AppControl Manager 1.8.4.0

What's New

Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

• Upgraded the .NET version and NuGet packages.

• Implemented ISG based Supplemental policy in the AppControl Manager. This is a new type of supplemental policy that doesn't explicitly allow anything, instead it only activates the usage of the ISG, Intelligent Security Graph, on the system so reputable files can be automatically authorized.

• Implemented initial support for translating the AppControl Manager to other languages.

• Implemented another protection when removing signed policies in AppControl Manager.

  • This new protection mechanism ensures the safe removal of signed policies. To complete the process securely, a system reboot is required after the first stage. The newly implemented protection verifies that the reboot has been performed before allowing the process to proceed to the final stage.

  • If the user forgets to reboot or is unsure whether it’s necessary, a prompt will appear to guide them through the process. This safeguard prevents accidental errors that could lead to boot failures, making the AppControl Manager even safer and more reliable when managing Signed App Control policies.

  • Wonder why Signed policies are important? Check out this article

• Implemented Strict Kernel-mode App Control Policy. It's a special type of policy that can protect against all BYOVD scenarios as well as protecting the kernel unauthorized access while letting regular user-mode files to function normally.

• Implemented Strict Kernel-mode Supplemental policy creation.

• All local file scans in the AppControl Manager now consider the Security Catalogs, improving accuracy.

• Added support for catalog signed files to the View File Certificates page. Many files are signed via Security Catalogs. So they seem unsigned if you investigate them individually, but Windows has access to the Security Catalogs where those files' signatures exist and now AppControl Manager can show you those details.

---

Auto Generated Release Notes

• AppControl-Manager-DownloadLink-Version-Update-Version-1.8.3.0 by @github-actions in #517
• Implemented ISG based Supplemental policy in the AppControl Manager by @HotCakeX in #520
• Adding initial support for translating app control manager into other languages by @HotCakeX in #521
• Implemented another protection when removing signed policies in AppControl Manager by @HotCakeX in #522
• Alignment of namespaces with folder structures in the AppControl Manager code base by @HotCakeX in #523
• Bump System.Management from 9.0.0 to 9.0.1 in /Harden-Windows-Security Module by @dependabot in #530
• Bump System.Management from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #529
• Bump Microsoft.WindowsAppSDK from 1.6.241114003 to 1.6.250108002 in /AppControl Manager by @dependabot in #528
• Bump Microsoft.XmlSerializer.Generator from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #526
• Bump System.Security.Cryptography.Pkcs from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #527
• Bump System.Diagnostics.EventLog from 9.0.0 to 9.0.1 in /AppControl Manager by @dependabot in #525
• Implementing Strict Kernel-mode policy in AppControl Manager by @HotCakeX in #531
• Removing unused PowerShell logic from the deprecated WDACConfig module by @HotCakeX in #532
• Added support for catalog signed files in local file scans in the AppControl Manager by @HotCakeX in #533
• Bump System.DirectoryServices.AccountManagement from 9.0.0 to 9.0.1 in /Harden-Windows-Security Module by @dependabot in #534
• Version bump to 1.8.4.0 - AppControl Manager by @HotCakeX in #535
• Minor improvements before AppControl Manager v.0.1.8.4 release by @HotCakeX in #536
• Updating documents with new information by @HotCakeX in #537

Full Changelog: AppControlManager.v.1.8.3.0...AppControlManager.v.1.8.4.0

Note

As mentioned at the top, please refer to this page for installation instructions.

AppControl Manager 1.8.3.0

What's Changed

Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

• Improved the update mechanism, it will remove any related previous ASR rule exclusions instead of only those for the previous app version. The same improvement was previously implemented in the bootstrapper script and the Harden Windows Security module as well.

• Improved page behaviors, their states will now be preserved at all times even if you navigate away from them for any amount of time.

• Fixed NuGet connection (e.g., for downloading the SignTool.exe), it isn't always compatible with HTTP v.2

PR: #516

Harden Windows Security v.0.7.3

What's New

• Added a new section to the Apps | Features page where you can remove the pre-installed built-in network drivers that you do not use. Windows by default has WIFI and Ethernet network adapter drivers of Intel, Broadcom, Ralink, Realtek, Qualcomm and Marvel. If you do not have any of those hardware or you install your own drivers then you can remove the unnecessary ones, freeing up disk space and reducing the overall attack surface.

