mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 13:23:36 +00:00
TASK 5358645 : Batch 02, Windows 11 Inclusion updates
Second batch of Windows 11 Inclusion updates under Windows-defender-application-control folder. (I've also made some changes to few words as per Acrolinx suggestions to meet the PR criteria).
This commit is contained in:
Alekhya Jupudi
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10)
|
||||
title: Add rules for packaged apps to existing AppLocker rule-set (Windows)
|
||||
description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
|
||||
ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f
|
||||
ms.reviewer:
|
||||
@ -21,8 +21,13 @@ ms.technology: mde
|
||||
# Add rules for packaged apps to existing AppLocker rule-set
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Administer AppLocker (Windows 10)
|
||||
title: Administer AppLocker (Windows)
|
||||
description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
|
||||
ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818
|
||||
ms.reviewer:
|
||||
@ -21,8 +21,13 @@ ms.technology: mde
|
||||
# Administer AppLocker
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: AppLocker architecture and components (Windows 10)
|
||||
title: AppLocker architecture and components (Windows)
|
||||
description: This topic for IT professional describes AppLocker’s basic architecture and its major components.
|
||||
ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a
|
||||
ms.reviewer:
|
||||
@ -21,8 +21,13 @@ ms.technology: mde
|
||||
# AppLocker architecture and components
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic for IT professional describes AppLocker’s basic architecture and its major components.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: AppLocker functions (Windows 10)
|
||||
title: AppLocker functions (Windows)
|
||||
description: This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
|
||||
ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2
|
||||
ms.reviewer:
|
||||
@ -21,8 +21,13 @@ ms.technology: mde
|
||||
# AppLocker functions
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: AppLocker (Windows 10)
|
||||
title: AppLocker (Windows)
|
||||
description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
|
||||
ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a
|
||||
ms.reviewer:
|
||||
@ -21,10 +21,15 @@ ms.technology: mde
|
||||
# AppLocker
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
|
||||
|
||||
> [!NOTE]
|
||||
> AppLocker is unable to control processes running under the system account on any operating system.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: AppLocker deployment guide (Windows 10)
|
||||
title: AppLocker deployment guide (Windows)
|
||||
description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
|
||||
ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1
|
||||
ms.reviewer:
|
||||
@ -22,8 +22,13 @@ ms.technology: mde
|
||||
# AppLocker deployment guide
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: AppLocker design guide (Windows 10)
|
||||
title: AppLocker design guide (Windows)
|
||||
description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
|
||||
ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b
|
||||
ms.reviewer:
|
||||
@ -21,8 +21,13 @@ ms.technology: mde
|
||||
# AppLocker design guide
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: AppLocker policy use scenarios (Windows 10)
|
||||
title: AppLocker policy use scenarios (Windows)
|
||||
description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
|
||||
ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f
|
||||
ms.reviewer:
|
||||
@ -21,8 +21,13 @@ ms.technology: mde
|
||||
# AppLocker policy use scenarios
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
|
||||
|
||||
@ -34,7 +39,7 @@ AppLocker can help you improve the management of application control and the mai
|
||||
|
||||
2. **Protection against unwanted software**
|
||||
|
||||
AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app is not specifically identified by its publisher, installation path, or file hash, the attempt to run the application fails.
|
||||
AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app is not identified by its publisher, installation path, or file hash, the attempt to run the application fails.
|
||||
|
||||
3. **Licensing conformance**
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: AppLocker processes and interactions (Windows 10)
|
||||
title: AppLocker processes and interactions (Windows)
|
||||
description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
|
||||
ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e
|
||||
ms.reviewer:
|
||||
@ -21,8 +21,13 @@ ms.technology: mde
|
||||
# AppLocker processes and interactions
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Policy creation for common WDAC usage scenarios (Windows 10)
|
||||
title: Policy creation for common WDAC usage scenarios (Windows)
|
||||
description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,9 +23,13 @@ ms.technology: mde
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is very common for organizations to have device use cases across each of the categories described.
