Release notes and what's new in each version of MDE Toolkit.
App Control Deep-Dive: six new workflow features and a completely rebuilt ticket-attachment export pipeline. This is the biggest App Control release since 3.1.0.
.cip is actually signed.*.json snapshot next to the report(s) β useful when Tier III wants to re-analyze the collection.%LocalAppData%\MDE-Monitoring-App\export-prefs.json).Single self-contained .html file β no frameworks, no external assets, no CDN references. Same "attach it to a ticket, no assets folder" story as the PDF.
scroll-margin-top so anchors don't land under the sticky nav).<details> β WDAC policies collapse by default so a 20-policy machine still opens on one screen.prefers-color-scheme.The Triage Report's HTML output now uses the same visual language as the Export Report β dark-mode, sticky TOC, verdict banner, collapsible sections, sortable tables, in-page search. The Save-File dialog now defaults to HTML with Markdown as the second option. Markdown output is unchanged for pasting into ticket bodies (still renders natively in ServiceNow, Azure DevOps, GitHub, Confluence).
The silent-mode App.xaml.cs handlers are now rewired through the same ExportReportAsync pipeline the GUI uses. Everything the dialog offers is exposed as a flag:
--export-html <file> β HTML mirror of --export-pdf.--format <pdf|html|both> β explicit format selection.--include-json β also emit the raw *.json snapshot.--redact <list> β comma list: none / all / machine / upn / ip / serial.--include-sections <list> β comma list of section names, or all / default / none.Backwards compatible: --export-pdf alone still produces exactly one PDF at the given path. Batch mode (--machines-file / --export-dir) now honours every new flag; per-host filenames get the appropriate extensions when --format both is used.
scroll-margin-top.PolicyObject.Rules for OptionType.EnabledAuditMode.MinHeight / MinWidth plus a bounded picker..cip policies.MDE-Toolkit-3.2.0.msiHKLM\SOFTWARE\MDE-Toolkit\Version = 3.2.0msiexec /i MDE-Toolkit-3.2.0.msi /qn--collect / --upload tasks are unchanged. New export flags are additive.MainViewModel.ExportPdfAsync remains available for existing automation. New code should prefer ExportReportAsync.Focus release: the policies the Advanced Hunting page exports now actually compile and enforce. A pile of rule-quality, accuracy, and usability fixes built on top of 3.1.1.
ConvertFrom-CIPolicy for you and drops the binary .cip file next to the .xml. No more switching to PowerShell.SigningScenarios wiring that tells WDAC which rules apply to user-mode binaries vs kernel drivers, so the policy compiled but did nothing. Now every Allow / Deny / Signer is correctly wired into the right scenario (UMCI for .exe / .dll, KMCI for .sys).ConvertFrom-CIPolicy with "There is an error in XML document" or "the signer ID is incorrect". The recommender walks the next fallback level instead.<Allow> elements without any matching constraint.MDE-Toolkit-3.1.2.msiHKLM\SOFTWARE\MDE-Toolkit\Version = 3.1.2msiexec /i MDE-Toolkit-3.1.2.msi /qnConfigCI module (built into Windows 11) or RSAT-WDAC (Windows Server). If neither is installed the toggle stays available but the export reports a clear "module not available" message and leaves the .xml for manual compilation.New App Control for Business → Advanced Hunting sub-page that pulls live WDAC events from Microsoft Defender for Endpoint, compares them against your local or custom App Control policies, and recommends the right allow rules to author β with the same -Level / -Fallback precedence semantics as PowerShell New-CIPolicy.
DeviceTvmInfoGathering, audit / enforced blocks, signing-info, script blocks) from the Microsoft Defender for Endpoint Advanced Hunting API. All four sovereign clouds are supported out of the box: Commercial, US Gov GCC, US Gov GCC High, and US Gov DoD — the right endpoint and authority host are picked automatically.Consolas so they line up.ActionType filter via regex so your custom WHERE clauses survive. Save / load .kql files to share queries with the team..cip in C:\Windows\System32\CodeIntegrity\CIPolicies\Active plus SiPolicy.p7b in one click, or browse to a folder of .cip / .p7b / .xml policies (recursive optional). Each event is evaluated as Allowed, Denied (explicit), or Would Still Block across every selected policy. Explicit Deny wins over Allow anywhere in the set, matching how WDAC merges policies at runtime.-Level / -Fallback)Hash, FileName, FilePath, SignedVersion, Publisher, FilePublisher, LeafCertificate, PcaCertificate, RootCertificate, WHQL, WHQLPublisher, WHQLFilePublisher, and PFN.-Level and the rest become -Fallback in order. A live Consolas-styled preview shows the resulting PowerShell-equivalent command. Order is persisted to %LOCALAPPDATA%\MDE-Toolkit\advanced-hunting-prefs.json.New-CIPolicy. Defaults to Microsoft’s recommended FilePublisher β Publisher β SignedVersion β FileName β Hash β FilePath on first launch.<Allow> per algorithm (SHA256, SHA1, and their Authenticode variants). App Control evaluates the strongest hash first and ignores any algorithm the running kernel can’t compute, so emitting every variant maximises match rate — exactly what PowerShell New-CIPolicy -Level Hash produces.<!-- WARNING --> comment instead of an empty Hash="".%LOCALAPPDATA% is no longer flagged — Hash pins exact bytes regardless of where the file lives. The RISK badge now only appears for FilePath rules in user-writable folders, FileAttribute / FileName rules for unsigned files in user-writable folders, or anything kernel-mode (.sys)..xml exporter now emits one short section header per rule type (Publisher / FileAttribute / FilePath / Hash) instead of repeating each fragment’s own multi-line comment dozens of times. Files exported with lots of Hash recommendations are dramatically smaller while still being valid input for ConvertFrom-CIPolicy.AdvancedHuntingService built on Microsoft.Identity.Client 4.76.0 (interactive auth, FOCI client ID, per-cloud authority + resource URIs, legacy WDATP endpoint fallback).AppControlPolicyComparerService uses Microsoft.Security.CodeIntegrity 3.1.1 to parse .cip / .p7b / .xml policies; sanitises unknown <Option> values so newer Wizard-generated policies load cleanly.MDE-Toolkit-3.1.1.msiHKLM\SOFTWARE\MDE-Toolkit\Version = 3.1.1msiexec /i MDE-Toolkit-3.1.1.msi /qn%LOCALAPPDATA%\MDE-Toolkit\advanced-hunting-prefs.json stores the chosen cloud, tenant, KQL window, custom policy folder, and the rule-precedence order.Focused on scrolling quality of life across every page and grid in the app.
gpupdate /force button now uses a "document with text" icon for better visual clarity.MDE-Toolkit-3.1.0.msiHKLM\SOFTWARE\MDE-Toolkit\Version = 3.1.0msiexec /i MDE-Toolkit-3.1.0.msi /qnFull release notes and downloads for older versions live on the GitHub releases page.