[Suggestion]: Create a WinUI3 version of the Harden Windows Security as a standalone app?

[HotCakeX]

Are you sure the Security measure is not already implemented?

• Yes, I have checked and the Security measure I'm suggesting to be implemented is not duplicate. 🫡

Please explain your new Security measure suggestion

• Just a proposal for now.
• Looking for lots of feedback.
• It won't be relying on PowerShell at all.

[agpt8]

For this one, I have a few items that I would like to see for the WinUI3 app version of this module:

1. Design being like AppControlManger

2. Ability to export configuration. Ideally, the configuration would be designed/exported in such a way so that I can use it as a template from command line something like Protect-WindowsSecurity -Template <template path> or while using an autounattended.xml file (since we can mention and run scripts during installation) during a fresh install giving me a secure and private PC from the very start or even when using a GUI, I can upload a template file and execute directly (useful for non-technical users)

   • Suppose I selected a few options in the protect tab and executed the script. I would want the ability to export this as a configuration so that I can use it as a template to execute in PC.

   • While exporting, I would have the ability to check what kind of protections I would like to include (ASR rules, Bitlocker, Apps | Features, DNS). Similarly, while importing, I would have the ability to apply only the protections I want in the new PC (useful for guiding non-technical users remotely, for example siblings/parents/SO).

   • Suppose I am using an already well protected PC (let's say my current setup), I would like for the GUI to retrieve the current applied policies and allow me to export it as a template (whichever were already applicable using the GUI). This would take the guess work out while building the template in case I ran the script a long time ago.

3. Built in way to configure DNS as well (I think WinSecureDNS should be included in the app version making it an all-rounder to secure windows)

   • The ability to manually provide DNS values for one off run or permanently add it to its user space in the GUI itself.

4. Ability to separately manage each windows telemetry and other privacy options (the ones recently added to the module) in a separate tab for a fine-tuned setup.

5. Parallel operations (as per my experience, correct me if I am wrong though, if something runs in one tab, another tab can only be viewed and not executed. I think having this build in C# would eliminate this issue)

This is of course a non-exhaustive list of things that can be included in the new app. I would like to see different perspectives on this.

[HotCakeX]

@agpt8 Thanks! those are interesting ideas,

The design will be like AppControl Manager ✅
WinSecureDNS module will be converted to C# and included ✅

I can try creating the template functionality in the module. If you want to run the module during OOBE you'll have to either have Internet or have the 3 Microsoft zip files.

Parallel operations can be done in the module too but i make sure only 1 operation can run at the same time because most of the time things depend on each other and 2 things access the same resource on the system so there could be conflicts or inaccurate results.

But some of the new features that were added can run simultaneously, i'll adjust them in the next update.

[agpt8]

Another suggestion that I would like to add to the above list is regarding policy files and their application using WinUI3 Hardening module. Many applications such as browsers, apps and programs publish group policy files along with the apps executables. While MSFT docs have guidelines on how to apply these policies, the process is not exactly straightforward for an average user.

What I would like to have is being able to manage and edit policy files for programs. Here is how this can work:

1. The GUI has a tab that would allow me to add/upload policy file(s) for the app.
2. The module processes it and displays all the applicable policies on the screen and allows me to configure it and apply the changes on that screen.
3. For each policy added, the module saves its state, allowing me to come back later and make changes (this is essentially an overlap with the GPO in windows, maybe this can be skipped...)
4. The GUI also allows me to remove the policies in its entirety if needed and return the app to its default state.
5. These changes also tie well into the whole export/import feature mentioned above.

I think AppControlManager already implements a lot of policy management logic which can be reused here. I ask for this specific feature to be implemented here as well as AppControlManager requires the machine to be in specific configuration, which sometimes is not exactly possible.

My rationale behind this is I would like to configure my browsers (similar to edge, instead of digging through flags and config pages of that specific browser) and apps that provide policy files in a standardised way and easy way.

[HotCakeX]

@agpt8
The policies that the AppControl Manager deals with are Application Control for Business (formerly known as WDAC) policies. They have totally different purposes, use cases and formats.

AppControl Manager doesn't need any specific configurations the machine to be in, it only needs a supported OS, there's no other requirement

I believe what you are looking for already exists. Can you please try it if you haven't already? (p.s it also exists in Windows Server)