From 2ec15d173352969d2c4cdfa1e14b5a7a862707a6 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 2 May 2018 08:59:00 -0700 Subject: [PATCH 1/2] added known issue for msi files --- ...er-application-control-deployment-guide.md | 26 ++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index a4d05d50a0..5cd18cac3b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/02/2018 --- # Planning and getting started on the Windows Defender Application Control deployment process @@ -60,5 +60,25 @@ This topic provides a roadmap for planning and getting started on the Windows De 8. Enable desired virtualization-based security (VBS) features. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control. - > [!WARNING] - > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). +## Known issues + +This section covers known issues with WDAC and Device Guard. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error). +Test this configuration in your lab before enabling it in production. + +### MSI Installations are blocked by WDAC + +Installing .msi files directly from the internet to a computer protected by WDAC will fail. +For example, this command will not work: + +```code +msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi +``` + +As a workaround, download the MSI file and run it locally: + + +```code +msiexec –i c:\temp\Windows10_Version_1511_ADMX.msi +``` + + From 5490b605f4ee316b40de443bdaac16184d0d5e2d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 16 May 2018 09:54:24 -0700 Subject: [PATCH 2/2] updated date --- .../windows-defender-application-control-deployment-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index d024620fc9..c61f2f8a64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: jsuther1974 -ms.date: 05/03/2018 +ms.date: 05/16/2018 --- # Planning and getting started on the Windows Defender Application Control deployment process