Releases: HotCakeX/Harden-Windows-Security
AppControl Manager 1.9.2.0
What's New
Important
How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex
- The User Configurations directory name, which has been WDACConfig in the Program Files directory, is now changed to AppControl Manager to better reflect the product name. All of the files and directories in the previous directory will be automatically moved to the new directory upon application start. All of the paths in the User Configurations JSON file will be updated to reflect the new directory. The old directory will be removed at the end. This process only happens 1 time, is very fast and requires no user interaction. WDACConfig was the name of a now deprecated PowerShell module, and the directory name was a remnant of it that had been kept unchanged for the sake of interoperability, which is no longer needed.
- Added a new feature to the Deploy App Control Policies page that lets you select one or more XML files and convert them to CIP files without deploying them.
- Added a new feature to the Deploy App Control Policies page that lets you create signed CIP files without deploying them. It will essentially create signed CIP files for you that you can then manually deploy to any other system.
- Bumped version to 1.9.2.0.
- Improved logging across the app when an error occurs.
- Fixed an issue with Allow New Apps' sub-pages where data wouldn't be populated if you were in one of the pages with ListViews, and you'd have to switch to the main page and then back to view the data. This was a regression in 1.9.1.0.
- Improved the column sorting and naming in pages with ListViews that show data from event logs. They now show more relevant data.
- Improved the XML deserialization logic.
- Adjusted the locations of all the Guide buttons in each page; they now all appear in the same place, improving consistency.
- Fixed an issue where if there was an error while a content dialog was open, the error message wouldn't be displayed. Now content dialogs are tracked globally and if an error occurs while one of them is open, they will be closed for the error message to be displayed in a dedicated content dialog.
PR: #617
How to verify the MSIXBundle's authenticity:
gh attestation verify "Path To MSIXBundle" --repo HotCakeX/Harden-Windows-Security --format json
You can install the GitHub CLI from Winget:
winget install --id GitHub.cli
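A fail-closed wrapper around the verification command above, as an added example that is not part of the project's release notes: it stops on a non-zero gh exit code and cross-checks the attested subject digest against the local file's SHA-256. The function names, the sample JSON and the JSON field path (verificationResult.statement.subject) are assumptions of this example.

```powershell
# Added example (not project code). Function names are hypothetical.
# Assumption: `gh attestation verify --format json` prints an array whose items
# expose the signed in-toto statement at verificationResult.statement.

function Test-AttestedDigest {
    # Returns $true when any attested subject carries the given SHA-256 digest.
    param(
        [Parameter(Mandatory)][string]$Json,
        [Parameter(Mandatory)][string]$Sha256
    )
    $results = $Json | ConvertFrom-Json
    foreach ($result in $results) {
        foreach ($subject in $result.verificationResult.statement.subject) {
            # Get-FileHash returns upper-case hex, attestations use lower-case:
            # compare case-insensitively.
            if ($subject.digest.sha256 -and ($subject.digest.sha256 -ieq $Sha256)) {
                return $true
            }
        }
    }
    return $false
}

function Confirm-MsixBundleAttestation {
    # Verifies the bundle with gh and returns its SHA-256, or throws so that
    # callers never go on to install an unverified file.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Repo = 'HotCakeX/Harden-Windows-Security'
    )
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $output = & gh attestation verify $Path --repo $Repo --format json
    if ($LASTEXITCODE -ne 0) {
        throw "gh attestation verify failed for '$Path' (exit code $LASTEXITCODE)."
    }
    if (-not (Test-AttestedDigest -Json ($output -join "`n") -Sha256 $hash)) {
        throw "No attested subject digest matches the SHA-256 of '$Path'."
    }
    return $hash
}

# Offline check of the parsing logic with a constructed sample (not real gh output).
$constructedDigest = 'ab' * 32
$sample = '[{"verificationResult":{"statement":{"subject":[{"name":"Example.msixbundle","digest":{"sha256":"' + $constructedDigest + '"}}]}}}]'
Test-AttestedDigest -Json $sample -Sha256 $constructedDigest.ToUpper()
Test-AttestedDigest -Json $sample -Sha256 ('cd' * 32)
```

Call Confirm-MsixBundleAttestation with the downloaded bundle's path before installing, and keep the returned hash to confirm that the file you install is the one that was verified.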
Note
As mentioned at the top, please refer to this page for installation instructions.
AppControl Manager 1.9.1.0
What's New
- ✅ The AppControl Manager is now fully Native AOT and Trimmed with 0 warning or error suppressions. This change reduces the MSIX package file size from 85MB down to 33MB and the MSIXBundle package file size from 162MB down to 65MB (because it contains both ARM64 and X64 packages).
- ✅ The performance and launch time of the AppControl Manager has been substantially improved thanks to being natively compiled into machine code and favoring speed during compilation. That means more work is done during the packaging process and less time is spent on the user's system.
- ✅ Modernized all of the Data Grids across the app. As a result, you no longer see a message in the Settings page of the app when running the app in a VM and animations are not enabled on the system. This change removes the ability to resize the columns; however, each column is precisely sized based on the content it shows, so manual resizing is not necessary. The headers of the grids are no longer clickable for sorting; instead, a new flyout button has been added to the toolbar that allows you to sort the data.
- ✅ Increased the amount of information that is written to the log file when there is an error in the app, providing more information about its cause.
- ✅ Added Control Flow Guard support to the AppControl Manager, a great security feature that prevents certain exploits.
- ✅ Set Intel's Control-flow Enforcement Technology to explicitly enabled in the project.
- ✅ Updated the Microsoft.IdentityModel.Abstractions NuGet dependency.
- ✅ Fixed an issue where there would be an error when listing installed apps and one of them would have an incorrect logo URI.
- ✅ Improved the Configure Policy Rule Options page; it now shows the details and description of each rule option, helping you decide which one is suitable for your use case.
- ✅ Fixed an issue with wildcard file paths that you make for supplemental or deny policies by selecting the root of the drives such as C: or D:. Previously they would look like C:\\* in the policy XML file, but now it's fixed by not adding the extra backslash when a drive root is selected.
- ✅ Significantly improved the ability of the AppControl Manager to be translated into other languages. Please refer to this page if you are interested in helping translate the app into other languages.
- ✅ Fixed a typo in a button label.
- ✅ Plus lots of miscellaneous code improvements.
PRs:
- AppControl-Manager-DownloadLink-Version-Update-Version-1.9.0.0 by @github-actions in #594
- Fixed a typo in a button label by @HotCakeX in #596
- Improving multilingual feature of AppControl Manager by @HotCakeX in #597
- Improved translation capability of AppControl Manager by @HotCakeX in #599
- Fixed wildcard file path rules for drive roots by @HotCakeX in #600
- Code refactor and improved resource file usage by @HotCakeX in #601
- AppControl Manager is now Native AOT and Fully Trimmed by @HotCakeX in #608
- improving the reliability of installed apps list fetching in the AppControl Manager by @HotCakeX in #612
- Finishing up work on AppControl Manager v.1.9.1.0 by @HotCakeX in #614
Full Changelog: AppControlManager.v.1.9.0.0...AppControlManager.v.1.9.1.0
AppControl Manager 1.9.0.0
What's New
- Updated NuGet dependencies to the latest version.
- Updated all transitive NuGet packages to the latest version.
- Updated .NET SDK to the latest version.
- Updated WinAppSDK to the latest version.
- Version bump to 1.9.0.0
- Updated build workflow to include C++ workload required by Native AOT compilation.
- Updated the AppControl Manager wiki document.
- Added tooltips and icons to all of the sidebar buttons.
- Added a new button to the sidebar that lets you quickly open the user configurations directory to view the files generated by the application such as XML policies, certificates and so on.
- File/Folder picker dialogs used to always open at the User Config directory. Now they start there by default, and if you navigate to a different directory and select a file or folder, the next time the dialog will open right where you left off. No more wasting time navigating back to your preferred spot!
- Making more efforts towards full Native AOT compilation support of the AppControl Manager. This PR specifically targets XML serialization and deserialization by implementing custom handmade logic that does not rely on the reflection-based built-in (de)serialization logic. The outcome is much more robust, high-performance, predictable and maintainable code.
  - This allowed the XML serialization generator NuGet dependency to be removed since all the logic is statically available and an additional dll for that job is no longer produced.
PR: #592
AppControl Manager 1.8.9.0
What's New
- The AppControl Manager can now be natively installed on non-X64 platforms such as ARM64. It no longer uses MSIX files; it uses MSIXBundle files, which include the MSIX files for multiple platforms, making the installation simpler and more straightforward.
- The Logs page no longer has a file size limit. It will display log files of any size in an optimized and high-performance way.
- The Logs folder would previously be automatically cleaned up when it reached 100MB. The new limit is now set to 1GB.
- Removed the color pickers from the Logs page, which resulted in the removal of an extra dependency package from the application. They were used to control the logs text color and highlight color, which are no longer needed. Now, the text color is defined by your OS theme, which makes it more accessible and readable, and the highlight color is defined by your OS accent color.
- Significantly improved the search experience in the Logs page.
- FilePath or Wildcard FilePath rules are no longer created for kernel-mode files because only user-mode files can be allowed/denied via File Path. Using FilePath rules for kernel-mode files simply has no effect.
- ✨ You can now effortlessly swap any deployed policy in the System Information page. For example, if you have the "Allow Microsoft" policy deployed and you want to change it instantly to "Default Windows", you can select "Default Windows" from the dropdown menu and confirm the action. All of the supplemental policies associated with that base policy will continue to work. At the moment this feature only works for unsigned policies and will cover signed policies in a future version.
- In the MDE Advanced Hunting page, added a new section where you can view query examples that generate standard logs compatible with the AppControl Manager, as suggested here.
PRs:
- Improved build process and added ARM64 support by @HotCakeX in #585
- AppControl Manager v.1.8.9.0 by @HotCakeX in #588
Harden Windows Security v.0.7.4
What's New
✨ Harden Windows Security now uses .NET 9 (PowerShell 7.5), which means:
- New appearance that is modern, based on Windows 11 fluent design
- Mica backdrop
- Better and more modern code
- Removal of all custom UI elements that belonged to the old WPF designs
- Faster startup time
- Support for light/dark theme in the OS
- Support for accent colors in the OS
- More accessible user experience
- Plus many more benefits
Removed features:
- Custom background image.
- The ability to set custom background image.
Since Mica design is used for the background, there is no longer the need to set a custom color or custom background image.
Other Features
- You can now export the results of the compliance check in the GUI using a new button that was added.
- Improved Username detection, making it more resilient.
- Further improved the GUI and code-behinds to be more consistent.
- Improved the comments in the code to be more accurate.
- Updated the link to the Microsoft 365 apps security baselines to the latest version, 24H2. The previous version was 2306.
- Added a new design for when an error occurs in the app.
  - This is of course a rare occurrence, but this feature is there whenever it's necessary. You no longer need to use PowerShell to copy the logs and no error is propagated there. Complete detail of the error is presented to you in the dialog that you see, and with 1 press of a button you can copy it to clipboard and report it on GitHub if you want.
- Added support for running the module in Windows Server. You can use all of the features of the Harden Windows Security module in Windows Server 2025 to harden it. This is Phase 1 of completing this roadmap item.
- Applied more optimizations to the code.
- Updated Readme with info regarding the new Edge policies.
- Updated the version number file.
- Updated the required Microsoft DLLs.
- Removed the emoji text arts that appear at the end of the compliance check in the CLI experience.
- Improved the text colors in the Protect cmdlet in the CLI experience.
New Security Measures
Added 4 new policies to the Edge protection category
- Added a policy that will keep support for Manifest V2 extensions enabled even after its deprecation. Manifest V2 extension support is vital for the proper functioning of uBlock Origin (and similar extensions), which is beyond a simple adblocker and can provide lots of protection when browsing the web through its custom lists.
  - Note that this is something being pushed by Google through their controlling power of Chromium, not Microsoft.
- Added a policy that will prevent websites from even requesting access to the locally connected USB devices.
- Added a policy that automatically denies the window management permission to sites by default. This limits the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
- Added a policy that will disable dynamic code in the Edge browser, which is a security feature that prevents the browser process from creating dynamic code. The default value of this policy is not explicitly defined; it could be enabled or could be disabled. Setting it explicitly to enabled via this policy ensures that no dynamic code is created by the browser process.
PRs
AppControl Manager 1.8.8.0
What's New
- The AppControl Manager now seamlessly integrates Microsoft Defender for Endpoint Advanced Hunting, allowing you to perform queries directly within the app. You can retrieve and analyze hunting results with advanced filtering and sorting options. From there, you can effortlessly create App Control policies and deploy them via Intune—all without ever leaving the app.
  - Technical details: the implemented code is fully compatible with ahead-of-time compilation (Native AOT), resulting in high-performance source-generated code. So whether you are using CSV files from your local system or retrieving the results from the cloud, they are processed very quickly.
  - AppControl Manager employs MediumIL (Medium Integrity Level) when running as an Administrator, ensuring that non-elevated processes cannot access its memory or attach debuggers. Given that the app handles sensitive information—such as Microsoft 365 authentication tokens stored in private variables—this design decision safeguards these tokens from unauthorized, unelevated access or tampering.
  - AppControl Manager leverages MSAL from Microsoft to manage Microsoft 365 authentications. This industry-standard library adheres to best practices for secure authentication token management.
  - Following the Least Privilege Access, the only required permission is ThreatHunting.Read.All
- Bumped version to 1.8.8.0
- Improved the toolbar menus in Event logs page and MDE Advanced Hunting page.
- Adjusted the margin of the titles in the pages to reduce the empty spaces.
- Updated the documents to cover the new changes and features introduced in this version.
- Improved the About section in the settings page. The links are now dynamically relocated based on the app window's width.
PR: #580
AppControl Manager 1.8.7.0
What's New
- Added flyouts with buttons to the EVTX file path selector buttons in the Create Policy From Event Logs page. Now whenever you select EVTX files, a small flyout will open, displaying the path you selected and offering a Clear button so you can clear the selected path if you want. This is aligned with the rest of the browse button behaviors throughout the AppControl Manager's UI.
- Added the same flyout feature to the MDE Advanced Hunting page for the browse for CSV button.
- ✨ In the AppControl Manager, all buttons that allow you to browse for files and folders already feature flyouts—small pop-up areas that display the selected files or folders. Previously, these flyouts would only appear after a left-click or tap on the browse buttons, which would first launch the file/folder picker and then display the flyout. In this update, the flyouts can now also be triggered by right-clicking the buttons or, on touch-enabled devices, by tapping and holding the buttons. This enhancement improves your experience by making it easier to view your selected content without needing to click the browse button again to launch the file/folder picker.
- Version bump from 1.8.6.0 to 1.8.7.0
- Added JSON source generation support for the Intune class, making it Native AOT/Trim friendly and faster.
- The Simulation page's folder picker now supports picking multiple folders. Previously it only supported picking 1 folder.
- The Configure Policy Rule Options page now automatically shows you the available rule options in the XML file you select by checking/unchecking the boxes in the UI; they are dynamically updated to reflect the XML file's rule options.
  - The buttons were also simplified and there are no longer any Add/Remove/Select All buttons. They were replaced by "Apply the changes" and "Retrieve Rules Status" buttons.
  - Additionally, the entire row containing each checkbox is now clickable, making interaction easier.
  - When using a template, checkboxes update automatically in real time, reflecting the latest changes instantly. These enhancements significantly improve usability and efficiency.
PRs
AppControl Manager 1.8.6.0
What's New
- The AppControl Manager now supports 3 more rule types for both Supplemental policies and Deny base policies:
  - File path rules for each file.
  - File path rules based on wildcards for each folder (that means any file that resides in the selected folder will be automatically allowed).
  - PFN based rules for packaged apps (Package Family Name).
- With these 3 additional rule types, you can allow your apps, files and folders in new ways that suit your needs.
- Keep in mind that the most secure rule types are signature based ones such as FilePublisher.
  - Read more about rule type security in this article: https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Rule-Levels-Comparison-and-Guide
- Removed the static color for text highlights in flyout text boxes. The colors are now dynamically set based on the Windows accent color.
- The "Get Configuration" button in the Settings page now automatically expands the section to make the configurations visible, reducing extra clicks/taps needed.
- The Create policy page's deploy buttons are now consistent with the rest of the deploy buttons in the app.
- Improved consistency in the codebase and UI elements.
- Added documentation for creating Deny policies: https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-an-App-Control-Deny-Policy
- When parsing the Microsoft Defender for Endpoint Advanced Hunting logs, Blocked events would show as Audit events in the data grid; that is now fixed.
Automated Release Notes
- AppControl-Manager-DownloadLink-Version-Update-Version-1.8.5.0 by @github-actions in #545
- The old WDACConfig PowerShell module has been fully deprecated by @HotCakeX in #553
- Implementing FilePath and PFN based rules in AppControl Manager by @HotCakeX in #554
- Fixed Audit/Block categorization of the MDE Advanced Hunting data by @HotCakeX in #557
- docs: remove empty image tag from WDAC Notes.md by @HryshcIlya in #558
- Code refactoring and general improvements by @HotCakeX in #560
- Version bump to 1.8.6.0 - AppControl Manager by @HotCakeX in #561
Full Changelog: AppControlManager.v.1.8.5.0...AppControlManager.v.1.8.6.0
AppControl Manager 1.8.5.0
What's New
- You can now use AppControl Manager to deploy App Control policies with 1 click/tap to your entire Intune-managed fleet of workstations. Simply authenticate with your tenant and then deploy the policies in the app as you normally would. The entire process is very simple, automated and fast. Both signed and unsigned policies are supported for cloud deployment.
- Added documentation for Strict Kernel-mode policy creation and management.
- Updated NuGet dependencies.
Automated Release Notes
- AppControl-Manager-DownloadLink-Version-Update-Version-1.8.4.0 by @github-actions in #538
- Bump dotnet-sdk from 9.0.1 to 9.0.102 in /AppControl Manager by @dependabot in #539
- Added direct Intune cloud deployment to AppControl Manager by @HotCakeX in #542
- Creating new documentations for App Control by @HotCakeX in #543
- AppControl Manager has reduced permissions for Intune and better policyID in Intune by @HotCakeX in #544
Full Changelog: AppControlManager.v.1.8.4.0...AppControlManager.v.1.8.5.0
AppControl Manager 1.8.4.0
What's New
- Upgraded the .NET version and NuGet packages.
- Implemented ISG based Supplemental policy in the AppControl Manager. This is a new type of supplemental policy that doesn't explicitly allow anything; instead, it only activates the usage of the ISG, Intelligent Security Graph, on the system so reputable files can be automatically authorized.
- Implemented initial support for translating the AppControl Manager to other languages.
- Implemented another protection when removing signed policies in AppControl Manager.
  - This new protection mechanism ensures the safe removal of signed policies. To complete the process securely, a system reboot is required after the first stage. The newly implemented protection verifies that the reboot has been performed before allowing the process to proceed to the final stage.
  - If the user forgets to reboot or is unsure whether it’s necessary, a prompt will appear to guide them through the process. This safeguard prevents accidental errors that could lead to boot failures, making the AppControl Manager even safer and more reliable when managing Signed App Control policies.
  - Wonder why Signed policies are important? Check out this article
- Implemented Strict Kernel-mode App Control Policy. It's a special type of policy that can protect against all BYOVD scenarios as well as protecting the kernel from unauthorized access while letting regular user-mode files function normally.
- Implemented Strict Kernel-mode Supplemental policy creation.
- All local file scans in the AppControl Manager now consider the Security Catalogs, improving accuracy.
- Added support for catalog signed files to the View File Certificates page. Many files are signed via Security Catalogs, so they seem unsigned if you investigate them individually, but Windows has access to the Security Catalogs where those files' signatures exist, and now AppControl Manager can show you those details.
Auto Generated Release Notes
- AppControl-Manager-DownloadLink-Version-Update-Version-1.8.3.0 by @github-actions in #517
- Implemented ISG based Supplemental policy in the AppControl Manager by @HotCakeX in #520
- Adding initial support for translating app control manager into other languages by @HotCakeX in #521
- Implemented another protection when removing signed policies in AppControl Manager by @HotCakeX in #522
- Alignment of namespaces with folder structures in the AppControl Manager code base by @HotCakeX in #523
- Bump System.Management from 9.0.0 to 9.0.1 in /Harden-Windows-Security Module by @dependabot in #530
- Bump System.Management from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #529
- Bump Microsoft.WindowsAppSDK from 1.6.241114003 to 1.6.250108002 in /AppControl Manager by @dependabot in #528
- Bump Microsoft.XmlSerializer.Generator from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #526
- Bump System.Security.Cryptography.Pkcs from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #527
- Bump System.Diagnostics.EventLog from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #525
- Implementing Strict Kernel-mode policy in AppControl Manager by @HotCakeX in #531
- Removing unused PowerShell logic from the deprecated WDACConfig module by @HotCakeX in #532
- Added support for catalog signed files in local file scans in the AppControl Manager by @HotCakeX in #533
- Bump System.DirectoryServices.AccountManagement from 9.0.0 to 9.0.1 in /Harden-Windows-Security Module by @dependabot in #534
- Version bump to 1.8.4.0 - AppControl Manager by @HotCakeX in #535
- Minor improvements before AppControl Manager v.0.1.8.4 release by @HotCakeX in #536
- Updating documents with new information by @HotCakeX in #537
Full Changelog: AppControlManager.v.1.8.3.0...AppControlManager.v.1.8.4.0