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is common for organizations to have device use cases across each of the categories described.
|
||||
|
||||
## Types of devices
|
||||
|
||||
@ -34,7 +38,7 @@ Typically, deployment of Windows Defender Application Control (WDAC) happens bes
|
||||
| **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. |
|
||||
| **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request additional software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.<br>WDAC policies are supported by the HVCI service. |
|
||||
| **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. |
|
||||
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a block-list only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. |
|
||||
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. |
|
||||
|
||||
## An introduction to Lamna Healthcare Company
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Understand Windows Defender Application Control policy design decisions (Windows 10)
|
||||
title: Understand Windows Defender Application Control policy design decisions (Windows)
|
||||
description: Understand Windows Defender Application Control policy design decisions.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -22,8 +22,12 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016 and above
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic is for the IT professional and lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using Windows Defender Application Control (WDAC) within a Windows operating system environment.
|
||||
|
||||
@ -70,7 +74,7 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p
|
||||
| Possible answers | Design considerations |
|
||||
| - | - |
|
||||
| All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. WDAC rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). |
|
||||
| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows 10 tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. |
|
||||
| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. |
|
||||
|
||||
### Are there specific groups in your organization that need customized application control policies?
|
||||
|
||||
@ -79,7 +83,7 @@ Most business teams or departments have specific security requirements that pert
|
||||
| Possible answers | Design considerations |
|
||||
| - | - |
|
||||
| Yes | WDAC policies can be created unique per team, or team-specific supplemental policies can be used to expand what is allowed by a common, centrally defined base policy.|
|
||||
| No | WDAC policies can be applied globally to applications that are installed on PCs running Windows 10. Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.|
|
||||
| No | WDAC policies can be applied globally to applications that are installed on PCs running Windows 10 and Windows 11. Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.|
|
||||
|
||||
### Does your IT department have resources to analyze application usage, and to design and manage the policies?
|
||||
|
||||
@ -88,7 +92,7 @@ The time and resources that are available to you to perform the research and ana
|
||||
| Possible answers | Design considerations |
|
||||
| - | - |
|
||||
| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are constructed as simply as possible.|
|
||||
| No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. Alternatively, you can create a policy with a broad trust profile to authorize as many apps as possible. |
|
||||
| No | Consider a focused and phased deployment for specific groups by using few rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. Alternatively, you can create a policy with a broad trust profile to authorize as many apps as possible. |
|
||||
|
||||
### Does your organization have Help Desk support?
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Use code signing to simplify application control for classic Windows applications (Windows 10)
|
||||
title: Use code signing to simplify application control for classic Windows applications (Windows)
|
||||
description: With embedded signing, your WDAC policies typically do not have to be updated when an app is updated. To set this up, you can choose from a variety of methods.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -22,12 +22,16 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic covers guidelines for using code signing control classic Windows apps.
|
||||
|
||||
## Reviewing your applications: application signing and catalog files
|
||||
## Reviewing your applications: application signing and catalog files
|
||||
|
||||
Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
|
||||
|
||||
@ -49,20 +53,20 @@ To use catalog signing, you can choose from the following options:
|
||||
|
||||
### Catalog files
|
||||
|
||||
Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application.
|
||||
Catalog files (which you can create in Windows 10 and Windows 11 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application.
|
||||
|
||||
Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also.
|
||||
|
||||
After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files.
|
||||
|
||||
> [!NOTE]
|
||||
> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
|
||||
> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, Windows 2016 Server, or Windows Enterprise IoT.
|
||||
|
||||
For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
|
||||
|
||||
## Windows Defender Application Control policy formats and signing
|
||||
|
||||
When you generate a WDAC policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file.
|
||||
When you generate a WDAC policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 and Windows 11 Enterprise, along with restrictions on Windows 10 and Windows 11 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file.
