From a2650dd3b896d5660b81d05760dee7df7b0c6550 Mon Sep 17 00:00:00 2001
From: Thomas Raya
Date: Fri, 11 Nov 2022 12:02:52 -0800
Subject: [PATCH 1/7] remolve smb docset
docset and redirects have been moved to the officedocs-pr repo
---
 smb/docfx.json | 63 ----------------------------
 smb/includes/smb-content-updates.md | 11 -----
 2 files changed, 74 deletions(-)
 delete mode 100644 smb/docfx.json
 delete mode 100644 smb/includes/smb-content-updates.md
diff --git a/smb/docfx.json b/smb/docfx.json
deleted file mode 100644
index 15de5f0bb4..0000000000
--- a/smb/docfx.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "smb/**",
- "**/includes/**"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "smb/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/windows/smb/breadcrumb/toc.json",
- "uhfHeaderId": "MSDocsHeader-M365-IT",
- "feedback_system": "None",
- "hideEdit": true,
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "TechNet.smb",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "Kellylorenebaker",
- "jborsecnik",
- "tiburd",
- "AngelaMotherofDragons",
- "dstrome",
- "v-dihans",
- "garycentric"
- ],
- "titleSuffix": "Windows for Small to Midsize Business"
- },
- "fileMetadata": {},
- "template": [],
- "dest": "smb",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/smb/includes/smb-content-updates.md b/smb/includes/smb-content-updates.md
deleted file mode 100644
index 4414b9e00b..0000000000
--- a/smb/includes/smb-content-updates.md
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-
-
-## Week of July 18, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 7/22/2022 | Deploy and manage a full cloud IT solution for your business | removed |
-| 7/22/2022 | Windows 10/11 for small to midsize businesses | removed |
From 1330bf6eb9a353916a240327e607c485da8b7137 Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Fri, 11 Nov 2022 13:26:24 -0800
Subject: [PATCH 2/7] Update configure-wdac-managed-installer.md
---
 .../configure-wdac-managed-installer.md | 81 +++++++++++--------
 1 file changed, 46 insertions(+), 35 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index 9eb2d45bf5..c18d896678 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -11,10 +11,10 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 08/14/2020
+ms.date: 11/11/2022
 ms.technology: itpro-security
 ---
 
@@ -29,21 +29,25 @@ ms.technology: itpro-security >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). -## Using fsutil to query SmartLocker EA +## Enabling managed installer and Intelligent Security Graph (ISG) logging events -Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph (ISG) enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the Extended Attributes (EAs) on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events. +Refer to [Understanding Application Control Events](event-id-explanations.md#diagnostic-events-for-intelligent-security-graph-isg-and-managed-installer-mi) for information on enabling optional managed installer diagnostic events. + +## Using fsutil to query extended attributes for Managed Installer (MI) + +Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) enabled can use fsutil.exe to determine whether a file was created by a managed installer process. This verification is done by querying the Extended Attributes (EAs) on a file using fsutil.exe and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. Then, you can use the data from the first row of output to identify if the file was created by a managed installer. 
For example, let's look at the fsutil.exe output for a file called application.exe: **Example:** ```powershell -fsutil file queryEA C:\Users\Temp\Downloads\application.exe +fsutil.exe file queryEA C:\Users\Temp\Downloads\application.exe Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe: Ea Buffer Offset: 410 Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM Ea Value Length: 7e -0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................ +0000: 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................ 0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. * 0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\...... 0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:. 
@@ -53,40 +57,47 @@ Ea Value Length: 7e 0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e ``` -## Enabling managed installer logging events +From the output shown above, find the first row of data labeled "0000:", which is then followed by 16 two-character sets. Every four sets form a group known as a ULONG. The two-character set at the front of the first ULONG will always be "01" as shown here: -Refer to [Understanding Application Control Events](event-id-explanations.md#diagnostic-events-for-intelligent-security-graph-isg-and-managed-installer-mi) for information on enabling optional managed installer diagnostic events. +0000: **`01` 00 00 00** 00 00 00 00 00 00 00 00 01 00 00 00 -## Deploying the Managed Installer rule collection +If there is "00" in the fifth position of the output (the start of the second ULONG), that indicates the EA is related to managed installer: -Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. +0000: 01 00 00 00 **`00` 00 00 00** 00 00 00 00 01 00 00 00 -1. Use the following command to deploy the policy. +Finally, the two-character set in the ninth position of the output (the start of the third ULONG) indicates whether the file was created by a process running as managed installer. A value of "00" means the file was directly written by a managed installer process and will run if your WDAC policy trusts managed installers. + +0000: 01 00 00 00 00 00 00 00 **`00` 00 00 00** 01 00 00 00 + +If instead the starting value for the third ULONG is "02", then that indicates a "child of child". "Child of child" is set on any files created by something that was installed by a managed installer. But, the file was created **after** the managed installer completed its work. 
So this file **wouldn't** be allowed to run unless there's some other rule in your policy to allow it. + +In rarer cases, you may see other values in this position, but that will also run if your policy trusts managed installer. + +## Using fsutil to query extended attributes for Intelligent Security Graph (ISG) + +When an installer runs that has good reputation according to the ISG, the files that the installer writes to disk will inherit the reputation from the installer. These files with ISG inherited trust will also have the KERNEL.SMARTLOCKER.ORIGINCLAIM EA set as described above for managed installers. You can identify that the EA was created by the ISG by looking for the value "01" in the fifth position of the output (the start of the second ULONG) from fsutil: + +0000: 01 00 00 00 **`01` 00 00 00** 00 00 00 00 01 00 00 00 + +## More troubleshooting steps for Managed Installer and ISG + +Both managed installer and the ISG depend on AppLocker to provide some functionality. Use the following steps to confirm that AppLocker is configured and running correctly. + +1. Check that AppLocker services are running. From an elevated PowerShell window, run the following and confirm the STATE shows as RUNNING for both appidsvc and AppLockerFltr: + + ```powershell + sc.exe query appidsvc + sc.exe query AppLockerFltr + ``` + + If not, run *appidtel start* from the elevated PowerShell window and check again. + +2. For managed installer, check for AppCache.dat and other *.AppLocker files created under %windir%\System32\AppLocker. There should minimally be a ".AppLocker" file created for each of EXE, DLL, and MANAGEDINSTALLER rule collections. If you don't see these files created, proceed to the next step to confirm the AppLocker policy has been correctly applied. + +3. For managed installer troubleshooting, check that the AppLocker effective policy is correct. 
