mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
Merge branch 'master' into apps-in-windows-10-update
This commit is contained in:
Heidi Lohr
commit
20219b531a
@ -1,6 +1,46 @@
|
|||||||
{
|
{
|
||||||
"redirections": [
|
"redirections": [
|
||||||
{
|
{
|
||||||
|
"source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
|
||||||
|
"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
|
||||||
|
"redirect_document_id": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source_path": "windows/security/threat-protection/device-guard/deploy-windows-defender-application-control.md",
|
||||||
|
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide",
|
||||||
|
"redirect_document_id": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source_path": "windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md",
|
||||||
|
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control",
|
||||||
|
"redirect_document_id": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source_path": "windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md",
|
||||||
|
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create",
|
||||||
|
"redirect_document_id": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source_path": "windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md",
|
||||||
|
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy",
|
||||||
|
"redirect_document_id": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source_path": "windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md",
|
||||||
|
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control",
|
||||||
|
"redirect_document_id": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source_path": "windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md",
|
||||||
|
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer",
|
||||||
|
"redirect_document_id": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source_path": "windows/security/threat-protection/device-guard/device-guard-deployment-enable-virtualization-based-security.md",
|
||||||
|
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/enable-virtualization-based-security",
|
||||||
|
"redirect_document_id": true
|
||||||
|
},
|
||||||
|
{
|
||||||
"source_path": "windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md",
|
"source_path": "windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md",
|
||||||
"redirect_url": "/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings",
|
"redirect_url": "/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings",
|
||||||
"redirect_document_id": true
|
"redirect_document_id": true
|
||||||
@ -1967,12 +2007,12 @@
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
"source_path": "windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
|
"source_path": "windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
|
||||||
"redirect_url": "/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard",
|
"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
|
||||||
"redirect_document_id": true
|
"redirect_document_id": true
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"source_path": "windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control.md",
|
"source_path": "windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control.md",
|
||||||
"redirect_url": "/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control",
|
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy",
|
||||||
"redirect_document_id": true
|
"redirect_document_id": true
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -4647,7 +4687,7 @@
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
"source_path": "windows/device-security/device-guard/deploy-code-integrity-policies-steps.md",
|
"source_path": "windows/device-security/device-guard/deploy-code-integrity-policies-steps.md",
|
||||||
"redirect_url": "/windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control",
|
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy",
|
||||||
"redirect_document_id": true
|
"redirect_document_id": true
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -10997,7 +11037,7 @@
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
"source_path": "windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md",
|
"source_path": "windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md",
|
||||||
"redirect_url": "/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard",
|
"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
|
||||||
"redirect_document_id": true
|
"redirect_document_id": true
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|||||||
@ -24,7 +24,7 @@ To let people in your organization sign in to Surface Hub with their phones and
|
|||||||
|
|
||||||
- Make sure you have at minimum an Office 365 E3 subscription.
|
- Make sure you have at minimum an Office 365 E3 subscription.
|
||||||
|
|
||||||
- [Configure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication). Make sure **Notification through mobile app** is selected.
|
- [Configure Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings). Make sure **Notification through mobile app** is selected.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -150,7 +150,7 @@ A provisioning package is a method for applying settings to Windows 10 without n
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
If the PC is past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings > Update & security > Recovery > Reset this PC**.
|
If you go past the region selection screen, select **Ctrl + Shift + F3** which will prompt the "System Preparation Tool." Select **Okay** in the tool to return to the region selection screen. If this doesn't work, reset the PC by going to **Settings > Update & Security > Recovery > Reset this PC.**
|
||||||
|
|
||||||
2. Insert the USB drive into **Device B**. Windows will recognize the drive and automatically install the provisioning package.
|
2. Insert the USB drive into **Device B**. Windows will recognize the drive and automatically install the provisioning package.
|
||||||
3. When prompted, remove the USB drive. You can then use the USB drive to start provisioning another student PC.
|
3. When prompted, remove the USB drive. You can then use the USB drive to start provisioning another student PC.
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
# [Deploy and update Windows 10](https://docs.microsoft.com/en-us/windows/deployment)
|
# [Deploy and update Windows 10](https://docs.microsoft.com/en-us/windows/deployment)
|
||||||
|
## [Deploy Windows 10 with Microsoft 365](deploy-m365.md)
|
||||||
## [What's new in Windows 10 deployment](deploy-whats-new.md)
|
## [What's new in Windows 10 deployment](deploy-whats-new.md)
|
||||||
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
|
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
|
||||||
|
|
||||||
|
|||||||
66
windows/deployment/deploy-m365.md
Normal file
66
windows/deployment/deploy-m365.md
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
---
|
||||||
|
title: Deploy Windows 10 with Microsoft 365
|
||||||
|
description: Concepts about deploying Windows 10 for M365
|
||||||
|
ms.prod: w10
|
||||||
|
ms.mktglfcycl: deploy
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.pagetype: deploy
|
||||||
|
keywords: deployment, automate, tools, configure, mdt, sccm, M365
|
||||||
|
ms.localizationpriority: high
|
||||||
|
ms.date: 04/23/2018
|
||||||
|
author: greg-lindsay
|
||||||
|
---
|
||||||
|
|
||||||
|
# Deploy Windows 10 with Microsoft 365
|
||||||
|
|
||||||
|
**Applies to**
|
||||||
|
|
||||||
|
- Windows 10
|
||||||
|
|
||||||
|
This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
|
||||||
|
|
||||||
|
[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS).
|
||||||
|
|
||||||
|
For Windows 10 deployment, Microsoft 365 includes a fantasic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including:
|
||||||
|
|
||||||
|
- Windows AutoPilot
|
||||||
|
- In-place upgrade
|
||||||
|
- Deploying Windows 10 upgrade with Intune
|
||||||
|
- Deploying Windows 10 upgrade with System Center Configuration Manager
|
||||||
|
- Deploying a computer refresh with System Center Configuration Manager
|
||||||
|
|
||||||
|
## Free trial account
|
||||||
|
|
||||||
|
You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
|
||||||
|
|
||||||
|
1. Obtain a free EMS 90-day trial by visiting the following link. Provide your email address and answer a few simple questions.
|
||||||
|
|
||||||
|
[Free Trial - Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-trial)
|
||||||
|
|
||||||
|
2. Check out the [Microsoft 365 deployment advisor](https://portal.office.com/onboarding/Microsoft365DeploymentAdvisor#/).
|
||||||
|
3. Also check out the [Windows Analytics deployment advisor](https://portal.office.com/onboarding/WindowsAnalyticsDeploymentAdvisor#/). This advisor will walk you through deploying [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), and [Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
|
||||||
|
|
||||||
|
That's all there is to it!
|
||||||
|
|
||||||
|
Examples of these two deployment advisors are shown below.
|
||||||
|
|
||||||
|
- [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example)
|
||||||
|
- [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
|
||||||
|
|
||||||
|
## Microsoft 365 deployment advisor example
|
||||||
|
|
||||||
|
|
||||||
|
## Windows Analytics deployment advisor example
|
||||||
|
|
||||||
|
|
||||||
|
## Related Topics
|
||||||
|
|
||||||
|
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
BIN
windows/deployment/images/m365da.PNG
Normal file
BIN
windows/deployment/images/m365da.PNG
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 242 KiB |
BIN
windows/deployment/images/wada.PNG
Normal file
BIN
windows/deployment/images/wada.PNG
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 223 KiB |
File diff suppressed because it is too large
Load Diff
@ -22,12 +22,12 @@ New or changed topic | Description
|
|||||||
## January 2018
|
## January 2018
|
||||||
|New or changed topic |Description |
|
|New or changed topic |Description |
|
||||||
|---------------------|------------|
|
|---------------------|------------|
|
||||||
|[Windows Defender Application Control](windows-defender-application-control.md)|New topic. WDAC replaces cofigurable code integrity policies. |
|
|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|New topic. WDAC replaces cofigurable code integrity policies. |
|
||||||
|
|
||||||
## November 2017
|
## November 2017
|
||||||
|New or changed topic |Description |
|
|New or changed topic |Description |
|
||||||
|---------------------|------------|
|
|---------------------|------------|
|
||||||
| [How to enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)| New. Explains how to enable HVCI. |
|
| [How to enable virtualization-based protection of code integrity](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)| New. Explains how to enable HVCI. |
|
||||||
|
|
||||||
|
|
||||||
## October 2017
|
## October 2017
|
||||||
|
|||||||
@ -1,33 +0,0 @@
|
|||||||
---
|
|
||||||
title: Deploy Windows Defender Device Guard - deploy code integrity policies (Windows 10)
|
|
||||||
description: This article, and the articles it links to, describe how to create code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10.
