Advanced Blocker Rule Creation Process: Secure Winget
A comprehensive guide to implementing enterprise-grade security controls for Winget, covering process mapping, rule configuration, and deployment strategies to prevent unauthorized software installations and potential attack vectors.
This article is designed to guide you through the process of setting up more advanced rules for Blocker, using Winget as an example. Setting up Winget with enterprise security rules requires a strategic approach to ensure smooth software deployment while maintaining strong system protection. This guide helps you configure Winget with advanced security blocking mechanisms to prevent unauthorized software installations and potential living-off-the-land (LOTL) attack vectors. By following this guide, you can ensure that Winget operates smoothly within your AutoElevate-secured environment while maintaining strong security against LOTL attacks.
Preparation and Prerequisites
- Install AutoElevate security blocker
- Confirm Winget installation on target machines
- Ensure administrative access for configuration
Deployment Strategy
Step 1: Audit Mode Setup
2. Run Winget Commands:
- Execute common winget commands such as `winget install` and `winget upgrade --all`.
- Monitor the audit logs to identify processes triggered by winget.
Step 2: Review Execution Logs
1. Access Audit Logs:
- In the AutoElevate console, navigate to the audit logs section.
- Review logs for entries related to winget and its child processes.
2. Identify Required Processes:
- Note down any processes that winget triggers, such as `msiexec.exe`, `powershell.exe`, or `cmd.exe`.
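The following PowerShell script is an added example, not part of the CyberFOX article or of the AutoElevate product. It automates the process mapping in Steps 1 and 2 from the Windows side: after running your winget commands, it reads Security event 4688 (Process Creation), follows the parent/child chain downward from every `winget.exe` instance, and prints the unique child-image/parent-image pairs that are candidates for the parent-child allow rules in Step 3. It assumes "Audit Process Creation" is enabled, that the session is elevated, and that the OS is Windows 10 / Server 2016 or later (where 4688 carries `ParentProcessName`); the look-back window and the output layout are choices made for this example.

```powershell
# Added example (not from the CyberFOX article): map winget's child processes from
# Security event 4688 so the parent-child Blocker rules can be written from evidence.
# Assumptions: "Audit Process Creation" is on, the shell is elevated, Windows 10/2016+.
param(
    [datetime]$Since = (Get-Date).AddHours(-1)   # look-back window (assumption)
)

# Pull every process-creation event in the window and flatten its EventData.
$filter  = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
$events  = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Pid         = [int]$d['NewProcessId']       # 4688 stores PIDs as hex strings (0x1a2c)
        Image       = $d['NewProcessName']
        ParentPid   = [int]$d['ProcessId']          # PID of the creator process
        Parent      = $d['ParentProcessName']        # empty on pre-2016 builds
        CommandLine = $d['CommandLine']              # populated only if command-line auditing is on
    }
}

# Index children by creator PID so the tree walk is a hashtable lookup.
$byParent   = $records | Group-Object ParentPid -AsHashTable -AsString
$wingetPids = $records |
    Where-Object { $_.Image -like '*\winget.exe' } |
    Select-Object -ExpandProperty Pid -Unique

function Get-Descendants {
    # Recursive walk down the creator chain. Caveat: PIDs are reused, so restrict
    # the window to the winget test run to avoid pulling in unrelated processes.
    param([int]$ParentPid, [int]$Depth = 1)
    foreach ($c in $byParent["$ParentPid"]) {
        [pscustomobject]@{
            Depth       = $Depth
            Image       = $c.Image
            Parent      = $c.Parent
            CommandLine = $c.CommandLine
        }
        Get-Descendants -ParentPid $c.Pid -Depth ($Depth + 1)
    }
}

$tree = foreach ($p in $wingetPids) { Get-Descendants -ParentPid $p }

if (-not $tree) {
    Write-Warning "No child processes of winget.exe found since $Since. Run winget first, or widen -Since."
    return
}

# Full tree, indented by depth, for review against the AutoElevate audit log.
$tree | ForEach-Object { ('  ' * $_.Depth) + $_.Image + '   <- ' + $_.Parent }

# Distinct child/parent pairs: each line is one candidate "allow X when triggered by Y" rule.
"`nCandidate parent-child rules:"
$tree | Sort-Object Image, Parent -Unique | Select-Object Image, Parent | Format-Table -AutoSize
```

Run the script from an elevated prompt shortly after `winget install` or `winget upgrade --all` (for example, `.\Map-WingetChildren.ps1 -Since (Get-Date).AddMinutes(-15)`). Compare its output with the AutoElevate audit log before writing rules: an image that appears under `winget.exe` only for one package (a vendor's bundled installer, for instance) may not deserve a standing allow rule, whereas `msiexec.exe` and `powershell.exe` appearing under every run are the pairs Step 3 expects.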
Step 3: Create Allow Rules
1. Define Allow Rules:
- In the Blocker settings, create rules to allow `winget.exe` and its required child processes.
- Use parent-child process relationships to ensure winget can spawn necessary installers.
2. Example Rules:
- Allow `winget.exe` to execute.
- Allow `msiexec.exe` when triggered by `winget.exe`.
- Allow `powershell.exe` when triggered by `winget.exe`.
Creating "Allow" Rules
Additional instructions on managing and creating rules, including “Allow” rules, can be found here: Managing Blocker Rules - CyberFOX
Step 4: Switch to Live Mode
1. Enable Live Mode:
- Once confident in your allow rules, switch Blocker from Audit Mode to Live Mode.
- This will enforce the rules and block any unauthorized processes.
Before Going Live
Please review additional recommendations before going “Live”, including using our Recommendation Engine first, here: Blocker Quickstart Guide - CyberFOX
Step 5: Testing
1. Test Winget Commands:
- Run `winget upgrade --all` in an elevated PowerShell session.
- Ensure that the command executes without triggering UAC prompts or being blocked.
2. Monitor Logs:
- Continuously monitor the audit logs to ensure no legitimate processes are being blocked.
Deployment
1. Deploy Configuration:
- Apply the configured rules across all target machines in your enterprise environment.
- Ensure all users are informed about the new configuration.
2. Regular Updates:
- Regularly review and update the rules based on new audit logs and process activities.
- Stay informed about updates to winget and AutoElevate Blocker features.