Skip to content

New DenyWDACConfig

Violet Hansen edited this page Dec 28, 2024 · 24 revisions

New-DenyWDACConfig available parameters

New-DenyWDACConfig -Drivers


    -PolicyName <String>
    [-ScanLocations <DirectoryInfo[]>]


Creates a Deny base policy by scanning a directory, this parameter uses DriverFile objects so it's best suitable for driver files. The base policy will have 2 allow all rules, meaning it can be deployed as a standalone base policy, side-by-side any other Base/Supplemental policies.


The scan uses WHQLFilePublisher level without any fallbacks, and includes both usermode and kernel mode drivers.



Add a descriptive name for the Deny base policy. Accepts only alphanumeric and space characters.

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False


Accepts one or more comma separated folder paths. Supports argument completion, when you press tab, folder picker GUI will open allowing you to easily select a folder, you can then add a comma , and press tab again to select another folder path or paste a folder path manually, works both ways.

Type: DirectoryInfo[]
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False


Indicates that the module will automatically deploy the Deny base policy after creation.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

horizontal super thin rainbow RGB line

New-DenyWDACConfig -InstalledAppXPackages


    -PackageName <String>
    -PolicyName <String>


Creates a Deny base policy for one or more installed Windows Apps (Appx) based on their PFN (Package Family Name). The base policy will have 2 allow all rules, meaning it can be deployed as a standalone base policy, side-by-side any other Base/Supplemental policies.



Enter the package name of an installed app. Supports wildcard * character. e.g, *Edge* or "*Microsoft*".

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: True


Add a descriptive name for the Deny base policy. Accepts only alphanumeric and space characters.

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False


Indicates that the module will automatically deploy the Deny base policy after creation.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


Indicates that the cmdlet won't ask for confirmation and will proceed with creating the deny policy.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

horizontal super thin rainbow RGB line

New-DenyWDACConfig -PathWildCards

New-DenyWDACConfig -PathWildCards demo


    -PolicyName <String>
    -FolderPath <DirectoryInfo>


Creates a Deny standalone base policy for a folder using wildcards. The base policy created by this parameter can be deployed side by side any other base/supplemental policy.


This feature is also used internally by the Harden Windows Security Module.



Add a descriptive name for the Deny base policy. Accepts only alphanumeric and space characters.

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False


A folder path that includes at least one wildcard * character. Press TAB to open the folder picker GUI. Once you selected a folder, you will see the path will have \* at the end of it. You can modify the selected path by adding/removing wildcards * to it before proceeding.

Type: DirectoryInfo
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: True


Indicates that the module will automatically deploy the Deny base policy after creation.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


Clone this wiki locally