|
|
||||||
keywords: virtualization, security, malware
|
|
||||||
ms.prod: w10
|
|
||||||
ms.mktglfcycl: deploy
|
|
||||||
ms.localizationpriority: high
|
|
||||||
author: brianlic-msft
|
|
||||||
ms.date: 10/20/2017
|
|
||||||
---
|
|
||||||
|
|
||||||
# Deploy Windows Defender Application Control
|
|
||||||
|
|
||||||
**Applies to**
|
|
||||||
- Windows 10
|
|
||||||
- Windows Server 2016
|
|
||||||
|
|
||||||
This section includes the following topics:
|
|
||||||
|
|
||||||
- [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md)
|
|
||||||
- [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
|
|
||||||
- [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
|
|
||||||
- [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md)
|
|
||||||
- [Deploy Managed Installer for Windows Defender Application Control](deploy-managed-installer-for-device-guard.md)
|
|
||||||
|
|
||||||
To increase the protection for devices that meet certain hardware requirements, you can use virtualization-based protection of code integrity with your Windows Defender Application Control (WDAC) policies.
|
|
||||||
- For requirements, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard) in "Requirements and deployment planning guidelines for Windows Defender Device Guard."
|
|
||||||
- For steps, see [Enable virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md).
|
|
||||||
|
|
||||||
## Related topics
|
|
||||||
|
|
||||||
[Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
|
|
||||||
|
|
||||||
@ -1,38 +0,0 @@
|
|||||||
---
|
|
||||||
title: Windows Defender Device Guard deployment guide (Windows 10)
|
|
||||||
description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security.
|
|
||||||
ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486
|
|
||||||
keywords: virtualization, security, malware
|
|
||||||
ms.prod: w10
|
|
||||||
ms.mktglfcycl: deploy
|
|
||||||
ms.localizationpriority: high
|
|
||||||
author: brianlic-msft
|
|
||||||
ms.date: 10/20/2017
|
|
||||||
---
|
|
||||||
|
|
||||||
# Windows Defender Device Guard deployment guide
|
|
||||||
|
|
||||||
**Applies to**
|
|
||||||
- Windows 10
|
|
||||||
- Windows Server 2016
|
|
||||||
|
|
||||||
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard describes a locked-down device configuration state that uses multiple enterprise-related hardware and software security features that run on Windows 10 Enterprise edition and Windows Server. When these features are configured together, Windows Defender Device Guard changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. If the app isn’t trusted, it can’t run, period.
|
|
||||||
|
|
||||||
Windows Defender Device Guard also uses virtualization-based security to isolate the Code Integrity service and run it alongside the Windows kernel in a hypervisor-protected container. Even if an attacker manages to get control of the Windows kernel itself, the ability to run malicious executable code is much less likely.
|
|
||||||
|
|
||||||
|
|
||||||
## Related topics
|
|
||||||
|
|
||||||
[AppLocker overview](/windows/device-security/applocker/applocker-overview)
|
|
||||||
|
|
||||||
<!-- The following topic is EIGHT YEARS OLD, but I don't really see anything better out there on Code Integrity that existed before Windows 10. -->
|
|
||||||
|
|
||||||
[Code integrity](https://technet.microsoft.com/library/dd348642.aspx)
|
|
||||||
|
|
||||||
[Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard)
|
|
||||||
|
|
||||||
[Driver compatibility with Windows Defender Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
|
|
||||||
|
|
||||||
[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
|
|
||||||
|
|
||||||
|
|
||||||
@ -5,8 +5,8 @@ keywords: virtualization, security, malware
|
|||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
ms.mktglfcycl: deploy
|
ms.mktglfcycl: deploy
|
||||||
ms.localizationpriority: high
|
ms.localizationpriority: high
|
||||||
author: brianlic-msft
|
author: mdsakibMSFT
|
||||||
ms.date: 10/20/2017
|
ms.date: 04/19/2018
|
||||||
---
|
---
|
||||||
|
|
||||||
# Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control
|
# Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control
|
||||||
@ -15,73 +15,41 @@ ms.date: 10/20/2017
|
|||||||
- Windows 10
|
- Windows 10
|
||||||
- Windows Server 2016
|
- Windows Server 2016
|
||||||
|
|
||||||
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *Windows Defender Application Control (WDAC) policies*.
|
With Windows 10, we introduced Windows Defender Device Guard, a set of hardware and OS technologies that, when configured together, allow enterprises to lock down Windows systems so they operate with many of the properties of mobile devices.
|
||||||
|
In this configuration, Device Guard restricts devices to only run authorized apps by using a feature called configurable code integrity (CI), while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
|
||||||
|
|
||||||
> [!NOTE]
|
Configurable CI has these advantages over other solutions:
|
||||||
> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies.
|
|
||||||
|
|
||||||
On hardware that includes CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT), Windows Defender Device Guard can also use Virtualization Based Security (VBS) to run the Code Integrity service alongside the kernel in a Windows hypervisor-protected container, which increases the security of code integrity policies. On hardware that includes input/output memory management units (IOMMUs), Windows Defender Device Guard can also help protect against DMA attacks. The following table provides more information about how Windows Defender Device Guard and these hardware features can help protect against various threats.
|
1. Configurable CI policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
|
||||||
|
2. Configurable CI allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
|
||||||
|
3. Customers can protect the configurable CI policy even from local administrator tampering by digitally signing the policy. Then changing the policy requires administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker or malware that managed to gain administrative privilege to alter the application control policy.
|
||||||
|
4. The entire configurable CI enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable CI or any other application control solution.
|
||||||
|
|
||||||
When Windows Defender Application Control and hardware-based security features are combined, Windows Defender Device Guard provides a locked-down configuration for computers.
|
## (Re-)Introducing Windows Defender Application Control
|
||||||
|
|
||||||
## How Windows Defender Device Guard features help protect against threats
|
When we originally designed Device Guard it was built with a specific security promise in mind. Although there were no direct dependencies between its two main OS features, configurable CI and HVCI, we intentionally focused our marketing story around the Device Guard lockdown state you achieve when deploying them together.
|
||||||
|
|
||||||
The following table lists security threats and describes the corresponding Windows Defender Device Guard features:
|
However, this unintentionally left an impression for many customers that the two features were inexorably linked and could not be deployed separately.
|
||||||
|
And given that HVCI relies on the Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet.
|
||||||
|
|
||||||
| Security threat in the enterprise | How a Windows Defender Device Guard feature helps protect against the threat |
|
As a result, many customers assumed that they couldn’t use configurable CI either.
|
||||||
| --------------------------------- | ----------------------------------------------------------- |
|
But configurable CI carries no specific hardware or software requirements other than running Windows 10, which means many customers were wrongly denied the benefits of this powerful application control capability.
|
||||||
| **Exposure to new malware**, for which the "signature" is not yet known | **Windows Defender Application Control (WDAC)**: You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than constantly update a list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.<br>Only code that is verified by WDAC, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.<br><br>**Specialized hardware required?** No security-related hardware features are required, but WDAC is strengthened by such features, as described in the next rows.<br><br> [!NOTE] Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies. |
|
|
||||||
| **Exposure to unsigned code** (most malware is unsigned) | **WDAC plus catalog files as needed**: Because most malware is unsigned, WDAC can immediately help protect against a large number of threats. For organizations that use unsigned line-of-business (LOB) applications, you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.<br><br>**Specialized hardware required?** No, but WDAC and catalogs are strengthened by the hardware features, as described in the next rows. |
|
|
||||||
| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based protection of code integrity**: This is protection that uses Windows 10’s new virtualization-based security (VBS) feature to help protect the kernel and other parts of the operating system. When virtualization-based protection of code integrity (also known as hypervisor-protected code integrity, or HVCI) is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.<br>With HVCI, even if malware gains access to the kernel, the effects can be severely limited because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.<br><br>**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). |
|
|
||||||
| **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**: With this type of VBS protection, when the DMA-based attack makes a memory request, IOMMUs will evaluate the request and deny access.<br><br>**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. |
|
|
||||||
| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**: Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in the kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Windows Defender Device Guard security.<br><br>**Specialized hardware required?** UEFI Secure Boot has firmware requirements. For more information, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). |
|
|
||||||
|
|
||||||
In this guide, you learn about the individual features found within Windows Defender Device Guard as well as how to plan for, configure, and deploy them. Windows Defender Device Guard with WDAC is intended for deployment alongside additional threat-mitigating Windows features such as [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview).
|
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. So we are promoting configurable CI within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
|
||||||
|
We hope this branding change will help us better communicate options for adopting application control within an organization.
|
||||||
|
|
||||||
## New and changed functionality
|
Does this mean Windows Defender Device Guard is going away? Not at all. Device Guard will continue to exist as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), [HVCI](https://docs.microsoft.com/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity), and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original Device Guard scenario.
|
||||||
|
|
||||||
Prior to Windows 10, version 1709, Windows Defender Application Control (WDAC) was known as configurable code integrity policies.
|
## Related topics
|
||||||
|
|
||||||
Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](steps-to-deploy-windows-defender-application-control.md#use-a-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules).