|
||||
|
||||
We recommend that you keep the original XML file for use when you need to merge the WDAC policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Use the Device Guard Signing Portal in the Microsoft Store for Business (Windows 10)
|
||||
title: Use the Device Guard Signing Portal in the Microsoft Store for Business (Windows)
|
||||
description: You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -22,11 +22,14 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2019
|
||||
- Windows Server 2016
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
|
||||
|
||||
## Sign your code integrity policy
|
||||
Before you get started, be sure to review these best practices:
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Use signed policies to protect Windows Defender Application Control against tampering (Windows 10)
|
||||
description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
|
||||
title: Use signed policies to protect Windows Defender Application Control against tampering (Windows)
|
||||
description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10 and Windows 11.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
ms.prod: m365-security
|
||||
@ -22,11 +22,14 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
|
||||
Signed WDAC policies give organizations the highest level of malware protection available in Windows. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
|
||||
|
||||
Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules (Windows 10)
|
||||
title: Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules (Windows)
|
||||
description: WDAC policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -22,8 +22,12 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windows 10)
|
||||
title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windows)
|
||||
description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -22,8 +22,12 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016 and above
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy.
|
||||
|
||||
|
||||
@ -23,14 +23,18 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016 and above
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Windows 10 includes two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker.
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker.
|
||||
|
||||
## Windows Defender Application Control
|
||||
|
||||
WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC).
|
||||
WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC).
|
||||
|
||||
WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
|
||||
|
||||
@ -45,9 +49,9 @@ Note that prior to Windows 10 version 1709, Windows Defender Application Control
|
||||
|
||||
### WDAC System Requirements
|
||||
|
||||
WDAC policies can be created on any client edition of Windows 10 build 1903+, or on Windows Server 2016 and above.
|
||||
WDAC policies can be created on any client edition of Windows 10 build 1903+, or Windows 11, or on Windows Server 2016 and above.
|
||||
|
||||
WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10.
|
||||
WDAC policies can be applied to devices running any edition of Windows 10, Windows 11, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 and Windows 11 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10.
|
||||
|
||||
For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md).
|
||||
|
||||
|
||||
@ -22,8 +22,13 @@ ms.technology: mde
|
||||
# Creating a new Base Policy with the Wizard
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016 and above
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules.
|
||||
|
||||
@ -63,7 +68,7 @@ A description of each policy rule, beginning with the left-most column, is provi
|
||||
|**[Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.|
|
||||
| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
|
||||
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
|
||||
| **Require WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
|
||||
| **Require WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows–compatible driver must be WHQL certified. |
|
||||
| **Update Policy without Rebooting** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
|
||||
| **Unsigned System Integrity Policy** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
|
||||
| **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
|
||||
@ -82,7 +87,7 @@ Selecting the **+ Advanced Options** label will show another column of policy ru
|
||||
| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
|
||||
| **Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries (DLLs). |
|
||||
| **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
|
||||
| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. |
|
||||
| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later, or Windows 11 drivers will meet this requirement. |
|
||||
|
||||
|
||||
|
||||
|
||||
@ -22,12 +22,17 @@ ms.technology: mde
|
||||
# Creating a new Supplemental Policy with the Wizard
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute.
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules.
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute.
|
||||
|
||||
Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules.
|
||||
|
||||
## Expanding a Base Policy
|
||||
|
||||
|
||||
@ -22,8 +22,13 @@ ms.technology: mde
|
||||
# Editing existing base and supplemental WDAC policies with the Wizard
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016 and above
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:
|
||||
<ul>
|
||||
|
||||
@ -23,14 +23,18 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016 and above
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
The Windows Defender Application Control (WDAC) policy Wizard is an open source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects, security and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical.
