Installation
Install it from the Microsoft Store: https://apps.microsoft.com/detail/9png1jddtgp8
What's New
This is the first update of the AppControl Manager in 2026 and is by far the biggest update to the app yet. It includes many improvements, addresses multiple features and changes that users have requested and has been through extensive tests to ensure all of the new changes and features work perfectly. As a result, this release took longer to develop and prepare. Please don't hesitate to open an issue or discussion post on GitHub to ask for more features.
Tip
All wiki documents have been updated to reflect the changes made in this update.
App ID Tagging and Scalable Firewall Management 💥
- All parts of the AppControl Manager now support App ID Tags.
- You can now create App ID Tagging policies in the Create Policies page. Simply toggle the App ID Tagging switch and the created policy will be an AppIDTagging policy type. It will have the same rules as the template you selected. It's only available for the Allow Microsoft and Default Windows templates. The created App ID Tagging policies will each have one default tag in them, AllowMSFTTagKey and AllowMSFTTagKey respectively, with the value of True.
- Added Advanced Features section to the Policy Merger page where you can customize your App Control policies further, such as converting different policy types to App ID Tagging type or removing different signing scenarios from policies in a context-aware fashion that won't leave any associated orphan rules.
- You can now view all of the App ID Tags in the loaded policy in Policy Editor. You can also delete any existing tags or add new ones by entering a key-value pair in the provided text boxes.
Note
More features regarding AppIDTagging are on the way for the next versions!
Unelevated Usage Improvements 🎉
Users have asked for more functionality when not running as Admin, so in this update, many parts of the AppControl Manager have been unlocked and made available when running unelevated (running as Standard user). In each page, there can be certain features that are disabled when running unelevated, simply because they require elevation. This targeted approach no longer requires an entire page to be behind an Admin privilege check just because there is a "Deploy" button in it. A lot had to change under-the-hood to make this possible.
- Creating base policies
  - No deployment (requires elevation)
- Creating Supplemental policies
  - With the exception of Packaged apps section (requires elevation)
  - No deployment (requires elevation)
- Creating Deny policies
  - With the exception of Packaged apps section (requires elevation)
  - No deployment (requires elevation)
- Creating policies from MDE Advanced Hunting data
  - No deployment (requires elevation)
- Creating policies from local Event Logs or EVTX files
  - No deployment (requires elevation)
  - No local logs deletion (requires elevation)
- Simulation
- Get Secure Policy Settings
Introducing Policies Library 🎊
- A new section has been added to the Sidebar that provides a library for all of your policies. You can import as many policies to it as you want and use them in different parts of the app. Policies in the library exist in the app's memory at runtime. You can import both XML and CIP file types to the library.
- From now on, any new policy that is created is added to this library. Policies are no longer saved to a file by default in the C:\Program Files\AppControl Manager path; instead they go to this new library section, where you can save them as XML or CIP and perform further actions on them.
- When a new policy is added to the library, a distinct and unique animation is displayed to make it clear where the policy has been transferred to.
- The Sidebar button on the toolbar displays the total count of the policies in the library.
- The Automatic Assignment option has been removed from the Sidebar. All created policies now go to the library by default.
- You can enable persistence for the Policies Library so that the policies in the library will remain intact even after you close the app or restart your system. This option is on by default. You can turn it off and on via a toggle switch on the Sidebar.
  - The Persistent Library feature does not keep the policies intact when you uninstall the AppControl Manager, so if you ever plan to uninstall the app, make sure you use the Backup All option under the Actions menu to create a backup.
- When the library contains any policy, persistence is off and you attempt to close the app, you will encounter a notice reminding you that there are unsaved policies. You can configure this behavior in the app's settings page. At this point you can either enable persistence, save policies manually to files, or simply ignore the warning and confirm the app closing dialog.
- The library offers quick actions for every policy in it when you click or tap on it, such as:
  - Saving as XML (prompts for file picker so you can pick a location to save)
  - Saving as CIP (prompts for file picker so you can pick a location to save)
  - Opening in Policy Editor (The changes will be saved back to the same exact policy in the library)
  - Configuring Rule Options (The changes will be saved back to the same exact policy in the library)
  - Removing from the list (If persistence is enabled, this means it will be removed from the cache on the disk as well.)
  - Deploying on the system (only available when running the app as Admin)
- Some of the quick actions described above are also available when swiping right or left on each policy in the animated list. (only available on devices with touch capability)
- The Policies Library with all of its capabilities and persistence offers a seamless experience that just works out of the box, without adding any additional burden or responsibility to the user.
New Scan Level: File Name 🎈
Added a new Scan Level for local files and event logs which can be used for both signed and unsigned files. Rules created by this level are based on the file's details and not signatures. It can only be used for files that have certain properties such as OriginalFileName, FileDescription, InternalName or ProductName and also have a Version. When you set the Scan Level to File Name and a file does not have a Version, Hash rules will be created for it instead as a fallback level.
Using signature-based levels is generally recommended for security reasons, but this File Name level can provide greater flexibility and a middle ground for users who want to create rules for Unsigned files but do not want to use Hash level (too strict) or File Path Levels (too loose).
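To see ahead of time which files in a folder would qualify for File Name rules and which would fall back to Hash, the following added example (not AppControl Manager code) reads each file's version resource and applies the eligibility rule described above. The function name, the scanned extensions and the treatment of a 0.0.0.0 version or a missing name attribute are assumptions.

```powershell
# Added example (not AppControl Manager code): report which files carry the
# version-resource fields that the File Name scan level relies on.
function Get-FileNameLevelEligibility {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Name attributes listed in the release notes for the File Name level.
    $nameProps = 'OriginalFileName', 'FileDescription', 'InternalName', 'ProductName'

    Get-ChildItem -LiteralPath $Path -File -Recurse |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
        ForEach-Object {
            $file = $_
            $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($file.FullName)

            # Binary file version; 0.0.0.0 is treated as "no Version" (assumption).
            $version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            $hasVersion = $version -ne [version]'0.0.0.0'

            # Name attributes that are actually populated in this file.
            $present = @($nameProps | Where-Object { -not [string]::IsNullOrWhiteSpace($vi.$_) })

            # Assumption: a file with no usable name attribute also falls back to Hash.
            $level = if ($hasVersion -and $present.Count -gt 0) { 'FileName' } else { 'Hash (fallback)' }

            [pscustomobject]@{
                File           = $file.FullName
                Signature      = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
                Version        = if ($hasVersion) { $version } else { $null }
                NameAttributes = $present -join ', '
                ExpectedLevel  = $level
            }
        }
}

# Usage (hypothetical folder):
# Get-FileNameLevelEligibility -Path 'C:\Tools' | Format-Table -AutoSize
```

Unsigned files that show `FileName` in the last column are the ones this level is aimed at; anything showing `Hash (fallback)` will still need a rule update whenever the binary changes.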
Remove Signed Policies Without Policy Files 🐦🔥
AppControl Manager now lets you remove the deployed Signed policies from the system without requiring you to provide the original policy file that was deployed on the system. Now, all you need to remove a Signed policy is to provide the certificate that was used to sign it.
This makes it a lot easier to manage signed policy deployments, as you no longer need to keep the Signed policy files you deploy. You can safely delete the XML/CIP policies after deployment and you will still be able to successfully remove them from the system later whenever you want.
Other Changes 🪅
- Noticeable performance improvements for policy creations.
- Reduced disk usage and temporary file creation by 95% by performing many actions in memory. That means you will no longer see StagingArea directories created under C:\Program Files\AppControl Manager.
- Added icons to the Clear buttons of selected files/folders fly-outs across the app.
- Improved code quality.
- General performance improvements.
- When scanning event logs or parsing MDE Advanced Hunting data, the app's icon on the taskbar displays the busy overlay icon.
- The file/directory picker dialogs now open by default in the current user's directory instead of C:\Program Files\AppControl Manager.
- Updated dependencies to the latest versions.
- In the Deployment page, when you select CIP files to be uploaded to Intune, they will now have the same metadata as if you selected XML files. This means no matter which file type you select to upload to Intune, the metadata will always be available in the Intune portal, such as the policy ID, policy version, policy name, rule types in the policy and so on.
- In the MDE Advanced Hunting page, you can now select as many CSV files as you want to scan at the same time. Previously you could only select 1 file at a time.
- In the MDE Advanced Hunting page, when duplicate data are detected, the item that is newer is kept. Previously, the deduplication logic only ensured 1 item exists without considering timestamp. Completes this feature request.
- Fundamentally completed the following feature request in this update that was about avoiding replacing policies in the C:\Program Files\AppControl Manager directory with the same file name.
- In the Policy Editor page, after performing searches, the column widths are now dynamically adjusted automatically for a better user experience.
- In the app close confirmation dialog, the default selected button is now set to "No" instead of "Yes" to follow best practices.
- Improved the accuracy of the Simulation for some edge cases when encountering certain signed files.
- In the Certificates section of the Supplemental Policy creation page, you can now right-click or tap and hold on the certificates browse button to view the list of all certificate files you've selected and remove the ones you don't want or clear the entire list. It also gets highlighted when something is selected by you. This improves consistency with the rest of the user interface behaviors.
- In the MDE Advanced Hunting and Event Logs scanning pages where you can browse for policy files, implemented additional flyouts that allow you to view the files you've selected and modify them if you need. The buttons that launch file pickers also get a highlight when something has been selected, serving as a visual cue to make it easier to know where you've already selected something.
  - Both pages now also support assigning policies from the Policies Library on the Sidebar to the sections of the page that need a policy. For example, you can directly add Event Logs to a policy in the library, or create a new Supplemental policy from one of the base policies in the library based on MDE Advanced Hunting logs, all without ever saving anything to the disk or creating any files, very quickly and efficiently.
- In the MDE Advanced Hunting and Event Logs scanning pages, where you can enter a custom GUID for the Base policy ID of the Supplemental policy that will be created, there is now a new button to generate a random valid ID and fill the box for you. This can come in handy if you want to quickly create a policy from event logs or MDE AH logs and you don't want to browse for any policy files or you don't have any policies yet. You will have to assign the correct Base policy ID to the supplemental policy later on when you want to actually deploy it, which can be easily done in the Policy Editor.
- Improved localizations.
- When deploying the Signed and Reputable policy and Smart App Control is not off, you will see a warning reminding you to turn it off. Completes the following feature request.
- Added support for decoding and viewing the full details of .p7b App Control policy types, which usually can be found in C:\Windows\System32\CodeIntegrity. They appear in the System Information page and now when you use the Open in the Policy Editor button on them, they will be completely decoded and all of their information will be visible to you.
- You can now browse for .p7b files in the Policy Editor in order to open them in the AppControl Manager and also add them to the Policies Library on the sidebar, or open them via CLI in the app.
- When selecting a file save location via the picker in various sections of the app, you always have the option to override the name of the file or its extension that is going to be saved to disk. Starting with this update, even if you accidentally remove it or type the wrong extension in the box, the correct extension will still always be there.
- In the Policy Editor you can now view and edit the Friendly Name of the selected policy.
- In the Policy Merger page you can now assign policies from the sidebar's library to different sections of the page directly.
- Solved this issue by adding checks for when a user tries to deploy policies, so that when there is a Signed policy already deployed with the same PolicyID as the PolicyID of the Unsigned policy that the user is trying to deploy on the local system, there will be an error to prevent that. This normally shouldn't happen, but if a user accidentally tries something like that, it will be blocked. This new check has been implemented in all the places where deployment happens so they can be intercepted and go through this check first.
- In the Supplemental Policy Creation and Deny Policy Creation pages, you can now assign policies directly from the Policies Library on the Sidebar to the "Add rules to Existing policy" section. This means you can quickly and efficiently expand any policy. Completes this request.
PRs
How to verify the MSIXBundle's authenticity:
gh attestation verify "Path To MSIXBundle" --repo HotCakeX/Harden-Windows-Security --format json
You can install the GitHub CLI from Winget:
winget install --id GitHub.cli
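The verification step above can be wrapped so that a failed attestation stops a script before the bundle is used. This is an added example, not code from the project: the function name is hypothetical, and the JSON path used for the digest cross-check (verificationResult.statement.subject.digest.sha256) is an assumption about the `--format json` output.

```powershell
# Added example (not project code): gate on `gh attestation verify` and
# cross-check the attested digest against the local file hash.
function Test-MsixBundleAttestation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$BundlePath,
        [string]$Repo = 'HotCakeX/Harden-Windows-Security'
    )

    if (-not (Get-Command gh -ErrorAction SilentlyContinue)) {
        throw 'GitHub CLI (gh) not found. Install it with: winget install --id GitHub.cli'
    }
    $file = Get-Item -LiteralPath $BundlePath -ErrorAction Stop

    # gh exits non-zero when no valid attestation for this file is found for the repo.
    $json = & gh attestation verify $file.FullName --repo $Repo --format json
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Attestation verification failed (gh exit code $LASTEXITCODE)."
        return $false
    }

    # Defence in depth: the attested subject digest must equal the SHA-256 of
    # the file on disk. The field path below is an assumption (see lead-in).
    $localHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $results = $json | Out-String | ConvertFrom-Json
    $attested = @($results.verificationResult.statement.subject.digest.sha256)

    # -notcontains compares strings case-insensitively, so hex case does not matter.
    if ($attested -notcontains $localHash) {
        Write-Warning "No attested digest matches local SHA-256 $localHash."
        return $false
    }

    Write-Verbose "Attestation OK for $($file.Name) from $Repo."
    return $true
}

# Usage (placeholder path):
# if (-not (Test-MsixBundleAttestation -BundlePath 'Path To MSIXBundle')) { throw 'Do not install.' }
```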