  • You can view the full list of pre-installed network drivers via this PowerShell command: Get-WindowsCapability -Online

  • As always, detailed logs of each step of the operation will be generated and made available.

• Improved the dialog window design. It has a gradient dark background and will stay at top so user won't miss important message that is displayed.

• Added a check to display a message to the user when installing AppControl Manager and an incompatible policy is detected.

• Improved the module's compatibility with other modules that load the same Microsoft DLLs in the session through PowerShell profile. When Harden Windows Security detects such situations, it will automatically use the -NoProfile switch.

• Updated the Microsoft DLLs to the latest versions from NuGet.

• Improved the logging mechanism when using the Harden Windows Security in unattended/headless mode like this:

Protect-WindowsSecurity -Verbose -Categories MicrosoftSecurityBaselines,Microsoft365AppsSecurityBaselines,MicrosoftDefender,AttackSurfaceReductionRules,BitLockerSettings,TLSSecurity,DeviceGuard,LockScreen,UserAccountControl,WindowsFirewall,WindowsNetworking,WindowsUpdateConfigurations,MiscellaneousConfigurations,EdgeBrowserConfigurations,CertificateCheckingCommands,CountryIPBlocking,DownloadsDefenseMeasures,NonAdminCommands -Log -LogPath 'C:\Users\Admin\Desktop\Logs.txt' -Offline -MSFTDefender_SAC -MSFTDefender_BetaChannels -DeviceGuard_MandatoryVBS -WindowsNetworking_BlockNTLM -MiscellaneousConfigurations_ReducedTelemetry -MiscellaneousConfigurations_LongPathSupport -CountryIPBlocking_OFAC -DangerousScriptHostsBlocking -UAC_OnlyElevateSigned -LockScreen_CtrlAltDel -Miscellaneous_WindowsProtectedPrint -UAC_NoFastSwitching -MiscellaneousConfigurations_StrongKeyProtection -LockScreen_NoLastSignedIn -PathToLGPO 'C:\Users\Admin\Desktop\LGPO.zip' -PathToMSFT365AppsSecurityBaselines 'C:\Users\Admin\Desktop\Microsoft365SecurityBaseline.zip' -PathToMSFTSecurityBaselines 'C:\Users\Admin\Desktop\Windows 11 v24H2 Security Baseline.zip'

• That's an example command that will run all of the categories and sub-categories in unattended mode, completely offline, and log the output to a file. The log file will contain every details of the operation just like they are generated in the GUI mode.

• Previously the logs in this scenario would have very minimal content because the built-in PowerShell transcription feature was being used but now it's handled by the module itself.

• With a command like that, you can configure your systems/workstations in bulk and schedule that command to run periodically. That is a completely automated mechanism and if a new version of the module is available, it will download and install it and remove any older version.

• Documentation is available here.

• If you have any questions about the unattended/headless mode, feel free to ask here on GitHub.

PR: #515

Harden Windows Security v.0.7.2

What's New

This update is full of new features 🎉

Ability to Remove built-in pre-installed apps

Introduced the ability to remove built-in apps using the Harden Windows Security module. This functionality is available on a dedicated page. The list of removable apps is stored in a JSON file, providing flexibility and extensibility.

When apps are removed using the Harden Windows Security module, they are removed for all users, and they won't come back when you create a new user. They are re-installable from the Microsoft Store if necessary.

The JSON file currently includes 37 apps. More apps can easily be added to it in the future without requiring to modify the code.

Ability to Remove Individual Optional Windows Features and Capabilities

Added a new page for managing Optional Windows Features. While the Harden Windows Security module already includes an Optional Features category in the hardening measures section, this new page allows for granular control, enabling you to fine-tune which features to enable or disable. It also includes additional optional features that can be removed.