From an elevated PowerShell window: ```powershell - $policyFile= - @" - Raw_AppLocker_Policy_XML - "@ - Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue + Get-AppLockerPolicy -Effective -XML > $env:USERPROFILE\Desktop\AppLocker.xml ``` -2. Verify Deployment of the ruleset was successful - - ```powershell - Get-AppLockerPolicy -Local - - Version RuleCollections RuleCollectionTypes - ------- --------------- ------------------- - 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} - ``` - - Verify the output shows the ManagedInstaller rule set. - -3. Get the policy XML (optional) using PowerShell: - - ```powershell - Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue - ``` - - This command will show the raw XML to verify the individual rules that were set. + Then open the XML file created and confirm it contains the rules you expect. In particular, the policy should include at least one rule for each of the EXE, DLL, and MANAGEDINSTALLER RuleCollections. The RuleCollections can either be set to AuditOnly or Enabled. Additionally, the EXE and DLL RuleCollections must include the RuleCollectionExtensions configuration as shown in [Automatically allow apps deployed by a managed installer with Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#create-and-deploy-an-applocker-policy-that-defines-your-managed-installer-rules-and-enables-services-enforcement-for-executables-and-dlls). From e0bac91608bb84eba233e354cbe43c1ea411bed6 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 11 Nov 2022 14:18:19 -0800 Subject: [PATCH 3/7] Moved location of citool doc to operations guide --- .../{ => operations}/citool-commands.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/security/threat-protection/windows-defender-application-control/{ => operations}/citool-commands.md (100%) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-control/citool-commands.md
rename to windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
From f00bb5a1cc38ed156b73583c10d46f5c297cac09 Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Fri, 11 Nov 2022 14:20:48 -0800
Subject: [PATCH 4/7] Update TOC.yml
---
 .../windows-defender-application-control/TOC.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index 2c063bad24..637286af55 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -88,7 +88,7 @@
 - name: Enforce WDAC policies
 href: enforce-windows-defender-application-control-policies.md
 - name: Managing WDAC Policies with CI Tool
- href: citool-commands.md
+ href: operations/citool-commands.md
 - name: Use code signing to simplify application control for classic Windows applications
 href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
 items:
From 9ed0e2259228a4c7132b3a5e225d1e08ee60900b Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Fri, 11 Nov 2022 14:26:21 -0800
Subject: [PATCH 5/7] Update .openpublishing.redirection.json
---
 .openpublishing.redirection.json | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index c1588e64bc..cae74d63a4 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -420,6 +420,11 @@
 "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-application-control/citool-commands.md",
+ "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands",
+ "redirect_document_id": false
+ },
 {
 "source_path": "devices/hololens/hololens-whats-new.md",
 "redirect_url": "/hololens/hololens-release-notes",
From 5edc3d800e9840d6104da5715ddb971a4a7b4645 Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Fri, 11 Nov 2022 14:28:21 -0800
Subject: [PATCH 6/7] Update TOC.yml
---
 .../windows-defender-application-control/TOC.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index 637286af55..71ed7b8d83 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -87,8 +87,6 @@
 href: merge-windows-defender-application-control-policies.md
 - name: Enforce WDAC policies
 href: enforce-windows-defender-application-control-policies.md
- - name: Managing WDAC Policies with CI Tool
- href: operations/citool-commands.md
 - name: Use code signing to simplify application control for classic Windows applications
 href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
 items:
@@ -117,6 +115,8 @@
 href: operations/known-issues.md
 - name: Managed installer and ISG technical reference and troubleshooting guide
 href: configure-wdac-managed-installer.md
+ - name: Managing WDAC Policies with CI Tool
+ href: operations/citool-commands.md
 - name: WDAC AppId Tagging guide
 href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
 items:
From 8543f8478bb7ff0bad758a0280be20dc175207d3 Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Fri, 11 Nov 2022 14:54:44 -0800
Subject: [PATCH 7/7] Update configure-wdac-managed-installer.md
---
 .../configure-wdac-managed-installer.md | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index c18d896678..c24b6295c9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -87,8 +87,24 @@ Both managed installer and the ISG depend on AppLocker to provide some functiona
 
 ```powershell
 sc.exe query appidsvc
+ SERVICE_NAME: appidsvc
+ TYPE : 30 WIN32
+ STATE : 4 RUNNING
+ (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
+ WIN32_EXIT_CODE : 0 (0x0)
+ SERVICE_EXIT_CODE : 0 (0x0)
+ CHECKPOINT : 0x0
+ WAIT_HINT : 0x0
 sc.exe query AppLockerFltr
- ```
+ SERVICE_NAME: applockerfltr
+ TYPE : 1 KERNEL_DRIVER
+ STATE : 4 RUNNING
+ (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
+ WIN32_EXIT_CODE : 0 (0x0)
+ SERVICE_EXIT_CODE : 0 (0x0)
+ CHECKPOINT : 0x0
+ WAIT_HINT : 0x0
+ ```
 
 If not, run *appidtel start* from the elevated PowerShell window and check again.