From 16043d7fb8e4855daf6e740fc560d5a7c98c0ef7 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 28 Mar 2018 12:11:31 -0700 Subject: [PATCH 1/7] added link to prerequisites --- .../application-management/app-v/appv-getting-started.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index c70689420c..447b1277d6 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -6,18 +6,18 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 03/28/2018 --- # Getting Started with App-V for Windows 10 **Applies to** -- Windows 10, version 1607 +- Windows 10 Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally. -With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise). If you are new to Windows 10 and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. For information about what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md). +With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise). If you are new to Windows 10 and App-V, review which versions of Windows are supported and have the necessary software preinstalled in the [App-V for Windows 10 Prerequisites](appv-prerequisites.md). If you’re already using App-V, performing an in-place upgrade to Windows 10 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md). From ce67a7a1615992919bbac1e0cb888d3081ab4ff7 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 28 Mar 2018 12:53:43 -0700 Subject: [PATCH 2/7] added link to blog post --- .../device-guard/deploy-managed-installer-for-device-guard.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md b/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md index c3cefa3e19..b97a44ed0e 100644 --- a/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md +++ b/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md @@ -45,7 +45,9 @@ There are three primary steps to keep in mind: The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection. Currently the AppLocker policy creation UI and cmdlets do not allow for directly specifying rules for the Managed Installer rule collection, however a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller". -An example of a valid Managed Installer rule collection is shown below. +An example of a valid Managed Installer rule collection is shown below. +For more information about creating an AppLocker policy that includes a managed installer and configuring client devices, see [Simplify application whitelisting with Configuration Manager and Windows 10](https://cloudblogs.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/). + ```code From 73519b17a6381db7a1e0b4fc4aa0be54724dc0bf Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 29 Mar 2018 13:18:59 -0700 Subject: [PATCH 3/7] move azure up --- ...ows-defender-advanced-threat-protection.md | 123 +++++++++--------- 1 file changed, 64 insertions(+), 59 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 67f8c2bdd0..0ced4ceb82 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -40,6 +40,70 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). + +### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher + +1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Select **Endpoint management** > **Clients** on the **Navigation pane**. + + b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. + + ![Endpoint onboarding](images/atp-mdm-onboarding-package.png) + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*. + +3. Login to the [Microsoft Azure portal](https://portal.azure.com). + +4. From the Intune blade, choose **Device configuration**. + + ![Image of device configuration menu in Microsoft Azure](images/atp-azure-intune-device-config.png) + +5. Under **Manage**, choose **Profiles** and click **Create Profile**. + + ![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png) + +6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type. + + ![Image of naming a policy](images/atp-intune-custom.png) + +7. Click **Settings** > **Configure**. + + ![Image of settings](images/atp-intune-configure.png) + +8. Under Custom OMA-URI Settings, click **Add**. + + ![Image of configuration settings](images/atp-custom-oma-uri.png) + +9. Enter the following values, then click **OK**. + + ![Image of profile creation](images/atp-oma-uri-values.png) + + - **Name**: Type a name for the setting. + - **Description**: Type a description for the setting. + - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_ + - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded. + +10. Save the settings by clicking **OK**. + +11. Click **Create**. + + ![Image of the policy being created](images/atp-intune-create-policy.png) + +12. To deploy the Profile, click **Assignments**. + + ![Image of groups](images/atp-intune-assignments.png) + +13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**. + + ![Image of groups](images/atp-intune-group.png) + +14. Click **Save** to finish deploying the Configuration Profile. + + ![Image of deployment](images/atp-intune-save-deployment.png) + + + ### Onboard and monitor endpoints using the classic Intune console 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): @@ -117,66 +181,7 @@ Configuration for onboarded machines: diagnostic data reporting frequency | ./De >[!TIP] > After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). -### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher -1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - - a. Select **Endpoint management** > **Clients** on the **Navigation