|
- [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control)
|
||||||
|
|
||||||
## Tools for managing Windows Defender Device Guard features
|
- [HVCI](https://docs.microsoft.com/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity)
|
||||||
|
|
||||||
You can easily manage Windows Defender Device Guard features by using familiar enterprise and client-management tools that IT pros use every day:
|
[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
|
||||||
|
|
||||||
<!-- The item about "Intune" below could be updated at some point, when more information and a link are available. -->
|
[Driver compatibility with Windows Defender Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
|
||||||
|
|
||||||
- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable WDAC policies for your organization. Another template allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Windows Defender Device Guard features. In addition to these WDAC and hardware-based security features, you can use Group Policy to help you manage your catalog files.
|
|
||||||
|
|
||||||
- For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Windows Defender Device Guard features help protect against threats](#how-windows-defender-device-guard-features-help-protect-against-threats), earlier in this topic.
|
|
||||||
- For information about using Group Policy as a deployment tool, see:<br>[Deploy catalog files with Group Policy](deploy-catalog-files-to-support-windows-defender-application-control.md#deploy-catalog-files-with-group-policy)<br>[Deploy and manage WDAC with Group Policy](steps-to-deploy-windows-defender-application-control.md#deploy-and-manage-windows-defender-application-control-with-group-policy)
|
|
||||||
|
|
||||||
- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, WDAC policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-windows-defender-application-control.md#deploy-catalog-files-with-system-center-configuration-manager).
|
|
||||||
|
|
||||||
- **Microsoft Intune**. You can use Microsoft Intune to simplify deployment and management of WDAC policies, as well as provide version control. In a future release of Microsoft Intune, Microsoft is considering including features that will support the deployment and management of catalog files.
|
|
||||||
|
|
||||||
- **Windows PowerShell**. You can use Windows PowerShell to create and service WDAC policies. For more information, see [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md).
|
|
||||||
|
|
||||||
These options provide the same experience you're used to in order to manage your existing enterprise management solutions.
|
|
||||||
|
|
||||||
For more information about the deployment of Windows Defender Device Guard features, see:
|
|
||||||
- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
|
|
||||||
- [Deploy virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md)
|
|
||||||
|
|
||||||
## Other features that relate to Windows Defender Device Guard
|
|
||||||
|
|
||||||
### Windows Defender Device Guard with AppLocker
|
|
||||||
|
|
||||||
Although [AppLocker](/windows/device-security/applocker/applocker-overview) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when WDAC cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which WDAC would be used alongside AppLocker rules. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
|
|
||||||
|
|
||||||
> **Note** One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to apply different policies for different users on the same device. For example, you may allow your IT support personnel to run additional apps that you do not allow for your end-users. You can accomplish this user-specific enforcement by using an AppLocker rule.
|
|
||||||
|
|
||||||
AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
|
|
||||||
|
|
||||||
### Windows Defender Device Guard with Windows Defender Credential Guard
|
|
||||||
|
|
||||||
Another Windows 10 feature that employs VBS is [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). Windows Defender Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity when HVCI is enabled. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Windows Defender Credential Guard (which is not a feature within Windows Defender Device Guard), see [Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard).
|
|
||||||
|
|
||||||
Windows Defender Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Windows Defender Credential Guard, organizations can gain additional protection against such threats.
|
|
||||||
|
|
||||||
|
[Code integrity](https://technet.microsoft.com/library/dd348642.aspx)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -1,78 +0,0 @@
|
|||||||
---
|
|
||||||
title: Planning and getting started on the Windows Defender Device Guard deployment process (Windows 10)
|
|
||||||
description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies.
|
|
||||||
keywords: virtualization, security, malware
|
|
||||||
ms.prod: w10
|
|
||||||
ms.mktglfcycl: deploy
|
|
||||||
ms.localizationpriority: high
|
|
||||||
author: brianlic-msft
|
|
||||||
ms.date: 10/20/2017
|
|
||||||
---
|
|
||||||
|
|
||||||
# Planning and getting started on the Windows Defender Device Guard deployment process
|
|
||||||
|
|
||||||
**Applies to**
|
|
||||||
- Windows 10
|
|
||||||
- Windows Server 2016
|
|
||||||
|
|
||||||
This topic provides a roadmap for planning and getting started on the Windows Defender Device Guard deployment process, with links to topics that provide additional detail. Planning for Windows Defender Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you.
|
|
||||||
|
|
||||||
## Planning
|
|
||||||
|
|
||||||
1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard).
|
|
||||||
|
|
||||||
2. **Group devices by degree of control needed**. Group devices according to the table in [Windows Defender Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?<br>Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
|
|
||||||
|
|
||||||
3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one Windows Defender Application Control (WDAC) policy for them. More variety across departments might mean you need to create and manage more WDAC policies. The following questions can help you clarify how many WDAC policies to create:
|
|
||||||
- How standardized is the hardware?<br>This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
|
|
||||||
|
|
||||||
- What software does each department or role need? Should they be able to install and run other departments’ software?<br>If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
|
|
||||||
|
|
||||||
- Are there departments or roles where unique, restricted software is used?<br>If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy.
|
|
||||||
|
|
||||||
- Is there already a list of accepted applications?<br>A list of accepted applications can be used to help create a baseline WDAC policy.<br>As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
|
|
||||||
|
|
||||||
- As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
|
|
||||||
In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. You can also fine-tune your control by using Windows Defender Application Control in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#windows-defender-device-guard-with-applocker).
|
|
||||||
|
|
||||||
Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
|
|
||||||
|
|
||||||
For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your WDAC policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
|
|
||||||
|
|
||||||
Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md).
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through WDAC) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
|
|
||||||
|
|
||||||
## Getting started on the deployment process
|
|
||||||
|
|
||||||
1. **Optionally, create a signing certificate for Windows Defender Application Control**. As you deploy WDAC, you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
|
|
||||||
|
|
||||||
2. **Create WDAC policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly-distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing WDAC policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a WDAC policy, and decide how to manage that policy. You can merge WDAC policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. For more information, see:
|
|
||||||
- [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
|
|
||||||
- [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)<br>
|
|
||||||
|
|
||||||
3. **Audit the WDAC policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each WDAC policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. For more information, see [Audit Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#audit-windows-defender-application-control-policies).
|
|
||||||
|
|
||||||
4. **Create a “catalog file” for unsigned LOB applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. For more information, review step 4 **Identify LOB applications that are currently unsigned**, earlier in this list, and see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). In later steps, you can merge the catalog file's signature into your WDAC policy, so that applications in the catalog will be allowed by the policy.
|
|
||||||
|
|
||||||
6. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a WDAC policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge WDAC policies from other sources also, for flexibility in how you create your final WDAC policies. For more information, see:
|
|
||||||
- [Create a Windows Defender Application Control policy that captures audit information from the event log](steps-to-deploy-windows-defender-application-control.md#create-a-windows-defender-application-control-policy-that-captures-audit-information-from-the-event-log)
|
|
||||||
- [Merge Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#merge-windows-defender-application-control-policies)<br>
|
|
||||||
|
|
||||||
7. **Deploy WDAC policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking WDAC policies out of auditing mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and WDAC policies more broadly. For more information, see:
|
|
||||||
- [Enforce Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#enforce-windows-defender-application-control-policies)
|
|
||||||
- [Deploy and manage Windows Defender Application Control with Group Policy](steps-to-deploy-windows-defender-application-control.md#deploy-and-manage-windows-defender-application-control-with-group-policy)<br>
|
|
||||||
|
|
||||||
8. **Enable desired virtualization-based security (VBS) features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control, as described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).
|
|
||||||
|
|
||||||
> [!WARNING]
|
|
||||||
> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
|
|
||||||
|
|
||||||
For information about enabling VBS features, see [Enable virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md).
|
|
||||||
|
|
||||||
<br />
|
|
||||||
@ -149,6 +149,14 @@ We recommend that you keep the original XML file for use when you need to merge
|
|||||||
|
|
||||||
When the WDAC policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy.
|
When the WDAC policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy.
|
||||||
|
|
||||||
|
## msi-Http-installations are blocked by Device Guard
|
||||||
|
When you install msi-files over a Device Guard protected machine directly from the internet, it would fail.
|
||||||
|
If you try to install a msi-file using this command-line:
|
||||||
|
- msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi
|
||||||
|
|
||||||
|
You need to download the MSI file and run it locally:
|
||||||
|
- Msiexec –i c:\temp\Windows10_Version_1511_ADMX.msi
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
|
- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
|
||||||
|
|||||||
@ -1,72 +0,0 @@
|
|||||||
---
|
|
||||||
title: Enable virtualization-based protection of code integrity
|
|
||||||
description: This article explains the steps to opt in to using HVCI on Windows devices.
|
|
||||||
ms.prod: w10
|
|
||||||
ms.mktglfcycl: deploy
|
|
||||||
ms.localizationpriority: high
|
|
||||||
ms.author: justinha
|
|
||||||
author: brianlic-msft
|
|
||||||
ms.date: 11/28/2017
|
|
||||||
---
|
|
||||||
|
|
||||||
# Enable virtualization-based protection of code integrity
|
|
||||||
|
|
||||||
**Applies to**
|
|
||||||
|
|
||||||
- Windows 10
|
|
||||||
- Windows Server 2016
|
|
||||||
|
|
||||||
Virtualization-based protection of code integrity (herein referred to as hypervisor-protected code integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.
