From b966630f283298d169ca1a6caacc13a9a8fc0f02 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 22 Sep 2020 14:09:51 +0500 Subject: [PATCH 01/17] Update policy-csp-servicecontrolmanager.md --- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 762c801e6c..b220e10a02 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -78,6 +78,9 @@ If you enable this policy setting, built-in system services hosted in svchost.ex This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code. +> [!IMPORTANT] +> Enabling of this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software). + If you disable or do not configure this policy setting, the stricter security settings will not be applied. From 92ee7782db94206cd8742cbe64a1bb44bc55c14d Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Wed, 7 Oct 2020 10:41:50 -0700 Subject: [PATCH 02/17] WMI and GP alternative for deploying WDAC multi policy Recommend customers use MDM bridge WMI provider --- ...e-windows-defender-application-control-policies.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index bf44f8cd81..99abb1a572 100644 
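Review bot: the added [!IMPORTANT] note in policy-csp-servicecontrolmanager.md opens with "Enabling of this policy", which should be "Enabling this policy", and it understates the mechanism the two lines above it describe. Because the policy requires every binary loaded into these svchost.exe-hosted services to be signed by Microsoft and disallows dynamically generated code, any third-party module that gets loaded into one of those processes is affected, not only antivirus; suggest `> Enabling this policy can cause compatibility issues with third-party software that loads code into svchost.exe processes (for example, third-party antivirus software), because such binaries must be signed by Microsoft.` Since the page describes no audit mode for this setting, it is also worth telling readers to validate on a pilot group before broad rollout.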
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
@@ -85,17 +85,18 @@ When merging, the policy type and ID of the leftmost/first policy specified is u ## Deploying multiple policies -In order to deploy multiple WDAC policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by MEM Intune's Custom OMA-URI feature. You cannot use the "Deploy Windows Defender Application Control" group policy setting to deploy multiple CI policies. +In order to deploy multiple WDAC policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by MEM Intune's Custom OMA-URI feature. + +Note that WMI and GP do not currently support multiple policies. Instead customers should use the [ApplicationControl CSP via the MDM Bridge WMI Provider.](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) ### Deploying multiple policies locally In order to deploy policies locally using the new multiple policy format you will need to: -1. Ensure policies are copied to the right location - - Policies must be copied to this directory: C:\Windows\System32\CodeIntegrity\CiPolicies\Active -2. Binary policy files must have the correct name which takes the format {PolicyGUID}.cip - - Ensure that the name of the binary policy file is exactly the same as the PolicyID in the policy +1. Ensure binary policy files have the correct naming format of {PolicyGUID}.cip + - Ensure that the name of the binary policy file is exactly the same as the PolicyID GUID in the policy - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}` then the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip +2. Copy binary policies to C:\Windows\System32\CodeIntegrity\CiPolicies\Active 3. 
Reboot the system ### Deploying multiple policies via ApplicationControl CSP From 76f4587c63bcc9439470052d829c6ac7f2b0b6fa Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Wed, 7 Oct 2020 10:47:43 -0700 Subject: [PATCH 03/17] Add warning for MDM WMI Bridge --- ...multiple-windows-defender-application-control-policies.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 99abb1a572..c3b796cf52 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -87,8 +87,6 @@ When merging, the policy type and ID of the leftmost/first policy specified is u In order to deploy multiple WDAC policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by MEM Intune's Custom OMA-URI feature. -Note that WMI and GP do not currently support multiple policies. Instead customers should use the [ApplicationControl CSP via the MDM Bridge WMI Provider.](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) - ### Deploying multiple policies locally In order to deploy policies locally using the new multiple policy format you will need to: 
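Review bot: the new sentence "Note that WMI and GP do not currently support multiple policies. Instead customers should use the ApplicationControl CSP via the MDM Bridge WMI Provider" contradicts itself on first reading: it says WMI is unsupported and then recommends a WMI provider. Say which paths are unsupported (the "Deploy Windows Defender Application Control" Group Policy setting that the removed sentence named, and whichever WMI interface is meant here) and that the MDM Bridge WMI Provider works because it drives the ApplicationControl CSP. The link text also has the period inside the brackets ("...WMI Provider.]"); move it after the link. The reordered local steps (name the file {PolicyGUID}.cip so it matches the PolicyID GUID, then copy it to CiPolicies\Active, then reboot) are the right order, since the name must be correct before the file lands in the Active folder; put the directory path in backticks like `*.cip` for consistency.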
@@ -102,3 +100,6 @@ In order to deploy policies locally using the new multiple policy format you wil ### Deploying multiple policies via ApplicationControl CSP Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. Refer to [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. + +> [!NOTE] +> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. \ No newline at end of file From bdce156a229f89854ec66ed766bcda89d05904e3 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 19 Oct 2020 15:27:54 -0700 Subject: [PATCH 04/17] Added mfc40.dll to recommended block list --- .../microsoft-recommended-block-rules.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 06d6ee7d8f..4561b40720 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -158,6 +158,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + @@ -896,6 +897,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + 
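Review bot: moving the WMI/GP caveat into a [!NOTE] under "Deploying multiple policies via ApplicationControl CSP" fixes the placement from the previous commit, but the hunk ends with "\ No newline at end of file"; add the trailing newline. The note still says "WMI and GP do not currently support multiple policies" one clause before recommending a WMI provider, so qualify it as the Group Policy setting and the single-policy WMI interface, and write "Multiple Policy Format" in lowercase unless the page treats it as a proper name. Since this section advertises rebootless deployment through the CSP while the local-copy steps require a reboot, state whether the Bridge path keeps the rebootless behaviour, if the linked anchor documents that.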
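Review bot: both "+" lines in the microsoft-recommended-block-rules.md hunk are empty as shown, so the actual mfc40.dll rule content (the Deny file rule added near line 158 and the matching rule reference in the signing scenario near line 897) cannot be reviewed here; confirm that both additions use the same rule ID and that the Deny rule's file name and version attributes follow the "Pick the correct version of each .dll for the Windows release you plan to support" guidance in the surrounding context. The commit message names the DLL but the visible hunk does not.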
From 0b0786fd866118df010ca7b23b25b1ab7de04736 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Tue, 20 Oct 2020 14:32:35 -0700 Subject: [PATCH 05/17] Added contributor to the acknowledgements section --- .../microsoft-recommended-block-rules.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 4561b40720..620cfbcd0b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -88,6 +88,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Lasse Trolle Borup | Langkjaer Cyber Defence | |Jimmy Bayne | @bohops | |Philip Tsukerman | @PhilipTsukerman | +|Brock Mammen| |
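Review bot: the new acknowledgement row "|Brock Mammen| |" leaves the second column empty and drops the space before the pipe that the neighbouring rows use ("|Philip Tsukerman | @PhilipTsukerman |"); confirm the empty affiliation/handle cell is intended and format the row as `|Brock Mammen | |` so it matches the rest of the table.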
From 198e2f8b18484ae8fe1e493e2dcf9f3b2cbd5709 Mon Sep 17 00:00:00 2001 From: Tina McNaboe <53281468+TinaMcN@users.noreply.github.com> Date: Mon, 2 Nov 2020 17:09:26 -0800 Subject: [PATCH 06/17] Update ie-edge-faqs.md Fixed Localization Priority metadata --- browsers/internet-explorer/kb-support/ie-edge-faqs.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md index 0257a9db03..5c29be5126 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md @@ -10,9 +10,7 @@ ms.prod: internet-explorer ms.technology: ms.topic: kb-support ms.custom: CI=111020 -ms.localizationpriority: Normal -# localization_priority: medium -# ms.translationtype: MT +ms.localizationpriority: medium ms.date: 01/23/2020 --- # Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros From 0e4ce05d012416e2daf174d4cb461397a1f956b8 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Fri, 6 Nov 2020 15:18:45 +0100 Subject: [PATCH 07/17] Update enable-exploit-protection.md Audit of mitigations is not always available via PS but is with other management options --- .../enable-exploit-protection.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 2d44c8da7d..373ad6ff74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md 
@@ -210,7 +210,7 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet -- | - | - | - +-|-|-|- Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available 
@@ -225,20 +225,20 @@ Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreS Disable extension points | App-level only | ExtensionPoint | Audit not available Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] Validate handle usage | App-level only | StrictHandle | Audit not available Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] \[1\]: Use the following format to enable EAF modules for DLLs for a process: ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` - +\[2\]: Audit for this mitigation is not available via Powershell CmdLet. 
## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. From 30bedf7c74e426fdb6b56e9c3d407e11a54fd4b9 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 8 Nov 2020 07:44:42 +0500 Subject: [PATCH 08/17] Update windows/client-management/mdm/policy-csp-servicecontrolmanager.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index b220e10a02..8f43acb2ab 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -79,7 +79,7 @@ If you enable this policy setting, built-in system services hosted in svchost.ex This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code. > [!IMPORTANT] -> Enabling of this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software). +> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software). If you disable or do not configure this policy setting, the stricter security settings will not be applied. @@ -125,4 +125,3 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - From c1e3ce52385ea06f99f49dd03cd7817c3d7a4422 Mon Sep 17 00:00:00 2001 
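Review bot: the new footnote "\[2\]: Audit for this mitigation is not available via Powershell CmdLet." should read "PowerShell cmdlet", and, as the commit message says, the point is that audit for EAF, IAF, SimExec, CallerCheck and StackPivot is available through other management options; the footnote should name them (at minimum the **Audit** choice in the Windows Security app described in step 4 of this page) rather than only state the negative, otherwise the "Audit not available\[2\]" cells still read as "no audit at all". Also match the footnote-marker spacing of the existing \[1\] ("EnableExportAddressFilter \[1\]" has a space, "Audit not available\[2\]" does not).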
From: JesseEsquivel <33558203+JesseEsquivel@users.noreply.github.com> Date: Tue, 10 Nov 2020 15:24:20 -0500 Subject: [PATCH 09/17] Item is missing from proxy/firewall requirements Should be the same as this link (missing *.azure-automation.net). The *.azure-automation.net url is also called out and checked in the defender for endpoint connectivity analyzer. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent#firewall-requirements --- .../microsoft-defender-atp/configure-proxy-internet.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 6abe8ff951..48fd0bee7d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -140,7 +140,8 @@ The information below list the proxy and firewall configuration information requ |------|---------|--------|--------| |*.ods.opinsights.azure.com |Port 443 |Outbound|Yes | |*.oms.opinsights.azure.com |Port 443 |Outbound|Yes | -|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.azure-automation.net |Port 443 |Outbound|Yes | > [!NOTE] From d291e049b1454d0121e74058450a1f368638b1fd Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 11 Nov 2020 19:13:24 +0100 Subject: [PATCH 10/17] Update windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/enable-exploit-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
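Review bot: the "*.blob.core.windows.net" row is deleted and re-added with identical visible text, so that part of the hunk is whitespace-only noise; drop it and keep only the new "*.azure-automation.net" row. For the new row, every entry in this table has "Yes" in the last column, so confirm that *.azure-automation.net is actually required for Defender for Endpoint reporting through the Log Analytics agent and not only for Azure Automation features; the commit message's justification is that the connectivity analyzer checks it, which is worth saying in the [!NOTE] that follows the table so readers understand why a domain that does not look like an MDE endpoint must be allowed through the proxy.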
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 373ad6ff74..d32e84b405 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -238,7 +238,7 @@ Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` -\[2\]: Audit for this mitigation is not available via Powershell CmdLet. +\[2\]: Audit for this mitigation is not available via Powershell cmdlets. ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. From 3627397d9d4378249e7963165e0237b76b1ae28e Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 11 Nov 2020 23:23:52 +0200 Subject: [PATCH 11/17] Fix broken link https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8578 Used social technet link instead of web.archive one. --- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 131a256f82..2b79e081bc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
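Review bot: "via Powershell cmdlets" still miscapitalizes the product name; it should be "PowerShell cmdlets". While this line is being touched, the footnote would help more if it said where audit for these mitigations is available (the **Audit** choice in the Windows Security app described in step 4 of this page), since the table cells it annotates say only "Audit not available\[2\]".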
@@ -62,7 +62,7 @@ A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant B The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. > [!IMPORTANT] -> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://blogs.technet.microsoft.com/tip_of_the_day/2014/01/22/tip-of-the-day-bitlocker-without-tpm-or-usb/). +> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup). > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. From 78eaf0bfa833e9f160ebc18a366886df93882aac Mon Sep 17 00:00:00 2001 From: Anna-Li <70676128+xl989@users.noreply.github.com> Date: Fri, 13 Nov 2020 14:27:49 +0800 Subject: [PATCH 12/17] CI_125045_Update_credential-guard-manage.md --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 742dd80951..1d0b90717a 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md 
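Review bot: the link text still says "Tip of the Day: Bitlocker without TPM or USB" but the new target is a TechNet forum thread ("bitlocker-without-tpm?forum=win10itprosetup"), not the Tip of the Day post, so the text no longer describes what it links to. Either rename it (for example "BitLocker without TPM (TechNet forum)") or, better, replace the external link with the procedure itself, since the sentence promises "For this procedure, see ..." and a forum thread is neither an authoritative nor a durable target; the previous blogs.technet.microsoft.com link already went dead once. "Bitlocker" should be "BitLocker" in either case.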
@@ -160,7 +160,7 @@ You can view System Information to check that Windows Defender Credential Guard 2. Click **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**. +3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**. Here's an example: From 57d4a81f864e20be0868457bc01c3c9220fed7e3 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Fri, 13 Nov 2020 17:28:00 +0100 Subject: [PATCH 13/17] Update configure-server-endpoints.md Use the Workspace ID you obtained and replacing `WorkspaceID` updated script as it did not work :) --- .../microsoft-defender-atp/configure-server-endpoints.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index ad4b3d8853..0af0c2d391 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -249,12 +249,14 @@ To offboard the Windows server, you can use either of the following methods: 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: ```powershell + $ErrorActionPreference = "SilentlyContinue" # Load agent scripting object $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg # Remove OMS Workspace - $AgentCfg.RemoveCloudWorkspace($WorkspaceID) + $AgentCfg.RemoveCloudWorkspace("WorkspaceID") # Reload the configuration and apply changes $AgentCfg.ReloadConfiguration() + ``` ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) From a8bfdbb3d3ad86781d5ed8b0c041c354b0bd8652 Mon Sep 17 00:00:00 2001 
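Review bot: changing the check from "Virtualization-based security Services Configured" to "Virtualization-based security Services Running" is the right verification for a section titled "check that Windows Defender Credential Guard is running": Configured only reflects what policy asked for, Running reflects what is active on the device. Consider telling readers that Credential Guard listed under Configured but absent from Running means the setting was received but Credential Guard has not started, and re-capture the screenshot after "Here's an example:" so it shows the Running line.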
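Review bot: `$ErrorActionPreference = "SilentlyContinue"` at the top of the offboarding script suppresses the errors from the lines that follow, so a user whose `New-Object -ComObject AgentConfigManager.MgmtSvcCfg` fails or whose `RemoveCloudWorkspace` call rejects the ID can run this "successfully" and remain onboarded; drop the line, or check the outcome of `RemoveCloudWorkspace` before calling `ReloadConfiguration()`. The change from `$AgentCfg.RemoveCloudWorkspace($WorkspaceID)` to `$AgentCfg.RemoveCloudWorkspace("WorkspaceID")` fixes the real defect (the variable was never assigned in the snippet, so nothing useful was passed), but the instruction above still says "replacing `WorkspaceID`"; a clearer form is an explicit `$WorkspaceID = "<your workspace ID>"` at the top followed by `$AgentCfg.RemoveCloudWorkspace($WorkspaceID)`, so the placeholder is obvious and the original variable name keeps working. The extra blank "+" line before the closing fence is stray whitespace.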
From: Denise Vangel-MSFT Date: Fri, 13 Nov 2020 09:29:31 -0800 Subject: [PATCH 14/17] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 70 +++++++++---------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index d32e84b405..60e02d7bb1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: ksarens manager: dansimp --- @@ -54,8 +54,8 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- If the app you want to configure is already listed, click it and then click **Edit**. - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows. 
@@ -70,12 +70,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: -Enabled in **Program settings** | Enabled in **System settings** | Behavior --|-|- -[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** -[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** -[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** -[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option +|Enabled in **Program settings** | Enabled in **System settings** | Behavior | +|:---|:---|:---| +|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** | +|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** | +|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** | +|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option | ### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default 
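Review bot: the rebuilt matrix carries over a pre-existing error in its last row: rows 3 and 4 both show check-no under **Program settings** and check-yes under **System settings**, yet one says "As defined in **System settings**" and the other "Default as defined in **Use default** option"; the fourth row should be check-no in both columns, since "not enabled in either place, so the default applies" is the only case not yet covered. Since this commit already rewrites every row into pipe-table form, fix the include in the same hunk. The conversion itself (leading and trailing pipes, ":---" alignment row) is consistent across all four rows here, unlike the mitigation table later in this patch.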
@@ -98,8 +98,8 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- If the app you want to configure is already listed, click it and then click **Edit**. - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 
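Review bot: this hunk and the identical one at @@ -54,8 only re-indent the "Use **Add by program name**" and "Use **Choose exact file path**" sub-bullets by two spaces, which is a whitespace-only change; the two procedures (around lines 54-58 and 98-102) repeat the same five lines verbatim, so consider writing the app-selection steps once and pointing the second procedure at it, which would also have avoided having to fix the indentation twice.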
@@ -209,29 +209,29 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. -Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet --|-|-|- -Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available -Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available -Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available -Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available -Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned -Disable extension points | App-level only | ExtensionPoint | Audit not available -Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall -Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] -Validate API invocation 
(CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] -Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] +|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | +|:---|:---|:---|:---| +|Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | +|Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | +|Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | +|Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available +|Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available +|Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available +|Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +|Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +|Block remote images | App-level only | BlockRemoteImages | Audit not available +|Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +|Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +|Disable extension points | App-level only | ExtensionPoint | Audit not available +|Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall +|Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess +|Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | +||Import 
address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | +|Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | +|Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | +|Validate handle usage | App-level only | StrictHandle | Audit not available | +|Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | +|Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for DLLs for a process: @@ -243,7 +243,7 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. -## Related topics +## See also * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md) From f537f713a3ae332b1944c41305e4149343b44399 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 13 Nov 2020 09:42:13 -0800 Subject: [PATCH 15/17] Update deploy-multiple-windows-defender-application-control-policies.md --- ...-windows-defender-application-control-policies.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index c3b796cf52..fc4dacb214 100644 
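Review bot: The rebuilt table in the hunk at @@ -209 has a doubled leading pipe on the `||Import address filtering (IAF)` row, which inserts an empty first cell and shifts that row's columns by one; it should open with a single `|` like the rows around it. The rows from `|Randomize memory allocations (Bottom-Up ASLR)` through `|Do not allow child processes` also drop the closing `|` that the other rows carry, so the table mixes two row styles; terminate every row the same way. While the table is being touched, `EnforceModuleDepencySigning` in the "Validate image dependency integrity" row looks like a misspelling of the dependency-signing parameter name carried over from the old table, so check it against the cmdlet's parameter list: a reader who copies it into Set-ProcessMitigation would get a parameter error if it is wrong.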
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 09/16/2020 +ms.date: 11/13/2020 --- # Use multiple Windows Defender Application Control Policies 
@@ -91,15 +91,15 @@ In order to deploy multiple WDAC policies, you must either deploy them locally b In order to deploy policies locally using the new multiple policy format you will need to: -1. Ensure binary policy files have the correct naming format of {PolicyGUID}.cip +1. Ensure binary policy files have the correct naming format of `{PolicyGUID}.cip`. - Ensure that the name of the binary policy file is exactly the same as the PolicyID GUID in the policy - - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}` then the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip -2. Copy binary policies to C:\Windows\System32\CodeIntegrity\CiPolicies\Active -3. Reboot the system + - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}`, then the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip +2. Copy binary policies to `C:\Windows\System32\CodeIntegrity\CiPolicies\Active`. +3. Reboot the system. ### Deploying multiple policies via ApplicationControl CSP Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. Refer to [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. > [!NOTE] -> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. \ No newline at end of file +> WMI and GP do not currently support multiple policies. 
Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. From c14c7f2a3616ed0435e8e3254899b97ce67568f5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 13 Nov 2020 09:48:16 -0800 Subject: [PATCH 16/17] Update deploy-multiple-windows-defender-application-control-policies.md --- ...ndows-defender-application-control-policies.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index fc4dacb214..141e2ddbf0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
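Review bot: In the earlier hunk at @@ -91 (the "Deploying multiple policies locally" steps), step 1 now code-formats `{PolicyGUID}.cip`, but the concrete example filename in the sub-bullet, {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip, is still plain text while the GUID beside it is in backticks; format the example filename the same way so the reader sees the exact string, braces included, that must match the PolicyID in the policy.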
@@ -27,7 +27,7 @@ ms.date: 11/13/2020 The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: 1. Enforce and Audit Side-by-Side - - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy + - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy 2. Multiple Base Policies - Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent - If two base policies exist on a device, an application has to be allowed by both to run 
@@ -54,13 +54,13 @@ In order to allow multiple policies to exist and take effect on a single system, New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash ``` -Optionally, you can choose to make the new base policy supplementable (allow supplemental policies). +Optionally, you can choose to make the new base policy allow for supplemental policies. ```powershell Set-RuleOption -FilePath -Option 17 ``` -For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers. +For signed base policies to allow for supplemental policies, make sure that supplemental signers are defined. Use the **Supplemental** switch in **Add-SignerRule** to provide supplemental signers. ```powershell Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [] @@ -77,7 +77,8 @@ In order to create a supplemental policy, begin by creating a new policy in the Set-CIPolicyIdInfo [-FilePath] [-PolicyName ] [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] [-ResetPolicyID] [-PolicyId ] [] ``` -Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID. +> [!NOTE] +> **ResetPolicyId** reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID. ### Merging policies 
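Review bot: In the hunk at @@ -54, replacing "supplementable (allow supplemental policies)" with "allow for supplemental policies" removes the only hint of what `-Option 17` is, and the code line `Set-RuleOption -FilePath -Option 17` that follows gives no explanation of the number; name the rule option in the sentence (in the rule-option list it is Enabled:Allow Supplemental Policies) so a reader can verify the resulting policy XML instead of trusting a bare option number. The next change in the same hunk, bolding the Supplemental switch, lines up with `[-Supplemental]` in the Add-SignerRule syntax line and reads well.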
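Review bot: In the hunk at @@ -77, the new NOTE keeps the phrase "resets the policy GUIDs back to a random GUID", which mixes plural and singular and implies restoring an earlier value; since the flag generates a fresh identifier, say "assigns a new random policy GUID". It would also help to state the consequence the sentence already implies: the rewritten policy no longer supplements its former base policy and has to be deployed under its new GUID.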
@@ -89,17 +90,17 @@ In order to deploy multiple WDAC policies, you must either deploy them locally b ### Deploying multiple policies locally -In order to deploy policies locally using the new multiple policy format you will need to: +To deploy policies locally using the new multiple policy format, follow these steps: 1. Ensure binary policy files have the correct naming format of `{PolicyGUID}.cip`. - Ensure that the name of the binary policy file is exactly the same as the PolicyID GUID in the policy - - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}`, then the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip + - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}`, then the correct name for the binary policy file would be `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip`. 2. Copy binary policies to `C:\Windows\System32\CodeIntegrity\CiPolicies\Active`. 3. Reboot the system. ### Deploying multiple policies via ApplicationControl CSP -Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. Refer to [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. +Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. > [!NOTE] > WMI and GP do not currently support multiple policies. 
Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. From 8cb392bcc58a1f47baed766e2f2a23998b677bff Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 13 Nov 2020 09:49:01 -0800 Subject: [PATCH 17/17] Update deploy-multiple-windows-defender-application-control-policies.md --- ...oy-multiple-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 141e2ddbf0..31c3deaf6b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
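Review bot: In the hunk at @@ -89 of the previous commit, the first sub-bullet under step 1 ("Ensure that the name of the binary policy file is exactly the same as the PolicyID GUID in the policy") is the one list item still without a terminating period after the hunk adds them to steps 1 to 3 and to the example sub-bullet; add it for consistency. The "Refer to" to "See" change and the backticked example filename are fine.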
@@ -48,7 +48,7 @@ The restriction of only having a single code integrity policy active on a system ## Creating WDAC policies in Multiple Policy Format -In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. ```powershell New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash
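Review bot: The hunk at @@ -48 only appends `&preserve-view=true` to the New-CIPolicy link, but the sentence it touches still writes the switch as "MultiplePolicyFormat" in straight quotes while the previous commit changed the "Supplemental" switch in the same file to bold; format this switch the same way (bold or code) in the same pass so the page is consistent. In the same sentence, "The below is an example" would read better as "The following is an example".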