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
The Windows Defender Application Control (WDAC) policy Wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical.
|
||||
|
||||
## Downloading the application
|
||||
|
||||
The WDAC Wizard can be downloaded from the official [Wizard installer website](https://bit.ly/3koHwYs) as an MSIX packaged application. The Wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit).
|
||||
The WDAC Wizard can be downloaded from the official [Wizard installer website](https://bit.ly/3koHwYs) as an MSIX packaged application. The Wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit).
|
||||
|
||||
**Supported Clients**
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Deploying Windows Defender Application Control (WDAC) policies (Windows 10)
|
||||
title: Deploying Windows Defender Application Control (WDAC) policies (Windows)
|
||||
description: Learn how to plan and implement a WDAC deployment.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,8 +23,12 @@ ms.technology: mde
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
You should now have one or more WDAC policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding.
|
||||
|
||||
## Plan your deployment
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Windows Defender Application Control design guide (Windows 10)
|
||||
description: Microsoft Windows Defender Application Control allows organizations to control what apps and drivers will run on their managed Windows 10 devices.
|
||||
title: Windows Defender Application Control design guide (Windows)
|
||||
description: Microsoft Windows Defender Application Control allows organizations to control what apps and drivers will run on their managed Windows devices.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
ms.prod: m365-security
|
||||
@ -22,19 +22,24 @@ ms.technology: mde
|
||||
# Windows Defender Application Control design guide
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization.
|
||||
|
||||
## Plan for success
|
||||
|
||||
A common refrain you may hear about application control is that it is "too hard". While it is true that application control is not as simple as flipping a switch, organizations can be very successful if they take a methodical approach and carefully plan their approach. In reality, the issues that lead to failure with application control often arise from business issues rather than technology challenges. Organizations that have successfully deployed application control have ensured the following before starting their planning:
|
||||
A common refrain you may hear about application control is that it is "too hard". While it is true that application control is not as simple as flipping a switch, organizations can be successful if they take a methodical approach and carefully plan their approach. In reality, the issues that lead to failure with application control often arise from business issues rather than technology challenges. Organizations that have successfully deployed application control have ensured the following before starting their planning:
|
||||
|
||||
- Executive sponsorship and organizational buy-in is in place.
|
||||
- There is a clear **business** objective for using application control and it is not being planned as a purely technical problem from IT.
|
||||
- The organization has a plan to handle potential helpdesk support requests for users who are blocked from running some apps.
|
||||
- The organization has considered where application control can be most useful (e.g. securing sensitive workloads or business functions) and also where it may be difficult to achieve (e.g. developer workstations).
|
||||
- The organization has considered where application control can be most useful (for example, securing sensitive workloads or business functions) and also where it may be difficult to achieve (for example, developer workstations).
|
||||
|
||||
Once these business factors are in place, you are ready to begin planning your WDAC deployment. The following topics can help guide you through your planning process.
|
||||
|
||||
@ -46,6 +51,6 @@ Once these business factors are in place, you are ready to begin planning your W
|
||||
| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
|
||||
| [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
|
||||
| [Policy creation for common WDAC usage scenarios](types-of-devices.md) | This set of topics outlines common use case scenarios and helps you begin to develop a plan for deploying WDAC in your organization. |
|
||||
| [Policy creation using the WDAC Wizard tool](wdac-wizard.md) | This set of topics describes how to use the WDAC Wizard desktop app to easily create, edit and merge WDAC policies. |
|
||||
| [Policy creation using the WDAC Wizard tool](wdac-wizard.md) | This set of topics describes how to use the WDAC Wizard desktop app to easily create, edit, and merge WDAC policies. |
|
||||
|
||||
After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Managing and troubleshooting Windows Defender Application Control policies (Windows 10)
|
||||
title: Managing and troubleshooting Windows Defender Application Control policies (Windows)
|
||||
description: Gather information about how your deployed Windows Defender Application Control policies are behaving.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,8 +23,12 @@ ms.technology: mde
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature.
|
||||
|
||||
## WDAC Events Overview
|
||||
|
||||
@ -23,8 +23,12 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016 and above
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
|
||||
|
||||
@ -37,7 +41,7 @@ Application control is a crucial line of defense for protecting enterprises give
|
||||
> [!NOTE]
|
||||
> Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
|
||||
|
||||
Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
|
||||
Windows 10 and Windows 11 include two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
|
||||
|
||||
- **Windows Defender Application Control**; and
|
||||
- **AppLocker**
|
||||
|
||||
Reference in New Issue
Block a user