From f15dc57cec8e7faf3b315edd31f31cbd39f81ec6 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 9 Aug 2021 11:56:00 -0600 Subject: [PATCH 1/2] Raise acro score sync PR: https://github.com/MicrosoftDocs/windows-docs-pr/pull/5480 --- .../event-id-explanations.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index ff7f78475a..185e7af3d1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -91,26 +91,26 @@ The WDAC policy rule-option values can be derived from the "Options" field in th | Bit Address | Policy Rule Option | |-------|------| -| 2 | Enabled:UMCI | -| 3 | Enabled:Boot Menu Protection | -| 4 | Enabled:Intelligent Security Graph Authorization | -| 5 | Enabled:Invalidate EAs on Reboot | -| 7 | Required:WHQL | -| 10 | Enabled:Allow Supplemental Policies | -| 11 | Disabled:Runtime FilePath Rule Protection | -| 13 | Enabled:Revoked Expired As Unsigned | -| 16 | Enabled:Audit Mode (Default) | -| 17 | Disabled:Flight Signing | -| 18 | Enabled:Inherit Default Policy | -| 19 | Enabled:Unsigned System Integrity Policy (Default) | -| 20 | Enabled:Dynamic Code Security | -| 21 | Required:EV Signers | -| 22 | Enabled:Boot Audit on Failure | -| 23 | Enabled:Advanced Boot Options Menu | -| 24 | Disabled:Script Enforcement | -| 25 | Required:Enforce Store Applications | -| 27 | Enabled:Managed Installer | -| 28 | Enabled:Update Policy No Reboot | +| 2 | `Enabled:UMCI` | +| 3 | `Enabled:Boot Menu Protection` | +| 4 | `Enabled:Intelligent Security Graph Authorization` | +| 5 | `Enabled:Invalidate EAs on Reboot` | +| 7 | `Required:WHQL` | +| 10 | `Enabled:Allow Supplemental Policies` | +| 11 | `Disabled:Runtime FilePath Rule Protection` | +| 13 | `Enabled:Revoked Expired As Unsigned` | +| 16 | `Enabled:Audit Mode (Default)` | +| 17 | `Disabled:Flight Signing` | +| 18 | `Enabled:Inherit Default Policy` | +| 19 | `Enabled:Unsigned System Integrity Policy (Default)` | +| 20 | `Enabled:Dynamic Code Security` | +| 21 | `Required:EV Signers` | +| 22 | `Enabled:Boot Audit on Failure` | +| 23 | `Enabled:Advanced Boot Options Menu` | +| 24 | `Disabled:Script Enforcement` | +| 25 | `Required:Enforce Store Applications` | +| 27 | `Enabled:Managed Installer` | +| 28 | `Enabled:Update Policy No Reboot` | ## Appendix A list of other relevant event IDs and their corresponding description. From b299fca18a551f536ccb9cbddf7a655ea4decfe6 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 9 Aug 2021 11:57:38 -0600 Subject: [PATCH 2/2] Fix Warning Sync PR https://github.com/MicrosoftDocs/windows-docs-pr/pull/5480 --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 185e7af3d1..d9a41c8eff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -87,7 +87,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ``` ## System Integrity Policy Options -The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options). +The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options). | Bit Address | Policy Rule Option | |-------|------|