pane**. - - b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. - - ![Endpoint onboarding](images/atp-mdm-onboarding-package.png) - -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*. - -3. Login to the [Microsoft Azure portal](https://portal.azure.com). - -4. From the Intune blade, choose **Device configuration**. - - ![Image of device configuration menu in Microsoft Azure](images/atp-azure-intune-device-config.png) - -5. Under **Manage**, choose **Profiles** and click **Create Profile**. - - ![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png) - -6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type. - - ![Image of naming a policy](images/atp-intune-custom.png) - -7. Click **Settings** > **Configure**. - - ![Image of settings](images/atp-intune-configure.png) - -8. Under Custom OMA-URI Settings, click **Add**. - - ![Image of configuration settings](images/atp-custom-oma-uri.png) - -9. Enter the following values, then click **OK**. - - ![Image of profile creation](images/atp-oma-uri-values.png) - - - **Name**: Type a name for the setting. - - **Description**: Type a description for the setting. - - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_ - - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded. - -10. Save the settings by clicking **OK**. - -11. Click **Create**. - - ![Image of the policy being created](images/atp-intune-create-policy.png) - -12. To deploy the Profile, click **Assignments**. - - ![Image of groups](images/atp-intune-assignments.png) - -13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**. - - ![Image of groups](images/atp-intune-group.png) - -14. Click **Save** to finish deploying the Configuration Profile. - - ![Image of deployment](images/atp-intune-save-deployment.png) ### Offboard and monitor endpoints From dbb55cad2f2758c5f8c381cfa31b8ce7f44420dc Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Fri, 30 Mar 2018 14:57:31 +0000 Subject: [PATCH 4/7] Merged PR 6780: Remove link to unpublished download --- devices/surface-hub/surface-hub-downloads.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md index 33ef0f983f..71706b04fe 100644 --- a/devices/surface-hub/surface-hub-downloads.md +++ b/devices/surface-hub/surface-hub-downloads.md @@ -31,7 +31,7 @@ This topic provides links to useful Surface Hub documents, such as product datas | [Rolling Stand Mounting and Assembly Guide (PDF)](http://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Rolling_Stands_EN-FR-ES-NL-DE-IT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the rolling stand, and how to mount your Surface Hub onto it. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/1f/94/1f949613-3e4a-41e3-ad60-fe8aa7134115.mov?n=04.07.16_installation_video_04_rolling_stand_mount.mov) | | [Mounts and Stands Datasheet (PDF)](http://download.microsoft.com/download/5/0/1/501F98D9-1BCC-4448-A1DB-47056CEE33B6/20160711_Surface_Hub_Mounts_and_Stands_Datasheet.pdf) | Specifications and prices for all Surface Hub add-on stands and mounts that turn your workspace into a Surface Hub workspace. | | [Surface Hub Stand and Wall Mount Specifications (PDF)](http://download.microsoft.com/download/7/A/7/7A75BD0F-5A46-4BCE-B313-A80E47AEB581/20160720_Combined_Stand_Wall_Mount_Drawings.pdf) | Illustrated specifications for the 55” and 84” Surface Hub rolling stands, wall mounts, and floor-supported wall mounts. | -| [Surface Hub Onsite Installation and Onsite Repair/Exchange Services FAQ (PDF)](http://download.microsoft.com/download/B/D/1/BD16D7C5-2662-4B7D-9C98-272CEB11A6F3/20160816%20SurfaceHub_Onsite%20Services%20FAQs%20FINAL.PDF) | Get answers to the most common questions about Surface Hub onsite service offerings and delivery. | + From c13a02748cf5c8989d0f9b0f9a429b992e7fd779 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 30 Mar 2018 10:03:54 -0700 Subject: [PATCH 5/7] fixed how to open GPEdit --- ...group-policy-management-console-to-windows-firewall.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 7ce6c1be29..c7078281bc 100644 --- a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -18,10 +18,8 @@ ms.date: 08/17/2017 To open a GPO to Windows Defender Firewall: -1. Open the Active Directory Users and Computers console. +1. Open the Group Policy Management console. -2. In the navigation pane, expand *YourDomainName*, right-click the container that your GPO is linked to, and then click **Properties**. +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. -3. Click the **Group Policy** tab, select your GPO, and then click **Edit**. - -4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**. \ No newline at end of file +3. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**. \ No newline at end of file From e00e7d0b0fe068c8bf570302076568e654e90680 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Fri, 30 Mar 2018 17:23:26 +0000 Subject: [PATCH 6/7] Merged PR 6783: Added warning about custom shell leading to undeployable image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added warning about custom shell leading to undeployable image - per request from partners, dev, and PMs. @ - can you take a look? I can forward you the thread that led to this request, if needed. Here's part of the thread, from Michael Niehaus: The “hide shell” setup is really just a “RunOnce” entry that never really finishes – it might reboot the machine and run again, and eventually runs out of commands to process so at that point it exits. So that is still