|
|
||||||
Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.
|
|
||||||
|
|
||||||
Some applications, including device drivers, may be incompatible with HVCI.
|
|
||||||
This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
|
|
||||||
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
|
|
||||||
|
|
||||||
## How to turn on virtualization-based protection of code integrity on the Windows 10 Fall Creators Update (version 1709)
|
|
||||||
|
|
||||||
These steps apply to Windows 10 S, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
|
|
||||||
|
|
||||||
The following instructions are intended for Windows 10 client systems running the Fall Creators Update (version 1709) that have hypervisor support and that are not already using a [Windows Defender Application Control (WDAC)](https://blogs.technet.microsoft.com/mmpc/2017/10/23/introducing-windows-defender-application-control/) policy.
|
|
||||||
If your device already has a WDAC policy (SIPolicy.p7b), please contact your IT administrator to request HVCI.
|
|
||||||
|
|
||||||
> [!NOTE]
|
|
||||||
> You must be an administrator to perform this procedure.
|
|
||||||
|
|
||||||
1. Download the [Enable HVCI cabinet file](http://download.microsoft.com/download/7/A/F/7AFBCDD1-578B-49B0-9B27-988EAEA89A8B/EnableHVCI.cab).
|
|
||||||
|
|
||||||
2. Open the cabinet file.
|
|
||||||
|
|
||||||
3. Right-click the SIPolicy.p7b file and extract it. Then move it to the following location:
|
|
||||||
|
|
||||||
C:\Windows\System32\CodeIntegrity
|
|
||||||
|
|
||||||
> [!NOTE]
|
|
||||||
> Do not perform this step if a SIPolicy.p7b file is already in this location.
|
|
||||||
|
|
||||||
4. Turn on the hypervisor:
|
|
||||||
|
|
||||||
a. Click Start, type **Turn Windows Features on or off** and press ENTER.
|
|
||||||
|
|
||||||
b. Select **Hyper-V** > **Hyper-V Platform** > **Hyper-V Hypervisor** and click **OK**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
c. After the installation completes, restart your computer.
|
|
||||||
|
|
||||||
5. To confirm HVCI was successfully enabled, open **System Information** and check **Virtualization-based security Services Running**, which should now display **Hypervisor enforced Code Integrity**.
|
|
||||||
|
|
||||||
|
|
||||||
## Troubleshooting
|
|
||||||
|
|
||||||
A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
|
|
||||||
|
|
||||||
B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
|
|
||||||
|
|
||||||
C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
|
|
||||||
|
|
||||||
## How to turn off HVCI on the Windows 10 Fall Creators Update
|
|
||||||
|
|
||||||
1. Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
|
|
||||||
2. Restart the device.
|
|
||||||
3. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
|
|
||||||
@ -19,8 +19,8 @@ Learn more about how to help protect against threats in Windows 10 and Windows
|
|||||||
|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
|
|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
|
||||||
|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender Antivirus, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
|
|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender Antivirus, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
|
||||||
|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
|
|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
|
||||||
|[Windows Defender Application Control](enable-virtualization-based-protection-of-code-integrity.md)|Explains how Windows Defender Application Control restricts the applications that users are allowed to run and the code that runs in the System Core (kernel).|
|
|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|Explains how Windows Defender Application Control restricts the applications that users are allowed to run and the code that runs in the System Core (kernel).|
|
||||||
|[Enable HVCI](windows-defender-application-control.md)|Explains how to enable HVCI to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.|
|
|[Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)|Explains how to enable HVCI to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.|
|
||||||
|[Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
|
|[Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
|
||||||
|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
|
|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
|
||||||
|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.|
|
|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.|
|
||||||
|
|||||||
@ -85,7 +85,7 @@ In other words, the hotfix in each KB article provides the necessary code and fu
|
|||||||
|---|---|---|---|
|
|---|---|---|---|
|
||||||
|Windows Server 2016 domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.|
|
|Windows Server 2016 domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.|
|
||||||
|Earlier domain controller |-|-|No access check is performed by default.|
|
|Earlier domain controller |-|-|No access check is performed by default.|
|
||||||
|Windows 10, version 1607 non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>DACL: <br>• Revision: 0x02 <br>• Size: 0x0020 <br>• Ace Count: 0x001 <br>• Ace[00]------------------------- <br> AceType:0x00 <br> (ACCESS\_ALLOWED_ACE_TYPE)<br> AceSize:0x0018 <br> InheritFlags:0x00 <br> Access Mask:0x00020000 <br> AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) <br><br> SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
|
|Windows 10, version 1607 non-domain controller|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>DACL: <br>• Revision: 0x02 <br>• Size: 0x0020 <br>• Ace Count: 0x001 <br>• Ace[00]------------------------- <br> AceType:0x00 <br> (ACCESS\_ALLOWED_ACE_TYPE)<br> AceSize:0x0018 <br> InheritFlags:0x00 <br> Access Mask:0x00020000 <br> AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) <br><br> SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
|
||||||
|Earlier non-domain controller |-|-|No access check is performed by default.|
|
|Earlier non-domain controller |-|-|No access check is performed by default.|
|
||||||
|
|
||||||
## Policy management
|
## Policy management
|
||||||
@ -163,4 +163,4 @@ If the policy is defined, admin tools, scripts and software that formerly enumer
|
|||||||
|
|
||||||
[SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b)
|
[SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b)
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|||||||
@ -0,0 +1,68 @@
|
|||||||
|
|
||||||
|
# [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
|
||||||
|
|
||||||
|
## [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
|
||||||
|
|
||||||
|
## [Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)
|
||||||
|
|
||||||
|
## [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md)
|
||||||
|
### [Use limited periodic scanning in Windows Defender AV](limited-periodic-scanning-windows-defender-antivirus.md)
|
||||||
|
|
||||||
|
|
||||||
|
## [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
|
||||||
|
|
||||||
|
|
||||||
|
## [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
|
||||||
|
### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
|
||||||
|
#### [Deployment guide for VDI environments](deployment-vdi-windows-defender-antivirus.md)
|
||||||
|
### [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
|
||||||
|
#### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](troubleshoot-reporting.md)
|
||||||
|
### [Manage updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
|
||||||
|
#### [Manage protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
|
||||||
|
#### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
|
||||||
|
#### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
|
||||||
|
#### [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
|
||||||
|
#### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
|
||||||
|
|
||||||
|
|
||||||
|
## [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
|
||||||
|
### [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
|
||||||
|
#### [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
|
||||||
|
#### [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
|
||||||
|
#### [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md)
|
||||||
|
#### [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
|
||||||
|
#### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
|
||||||
|
### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
|
||||||
|
#### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
|
||||||
|
#### [Enable and configure always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
|
||||||
|
### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
|
||||||
|
#### [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
|
||||||
|
#### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
|
||||||
|
#### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
|
||||||
|
|
||||||
|
|
||||||
|
## [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
|
||||||
|
### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
|
||||||
|
#### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
|
||||||
|
#### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
|
||||||
|
#### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
|
||||||
|
### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
|
||||||
|
### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
|
||||||
|
### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
|
||||||
|
### [Configure and run scans](run-scan-windows-defender-antivirus.md)
|
||||||
|
### [Review scan results](review-scan-results-windows-defender-antivirus.md)
|
||||||
|
### [Run and review the results of a Windows Defender Offline scan](windows-defender-offline.md)
|
||||||
|
|
||||||
|
|
||||||
|
## [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
|
||||||
|
### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)
|
||||||
|
### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)
|
||||||
|
### [Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)
|
||||||
|
### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)
|
||||||
|
### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-windows-defender-antivirus.md)
|
||||||
|
|
||||||
|
|
||||||
@ -65,6 +65,13 @@ Quarantine | Configure removal of items from Quarantine folder | Specify how man
|
|||||||
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
|
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
|
||||||
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
|
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
|
||||||
|
|
||||||
|
>[!IMPORTANT]
|
||||||
|
>Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
|
||||||
|
></p>
|
||||||
|
>If you are certain Windows Defender AV quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender AV](restore-quarantined-files-windows-defender-antivirus.md).
|
||||||
|
></p>
|
||||||
|
>To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md).
|
||||||
|
|
||||||
|
|
||||||
Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings.
|
Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings.
|
||||||
|
|
||||||
|
|||||||
@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
title: Restore quarantined files in Windows Defender AV
|
||||||
|
description: You can restore files and folders that were quarantined by Windows Defender AV.
