CiTool -lp vs Confirm-WDACConfig -ListActivePolicies

[eraldinho]

Hello,

I try to have a deeper understanding of WDAC and I can't figure why these two commands don't return the same result :

Check each policy's IsEnforced state and return only the enforced policies

(CiTool -lp -json | ConvertFrom-Json).Policies | Where-Object {$_.IsEnforced -eq "True"} |
Select-Object -Property PolicyID,FriendlyName | Format-List

and

Confirm-WDACConfig -ListActivePolicies

according to this pages https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands, Is Currently Enforced | Indicates whether the policy file is active.

is there a filter I can apply to CiTool -lp in order to get the same result as Confirm-WDACConfig -ListActivePolicies?

Thanks,

Erald

[HotCakeX]

Hi,
This command

(CiTool -lp -json | ConvertFrom-Json).Policies | Where-Object {$_.IsEnforced -eq "True"} |
Select-Object -Property PolicyID,FriendlyName | Format-List

performs filtering on the result, so it only displays 2 properties of each policy: PolicyID and FriendlyName

 | Select-Object -Property PolicyID,FriendlyName | Format-List

To get the same result as the Confirm-WDACConfig -ListActivePolicies command, you need to use this command

(CiTool -lp -json | ConvertFrom-Json).Policies | Where-Object {$_.IsEnforced -eq "True"}

[eraldinho]

hello,

I'm sorry my question was not enough accurate. In fact the difference is not with the property list but with the policies list.
here is the output of Confirm-WDACConfig -ListActivePolicies | Select-Object -Property PolicyID,FriendlyName | Format-List :

4 policies are deployed

PolicyID : a244370e-44c9-4c06-b551-f6016e563076
FriendlyName : Microsoft Windows Driver Policy - Enforced

PolicyID : fc250562-8808-47fd-9210-f4659684996f
FriendlyName : AllowMicrosoft - 10-25-2024

PolicyID : 396234d3-76d5-43b6-9310-14e53a99a7d7
FriendlyName : Microsoft Windows Recommended User Mode BlockList

PolicyID : 5bf1b4f0-402b-4199-bce7-1693b102e10c
FriendlyName : DefaultWindowsAudit - 10-25-2024

And here is the output of (CiTool -lp -json | ConvertFrom-Json).Policies | Where-Object {$.IsEnforced -eq "True"}(CiTool -lp -json | ConvertFrom-Json).Policies | Where-Object {$.IsEnforced -eq "True"} |

Select-Object -Property PolicyID,FriendlyName | Format-List :

PolicyID : a244370e-44c9-4c06-b551-f6016e563076
FriendlyName : Microsoft Windows Driver Policy - Enforced

PolicyID : 1283ac0f-fff1-49ae-ada1-8a933130cad6
FriendlyName : VerifiedAndReputableDesktopEvaluation

PolicyID : 784c4414-79f4-4c32-a6a5-f0fb42a51d0d
FriendlyName : Microsoft Windows Cross Certificates for Code Integrity Exceptions Policy

PolicyID : fc250562-8808-47fd-9210-f4659684996f
FriendlyName : AllowMicrosoft - 10-25-2024

PolicyID : 2678656c-05ef-481f-bc5b-ebd8c991502d
FriendlyName : VerifiedAndReputableDesktopEvaluationFlightSupplemental

PolicyID : d2bda982-ccf6-4344-ac5b-0b44427b6816
FriendlyName : Microsoft Windows Driver Policy

PolicyID : 396234d3-76d5-43b6-9310-14e53a99a7d7
FriendlyName : Microsoft Windows Recommended User Mode BlockList

PolicyID : 5bf1b4f0-402b-4199-bce7-1693b102e10c
FriendlyName : DefaultWindowsAudit - 10-25-2024

there are o lot more policies in the second output.

[HotCakeX]

Oh i see, it's because by default the confirm-WDACConfig -ListActivePolicies doesn't show system policies, to view system policies you can use this command confirm-WDACConfig -ListActivePolicies -OnlySystemPolicies

https://github.com/HotCakeX/Harden-Windows-Security/wiki/Confirm-WDACConfig

[eraldinho]

ok, thanks :)