Merge pull request #6522 from MicrosoftDocs/main

Publish 05/02/2022 3:30 PM PT

windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md

@@ -0,0 +1,56 @@
+---
+title: Testing and Debugging AppId Tagging Policies
+description: Testing and Debugging AppId Tagging Policies to ensure your policies are deployed successfully.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: jsuther1974
+ms.author: dansimp
+manager: dansimp
+ms.date: 04/29/2022
+ms.technology: windows-sec
+---
+
+# Testing and Debugging AppId Tagging Policies
+
+**Applies to:**
+
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
+
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
+
+After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event. 
+
+## Verifying Tags on Running Processes
+
+After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since WDAC can only tag processes created after the policy has been deployed. 
+
+1. Download and Install the Windows Debugger 
+
+	[Microsoft's WinDbg Preview application](https://www.microsoft.com/store/productId/9PGJGD53TN86) can be downloaded from the Store and used to verify tags on running processes. 
+
+2. Get the Process ID (PID) of the process under validation
+
+	Using Task Manager, or an equivalent process monitoring tool, locate the PID of the process you wish to inspect. In the example below, we've located the PID for the running process for Microsoft Edge to be 2260. The PID will be used in the next step. 
+
+	![Using Task Manager to locate the process ID - PID.](../images/appid-pid-task-mgr.png)
+
+3. Use WinDbg to inspect the process
+
+	After opening WinDbg. select File followed by `Attach to Process`, and select the process with the PID identified in the step prior. Finally, select `Attach` to connect to the process. 
+
+	![Attach to the process using WinDbg.](../images/appid-pid-windbg.png)
+
+	Lastly, in the textbox, type `!token` and then press the Enter key to dump the security attributes on the process, including the _POLICYAPPID://_ followed by the key you set in the policy, and its corresponding value in the Value[0] field.
+
+	![Dump the security attributes on the process using WinDbg.](../images/appid-pid-windbg-token.png)

windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md

@@ -0,0 +1,60 @@
+---
+title: Deploying Windows Defender Application Control AppId Tagging policies (Windows)
+description: How to deploy your WDAC AppId Tagging policies locally and globally within your managed environment
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: jsuther1974
+ms.author: dansimp
+manager: dansimp
+ms.date: 04/29/2022
+ms.technology: windows-sec
+---
+
+# Deploying Windows Defender Application Control AppId Tagging policies (Windows)
+
+**Applies to:**
+
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
+
+Similar to WDAC Application Control policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy:
+
+1. [Deploy AppId Tagging Policies with MDM](#deploy-appid-tagging-policies-with-mdm)
+1. [Deploy policies with MEMCM](#deploy-appid-tagging-policies-with-memcm)
+1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting)
+1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp)
+
+## Deploy AppId Tagging Policies with MDM
+
+Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). 
+
+## Deploy AppId Tagging Policies with MEMCM
+
+Custom AppId Tagging policies can deployed via MEMCM using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. 
+
+### Deploy AppId Tagging Policies via Scripting
+
+Scripting hosts can be used to deploy AppId Tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. The [Deploy WDAC policies using script article](/deployment/deploy-wdac-policies-with-script.md) describes how to deploy WDAC AppId Tagging policies via scripting. Only the method for deploying to version 1903 and above is applicable for AppId Tagging policies. 
+
+### Deploying policies via the ApplicationControl CSP
+
+Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
+
+However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
+
+For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use MEM Intune's Custom OMA-URI capability.
+
+> [!NOTE]
+> WMI and GP do not currently support multiple policies. Instead, customers who can't directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.

windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md

@@ -0,0 +1,119 @@
+---
+title: Create your Windows Defender Application Control AppId Tagging Policies
+description: Create your Windows Defender Application Control AppId tagging policies for Windows devices.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: jsuther1974
+ms.author: dansimp
+manager: dansimp
+ms.date: 04/29/2022
+ms.technology: windows-sec
+---
+
+# Creating your WDAC AppId Tagging Policies
+
+**Applies to:**
+
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
+
+## Create the policy using the WDAC Wizard
+
+You can use the WDAC Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [WDAC Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md).
+
+1. Create a new base policy using the templates:
+
+	Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The example below shows beginning with the [Default Windows Mode](../wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules. 
+
+	![Configuring the policy base and template.](../images/appid-wdac-wizard-1.png)
+
+2. 	Set the following rule-options using the Wizard toggles:
+
+	![Configuring the policy rule-options.](../images/appid-wdac-wizard-2.png)
+
+3. Create custom rules:
+
+	Selecting the `+ Custom Rules` button will open the Custom Rules panel. The Wizard supports five types of file rules: 
+
+	- Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security. 
+	- Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards. 
+	- File attribute rules: Create a rule based off a file's immutable properties like the original filename, file description, product name or internal name.
+	- Package app name rules: Create a rule based off the package family name of an appx/msix.
+	- Hash rules: Create a rule based off the PE Authenticode hash of a file. 
+
+
+	For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../wdac-wizard-create-base-policy.md#creating-custom-file-rules).
+
+4. Convert to AppId Tagging Policy:
+
+	After the Wizard builds the policy file, open the file in a text editor and remove the entire "Value=131" SigningScenario text block. The only remaining signing scenario should be "Value=12" which is the usermode application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario:
+
+	```powershell
+	Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
+	```
+	The policyID GUID will be returned by PowerShell if successful. 
+
+## Create the policy using PowerShell 
+
+Using this method, you'll create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md). In an elevate PowerShell instance:
+
+1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [WDAC File Rule Levels](../select-types-of-rules-to-create.md#table-2-windows-defender-application-control-policy---file-rule-levels) can be used in AppId rules:
+
+	```powershell
+	$rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath <path_to_application>
+	```
+2. Create the AppId Tagging Policy. Replace the AppIdTagging Key-Value pair for your scenario:
+
+	```powershell
+	New-CIPolicy -rules $rule -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
+	```
+3. Set the rule-options for the policy:
+
+	```powershell
+	Set-RuleOption -Option 0 .\AppIdPolicy.xml  # Usermode Code Integrity (UMCI)
+	Set-RuleOption -Option 16 .\AppIdPolicy.xml # Refresh Policy no Reboot
+	Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection
+	```
+
+	If you're using filepath rules, you'll likely want to set option 18. Otherwise, there's no need. 
+	
+4. Set the name and ID on the policy, which is helpful for future debugging:
+
+	```powershell
+	Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId"" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml"
+	```
+	The policyID GUID will be returned by PowerShell if successful. 
+
+## Deploy for Local Testing
+
+After creating your AppId Tagging policy in the above steps, you can deploy the policy to your local machine for testing before broadly deploying the policy to your endpoints:
+
+1. Depending on your deployment method, convert the xml to binary: 
+
+	```powershell
+	Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip"
+	```
+
+2. Optionally, deploy it for local testing:
+
+	```powershell
+		copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\
+		./RefreshPolicy.exe
+	```
+
+	RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925).
+
+## Next Steps
+For more information on debugging and broad deployment of the AppId Tagging policy, see [Debugging AppId policies](./debugging-operational-guide-appid-tagging-policies.md) and [Deploying AppId policies](deploy-appid-tagging-policies.md). 

windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md

@@ -0,0 +1,53 @@
+---
+title: Designing, creating, managing and troubleshooting Windows Defender Application Control AppId Tagging policies (Windows)
+description: How to design, create, manage and troubleshoot your WDAC AppId Tagging policies
+keywords: security, malware, firewall
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: jsuther1974
+ms.author: dansimp
+manager: dansimp
+ms.date: 04/27/2022
+ms.technology: windows-sec
+---
+
+# WDAC Application ID (AppId) Tagging guide
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+- Windows Server 2022 and above
+
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
+
+## AppId Tagging Feature Overview
+
+The Application ID (AppId) Tagging Policy feature, while based off WDAC, does not control whether applications will run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy will receive the tag while failing applications won't. 
+
+## AppId Tagging Feature Availability
+
+The WDAC AppId Tagging feature is available on the following versions of the Windows platform: 
+
+Client: 
+- Windows 10 20H1, 20H2 and 21H1 versions only
+- Windows 11
+
+Server: 
+- Windows Server 2022
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Designing and Creating AppId Policies](design-create-appid-tagging-policies.md) | This topic covers how to design and create AppId Tagging policies. |
+| [Deploying AppId Policies](deploy-appid-tagging-policies.md) | This topic covers how to deploy AppId Tagging policies. |
+| [Debugging AppId Policies](debugging-operational-guide-appid-tagging-policies.md) | This topic covers how to debug and view events from AppId Tagging policies. |

windows/security/threat-protection/windows-defender-application-control/TOC.yml

@@ -46,9 +46,9 @@
             - name: Policy creation for common WDAC usage scenarios
               href: types-of-devices.md
               items: 
-                - name: Create a WDAC policy for lightly-managed devices
+                - name: Create a WDAC policy for lightly managed devices
                   href: create-wdac-policy-for-lightly-managed-devices.md
-                - name: Create a WDAC policy for fully-managed devices
+                - name: Create a WDAC policy for fully managed devices
                   href: create-wdac-policy-for-fully-managed-devices.md
                 - name: Create a WDAC policy for fixed-workload devices
                   href: create-initial-default-policy.md
@@ -101,7 +101,7 @@
           href: disable-windows-defender-application-control-policies.md
         - name: LOB Win32 Apps on S Mode
           href: LOB-win32-apps-on-s.md
-    - name: Windows Defender Application Control operational guide
+    - name: WDAC operational guide
       href: windows-defender-application-control-operational-guide.md
       items: 
         - name: Understanding Application Control event tags
@@ -114,6 +114,15 @@
           href: operations/known-issues.md
         - name: Managed installer and ISG technical reference and troubleshooting guide
           href: configure-wdac-managed-installer.md
+    - name: WDAC AppId Tagging guide
+      href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+      items:
+        - name: Creating AppId Tagging Policies
+          href: AppIdTagging/design-create-appid-tagging-policies.md
+        - name: Deploying AppId Tagging Policies
+          href: AppIdTagging/deploy-appid-tagging-policies.md
+        - name: Testing and Debugging AppId Tagging Policies
+          href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
     - name: AppLocker
       href: applocker\applocker-overview.md
       items: 

windows/security/threat-protection/windows-defender-application-control/feature-availability.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: denisebmsft
-ms.reviewer: isbrahm
+ms.reviewer: jgeurten
 ms.author: deniseb
 manager: dansimp
 ms.date: 07/29/2021
@@ -45,3 +45,4 @@ ms.technology: windows-sec
 | COM object configurability        | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md)  | Not available |
 | Packaged app rules                | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md)  | Available on Windows 8+   |
 | Enforceable file types       | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|
+| Application ID (AppId) Tagging | [Available on 20H1+](./AppIdTagging/windows-defender-application-control-appid-tagging-guide.md)  | Not available |