|
||||||
|
keywords:
|
||||||
|
search.product: eADQiWindows 10XVcnh
|
||||||
|
ms.pagetype: security
|
||||||
|
ms.prod: w10
|
||||||
|
ms.mktglfcycl: manage
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
|
ms.localizationpriority: medium
|
||||||
|
author: andreabichsel
|
||||||
|
ms.author: v-anbic
|
||||||
|
ms.date: 04/23/2018
|
||||||
|
---
|
||||||
|
|
||||||
|
# Restore quarantined files in Windows Defender AV
|
||||||
|
|
||||||
|
|
||||||
|
**Applies to:**
|
||||||
|
|
||||||
|
- Windows 10
|
||||||
|
- Windows Server 2016
|
||||||
|
|
||||||
|
**Audience**
|
||||||
|
|
||||||
|
- Enterprise security administrators
|
||||||
|
|
||||||
|
**Manageability available with**
|
||||||
|
|
||||||
|
- Windows Defender Security Center
|
||||||
|
|
||||||
|
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender AV quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
|
||||||
|
|
||||||
|
1. Open **Windows Defender Security Center**.
|
||||||
|
2. Click **Virus & threat protection** and then click **Scan history**.
|
||||||
|
3. Under **Quarantined threats**, click **See full history**.
|
||||||
|
4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.)
|
||||||
|
|
||||||
|
## Related topics
|
||||||
|
|
||||||
|
- [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
|
||||||
|
- [Review scan results](review-scan-results-windows-defender-antivirus.md)
|
||||||
|
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
|
||||||
|
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
|
||||||
|
- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
|
||||||
|
|
||||||
@ -0,0 +1,120 @@
|
|||||||
|
# [Windows Defender Application Control](windows-defender-application-control.md)
|
||||||
|
|
||||||
|
## [Windows Defender Application Control design guide](windows-defender-application-control-design-guide.md)
|
||||||
|
### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md)
|
||||||
|
### [Select the types of rules to create](select-types-of-rules-to-create.md)
|
||||||
|
### [Plan for WDAC policy management](plan-windows-defender-application-control-management.md)
|
||||||
|
#### [Document your application control management processes](document-your-windows-defender-application-control-management-processes.md)
|
||||||
|
### [Create your WDAC planning document](create-your-windows-defender-application-control-planning-document.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)
|
||||||
|
### [Types of devices](types-of-devices.md)
|
||||||
|
### [Use WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md)
|
||||||
|
###Use WDAC with custom policies
|
||||||
|
#### [Create an initial default policy](create-initial-default-policy.md)
|
||||||
|
#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
|
||||||
|
### [Audit WDAC policies](audit-windows-defender-application-control-policies.md)
|
||||||
|
### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
|
||||||
|
### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
|
||||||
|
### [Deploy WDAC policies](deploy-windows-defender-application-control-policies-using-group-policy.md)
|
||||||
|
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
|
||||||
|
#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
|
||||||
|
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
|
||||||
|
#### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md)
|
||||||
|
### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
|
||||||
|
### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
|
||||||
|
### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md)
|
||||||
|
#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md)
|
||||||
|
### [Disable WDAC policies](disable-windows-defender-application-control-policies.md)
|
||||||
|
|
||||||
|
## [Windows Defender Application Control and AppLocker](windows-defender-application-control-and-applocker.md)
|
||||||
|
|
||||||
|
## [AppLocker](applocker\applocker-overview.md)
|
||||||
|
### [Administer AppLocker](applocker\administer-applocker.md)
|
||||||
|
#### [Maintain AppLocker policies](applocker\maintain-applocker-policies.md)
|
||||||
|
#### [Edit an AppLocker policy](applocker\edit-an-applocker-policy.md)
|
||||||
|
#### [Test and update an AppLocker policy](applocker\test-and-update-an-applocker-policy.md)
|
||||||
|
#### [Deploy AppLocker policies by using the enforce rules setting](applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
|
||||||
|
#### [Use the AppLocker Windows PowerShell cmdlets](applocker\use-the-applocker-windows-powershell-cmdlets.md)
|
||||||
|
#### [Use AppLocker and Software Restriction Policies in the same domain](applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md)
|
||||||
|
#### [Optimize AppLocker performance](applocker\optimize-applocker-performance.md)
|
||||||
|
#### [Monitor app usage with AppLocker](applocker\monitor-application-usage-with-applocker.md)
|
||||||
|
#### [Manage packaged apps with AppLocker](applocker\manage-packaged-apps-with-applocker.md)
|
||||||
|
#### [Working with AppLocker rules](applocker\working-with-applocker-rules.md)
|
||||||
|
##### [Create a rule that uses a file hash condition](applocker\create-a-rule-that-uses-a-file-hash-condition.md)
|
||||||
|
##### [Create a rule that uses a path condition](applocker\create-a-rule-that-uses-a-path-condition.md)
|
||||||
|
##### [Create a rule that uses a publisher condition](applocker\create-a-rule-that-uses-a-publisher-condition.md)
|
||||||
|
##### [Create AppLocker default rules](applocker\create-applocker-default-rules.md)
|
||||||
|
##### [Add exceptions for an AppLocker rule](applocker\configure-exceptions-for-an-applocker-rule.md)
|
||||||
|
##### [Create a rule for packaged apps](applocker\create-a-rule-for-packaged-apps.md)
|
||||||
|
##### [Delete an AppLocker rule](applocker\delete-an-applocker-rule.md)
|
||||||
|
##### [Edit AppLocker rules](applocker\edit-applocker-rules.md)
|
||||||
|
##### [Enable the DLL rule collection](applocker\enable-the-dll-rule-collection.md)
|
||||||
|
##### [Enforce AppLocker rules](applocker\enforce-applocker-rules.md)
|
||||||
|
##### [Run the Automatically Generate Rules wizard](applocker\run-the-automatically-generate-rules-wizard.md)
|
||||||
|
#### [Working with AppLocker policies](applocker\working-with-applocker-policies.md)
|
||||||
|
##### [Configure the Application Identity service](applocker\configure-the-application-identity-service.md)
|
||||||
|
##### [Configure an AppLocker policy for audit only](applocker\configure-an-applocker-policy-for-audit-only.md)
|
||||||
|
##### [Configure an AppLocker policy for enforce rules](applocker\configure-an-applocker-policy-for-enforce-rules.md)
|
||||||
|
##### [Display a custom URL message when users try to run a blocked app](applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)
|
||||||
|
##### [Export an AppLocker policy from a GPO](applocker\export-an-applocker-policy-from-a-gpo.md)
|
||||||
|
##### [Export an AppLocker policy to an XML file](applocker\export-an-applocker-policy-to-an-xml-file.md)
|
||||||
|
##### [Import an AppLocker policy from another computer](applocker\import-an-applocker-policy-from-another-computer.md)
|
||||||
|
##### [Import an AppLocker policy into a GPO](applocker\import-an-applocker-policy-into-a-gpo.md)
|
||||||
|
##### [Add rules for packaged apps to existing AppLocker rule-set](applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)
|
||||||
|
##### [Merge AppLocker policies by using Set-ApplockerPolicy](applocker\merge-applocker-policies-by-using-set-applockerpolicy.md)
|
||||||
|
##### [Merge AppLocker policies manually](applocker\merge-applocker-policies-manually.md)
|
||||||
|
##### [Refresh an AppLocker policy](applocker\refresh-an-applocker-policy.md)
|
||||||
|
##### [Test an AppLocker policy by using Test-AppLockerPolicy](applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md)
|
||||||
|
### [AppLocker design guide](applocker\applocker-policies-design-guide.md)
|
||||||
|
#### [Understand AppLocker policy design decisions](applocker\understand-applocker-policy-design-decisions.md)
|
||||||
|
#### [Determine your application control objectives](applocker\determine-your-application-control-objectives.md)
|
||||||
|
#### [Create a list of apps deployed to each business group](applocker\create-list-of-applications-deployed-to-each-business-group.md)
|
||||||
|
##### [Document your app list](applocker\document-your-application-list.md)
|
||||||
|
#### [Select the types of rules to create](applocker\select-types-of-rules-to-create.md)
|
||||||
|
##### [Document your AppLocker rules](applocker\document-your-applocker-rules.md)
|
||||||
|
#### [Determine the Group Policy structure and rule enforcement](applocker\determine-group-policy-structure-and-rule-enforcement.md)
|
||||||
|
##### [Understand AppLocker enforcement settings](applocker\understand-applocker-enforcement-settings.md)
|
||||||
|
##### [Understand AppLocker rules and enforcement setting inheritance in Group Policy](applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
|
||||||
|
##### [Document the Group Policy structure and AppLocker rule enforcement](applocker\document-group-policy-structure-and-applocker-rule-enforcement.md)
|
||||||
|
#### [Plan for AppLocker policy management](applocker\plan-for-applocker-policy-management.md)
|
||||||
|
### [AppLocker deployment guide](applocker\applocker-policies-deployment-guide.md)
|
||||||
|
#### [Understand the AppLocker policy deployment process](applocker\understand-the-applocker-policy-deployment-process.md)
|
||||||
|
#### [Requirements for Deploying AppLocker Policies](applocker\requirements-for-deploying-applocker-policies.md)
|
||||||
|
#### [Use Software Restriction Policies and AppLocker policies](applocker\using-software-restriction-policies-and-applocker-policies.md)
|
||||||
|
#### [Create Your AppLocker policies](applocker\create-your-applocker-policies.md)
|
||||||
|
##### [Create Your AppLocker rules](applocker\create-your-applocker-rules.md)
|
||||||
|
