDefenseMeasures,NonAdminCommands -Log -LogPath 'C:\Users\Admin\Desktop\Logs.txt' -Offline -MSFTDefender_SAC -MSFTDefender_BetaChannels -DeviceGuard_MandatoryVBS -WindowsNetworking_BlockNTLM -MiscellaneousConfigurations_ReducedTelemetry -MiscellaneousConfigurations_LongPathSupport -CountryIPBlocking_OFAC -DangerousScriptHostsBlocking -UAC_OnlyElevateSigned -LockScreen_CtrlAltDel -Miscellaneous_WindowsProtectedPrint -UAC_NoFastSwitching -MiscellaneousConfigurations_StrongKeyProtection -LockScreen_NoLastSignedIn -PathToLGPO 'C:\Users\Admin\Desktop\LGPO.zip' -PathToMSFT365AppsSecurityBaselines 'C:\Users\Admin\Desktop\Microsoft365SecurityBaseline.zip' -PathToMSFTSecurityBaselines 'C:\Users\Admin\Desktop\Windows 11 v24H2 Security Baseline.zip'
  - That's an example command that will run all of the categories and sub-categories in unattended mode, completely offline, and log the output to a file. The log file will contain every detail of the operation just like they are generated in the GUI mode.
  - Previously the logs in this scenario would have very minimal content because the built-in PowerShell transcription feature was being used, but now it's handled by the module itself.
  - With a command like that, you can configure your systems/workstations in bulk and schedule that command to run periodically. That is a completely automated mechanism and if a new version of the module is available, it will download and install it and remove any older version.
  - If you have any questions about the unattended/headless mode, feel free to ask here on GitHub.
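One way to schedule the unattended run described above, as an added example that is not part of the release notes or the module's own code. The task name, schedule, log folder and category subset are assumptions, as is the module being installed for all users so that the SYSTEM account can load it.

```powershell
#Requires -RunAsAdministrator
# Added example (not the module's own code): register a weekly scheduled task
# that runs Protect-WindowsSecurity in unattended mode and logs to a file.
# Assumptions: task name, schedule, log folder and category subset are
# hypothetical; the module is installed for all users; pwsh.exe is installed.

$TaskName   = 'HardenWindowsSecurity-Unattended'      # hypothetical name
$LogDir     = 'C:\ProgramData\HardenWindowsSecurity'  # hypothetical path
$LogFile    = Join-Path -Path $LogDir -ChildPath 'Protect.log'
$Categories = 'MicrosoftDefender,AttackSurfaceReductionRules,TLSSecurity,WindowsFirewall'

# The task runs as SYSTEM, so standard users must not be able to write to
# (or pre-create files in) the folder it logs to. Well-known SIDs are used
# so the command works on any display language:
#   S-1-5-18 = Local System, S-1-5-32-544 = built-in Administrators.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
icacls.exe $LogDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Failed to restrict the ACL on $LogDir" }

# Resolve the full path now so the task does not rely on PATH lookup later.
$Pwsh = (Get-Command -Name 'pwsh.exe' -CommandType Application -ErrorAction Stop |
        Select-Object -First 1).Source

# Same switches as the command shown above, limited to a few categories.
$Arguments = '-NoProfile -NonInteractive -Command "Protect-WindowsSecurity -Verbose ' +
             "-Categories $Categories -Log -LogPath '$LogFile'" + '"'

$Action    = New-ScheduledTaskAction -Execute $Pwsh -Argument $Arguments
$Trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '03:00'
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                 -MultipleInstances IgnoreNew `
                 -ExecutionTimeLimit (New-TimeSpan -Hours 2)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Show what was registered and when it will next run.
$Registered = Get-ScheduledTask -TaskName $TaskName
$Registered.Actions | Select-Object -Property Execute, Arguments
$Registered | Get-ScheduledTaskInfo |
    Select-Object -Property LastRunTime, LastTaskResult, NextRunTime
```

After the first run, check LastTaskResult and the log file together; the log is where the module records each step of the operation.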
PR: #515
Harden Windows Security v.0.7.2
What's New
This update is full of new features 🎉
Ability to Remove built-in pre-installed apps
Introduced the ability to remove built-in apps using the Harden Windows Security module. This functionality is available on a dedicated page. The list of removable apps is stored in a JSON file, providing flexibility and extensibility.
When apps are removed using the Harden Windows Security module, they are removed for all users, and they won't come back when you create a new user. They are re-installable from the Microsoft Store if necessary.
The JSON file currently includes 37 apps. More apps can easily be added to it in the future without requiring changes to the code.
Ability to Remove Individual Optional Windows Features and Capabilities
Added a new page for managing Optional Windows Features. While the Harden Windows Security module already includes an Optional Features category in the hardening measures section, this new page allows for granular control, enabling you to fine-tune which features to enable or disable. It also includes additional optional features that can be removed.
Online File Reputation Check via Smart App Control/SmartScreen through Microsoft Defender
Uses Microsoft Defender to query a file's reputation based on either Smart App Control or SmartScreen, depending on whichever is in control. It doesn't need Admin privileges. It's in a new dedicated tab available in the GUI. Simply browse for a file and detect its reputation and some other advanced details. You can use this feature while other tasks in the Harden Windows Security module are running.
Added Reduced Telemetry Policies
Added reduced telemetry policies to the Miscellaneous Category in the Harden Windows Security module. They are a sub-category and include the following policies:
- Disable Online Tips. CSP
- Disable Find My Device feature. CSP
- Disable Automatic Update of Speech Data. CSP
- Turn off the advertising ID. CSP
- Turn off cloud optimized content. CSP
- Do not show Windows tips. CSP
- Do not show feedback notifications. CSP
- Turn off Automatic Download and Update of Map Data. CSP
- Disable Message Service Cloud Sync for cellular text messages. CSP
- Disable support for web-to-app linking with app URI handlers. CSP
- Disable "Continue experiences on this device" feature. CSP
- Disable Font Providers. CSP
- Don't search the web or display web results in Search. CSP
- Do not allow web search. More Info
AppControl Manager Installer Integration
You can now install the AppControl Manager right from the Harden Windows Security module. This is a very convenient way to install it as it only requires a click/tap of a button.
Other Changes
- Compliance Checking Enhancement: Added support for VBScript compliance checks.
- Code Improvements: Implemented several code enhancements and optimizations.
- UI Enhancements: Updated the button styles on the ASR Rules and Unprotect pages. The new design replaces the previous animated buttons with play icons, offering a cleaner and more modern look.
- Added description texts to the top of the pages.
- Changed Only Elevated Signed sub-category name to Only Elevate Signed, it was a typo.
- Updated the readme.
- Updated the demo gif to reflect the changes in the GUI.
Auto generated release notes 👇
- AppControl-Manager-DownloadLink-Version-Update-Version-1.8.2.0 by @github-actions in #500
- Implemented Apps and Windows Features Removal by @HotCakeX in #506
- Implemented online file reputation verification in the Harden Windows Security moulde by @HotCakeX in #507
- Added AppControl Manager native installer to the Harden Windows Security Module by @HotCakeX in #508
- Improved the bootstrapper script by @HotCakeX in #509
- Added reduced telemetry policies by @HotCakeX in #510
Full Changelog: AppControlManager.v.1.8.2.0...Hardening-Module-v.0.7.2