From e4bccef761928b58dc77b2c521fad20d8d8e77b0 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Thu, 31 Oct 2019 15:47:14 -0700 Subject: [PATCH 1/5] Update Win32 on S with proper build info --- .../windows-defender-application-control/LOB-win32-apps-on-s.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 268a9cf97b..d1fde8548c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -23,7 +23,7 @@ ms.date: 10/30/2019 - Windows 10 -Beginning in Windows 10 (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications as well as Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode (S mode) devices. +Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications as well as Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices. With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from “every app is Microsoft-verified" to “every app is verified by Microsoft or your organization”. From 201d8a8f0154d9c61ca46dfc30e405d4701b5287 Mon Sep 17 00:00:00 2001 
From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Thu, 31 Oct 2019 15:47:46 -0700 Subject: [PATCH 2/5] WDAC remove duplicate path-based rules Information is contained in select-types-of-rules-to-create.md --- .../create-path-based-rules.md | 72 ------------------- 1 file changed, 72 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md diff --git a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md deleted file mode 100644 index 4ac0c9fa6e..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -title: Windows Defender Application Control path-based rules (Windows 10) -description: Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. -keywords: whitelisting, security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: isbrahm -ms.author: dansimp -manager: dansimp -ms.date: 05/17/2019 ---- - -# Create Windows Defender Application Control path-based rules - -**Applies to:** - -- Windows 10 -- Windows Server 2016 - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. - -- New-CIPolicy parameters - - FilePath: create path rules under path \ for anything not user-writeable (at the individual file level) - - ```powershell - New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u - ``` - - Optionally, add -UserWriteablePaths to ignore user writeability - - - FilePathRule: create a rule where filepath string is directly set to value of \ - - ```powershell - New-CIPolicyRule -FilePathRule - ``` - - Useful for wildcards like C:\foo\\* - -- Usage follows the same flow as per-app rules: - - ```powershell - $rules = New-CIPolicyRule … - $rules += New-CIPolicyRule … - … - New-CIPolicyRule -f .\mypolicy.xml -u - ``` - -- Wildcards supported - - Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe) - - One or the other, not both at the same time - - Does not support wildcard in the middle (ex. C:\\*\foo.exe) -- Supported Macros: - - %WINDIR%\\... - - %SYSTEM32%\\... 
- - %OSDRIVE%\\... - -- Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: - - ```powershell - Set-RuleOption -o 18 .\policy.xml - ``` - From 2874183991c9c97a606e25a2cc3b6e9f5d5ed97a Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Thu, 31 Oct 2019 15:50:51 -0700 Subject: [PATCH 3/5] WDAC filepath rules page deletion update TOC --- .../windows-defender-application-control/TOC.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 321aa58e14..40e42e3eb4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -13,7 +13,6 @@ ### [Types of devices](types-of-devices.md) ### Use WDAC with custom policies #### [Create an initial default policy](create-initial-default-policy.md) -#### [Create path-based rules](create-path-based-rules.md) #### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md) ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) From bcb34f2d02717deadaf37e537cc8ae6c3a21bf94 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 4 Nov 2019 10:31:12 -0800 Subject: [PATCH 4/5] Add filepath redirection Adding a redirect for the removed duplicate filepath article --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 9fa201861f..bc4a61677b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -15340,6 +15340,11 @@ "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", "redirect_document_id": false +}, +{ + "source_path": "windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create", + "redirect_document_id": true } ] } From 910654a374d62d7f9a3fa00002a6d9d83e4a06e9 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 4 Nov 2019 10:45:51 -0800 Subject: [PATCH 5/5] Fix redirect_document_id for path-based rules Multiple topics that redirect to the same page ask for carry-over of document id (redirect_document_id = true). Following files are detected to redirect to same content with redirect_document_id = true: windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md, windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md. --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index bc4a61677b..65ab3c8637 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -15344,7 +15344,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create", - "redirect_document_id": true + "redirect_document_id": false } ] }
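Review bot: In the PATCH 1/5 hunk for LOB-win32-apps-on-s.md the `ms.date: 10/30/2019` front matter shown as hunk context is left untouched even though the paragraph it governs is rewritten; bump it alongside the text so the page's "last updated" stamp reflects this change. A minor style point on the same changed line: "ex. PowerShell.exe" survives from the old wording in the new one, and "for example, PowerShell.exe" reads better in reference prose. The substantive edit, naming the Windows 10 November 2019 update next to build 18363, is an improvement, since the bare build number gave readers nothing to map to a release they would recognise.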
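Review bot: The deletion hunk in PATCH 2/5 removes security-relevant caveats from create-path-based-rules.md that the commit message says are already in select-types-of-rules-to-create.md; please confirm the surviving article actually carries them before this merges: the `Set-RuleOption -o 18` step that adds "Disabled:Runtime FilePath Rule Protection" and so turns off the default check that path rules only cover locations a standard user cannot write to, the `-UserWriteablePaths` switch that skips the same check at policy-creation time, and the wildcard constraints (suffix or prefix, never both, no wildcard in the middle). If the rule-option 18 warning is lost, readers will not learn that a path rule over a user-writable directory extends trust to whatever a local user places there. Separately, the deleted page's usage block ends with `New-CIPolicyRule -f .\mypolicy.xml -u`, which does not match the `New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u` form shown earlier on the same page (`-f`/`-u` belong to the policy-writing cmdlet, not the rule cmdlet); if this content was copied into the surviving article, check that the inconsistent cmdlet name did not travel with it.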
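Review bot: The TOC.md hunk in PATCH 3/5 removes the "Create path-based rules" entry, but taken together with PATCH 2/5 it leaves the tree in a state where the old page URL resolves to nothing until PATCH 4/5 adds the redirect; squash the file deletion, the TOC removal and the redirect into a single commit so that every commit in the series builds a consistent site and no intermediate state breaks inbound links.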
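Review bot: The new entry added to .openpublishing.redirection.json in PATCH 4/5 sets `"redirect_document_id": true`, which PATCH 5/5 immediately flips to `false`; squash the two so the series does not introduce a setting and then revert it. The JSON surgery itself is correct: the previously last element gains its trailing comma on the `+},` line, the new object is inserted before the closing `]`, and the `source_path` matches the deleted file's path character for character, which is what the redirect check needs.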
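Review bot: The one-line flip to `"redirect_document_id": false` in PATCH 5/5 is the right fix for the conflict the commit message describes, since the message names a second source (device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md) that already carries the document id to the same target; record in the PR description which of the two sources is meant to keep the id, so that a future removal of that other file does not silently leave select-types-of-rules-to-create without a carried-over document id.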