#### [Deploy the AppLocker policy into production](applocker\deploy-the-applocker-policy-into-production.md)
|
||||||
|
##### [Use a reference device to create and maintain AppLocker policies](applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
|
||||||
|
###### [Determine which apps are digitally signed on a reference device](applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md)
|
||||||
|
###### [Configure the AppLocker reference device](applocker\configure-the-appLocker-reference-device.md)
|
||||||
|
### [AppLocker technical reference](applocker\applocker-technical-reference.md)
|
||||||
|
#### [What Is AppLocker?](applocker\what-is-applocker.md)
|
||||||
|
#### [Requirements to use AppLocker](applocker\requirements-to-use-applocker.md)
|
||||||
|
#### [AppLocker policy use scenarios](applocker\applocker-policy-use-scenarios.md)
|
||||||
|
#### [How AppLocker works](applocker\how-applocker-works-techref.md)
|
||||||
|
##### [Understanding AppLocker rule behavior](applocker\understanding-applocker-rule-behavior.md)
|
||||||
|
##### [Understanding AppLocker rule exceptions](applocker\understanding-applocker-rule-exceptions.md)
|
||||||
|
##### [Understanding AppLocker rule collections](applocker\understanding-applocker-rule-collections.md)
|
||||||
|
##### [Understanding AppLocker allow and deny actions on rules](applocker\understanding-applocker-allow-and-deny-actions-on-rules.md)
|
||||||
|
##### [Understanding AppLocker rule condition types](applocker\understanding-applocker-rule-condition-types.md)
|
||||||
|
###### [Understanding the publisher rule condition in AppLocker](applocker\understanding-the-publisher-rule-condition-in-applocker.md)
|
||||||
|
###### [Understanding the path rule condition in AppLocker](applocker\understanding-the-path-rule-condition-in-applocker.md)
|
||||||
|
###### [Understanding the file hash rule condition in AppLocker](applocker\understanding-the-file-hash-rule-condition-in-applocker.md)
|
||||||
|
##### [Understanding AppLocker default rules](applocker\understanding-applocker-default-rules.md)
|
||||||
|
###### [Executable rules in AppLocker](applocker\executable-rules-in-applocker.md)
|
||||||
|
###### [Windows Installer rules in AppLocker](applocker\windows-installer-rules-in-applocker.md)
|
||||||
|
###### [Script rules in AppLocker](applocker\script-rules-in-applocker.md)
|
||||||
|
###### [DLL rules in AppLocker](applocker\dll-rules-in-applocker.md)
|
||||||
|
###### [Packaged apps and packaged app installer rules in AppLocker](applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
|
||||||
|
#### [AppLocker architecture and components](applocker\applocker-architecture-and-components.md)
|
||||||
|
#### [AppLocker processes and interactions](applocker\applocker-processes-and-interactions.md)
|
||||||
|
#### [AppLocker functions](applocker\applocker-functions.md)
|
||||||
|
#### [Security considerations for AppLocker](applocker\security-considerations-for-applocker.md)
|
||||||
|
#### [Tools to Use with AppLocker](applocker\tools-to-use-with-applocker.md)
|
||||||
|
##### [Using Event Viewer with AppLocker](applocker\using-event-viewer-with-applocker.md)
|
||||||
|
#### [AppLocker Settings](applocker\applocker-settings.md)
|
||||||
|
|
||||||
|
|
||||||
@ -0,0 +1,90 @@
|
|||||||
|
|
||||||
|
# [AppLocker](applocker-overview.md)
|
||||||
|
|
||||||
|
## [Administer AppLocker](administer-applocker.md)
|
||||||
|
### [Administer AppLocker using MDM](administer-applocker-using-mdm.md)
|
||||||
|
### [Maintain AppLocker policies](maintain-applocker-policies.md)
|
||||||
|
### [Edit an AppLocker policy](edit-an-applocker-policy.md)
|
||||||
|
### [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
|
||||||
|
### [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
|
||||||
|
### [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md)
|
||||||
|
### [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)
|
||||||
|
### [Optimize AppLocker performance](optimize-applocker-performance.md)
|
||||||
|
### [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
|
||||||
|
### [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)
|
||||||
|
### [Working with AppLocker rules](working-with-applocker-rules.md)
|
||||||
|
#### [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
|
||||||
|
#### [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
|
||||||
|
#### [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
|
||||||
|
#### [Create AppLocker default rules](create-applocker-default-rules.md)
|
||||||
|
#### [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
|
||||||
|
#### [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md)
|
||||||
|
#### [Delete an AppLocker rule](delete-an-applocker-rule.md)
|
||||||
|
#### [Edit AppLocker rules](edit-applocker-rules.md)
|
||||||
|
#### [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
|
||||||
|
#### [Enforce AppLocker rules](enforce-applocker-rules.md)
|
||||||
|
#### [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
|
||||||
|
### [Working with AppLocker policies](working-with-applocker-policies.md)
|
||||||
|
#### [Configure the Application Identity service](configure-the-application-identity-service.md)
|
||||||
|
#### [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
|
||||||
|
#### [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
|
||||||
|
#### [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)
|
||||||
|
#### [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md)
|
||||||
|
#### [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)
|
||||||
|
#### [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)
|
||||||
|
#### [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)
|
||||||
|
#### [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)
|
||||||
|
#### [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md)
|
||||||
|
#### [Merge AppLocker policies manually](merge-applocker-policies-manually.md)
|
||||||
|
#### [Refresh an AppLocker policy](refresh-an-applocker-policy.md)
|
||||||
|
#### [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md)
|
||||||
|
## [AppLocker design guide](applocker-policies-design-guide.md)
|
||||||
|
### [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
|
||||||
|
### [Determine your application control objectives](determine-your-application-control-objectives.md)
|
||||||
|
### [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
|
||||||
|
#### [Document your app list](document-your-application-list.md)
|
||||||
|
### [Select the types of rules to create](select-types-of-rules-to-create.md)
|
||||||
|
#### [Document your AppLocker rules](document-your-applocker-rules.md)
|
||||||
|
### [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
|
||||||
|
#### [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
|
||||||
|
#### [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
|
||||||
|
#### [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md)
|
||||||
|
### [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
|
||||||
|
## [AppLocker deployment guide](applocker-policies-deployment-guide.md)
|
||||||
|
### [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
|
||||||
|
### [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md)
|
||||||
|
### [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md)
|
||||||
|
### [Create Your AppLocker policies](create-your-applocker-policies.md)
|
||||||
|
#### [Create Your AppLocker rules](create-your-applocker-rules.md)
|
||||||
|
### [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
|
||||||
|
#### [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
|
||||||
|
#### [Determine which apps are digitally signed on a reference device](determine-which-applications-are-digitally-signed-on-a-reference-computer.md)
|
||||||
|
### [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
|
||||||
|
## [AppLocker technical reference](applocker-technical-reference.md)
|
||||||
|
### [What Is AppLocker?](what-is-applocker.md)
|
||||||
|
### [Requirements to use AppLocker](requirements-to-use-applocker.md)
|
||||||
|
### [AppLocker policy use scenarios](applocker-policy-use-scenarios.md)
|
||||||
|
### [How AppLocker works](how-applocker-works-techref.md)
|
||||||
|
#### [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
|
||||||
|
#### [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
|
||||||
|
#### [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
|
||||||
|
#### [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
|
||||||
|
#### [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
|
||||||
|
##### [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
|
||||||
|
##### [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
|
||||||
|
##### [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
|
||||||
|
#### [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
|
||||||
|
##### [Executable rules in AppLocker](executable-rules-in-applocker.md)
|
||||||
|
##### [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
|
||||||
|
##### [Script rules in AppLocker](script-rules-in-applocker.md)
|
||||||
|
##### [DLL rules in AppLocker](dll-rules-in-applocker.md)
|
||||||
|
##### [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
|
||||||
|
### [AppLocker architecture and components](applocker-architecture-and-components.md)
|
||||||
|
### [AppLocker processes and interactions](applocker-processes-and-interactions.md)
|
||||||
|
### [AppLocker functions](applocker-functions.md)
|
||||||
|
### [Security considerations for AppLocker](security-considerations-for-applocker.md)
|
||||||
|
### [Tools to Use with AppLocker](tools-to-use-with-applocker.md)
|
||||||
|
#### [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md)
|
||||||
|
### [AppLocker Settings](applocker-settings.md)
|
||||||
|
|
||||||
|
|
||||||
@ -0,0 +1,19 @@
|
|||||||
|
---
|
||||||
|
title: Administering AppLocker by using Mobile Device Management (MDM) (Windows 10)
|
||||||
|
description: This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.