using Explorer.exe as John said. There was a question on EShell.exe too: I believe that’s a creation of the Embedded team (I believe Suma has some background) that was later integrated into standard Windows SKUs. Back to John’s question though: is it fair to make the statement that setting a custom shell prior to OOBE won’t result in a deployable image? That’s been true for a couple of releases now, and I don’t think that necessarily directly impacts the scenarios that Michael has highlighted as uses of custom shell, but I want to confirm. Thanks, -Michael --- windows/configuration/setup-kiosk-digital-signage.md | 5 +++-- windows/configuration/wcd/wcd-smisettings.md | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md index 1d0f5bbcc6..c9b84f0646 100644 --- a/windows/configuration/setup-kiosk-digital-signage.md +++ b/windows/configuration/setup-kiosk-digital-signage.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: high -ms.date: 03/23/2018 +ms.date: 03/30/2018 --- # Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education @@ -284,7 +284,8 @@ Using Shell Launcher, you can configure a kiosk device that runs a Classic Windo >You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). >[!WARNING] ->Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. +>- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. +>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. ### Requirements diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md index 9be7d411e7..fdc91f9f6c 100644 --- a/windows/configuration/wcd/wcd-smisettings.md +++ b/windows/configuration/wcd/wcd-smisettings.md @@ -7,7 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.date: 03/30/2018 --- # SMISettings (Windows Configuration Designer reference) @@ -94,6 +94,9 @@ When you **enable** KeyboardFilter, a number of other settings become available Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications). +>[!WARNING] +>Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. + You can also configure ShellLauncher to launch different shell applications for different users or user groups. >[!IMPORTANT] From d9fdf65f41dbfd3d5a83be97e8658ef39f6fefb6 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 30 Mar 2018 10:40:03 -0700 Subject: [PATCH 7/7] fixed links --- ...g-files-to-support-windows-defender-application-control.md | 2 +- ...efender-application-control-policy-rules-and-file-rules.md | 4 ++-- .../steps-to-deploy-windows-defender-application-control.md | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md index 1cdb8061a7..0d9c04fc68 100644 --- a/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -146,7 +146,7 @@ After the catalog file is signed, add the signing certificate to a WDAC policy, 1. If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect. -2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a WDAC policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**: +2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to create a WDAC policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**: ` New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs` diff --git a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md index 891d33a3be..909c8b6e52 100644 --- a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md +++ b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md @@ -105,13 +105,13 @@ Table 3. Windows Defender Application Control policy - file rule levels | **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. | | **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. | -> **Note**  When you create WDAC policies with the [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. +> **Note**  When you create WDAC policies with the [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. ## Example of file rule levels in use For example, consider some IT professionals in a department that runs many servers. They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run. -To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge WDAC policies into the original policy to allow that additional software to run. Then they enable the WDAC policy in enforced mode for their servers. +To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge WDAC policies into the original policy to allow that additional software to run. Then they enable the WDAC policy in enforced mode for their servers. As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If they come to a time when the internally-written, unsigned application must be updated, they must also update the WDAC policy so that the hash in the policy matches the hash of the updated internal application. diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md index be8ccb2590..64881457e7 100644 --- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md @@ -797,7 +797,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` -2. Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a new WDAC policy by scanning the system for installed applications: +2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to create a new WDAC policy by scanning the system for installed applications: ` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt ` @@ -887,7 +887,7 @@ Use the following procedure after you have been running a computer with a WDAC p ` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` -3. Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. +3. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt`