From 78878545f4b505b1d2394abc4b6da18fd3404463 Mon Sep 17 00:00:00 2001
From: yogesh thangjam <53617154+TJ2215@users.noreply.github.com>
Date: Sun, 28 Feb 2021 04:06:53 -0600
Subject: [PATCH 1/9] Update
allow-com-object-registration-in-windows-defender-application-control-policy.md
---
...ows-defender-application-control-policy.md | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 1a451b7545..0719946e8e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -92,4 +92,55 @@ Example 3: Allows a specific COM object to register in PowerShell
```
+### How to configure the settings for the CLSIDs
+For example, you get an error in the Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script) like below:
+
+Log Name: Microsoft-Windows-AppLocker/MSI and Script
+Source: Microsoft-Windows-AppLocker
+Date: 11/11/2020 1:18:11 PM
+Event ID: 8036
+Task Category: None
+Level: Error
+Keywords:
+User: S-1-5-21-3340858017-3068726007-3466559902-3647
+Computer: contoso.com
+Description:
+{f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
+Event Xml:
+
+
+
+ 8036
+ 0
+ 2
+ 0
+ 0
+ 0x4000000000000000
+
+ 819347
+
+
+ Microsoft-Windows-AppLocker/MSI and Script
+ contoso.com
+
+
+
+ false
+ {f8d253d9-89a4-4daa-87b6-1168369f0b21}
+
+
+
+To add this CLSID to the existing policy, follow the steps below,
+1. Open the Powershell ISE with administrative priviledge.
+2. Now from the admin powershell ISE, type this command and run it. Considering the name of the policy is WDAC_policy.xml .
+PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \WDAC_policy.xml -Key 8856f961-340a-11d0-a96b-00c04fd705a2 -Provider WSH -Value True -ValueName EnterpriseDefinedClsId -ValueType Boolean
+
+Once the command is run, you will find that the following section is added to the policy xml.
+
+
+
+
+ true
+
+
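Review bot: The `-Key` passed to `Set-CIPolicySetting` (8856f961-340a-11d0-a96b-00c04fd705a2) is not the CLSID that the sample 8036 event reports as blocked ({f8d253d9-89a4-4daa-87b6-1168369f0b21}), so a reader who follows "To add this CLSID to the existing policy" as written allows a different COM object and the block stays in place. Use the CLSID from the event in the command, and say where `-Provider WSH` comes from, since nothing in the event shown names the provider. Separately, the `User:` line carries a full S-1-5-21 SID; if it was copied from a real machine, replace it with a placeholder. "priviledge" in step 1 should be "privilege".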
From 6efb94c299f26d716526abae992c4c98bbf20e3c Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 1 Mar 2021 11:58:03 -0800
Subject: [PATCH 2/9] Update
allow-com-object-registration-in-windows-defender-application-control-policy.md
---
...istration-in-windows-defender-application-control-policy.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 0719946e8e..0630c68598 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -10,11 +10,10 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
-author: jsuther1974
+author: dansimp
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 05/21/2019
ms.technology: mde
---
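Review bot: The `ms.date: 05/21/2019` line is deleted with nothing added in its place, and `author:` changes from jsuther1974 to dansimp; the subject line ("Update ...") explains neither. If the date is meant to be refreshed for this content change, add the new value rather than dropping the key; if dropping it is intentional, say so in the commit message.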
From 97af8184425bfd3ce484420d4b82bca4253277a8 Mon Sep 17 00:00:00 2001
From: yogesh thangjam <53617154+TJ2215@users.noreply.github.com>
Date: Mon, 1 Mar 2021 14:06:54 -0600
Subject: [PATCH 3/9] Update
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
...istration-in-windows-defender-application-control-policy.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 0630c68598..c9af678a85 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -136,10 +136,11 @@ PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \WDAC_
Once the command is run, you will find that the following section is added to the policy xml.
+```XML
true
-
+```
From 30e6f9a79c49053152e7c787fe9a046759583f50 Mon Sep 17 00:00:00 2001
From: yogesh thangjam <53617154+TJ2215@users.noreply.github.com>
Date: Mon, 1 Mar 2021 14:07:45 -0600
Subject: [PATCH 4/9] Update
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
...-windows-defender-application-control-policy.md | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index c9af678a85..81cde27871 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -129,12 +129,16 @@ Event Xml:
-To add this CLSID to the existing policy, follow the steps below,
-1. Open the Powershell ISE with administrative priviledge.
-2. Now from the admin powershell ISE, type this command and run it. Considering the name of the policy is WDAC_policy.xml .
-PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \WDAC_policy.xml -Key 8856f961-340a-11d0-a96b-00c04fd705a2 -Provider WSH -Value True -ValueName EnterpriseDefinedClsId -ValueType Boolean
+To add this CLSID to the existing policy, use the following steps:
-Once the command is run, you will find that the following section is added to the policy xml.
+1. Open PowerShell ISE with Administrative privileges.
+2. Copy and edit this command, then run it from the admin PowerShell ISE. Consider the policy name to be `WDAC_policy.xml`.
+
+```PowerShell
+PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \WDAC_policy.xml -Key 8856f961-340a-11d0-a96b-00c04fd705a2 -Provider WSH -Value True -ValueName EnterpriseDefinedClsId -ValueType Boolean
+```
+
+Once the command has been run, you will find that the following section is added to the policy XML.
```XML
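Review bot: Step 2 says "Copy and edit this command", but the fenced line still begins with the `PS C:\WINDOWS\system32>` prompt, so a straight paste does not run the cmdlet, and the step does not say which values to edit. Drop the prompt from the block and name the parts the reader must change (`-FilePath`, `-Key`, `-Provider`). Also, `-FilePath \WDAC_policy.xml` starts with a backslash, which PowerShell resolves against the root of the current drive rather than the current directory; show a full path or `.\WDAC_policy.xml` so the edit lands in the intended policy file.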
From ca5fbad68fc880ff636b9595ee89e4d4e33fae32 Mon Sep 17 00:00:00 2001
From: yogesh thangjam <53617154+TJ2215@users.noreply.github.com>
Date: Mon, 1 Mar 2021 14:08:31 -0600
Subject: [PATCH 5/9] Update
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
...istration-in-windows-defender-application-control-policy.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 81cde27871..4a3a78f5df 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -106,6 +106,7 @@ Computer: contoso.com
Description:
{f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
Event Xml:
+```XML
@@ -128,6 +129,8 @@ Event Xml:
{f8d253d9-89a4-4daa-87b6-1168369f0b21}
+```
+
To add this CLSID to the existing policy, use the following steps:
From 181c080c176fae74125dfc8fc0014354dd939d42 Mon Sep 17 00:00:00 2001
From: yogesh thangjam <53617154+TJ2215@users.noreply.github.com>
Date: Mon, 1 Mar 2021 14:08:49 -0600
Subject: [PATCH 6/9] Update
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
...tion-in-windows-defender-application-control-policy.md | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 4a3a78f5df..2353588ab0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -100,12 +100,14 @@ Date: 11/11/2020 1:18:11 PM
Event ID: 8036
Task Category: None
Level: Error
-Keywords:
+Keywords:
User: S-1-5-21-3340858017-3068726007-3466559902-3647
-Computer: contoso.com
+Computer: contoso.com
Description:
{f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
-Event Xml:
+
+Event XML:
+
```XML
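Review bot: The `Keywords:` and `Computer: contoso.com` lines are removed and re-added with the same visible text, so the only change there is whitespace. If the intent is trailing spaces to force line breaks in the rendered event header, that is easy to lose in a later edit; putting the header block (`Event ID:` through `Description:`) in a plain fenced block keeps the layout without depending on invisible characters.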
From 334f10e5902c8a38ed9ed6369e0c01a7000d057d Mon Sep 17 00:00:00 2001
From: yogesh thangjam <53617154+TJ2215@users.noreply.github.com>
Date: Mon, 1 Mar 2021 16:40:44 -0600
Subject: [PATCH 7/9] Update
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
...tration-in-windows-defender-application-control-policy.md | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 2353588ab0..77be4c9cfa 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -91,8 +91,9 @@ Example 3: Allows a specific COM object to register in PowerShell
```
-### How to configure the settings for the CLSIDs
-For example, you get an error in the Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script) like below:
+### How to configure settings for the CLSIDs
+
+Given the following example of an error in the Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script):
Log Name: Microsoft-Windows-AppLocker/MSI and Script
Source: Microsoft-Windows-AppLocker
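Review bot: The new intro line "Given the following example of an error in the Event Viewer (...):" is a dependent clause with no main clause, so the section never tells the reader what to do with the event. Finish the sentence, for example by saying that the event identifies the blocked CLSID that the steps further down add to the policy.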
From a14099a5ca12a13caea6207f8452ecd14c299b7d Mon Sep 17 00:00:00 2001
From: yogesh thangjam <53617154+TJ2215@users.noreply.github.com>
Date: Tue, 2 Mar 2021 18:40:11 -0600
Subject: [PATCH 8/9] Update
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
...gistration-in-windows-defender-application-control-policy.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 77be4c9cfa..5bda9a2469 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -93,7 +93,7 @@ Example 3: Allows a specific COM object to register in PowerShell
```
### How to configure settings for the CLSIDs
-Given the following example of an error in the Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script):
+Given the following example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**):
Log Name: Microsoft-Windows-AppLocker/MSI and Script
Source: Microsoft-Windows-AppLocker
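Review bot: The path segments are now bold UI labels, so they need to match Event Viewer exactly: the node is named "Applications and Services Logs", not "Application and Service Logs". Correct the first bold segment so readers can find the log.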
From b0b159c1ee71ee95483be99e4af54e1c8cf332ee Mon Sep 17 00:00:00 2001
From: yogesh thangjam <53617154+TJ2215@users.noreply.github.com>
Date: Tue, 2 Mar 2021 18:40:41 -0600
Subject: [PATCH 9/9] Update
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
...egistration-in-windows-defender-application-control-policy.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 5bda9a2469..e14bb95c30 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -134,7 +134,6 @@ Event XML:
```
-
To add this CLSID to the existing policy, use the following steps:
1. Open PowerShell ISE with Administrative privileges.