|
||||||
|
ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650
|
||||||
|
ms.prod: w10
|
||||||
|
ms.mktglfcycl: deploy
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
|
author: brianlic-msft
|
||||||
|
ms.date: 03/01/2018
|
||||||
|
---
|
||||||
|
|
||||||
|
# Administering AppLocker by using Mobile Device Management (MDM)
|
||||||
|
|
||||||
|
**Applies to**
|
||||||
|
- Windows 10
|
||||||
|
- Windows Server
|
||||||
|
|
||||||
|
|
||||||
@ -32,6 +32,7 @@ AppLocker helps administrators control how users can access and use files, such
|
|||||||
|
|
||||||
| Topic | Description |
|
| Topic | Description |
|
||||||
| - | - |
|
| - | - |
|
||||||
|
| [Administer AppLocker using Mobile Device Management (MDM)](administer-applocker-using-mdm.md) | This topic describes how to used MDM to manage AppLocker policies. |
|
||||||
| [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. |
|
| [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. |
|
||||||
| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. |
|
| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. |
|
||||||
| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. |
|
| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. |
|
||||||
@ -37,7 +37,6 @@ The following are prerequisites or recommendations to deploying policies:
|
|||||||
- [Select types of rules to create](select-types-of-rules-to-create.md)
|
- [Select types of rules to create](select-types-of-rules-to-create.md)
|
||||||
- [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
|
- [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
|
||||||
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
|
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
|
||||||
- [Create your AppLocker planning document](create-your-applocker-planning-document.md)
|
|
||||||
|
|
||||||
## Contents of this guide
|
## Contents of this guide
|
||||||
|
|
||||||
@ -33,7 +33,7 @@ To understand if AppLocker is the correct application control solution for your
|
|||||||
| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using AppLocker. |
|
| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using AppLocker. |
|
||||||
| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you are planning to deploy AppLocker rules. |
|
| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you are planning to deploy AppLocker rules. |
|
||||||
| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |
|
| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |
|
||||||
| [Create your AppLocker planning document](create-your-applocker-planning-document.md) | This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. |
|
|
||||||
|
|
||||||
After careful design and detailed planning, the next step is to deploy AppLocker policies. [AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
|
After careful design and detailed planning, the next step is to deploy AppLocker policies. [AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
|
||||||
|
|
||||||
@ -31,7 +31,7 @@ You can develop an application control policy plan to guide you in making succes
|
|||||||
5. [Select the types of rules to create](select-types-of-rules-to-create.md)
|
5. [Select the types of rules to create](select-types-of-rules-to-create.md)
|
||||||
6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
|
6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
|
||||||
7. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
|
7. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
|
||||||
8. [Create your AppLocker planning document](create-your-applocker-planning-document.md)
|
|
||||||
|
|
||||||
## Step 2: Create your rules and rule collections
|
## Step 2: Create your rules and rule collections
|
||||||
|
|
||||||
@ -124,6 +124,6 @@ The following table includes the sample data that was collected when you determi
|
|||||||
|
|
||||||
After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain:
|
After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain:
|
||||||
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
|
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
|
||||||
- [Create your AppLocker planning document](create-your-applocker-planning-document.md)
|
|
||||||
|
|
||||||
|
|
||||||
@ -118,4 +118,3 @@ For each rule, determine whether to use the allow or deny option. Then, three ta
|
|||||||
|
|
||||||
- [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
|
- [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
|
||||||
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
|
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
|
||||||
- [Create your AppLocker planning document](create-your-applocker-planning-document.md)
|
|
||||||
@ -20,11 +20,15 @@ This topic for IT professionals describes the steps required to modify an AppLoc
|
|||||||
|
|
||||||
You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot create a new version of the policy by importing additional rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
|
You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot create a new version of the policy by importing additional rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
|
||||||
|
|
||||||
There are two methods you can use to edit an AppLocker policy:
|
There are three methods you can use to edit an AppLocker policy:
|
||||||
|
|
||||||
|
- [Editing an AppLocker policy by using Mobile Device Management (MDM)](#bkmk-editapppolinmdm)
|
||||||
- [Editing an AppLocker policy by using Group Policy](#bkmk-editapppolingpo)
|
- [Editing an AppLocker policy by using Group Policy](#bkmk-editapppolingpo)
|
||||||
- [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo)
|
- [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo)
|
||||||
|
|
||||||
|
## <a href="" id="bkmk-editapppolinmdm"></a>Editing an AppLocker policy by using Mobile Device Management (MDM)
|
||||||
|
|
||||||
|
|
||||||
## <a href="" id="bkmk-editapppolingpo"></a>Editing an AppLocker policy by using Group Policy
|
## <a href="" id="bkmk-editapppolingpo"></a>Editing an AppLocker policy by using Group Policy
|
||||||
|
|
||||||
The steps to edit an AppLocker policy distributed by Group Policy include the following:
|
The steps to edit an AppLocker policy distributed by Group Policy include the following:
|
||||||
|
Before Width: | Height: | Size: 22 KiB After Width: | Height: | Size: 22 KiB |
|
Before Width: | Height: | Size: 35 KiB After Width: | Height: | Size: 35 KiB |
|
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 16 KiB |
@ -27,21 +27,26 @@ Common AppLocker maintenance scenarios include:
|
|||||||
- An app appears to be allowed but should be blocked.
|
- An app appears to be allowed but should be blocked.
|
||||||
- A single user or small subset of users needs to use a specific app that is blocked.
|
- A single user or small subset of users needs to use a specific app that is blocked.
|
||||||
|
|
||||||
There are two methods you can use to maintain AppLocker policies:
|
There are three methods you can use to maintain AppLocker policies:
|
||||||
|
|
||||||
|
- [Maintaining AppLocker policies by using Mobile Device Management (MDM)](#bkmk-applkr-use-mdm)
|
||||||
- [Maintaining AppLocker policies by using Group Policy](#bkmk-applkr-use-gp)
|
- [Maintaining AppLocker policies by using Group Policy](#bkmk-applkr-use-gp)
|
||||||
- [Maintaining AppLocker policies on the local computer](#bkmk-applkr-use-locsnapin)
|
- [Maintaining AppLocker policies on the local computer](#bkmk-applkr-use-locsnapin)
|
||||||
|
|
||||||
|
## <a href="" id="bkmk-applkr-use-mdm"></a>Maintaining AppLocker policies by using Mobile Device Management (MDM)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## <a href="" id="bkmk-applkr-use-gp"></a>Maintaining AppLocker policies by using Group Policy
|
||||||
|
|
||||||
|
For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks.
|
||||||
|
|
||||||
As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current.
|
As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current.
|
||||||
|
|
||||||
You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create
|
You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create
|
||||||
versions of GPOs.
|
versions of GPOs.
|
||||||
|
|
||||||
>**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
|
>**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
|
||||||
|
|
||||||
## <a href="" id="bkmk-applkr-use-gp"></a>Maintaining AppLocker policies by using Group Policy
|
|
||||||
|
|
||||||
For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks.
|
|
||||||
|
|
||||||
### Step 1: Understand the current behavior of the policy
|
### Step 1: Understand the current behavior of the policy
|
||||||
|
|
||||||
@ -22,7 +22,7 @@ Once you set rules and deploy the AppLocker policies, it is good practice to det
|
|||||||
|
|
||||||
### <a href="" id="bkmk-applkr-disc-effect-pol"></a>Discover the effect of an AppLocker policy
|
### <a href="" id="bkmk-applkr-disc-effect-pol"></a>Discover the effect of an AppLocker policy
|
||||||
|
|
||||||
You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. For information about creating this document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md). You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules.
|
You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules.
|
||||||
|
|
||||||
- **Analyze the AppLocker logs in Event Viewer**
|
- **Analyze the AppLocker logs in Event Viewer**
|
||||||
|
|
||||||
@ -104,12 +104,215 @@ A file could be blocked for three reasons:
|
|||||||
|
|
||||||
Before editing the rule collection, first determine what rule is preventing the file from running. You can troubleshoot the problem by using the **Test-AppLockerPolicy** Windows PowerShell cmdlet. For more info about troubleshooting an AppLocker policy, see [Testing and Updating an AppLocker Policy](https://go.microsoft.com/fwlink/p/?LinkId=160269) (https://go.microsoft.com/fwlink/p/?LinkId=160269).
|
Before editing the rule collection, first determine what rule is preventing the file from running. You can troubleshoot the problem by using the **Test-AppLockerPolicy** Windows PowerShell cmdlet. For more info about troubleshooting an AppLocker policy, see [Testing and Updating an AppLocker Policy](https://go.microsoft.com/fwlink/p/?LinkId=160269) (https://go.microsoft.com/fwlink/p/?LinkId=160269).
|
||||||
|
|
||||||
## Next steps
|
## Record your findings
|
||||||
|
|
||||||
After deciding how your organization will manage your AppLocker policy, record your findings.
|
To complete this AppLocker planning document, you should first complete the following steps:
|
||||||
|
|
||||||
- **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the AppLocker policy, if necessary.