Online File Reputation Check via Smart App Control/SmartScreen through Microsoft Defender

Using Microsoft Defender, queries a file's reputation based on either the Smart App Control or SmartScreen, depending on whichever is in control. It doesn't need Admin privileges. It's in a new dedicated tab available in the GUI. Simply browse for a file and detect its reputation and some other advanced details. You can use this feature while other tasks in the Harden Windows Security module are running.

Added Reduced Telemetry Policies

Added reduced telemetry policies to the Miscellaneous Category in the Harden Windows Security module. They are a sub-category and include the following policies:

• Disable Online Tips. CSP

• Disable Find My Device feature. CSP

• Disable Automatic Update of Speech Data. CSP

• Turn off the advertising ID. CSP

• Turn off cloud optimized content. CSP

• Do not show Windows tips. CSP

• Do not show feedback notifications. CSP

• Turn off Automatic Download and Update of Map Data. CSP

• Disable Message Service Cloud Sync for cellular text messages. CSP

• Disable support for web-to-app linking with app URI handlers. CSP

• Disable "Continue experiences on this device" feature. CSP

• Disable Font Providers. CSP

• Don't search the web or display web results in Search. CSP

• Do not allow web search. More Info

AppControl Manager Installer Integration

You can now install the AppControl Manager right from the Harden Windows Security module. This is a very convenient way to install it as it only requires a click/tap of a button.

Other Changes

• Compliance Checking Enhancement: Added support for VBScript compliance checks.

• Code Improvements: Implemented several code enhancements and optimizations.

• UI Enhancements: Updated the button styles on the ASR Rules and Unprotect pages. The new design replaces the previous animated buttons with play icons, offering a cleaner and more modern look.

• Added description texts to the top of the pages.

• Changed Only Elevated Signed sub-category name to Only Elevate Signed, it was a typo.

• Updated the readme.

• Updated the demo gif to reflect the changes in the GUI.

---

Auto generated release notes 👇

• AppControl-Manager-DownloadLink-Version-Update-Version-1.8.2.0 by @github-actions in #500
• Implemented Apps and Windows Features Removal by @HotCakeX in #506
• Implemented online file reputation verification in the Harden Windows Security moulde by @HotCakeX in #507
• Added AppControl Manager native installer to the Harden Windows Security Module by @HotCakeX in #508
• Improved the bootstrapper script by @HotCakeX in #509
• Added reduced telemetry policies by @HotCakeX in #510

Full Changelog: AppControlManager.v.1.8.2.0...Hardening-Module-v.0.7.2

AppControl Manager 1.8.2.0

What's New

Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

• Added policy validation feature to the AppControl Manager. It's a dedicated page where user can browse for App Control XML files and validate them. Useful if user modified an XML file manually and wants to make sure the modifications are valid according to the official schema.

• A new page, View File Certificates, has been added. This page allows you to load any file and examine its certificates in a highly detailed format. It also supports CIP and CER files. Many of the details displayed for signed files, such as the TBS hash and precise identification of each policy type, are not readily available elsewhere.

• Added useful labels to the main navigation to offer a more categorized menu.

• Reduced the empty spaces in the documentation pages, dedicating more space to the web content.

• Added SHA3-384 and SHA3-512 hashes calculation to the Get Code Integrity Hashes page.

• Added new documentations for the new features.

• Set the minimum HTTP version to 2.0 so it no longer uses 1.1 as fallback and by default it tries the highest available version which is 3.0 at the moment.

• Added progress rings for each hash type in the Get Code Integrity Hashes page to display their individual progress.

---

Automated Change Logs

• Added XML policy file validation feature to the AppControl Manager by @HotCakeX in #495
• Added a feature to view advanced file cert details in AppControl Manager by @HotCakeX in #496
• Set minimum HTTP version to 2.0 by @HotCakeX in #497
• Version bump to 1.8.2.0 - AppControl Manager by @HotCakeX in #498
• Adding support for hashing very large file by @HotCakeX in #499

Full Changelog: Hardening-Module-v.0.7.1...AppControlManager.v.1.8.2.0

Note

As mentioned at the top, please refer to this page for installation instructions.

Harden Windows Security v.0.7.1

What's New

• During the compliance checking, MDM results that are not used by the module are no longer collected, improving the performance and speed, especially on lower end hardware.

• Adjusted the TLS Category's Intune Json config to match the new schema.

• Added a new sub-category for the TLS category, called "TLS for BattleNet". When selected, the TLS category will deploy the group policy that has the extra cipher suite TLS_RSA_WITH_AES_256_CBC_SHA which is less secure but required for BattleNet client to connect to its servers. Fixes -> #489

  • This means BattleNet client is no longer automatically detected on the system because there are times when it's installed in non-default location. Now the user is in control to decide whether to use the extra cipher suite or not.

• WDACConfig module is no longer used/installed for Downloads Defense Measures category. All the necessary logic for policy creation is now implemented natively. This substantially improves the performance and allows for full offline usage of this category and its sub-categories.

  • This also facilitates the deprecation of the WDACConfig module which is replaced with the new modern AppControl Manager.

PR: #494

AppControl Manager 1.8.1.0

What's New

Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

• Improved the UX (User Experience) in the Update page. When actions such as checking for update or installing a new version is happening, the page behind the update button becomes unavailable in order to keep things consistent.

• Improved the Allow New Apps page's experience. When filtering data from the DataGrids and then remove some items, they will show correctly after removing the filter.

• Also, in the Allow New Apps page when you reset, the path to the selected base policy will remain intact and you can begin creating a new policy right away for another program because the selected logs will be properly emptied.

• The app no longer allows the wrong certificate or common name to be used during signed policy deployment, re-deployment or removal. Such possible user accidents are caught very early on and communicated to the user with proper and clear messages so user can fix the mistake quickly. The goal is to never let AppControl Manager be used even intentionally to cause boot failure when dealing with signed policies.

  • Deployment of signed policies is very much recommended over unsigned ones, check this article to see why: https://github.com/HotCakeX/Harden-Windows-Security/wiki/The-Strength-of-Signed-App-Control-Policies

  • AppControl Manager is the only app that's currently available that makes it the safest way to interact with signed policies and it keeps getting better quickly.

• The content dialogs that ask for user input for signing scenarios have better visuals now, and the focus is by default on the Verify button, which makes it easier and clearer what needs to be done. It also means you can press the enter key on the keyboard quickly to confirm the actions without using mouse.

• Improved DataGrid experience when removing items in MDE Advanced Hunting and Event Logs pages.

---

• AppControl-Manager-DownloadLink-Version-Update-Version-1.8.0.0 by @github-actions in #486
• Improving documentations for the AppControl Manager app by @HotCakeX in #487
• Various UI improvements in the AppControl Manager by @HotCakeX in #490
• Implemented more guardrails for signed scenarios in AppControl Manager by @HotCakeX in #492

Full Changelog: AppControlManager.v.1.8.0.0...AppControlManager.v.1.8.1.0

Note

As mentioned at the top, please refer to this page for installation instructions.

AppControl Manager 1.8.0.0

What's New

First of all, Merry Christmas and Happy Hanukkah ^^ 🎄🕎

Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

• Improved the deployment page by adding flyouts to the browse buttons to display the files you select. The page is also augmented with the Sidebar so it supports quick policy file assignment.

• 🎉 You can now deploy signed policies in the deployment page.

• The system information page now allows the removal of all non-system policies. Whenever you select a policy, it will automatically detect the type of it and will take the appropriate action.

• Many guardrails have been put in place to guide the user during policy signing and signed policy removal in order to prevent accidents or boot failures when dealing with signed policies.

• Reduced the empty spaces at the top of certain pages.

• Made the remaining regex expressions throughout the code source generated and compiled for improved performance.

• 🎉 You can now seamlessly use the Allow New Apps page with signed policies. These policies are automatically recognized, and users are prompted to provide any additional information required for policy signing.

• The Microsoft Defender for Endpoint Advanced Hunting menu option has been moved out from under the Audit Event Logs Creation menu. It is now a primary menu entry, consistent with other main menu items.

• The Sidebar's auto-assignment feature is now enabled by default to streamline user interactions.

