What's New
- The ConvertTo-WDACPolicy command now shows blocked and audited events by default unless you use the -LogType parameter to narrow it down. The previous default behavior was Audit logs only.
- The ConvertTo-WDACPolicy command now has a new optional parameter called -Level. The level that determines rule generation can be one of the following: Auto, FilePublisher, Publisher, or Hash.
  - The fallback level is always Hash.
  - By default, which is the same as not using this parameter, the most secure levels are prioritized. If a log contains the requisite details for the FilePublisher level, it will be utilized. If not, the Publisher level will be attempted. Should this also fail, the Hash level will be employed.
  - Enterprises and organizations typically favor the Publisher level over FilePublisher for its streamlined maintenance, making this adjustment particularly advantageous for these user groups.
- The Edit-SignedWDACConfig and Edit-WDACConfig commands now support the same levels that ConvertTo-WDACPolicy supports when creating a policy based on the event logs.
- Improved globalization to ensure compatibility with any culture.
- Provided a ready-to-use Visual Studio solution (.NET 9).
- ConvertTo-WDACPolicy -PolicyToAddLogsTo now supports policies that contain Macros.
PR: #312