|
1. [Determine your application control objectives](determine-your-application-control-objectives.md)
|
||||||
- **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis.
|
2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
|
||||||
- **Policy maintenance.** Detail how rules will be added to the policy and in which GPO the rules are defined.
|
3. [Select the types of rules to create](select-types-of-rules-to-create.md)
|
||||||
|
4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
|
||||||
|
5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
|
||||||
|
|
||||||
|
The three key areas to determine for AppLocker policy management are:
|
||||||
|
|
||||||
|
1. Support policy
|
||||||
|
|
||||||
|
Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy.
|
||||||
|
|
||||||
|
2. Event processing
|
||||||
|
|
||||||
|
Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis.
|
||||||
|
|
||||||
|
3. Policy maintenance
|
||||||
|
|
||||||
|
Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added.
|
||||||
|
|
||||||
|
The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies.
|
||||||
|
|
||||||
|
<table style="width:100%;">
|
||||||
|
<colgroup>
|
||||||
|
<col width="11%" />
|
||||||
|
<col width="11%" />
|
||||||
|
<col width="11%" />
|
||||||
|
<col width="11%" />
|
||||||
|
<col width="11%" />
|
||||||
|
<col width="11%" />
|
||||||
|
<col width="11%" />
|
||||||
|
<col width="11%" />
|
||||||
|
<col width="11%" />
|
||||||
|
</colgroup>
|
||||||
|
<thead>
|
||||||
|
<tr class="header">
|
||||||
|
<th align="left">Business group</th>
|
||||||
|
<th align="left">Organizational unit</th>
|
||||||
|
<th align="left">Implement AppLocker?</th>
|
||||||
|
<th align="left">Apps</th>
|
||||||
|
<th align="left">Installation path</th>
|
||||||
|
<th align="left">Use default rule or define new rule condition</th>
|
||||||
|
<th align="left">Allow or deny</th>
|
||||||
|
<th align="left">GPO name</th>
|
||||||
|
<th align="left">Support policy</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr class="odd">
|
||||||
|
<td align="left"><p>Bank Tellers</p></td>
|
||||||
|
<td align="left"><p>Teller-East and Teller-West</p></td>
|
||||||
|
<td align="left"><p>Yes</p></td>
|
||||||
|
<td align="left"><p>Teller Software</p></td>
|
||||||
|
<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
|
||||||
|
<td align="left"><p>File is signed; create a publisher condition</p></td>
|
||||||
|
<td align="left"><p>Allow</p></td>
|
||||||
|
<td align="left"><p>Tellers-AppLockerTellerRules</p></td>
|
||||||
|
<td align="left"><p>Web help</p></td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p>Windows files</p>
|
||||||
|
<p></p></td>
|
||||||
|
<td align="left"><p>C:\Windows</p></td>
|
||||||
|
<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
|
||||||
|
<td align="left"><p>Allow</p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p>Help desk</p></td>
|
||||||
|
</tr>
|
||||||
|
<tr class="odd">
|
||||||
|
<td align="left"><p>Human Resources</p></td>
|
||||||
|
<td align="left"><p>HR-All</p></td>
|
||||||
|
<td align="left"><p>Yes</p></td>
|
||||||
|
<td align="left"><p>Check Payout</p></td>
|
||||||
|
<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
|
||||||
|
<td align="left"><p>File is signed; create a publisher condition</p></td>
|
||||||
|
<td align="left"><p>Allow</p></td>
|
||||||
|
<td align="left"><p>HR-AppLockerHRRules</p></td>
|
||||||
|
<td align="left"><p>Web help</p></td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p>Time Sheet Organizer</p></td>
|
||||||
|
<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
|
||||||
|
<td align="left"><p>File is not signed; create a file hash condition</p></td>
|
||||||
|
<td align="left"><p>Allow</p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p>Web help</p></td>
|
||||||
|
</tr>
|
||||||
|
<tr class="odd">
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p>Internet Explorer 7</p></td>
|
||||||
|
<td align="left"><p>C:\Program Files\Internet Explorer\</p></td>
|
||||||
|
<td align="left"><p>File is signed; create a publisher condition</p></td>
|
||||||
|
<td align="left"><p>Deny</p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p>Web help</p>
|
||||||
|
<p></p></td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p>Windows files</p></td>
|
||||||
|
<td align="left"><p>C:\Windows</p></td>
|
||||||
|
<td align="left"><p>Use the default rule for the Windows path</p></td>
|
||||||
|
<td align="left"><p>Allow</p></td>
|
||||||
|
<td align="left"><p></p></td>
|
||||||
|
<td align="left"><p>Help desk</p></td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies.
|
||||||
|
|
||||||
|
**Event processing policy**
|
||||||
|
|
||||||
|
One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events.
|
||||||
|
|
||||||
|
The following table is an example of what to consider and record.
|
||||||
|
|
||||||
|
<table>
|
||||||
|
<colgroup>
|
||||||
|
<col width="20%" />
|
||||||
|
<col width="20%" />
|
||||||
|
<col width="20%" />
|
||||||
|
<col width="20%" />
|
||||||
|
<col width="20%" />
|
||||||
|
</colgroup>
|
||||||
|
<thead>
|
||||||
|
<tr class="header">
|
||||||
|
<th align="left">Business group</th>
|
||||||
|
<th align="left">AppLocker event collection location</th>
|
||||||
|
<th align="left">Archival policy</th>
|
||||||
|
<th align="left">Analyzed?</th>
|
||||||
|
<th align="left">Security policy</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr class="odd">
|
||||||
|
<td align="left"><p>Bank Tellers</p></td>
|
||||||
|
<td align="left"><p>Forwarded to: AppLocker Event Repository on srvBT093</p></td>
|
||||||
|
<td align="left"><p>Standard</p></td>
|
||||||
|
<td align="left"><p>None</p></td>
|
||||||
|
<td align="left"><p>Standard</p></td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td align="left"><p>Human Resources</p></td>
|
||||||
|
<td align="left"><p>DO NOT FORWARD. srvHR004</p></td>
|
||||||
|
<td align="left"><p>60 months</p></td>
|
||||||
|
<td align="left"><p>Yes, summary reports monthly to managers</p></td>
|
||||||
|
<td align="left"><p>Standard</p></td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
**Policy maintenance policy**
|
||||||
|
When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies.
|
||||||
|
The following table is an example of what to consider and record.
|
||||||
|
<table>
|
||||||
|
<colgroup>
|
||||||
|
<col width="20%" />
|
||||||
|
<col width="20%" />
|
||||||
|
<col width="20%" />
|
||||||
|
<col width="20%" />
|
||||||
|
<col width="20%" />
|
||||||
|
</colgroup>
|
||||||
|
<thead>
|
||||||
|
<tr class="header">
|
||||||
|
<th align="left">Business group</th>
|
||||||
|
<th align="left">Rule update policy</th>
|
||||||
|
<th align="left">Application decommission policy</th>
|
||||||
|
<th align="left">Application version policy</th>
|
||||||
|
<th align="left">Application deployment policy</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr class="odd">
|
||||||
|
<td align="left"><p>Bank Tellers</p></td>
|
||||||
|
<td align="left"><p>Planned: Monthly through business office triage</p>
|
||||||
|
<p>Emergency: Request through help desk</p></td>
|
||||||
|
<td align="left"><p>Through business office triage</p>
|
||||||
|
<p>30-day notice required</p></td>
|
||||||
|
<td align="left"><p>General policy: Keep past versions for 12 months</p>
|
||||||
|
<p>List policies for each application</p></td>
|
||||||
|
<td align="left"><p>Coordinated through business office</p>
|
||||||
|
<p>30-day notice required</p></td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td align="left"><p>Human Resources</p></td>
|
||||||
|
<td align="left"><p>Planned: Monthly through HR triage</p>
|
||||||
|
<p>Emergency: Request through help desk</p></td>
|
||||||
|
<td align="left"><p>Through HR triage</p>
|
||||||
|
<p>30-day notice required</p></td>
|
||||||
|
<td align="left"><p>General policy: Keep past versions for 60 months</p>
|
||||||
|
<p>List policies for each application</p></td>
|
||||||
|
<td align="left"><p>Coordinated through HR</p>
|
||||||
|
<p>30-day notice required</p></td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
|
||||||
For information and steps how to document your processes, see [Document your application control management processes](document-your-application-control-management-processes.md).
|
|
||||||
@ -224,7 +224,7 @@ Because the effectiveness of application control policies is dependent on the ab
|
|||||||
|
|
||||||
## Record your findings
|
## Record your findings
|
||||||
|
|
||||||
The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, tyou can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document.
|
The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, you can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document.
|
||||||
|
|
||||||
- For info about setting your policy goals, see [Determine your application control objectives](determine-your-application-control-objectives.md).
|
- For info about setting your policy goals, see [Determine your application control objectives](determine-your-application-control-objectives.md).
|
||||||
- For info about creating your planning document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md).
|
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user