• The check for updates at app startup is now on by default. It simply checks to see if a new version of the app is available and informs the user if there is by showing a small dot on the update page's icon.

  • Both changes only apply to new app installations. If you've already toggled their buttons off then they remain off.

• 🎉 Added Microsoft Recommended Block Rules auto update mechanism to the Create Policy page. It uses a scheduled task that runs weekly to keep it up to date.

• Updated wiki documents to reflect the new auto update mechanism.

• Improved the app's name appearance in the title bar. It was too white in the light theme that made it hard to read.

• Added a horizontal separator line in the Code integrity information page to separate CI info from App Control info for better readability.

• 🎉 Added Application Control Status to the System Information page in the AppControl Manager.

  • It display the status of User Mode and Kernel Mode Application Control on the system. Valid values are:
    • Enforced Mode
    • Audit Mode
    • Disabled/Not Running

• 🎉 Improved the performance of file enumeration/indexing. This affects how fast files in a directory are found by the AppControl Manager.

Automated Release Notes

From now on each feature will have its own PR in order to make it easier to code review and track changes and to follow a more standard approach.

• AppControl-Manager-DownloadLink-Version-Update-Version-1.7.0.0 by @github-actions in #463
• Switch to file scoped namespace and other minor improvements by @HotCakeX in #465
• Bump Microsoft.Graphics.Win2D and Microsoft.WindowsAppSDK in /AppControl Manager by @dependabot in #468
• Bump actions/attest-build-provenance from 1 to 2 by @dependabot in #467
• Bump actions/attest-sbom from 1 to 2 by @dependabot in #466
• Implemented property pattern matching by @HotCakeX in #469
• Improving file enumeration in AppControl Manager by @HotCakeX in #470
• Added Application Control Status to the System Information page by @HotCakeX in #471
• Added Microsoft Recommended Block Rules auto update by @HotCakeX in #472
• Removed unused PowerShell logic belonging to WDACConfig by @HotCakeX in #473
• Configured default app settings by @HotCakeX in #475
• Implementing signed policy scenarios by @HotCakeX in #474
• Removing unused PowerShell logic for WDACCofig module by @HotCakeX in #483
• Adding signed policy support when allowing new apps in AppControl Manager by @HotCakeX in #482
• Improved Merge operation by @HotCakeX in #484

Full Changelog: AppControlManager.v.1.7.0.0...AppControlManager.v.1.8.0.0

Note

As mentioned at the top, please refer to this page for installation instructions.

AppControl Manager 1.7.0.0

What's New

Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

Navigation

• New Sidebar: Added a sidebar on the right side of the app, hosting multiple useful features for improved accessibility and functionality.

• Search Bar Relocation: Moved the search bar to the center of the title bar for a more consistent experience with other Windows apps.

• Enhanced Search: Improved search functionality to support spaces after keywords for more accurate results.

• Resizable Navigation: Made the main navigation on the left side resizable with a draggable area for better customization.

• Breadcrumb Navigation: Introduced a breadcrumb bar that displays the current path and allows easy navigation to previous pages, similar to Windows Settings.

• Title Bar Enhancements: Added the app logo and app title to the title bar. The title is responsive and adapts to window width changes.

• Menu & Back Button Relocation: Moved the menu and back buttons to the title bar to make better use of available space.

• Sidebar Toggle Button: Added a button to the title bar to quickly open and close the sidebar. Its icon and text is dynamic based on the sidebar state.

• Navigation Bug Fix: Fixed an issue where the main navigation would become unresponsive to width changes if you switched the navigation style from "left" to "top" and back to "left" in the settings.

• Navigation Logic Improvements: Substantially improved the internal logic for the main navigation.

• Menu Selection Fix: Resolved an issue where navigating back to Settings or one of the footer pages using the back button wouldn't update the menu's selected item properly.

• Improved Menu Flyout in the System Information page -> #452

Sidebar

The AppControl Manager features a versatile Sidebar designed to streamline user interactions and enhance productivity. With the Sidebar, you can select a base policy path once and seamlessly reuse it throughout the app, eliminating the need to repeatedly browse for the file.

Pages within AppControl Manager that require an XML policy file automatically recognize when a path has been selected in the Sidebar. As you navigate to these pages, subtle indicators appear, prompting you to open the Sidebar and quickly access the pre-selected file path.

The Sidebar also includes a toggle switch that, when enabled, automatically assigns newly created base policy paths to the Sidebar. This feature further accelerates workflow and minimizes manual input.

By default, the Sidebar displays the XML policy path specified in the App settings, ensuring immediate access to the main policy you work with.

Dedicated document page

Deny Policy Creation

Use AppControl Manager to create Deny App Control policies. Keep in mind that App Control is inherently a whitelisting feature so anything that is not allowed by a policy is already automatically blocked.

All Deny policies have Base policy types as other types such as Supplemental cannot have Deny rules in them.

All Deny policies have 2 allow all rules so that anything not denied by them will be allowed. This is mandatory for the policy to work. This also allows Deny policies to be deployed side by side with other policies, because for a file to be allowed, it must be allowed by all deployed policies. Read more about side-by-side deployment here.

Continue reading here

Local File Scan

• Improved the local file scan feature to handle files with corrupt Opus data more effectively.

• Gracefully handles files with tampered certificates and hash mismatches by creating hash-based rules for them. Previously, such files would trigger an error, but they are now processed smoothly. When encountered during scans, these files are logged accordingly.

• Improved the local file scan feature to manage inaccessible, unavailable, and non-existent files, including OS drives, kernel-protected drives, files in use by other processes, and volatile or temporary files that no longer exist during the scan phase. Each of these files is logged with a clear reason for being skipped.

• Substantially enhanced file enumeration logic with more efficient, multi-threaded algorithms. For example, the entire OS drive containing millions of files can now be enumerated in a significantly shorter period of time. Use the Scalability gauge in Supplemental or Deny policy creation pages to control the number of threads used for file scans. Together, they allow you to create a policy for the entire OS drive in just a few minutes.

Other Changes

• The AppControl Manager can now be updated when installed on Windows Sandbox or when you try to use a custom MSIX file as update source on it.

• Adding, removing and setting rule options in the "Configure Policy Rule Options" page are now asynchronous and responsive. Also removed the text box that shows the selected XML policy path. The browse button's behavior is now consistent with the rest of the UI. You will see the selected file path after you use the browse button as a flyout with a clear button.

• Added depth and subtle shadows to the "Allow New Apps" page borders to make the currently active section more obvious.

Technical Changes

• Switched to file-scoped namespace declarations.

• Implemented new code style enforcements.

• Changed folder structures to match namespaces.

Note

As mentioned at the top, please refer to this page for installation instructions.

PR: #459

Harden Windows Security v.0.7.0

What's New

• Added Encryption Percentage, Protection Status, Key Protector and Encryption Method properties to the BitLocker tab's Backup section. Those properties are now displayed in the data grid for each drive and will be included in the backup file that you create. This is very useful when you need to view detailed info about the BitLocker protected drives on your system.

• Made Audit policy checks available for all System cultures instead of only supporting English-US. This is for the compliance checking feature.

• Improved buttons and their positions in BitLocker and Exclusions tabs.

• Added a short description to the Exclusions tab.

• Slightly improved the performance and speed of compliance checking.

• Made lots of performance, quality and security related improvements to the code base.

• Fixed this issue -> #449

• Added Long path support policy to the Miscellaneous Category's Intune JSON configuration.

• Added the following 3 new policies to the User Account Control Intune JSON configuration:

  • Behavior Of The Elevation Prompt For Administrator Protection: Prompt for credentials on the secure desktop
  • Type Of Admin Approval Mode: Admin Approval Mode with Administrator protection
  • Use Admin Approval Mode: Enabled

• Changed this policy in the User Account Control Intune JSON configuration:

  • Changed this from automatically Deny to "Prompt for credentials on the secure desktop": Behavior Of The Elevation Prompt For Standard Users Prompt for credentials on the secure desktop

• Updated the required PowerShell version from 7.4.4 to 7.4.5. The latest available version is 7.4.6 at the moment, which was released over a month ago.

PR: #453