deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-28 08:43:45 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into repo_sync_working_branch

Browse Source
This commit is contained in:
Diana Hanson
2021-08-09 12:31:21 -06:00
committed by GitHub
parent e1a1bd85da e3b8978168
commit 12f4377630
1 changed files with 21 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
View File

@ -87,30 +87,30 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
```
## System Integrity Policy Options
The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
| Bit Address | Policy Rule Option |
|-------|------|
| 2 | Enabled:UMCI |
| 3 | Enabled:Boot Menu Protection |
| 4 | Enabled:Intelligent Security Graph Authorization |
| 5 | Enabled:Invalidate EAs on Reboot |
| 7 | Required:WHQL |
| 10 | Enabled:Allow Supplemental Policies |
| 11 | Disabled:Runtime FilePath Rule Protection |
| 13 | Enabled:Revoked Expired As Unsigned |
| 16 | Enabled:Audit Mode (Default) |
| 17 | Disabled:Flight Signing |
| 18 | Enabled:Inherit Default Policy |
| 19 | Enabled:Unsigned System Integrity Policy (Default) |
| 20 | Enabled:Dynamic Code Security |
| 21 | Required:EV Signers |
| 22 | Enabled:Boot Audit on Failure |
| 23 | Enabled:Advanced Boot Options Menu |
| 24 | Disabled:Script Enforcement |
| 25 | Required:Enforce Store Applications |
| 27 | Enabled:Managed Installer |
| 28 | Enabled:Update Policy No Reboot |
| 2 | `Enabled:UMCI` |
| 3 | `Enabled:Boot Menu Protection` |
| 4 | `Enabled:Intelligent Security Graph Authorization` |
| 5 | `Enabled:Invalidate EAs on Reboot` |
| 7 | `Required:WHQL` |
| 10 | `Enabled:Allow Supplemental Policies` |
| 11 | `Disabled:Runtime FilePath Rule Protection` |
| 13 | `Enabled:Revoked Expired As Unsigned` |
| 16 | `Enabled:Audit Mode (Default)` |
| 17 | `Disabled:Flight Signing` |
| 18 | `Enabled:Inherit Default Policy` |
| 19 | `Enabled:Unsigned System Integrity Policy (Default)` |
| 20 | `Enabled:Dynamic Code Security` |
| 21 | `Required:EV Signers` |
| 22 | `Enabled:Boot Audit on Failure` |
| 23 | `Enabled:Advanced Boot Options Menu` |
| 24 | `Disabled:Script Enforcement` |
| 25 | `Required:Enforce Store Applications` |
| 27 | `Enabled:Managed Installer` |
| 28 | `Enabled:Update Policy No Reboot` |
## Appendix
A list of other relevant event IDs and their corresponding description.