Creating new documentation for App Control (#543)
How To Upload App Control Policies To Intune Using AppControl Manager

How To Create and Maintain Strict Kernel‐Mode App Control Policy

Updated some other docs.
HotCakeX authored Jan 18, 2025
1 parent c96ace6 commit 02db48c
Showing 7 changed files with 160 additions and 19 deletions.
@@ -0,0 +1,64 @@
# How To Create and Maintain Strict Kernel-Mode App Control Policy

A [**Strict Kernel-mode**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) App Control policy is a special kind of policy that only enforces Kernel-mode drivers without affecting user-mode files. [The AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) fully supports this unique policy and allows you to create and maintain it effortlessly.

<br>

## Creating the Base Policy

Navigate to the [Create App Control policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-App-Control-Policy) page and scroll down to the `Create Strict Kernel-Mode Policy` section.

<img src="https://raw.githubusercontent.com/HotCakeX/.github/1df694f5fc413e27f9cf4621777d85cba60ef0d2/Pictures/PNG%20and%20JPG/How%20To%20Create%20and%20Maintain%20Strict%20Kernel-Mode%20App%20Control%20Policy/Creating%20the%20base%20policy.png" alt="creating new base strict kernel mode policy">

<br>

<br>

* Toggle the `Audit` switch. We need to deploy the base policy in Audit mode first in order to generate audit logs that we will use later.

* Toggle the `No flight root certificates` switch if you don't plan to use this policy on the insider builds of Windows on (Dev or Canary channels). Those builds are signed with a different certificate. Release Preview and Beta builds are signed with production certificates and they will work either way.

* Toggle the `Deploy` button and finally press the `Create` button. In few seconds, the policy will be created and deployed in Audit mode on the system.

> [!IMPORTANT]\
> Restart your computer after deploying the policy. The reason we deploy it in Audit mode is that we need audit logs to be generated for kernel-mode drivers that belong to your hardware devices so we can create a supplemental policy for them to allow them to run.
<br>

## Creating the Supplemental Policy

After restarting the system and relaunching the AppControl Manager, navigate to the [Create Supplemental Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-Supplemental-App-Control-Policy#create-kernel-mode-supplemental-policy) page. Scroll down to the `Kernel-mode policy` section.

<br>

<img src="https://raw.githubusercontent.com/HotCakeX/.github/6a635612aef4c1dbb00533689d568eaf7d52c98e/Pictures/PNG%20and%20JPG/How%20To%20Create%20and%20Maintain%20Strict%20Kernel-Mode%20App%20Control%20Policy/Creating%20supplemental%20policy.png" alt="Creating strict kernel mode supplemental policy">

<br>

<br>

Press the `Scan for Kernel-mode Logs Since Last Reboot` button. It will begin fetching all kernel-mode Code Integrity logs that were generated since the last reboot that belong to signed files and will display the results in a data grid that is accessible by clicking/tapping on the `View detected kernel-mode files` section.

<br>

<img src="https://raw.githubusercontent.com/HotCakeX/.github/733d7bafe220df3a484ad0d32172756364a57333/Pictures/PNG%20and%20JPG/How%20To%20Create%20and%20Maintain%20Strict%20Kernel-Mode%20App%20Control%20Policy/scanning%20for%20logs.png" alt="Scan for drivers since last reboot">

<br>

<br>

While reviewing the detected kernel-mode drivers, you can right-click or tap + hold on a row to open a context menu that allows you to remove the driver from the list and it will be excluded from the supplemental policy.

<br>

<img src="https://raw.githubusercontent.com/HotCakeX/.github/733d7bafe220df3a484ad0d32172756364a57333/Pictures/PNG%20and%20JPG/How%20To%20Create%20and%20Maintain%20Strict%20Kernel-Mode%20App%20Control%20Policy/Kernel%20Mode%20Drivers%20Results.png" alt="kernel mode drivers results review">

<br>

<br>

After reviewing and confirming the results, return to the Supplemental Policy creation page. Locate the strict kernel-mode base policy XML file you created earlier by using the file browser. Enable the `Deploy After Creation` toggle, then click/tap the `Create Supplemental Policy` button. This will generate the Supplemental Policy and automatically deploy it to the system.

In the future, you can follow the same steps to allow additional kernel-mode files in your base policy by creating separate Supplemental Policies as needed. Additionally, you can explore other powerful features of AppControl Manager, such as scanning the system for logs or authorizing new applications and drivers for streamlined policy management.

<br>
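Review bot: The guide never takes the base policy out of Audit mode. The first bullet says the base is deployed in Audit mode "first" so that audit logs can be collected, and the IMPORTANT callout repeats that, but the page ends right after the supplemental policy is deployed; as written, a reader finishes with a base policy that still only audits rather than blocks. Add a closing step that redeploys the base in enforced mode once the supplemental policy is in place (for example, re-running the `Create Strict Kernel-Mode Policy` step with the `Audit` switch left off). Two smaller points: the `<br>` directly under the `> [!IMPORTANT]` callout has no blank line before it, so Markdown treats it as a lazy continuation of the blockquote; insert a blank line after the callout text. And in the bullets, "on the insider builds of Windows on (Dev or Canary channels)" should read "on Insider builds of Windows (Dev or Canary channels)", and "In few seconds" should be "In a few seconds".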
@@ -0,0 +1,71 @@
# How To Upload App Control Policies To Intune Using AppControl Manager

The [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) provides native support for Intune, enabling effortless deployment of App Control policies to your Intune-managed devices.

To do that, navigate to the [Deploy App Control Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Deploy-App-Control-Policy) page, Click the `Sign In` button. A new browser tab will open, prompting you to sign into your Entra ID account.

<div align="center">

<br>

<img src="https://raw.githubusercontent.com/HotCakeX/.github/7ccc3793b4d21d2fe7d5a79b56d1cc78fa1d0aac/Pictures/PNG%20and%20JPG/How%20To%20Upload%20App%20Control%20Policies%20To%20Intune%20Using%20AppControl%20Manager/Sign%20In%20button.png" alt="Sign In button">

<br>

<br>

<img src="https://raw.githubusercontent.com/HotCakeX/.github/7ccc3793b4d21d2fe7d5a79b56d1cc78fa1d0aac/Pictures/PNG%20and%20JPG/How%20To%20Upload%20App%20Control%20Policies%20To%20Intune%20Using%20AppControl%20Manager/Azure%20SignIn%20page.png" Height="600" alt="Azure Sign in pages">

<br>

<br>

<img src="https://raw.githubusercontent.com/HotCakeX/.github/7ccc3793b4d21d2fe7d5a79b56d1cc78fa1d0aac/Pictures/PNG%20and%20JPG/How%20To%20Upload%20App%20Control%20Policies%20To%20Intune%20Using%20AppControl%20Manager/Permissions%20acceptance%20page.png" alt="Azure Permissions page">

<br>

<br>

</div>

Once signed in, you'll be redirected back to the AppControl Manager.

<br>

## Permissions Required

To successfully complete the sign-in process and deploy policies, your account must have the following permissions, ***adhering to the Principle of Least Privilege***:

* [`Group.Read.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#groupreadall): Allows the AppControl Manager to read security groups and display them in the dropdown list.

* [`DeviceManagementConfiguration.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#devicemanagementconfigurationreadwriteall): Grants the ability to create, upload, and assign App Control policies.

By ensuring these permissions are in place, you can seamlessly deploy App Control policies through Intune while maintaining secure and minimal access.

<br>

## Select Policies To Deploy

Select one or more XML files to deploy to Intune. You have the option to deploy them as-is (unsigned) or cryptographically sign them before deployment. Each XML file will be deployed as a separate Intune configuration policy, as Intune does not allow two OMA-URI custom policies to exist within the same configuration policy.

The name defined in the XML file will become the name of the corresponding Intune configuration policy visible in the Intune portal.

You can optionally use the `Refresh` button and select a group to assign to the policies you upload to Intune.

<img src="https://raw.githubusercontent.com/HotCakeX/.github/7ccc3793b4d21d2fe7d5a79b56d1cc78fa1d0aac/Pictures/PNG%20and%20JPG/How%20To%20Upload%20App%20Control%20Policies%20To%20Intune%20Using%20AppControl%20Manager/Group%20Names.png" alt="Intune Groups DropDown">

<br>

<br>

## How To Change Tenant?

If you want to change your tenant and sign into another account, press the `Sign Out` button and then use the `Sign In` button again to sign into a different tenant.

<br>

## Have Questions or Feature Requests?

Feel free to [create a new discussion](https://github.com/HotCakeX/Harden-Windows-Security/discussions) to ask questions or request for extra features that don't currently exist in the AppControl Manager application.

<br>
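Review bot: The signing option in "Select Policies To Deploy" is introduced without saying where the signing material is configured; "cryptographically sign them before deployment" should point the reader to the place in the app where the certificate and signing settings are entered, otherwise the choice is left unexplained. Style points: "navigate to the [Deploy App Control Policy] page, Click the `Sign In` button" is a comma splice with a stray capital (use "page and click the `Sign In` button"); the second image uses `Height="600"` while every other attribute on the page is lowercase (`height="600"`); and "request for extra features" should be "request extra features".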
Expand Up @@ -142,17 +142,22 @@ You can put your endpoints into different groups and each group can receive diff
<br>

> [!TIP]\
> You can use [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Upload-App-Control-Policies-To-Intune-Using-AppControl-Manager) to seamlessly deploy your App Control policies to the Intune.
<br>

## Strict Kernel Mode Code Integrity Policy Scenario

I've created a scenario where you can strictly control what is allowed to run in Kernel mode, without blocking any user mode applications. [**You can read all about this scenario in here**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection). Using the WDACConfig module and MDE Advanced Hunting intel, you can deploy this scenario across your entire fleet of endpoints.
I've created a scenario where you can strictly control what is allowed to run in Kernel mode, without blocking any user mode applications. [**You can read all about this scenario in here**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection). Using the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) and MDE Advanced Hunting intel, you can deploy this scenario across your entire fleet of endpoints.

This approach demands very minimal upkeep as it exclusively manages Kernel-mode activities, yet it offers an exceptional degree of security. A significant benefit of this method is the safeguarding of your endpoints from all Bring Your Own Vulnerable Driver (BYOVD) threats.

<br>

## Feedback and Support

If you have any questions, feature requests or feedback regarding this guide or the WDACConfig module, please feel free to reach out to me on GitHub by opening a new issue or discussion.
If you have any questions, feature requests or feedback regarding this guide or the AppControl Manager, please feel free to reach out to me on GitHub by opening a new issue or discussion.

<br>

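Review bot: The `<br>` on the line right after the `> [!TIP]` callout has no blank line before it, so it is parsed as a lazy continuation of the blockquote and the `<br>` renders inside the tip box; add a blank line after the callout text. Also "deploy your App Control policies to the Intune" should drop the article: "to Intune".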
4 changes: 4 additions & 0 deletions Wiki posts/App Control for Business/Introduction.md
Expand Up @@ -123,6 +123,10 @@ If a policy is not deployed in audit mode, it is considered to be in enforced mo

* [The Strength of Signed App Control Policies](https://github.com/HotCakeX/Harden-Windows-Security/wiki/The-Strength-of-Signed-App-Control-Policies)

* [How To Upload App Control Policies To Intune Using AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Upload-App-Control-Policies-To-Intune-Using-AppControl-Manager)

* [How To Create and Maintain Strict Kernel‐Mode App Control Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Create-and-Maintain-Strict-Kernel%E2%80%90Mode-App-Control-Policy)

* [Fast and Automatic Microsoft Recommended Driver Block Rules updates](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Fast-and-Automatic-Microsoft-Recommended-Driver-Block-Rules-updates)

* [App Control Notes](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Notes)
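Review bot: The new link text and URL for the strict kernel-mode page use a Unicode hyphen (‐, U+2010, encoded as `%E2%80%90` in the URL) in "Kernel‐Mode", whereas the H1 of the new document added in this same commit uses an ASCII hyphen ("Strict Kernel-Mode"). Since the wiki page slug is derived from the page name, please confirm the wiki page really carries the U+2010 character; if it does not, this link and the identical one added to Home Index.md will 404. The Intune entry just above it uses plain ASCII and needs no change.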
@@ -1,4 +1,4 @@
# WDAC Policy for BYOVD Kernel Mode Only Protection
# App Control Policy for BYOVD Kernel Mode Only Protection

This scenario involves removing the trust to any Kernel mode driver, whether they are vulnerable or not. It does not affect User-mode binaries or drivers. Any 3rd party software/hardware Kernel mode driver will need to be explicitly allowed. This scenario protects against all **BYOVD** scenarios and much more.

Expand All @@ -18,18 +18,6 @@ People who seek to obtain code signing certificates, even for Extended Validatio

<br>

<p align="center">
<b>YOUTUBE VIDEO: How to easily protect against BYOVD attack scenarios with App Control policy in Windows</b><br><br>
<a href="https://www.youtube.com/watch?v=SQCo9l2P7uw">
<img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/YouTubeLogoBYOVD.png" width="700"
alt="YOUTUBE VIDEO: How to easily protect against BYOVD attack scenarios with App Control policy in Windows - Windows Defender">
</a>
</p>

<br>

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>
Expand Down Expand Up @@ -306,7 +294,8 @@ Remove this item which is for Windows Store EKU

## How to Use and Automate This Entire Process

**Use the [WDACConfig module](https://github.com/HotCakeX/Harden-Windows-Security/wiki/New%E2%80%90KernelModeWDACConfig)** to automatically Audit and deploy the Strict Kernel-mode App Control policies.
> [!IMPORTANT]\
> **Use the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Create-and-Maintain-Strict-Kernel%E2%80%90Mode-App-Control-Policy)** to automatically Audit and deploy the Strict Kernel-mode App Control policies.
As mentioned earlier, this policy only enforces and applies to Kernel-mode drivers, so your non-Kernel mode files are unaffected. Keep in mind that Kernel-mode does not mean programs that require Administrator privileges, those 2 categories are completely different. Also, not all drivers are Kernel mode, [**there are user-mode drivers too.**](https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode)

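Review bot: The paragraph "As mentioned earlier, this policy only enforces..." starts on the line immediately after the new `> [!IMPORTANT]` callout with no blank line between them, so Markdown's lazy continuation rule pulls the whole paragraph into the blockquote and it renders inside the IMPORTANT box. Insert a blank line after the callout line. Replacing the WDACConfig link with the AppControl Manager guide is otherwise consistent with the rest of the commit.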
Expand All @@ -328,21 +317,21 @@ Now the Allow all rules that exist in the first policy are neutralized. [Only ap

So far, we've only been doing Kernel-mode administration. We can use User-mode App Control policies as well.

After using those 2 Kernel-mode policies, I deploy a 3rd policy which is going to authorize and validate User-mode binaries too. I choose the [Lightly managed App Control policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-for-Lightly-Managed-Devices) that utilizes [ISG (Intelligent Security Graph)](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/use-appcontrol-with-intelligent-security-graph). This policy applies to both Kernel and User modes, but since we already know the logic and learned that only applications allowed by all base policies are allowed to run, we're confident that our Strict Kernel-mode base policy is the only one in charge of authorizing and validating Kernel-mode files/drivers. Our User-mode App Control policy that utilizes ISG validates User-mode binaries only.
After using those 2 Kernel-mode policies, we can deploy a 3rd policy which is going to authorize and validate User-mode binaries too, such as the [`Allow Microsoft` policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-App-Control-Policy). This policy applies to both Kernel and User mode files, but since we already know the logic and learned that only applications allowed by all base policies are allowed to run, we're confident that our Strict Kernel-mode base policy is the only one in charge of authorizing and validating Kernel-mode files/drivers.

<br>

### A rule of thumb

The strictest policy wins the race in multiple base policy deployments, which in this case is the Strict Kernel-Mode policy. Even though ISG policy which uses Allow Microsoft rules and allows all the WHQL signed drivers, they still won't be able to run unless the Kernel-Mode policy authorizes them, because for a Kernel driver to be allowed to run in this scenario, all base policies must allow it.
The strictest policy wins the race in multiple base policy deployments, which in this case is the Strict Kernel-Mode policy. Even though the `Allow Microsoft` policy allows all WHQL signed drivers, they still won't be able to run unless the Strict Kernel-Mode policy authorizes them as well, because for a Kernel driver to be allowed to run in this scenario, all base policies must allow it.

So only the policy that has the least allow listings in common with all other policies takes priority.

<br>

### Supplemental policy

Each of the deployed policies (except for the automatically deployed block rules by HVCI) support having supplemental policies. So, whenever you feel the need to allow additional files that are Kernel-mode drivers or User-mode binaries blocked by ISG, you can add a Supplemental policy for them.
Each of the deployed policies (except for the automatically deployed block rules by HVCI) support having supplemental policies. So, whenever you feel the need to allow additional files that are Kernel-mode drivers or User-mode binaries, you can add a Supplemental policy for them.

<br>

6 changes: 6 additions & 0 deletions Wiki posts/AppControl Manager/Deploy App Control Policy.md
Expand Up @@ -49,3 +49,9 @@ Once you've provided all 3 items, press the **Verify** button. It will verify yo
All of the information you submit will be saved in app settings so that the next time they will be automatically populated for you.

<br>

## Intune Cloud Deployment

Please [**refer to this page**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Upload-App-Control-Policies-To-Intune-Using-AppControl-Manager) for details on how to upload App Control Policies to Intune using AppControl Manager.

<br>
2 changes: 2 additions & 0 deletions Wiki posts/Home Index.md
Expand Up @@ -39,6 +39,8 @@
- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/wings/yellowwings.gif" width="35"> [How To Generate Audit Logs via App Control Policies](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Generate-Audit-Logs-via-App-Control-Policies)
- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/wings/yellowwings.gif" width="35"> [How To Create an App Control Supplemental Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Create-an-App-Control-Supplemental-Policy)
- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/wings/yellowwings.gif" width="35"> [The Strength of Signed App Control Policies](https://github.com/HotCakeX/Harden-Windows-Security/wiki/The-Strength-of-Signed-App-Control-Policies)
- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/wings/yellowwings.gif" width="35"> [How To Upload App Control Policies To Intune Using AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Upload-App-Control-Policies-To-Intune-Using-AppControl-Manager)
- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/wings/yellowwings.gif" width="35"> [How To Create and Maintain Strict Kernel‐Mode App Control Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Create-and-Maintain-Strict-Kernel%E2%80%90Mode-App-Control-Policy)
- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/wings/yellowwings.gif" width="35"> [App Control Notes](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Notes)
- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/wings/yellowwings.gif" width="35"> [How to use Windows Server to Create App Control Code Signing Certificate](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-and-Deploy-a-Signed-WDAC-Policy-Windows-Defender-Application-Control)
- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/wings/yellowwings.gif" width="35"> [Fast and Automatic Microsoft Recommended Driver Block Rules updates](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Fast-and-Automatic-Microsoft-Recommended-Driver-Block-Rules-updates)