mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge pull request #5538 from MicrosoftDocs/aljupudi-w11defender-branch01
TASK 5358645: Windows 11 Inclusion Update -01
This commit is contained in:
Rebecca Agiewich
GitHub
commit
3dc06dfbc0
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows 10)
|
||||
title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows)
|
||||
description: Using WDAC supplemental policies, you can expand the S mode base policy on your Intune-managed devices.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,8 +23,12 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications as well as Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices.
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications and Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows in S mode devices.
|
||||
|
||||
With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization".
|
||||
|
||||
@ -42,18 +46,18 @@ The general steps for expanding the S mode base policy on your Intune-managed de
|
||||
Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy.
|
||||
|
||||
Below are a basic set of instructions for creating an S mode supplemental policy:
|
||||
- Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps)
|
||||
- Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true)
|
||||
|
||||
```powershell
|
||||
New-CIPolicy -MultiplePolicyFormat -ScanPath <path> -UserPEs -FilePath "<path>\SupplementalPolicy.xml" -Level Publisher -Fallback Hash
|
||||
```
|
||||
- Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps)
|
||||
- Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps&preserve-view=true)
|
||||
|
||||
```powershell
|
||||
Set-CIPolicyIdInfo -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath "<path>\SupplementalPolicy.xml"
|
||||
```
|
||||
Policies which are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this is the S mode policy ID.
|
||||
- Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps)
|
||||
- Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps&preserve-view=true)
|
||||
|
||||
```powershell
|
||||
Set-RuleOption -FilePath "<path>\SupplementalPolicy.xml>" -Option 3 –Delete
|
||||
@ -64,7 +68,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
|
||||
```powershell
|
||||
Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User -Update
|
||||
```
|
||||
- Convert to .bin using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
|
||||
- Convert to .bin using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps&preserve-view=true)
|
||||
|
||||
```powershell
|
||||
ConvertFrom-CIPolicy -XmlFilePath "<path>\SupplementalPolicy.xml" -BinaryFilePath "<path>\SupplementalPolicy.bin>
|
||||
@ -81,7 +85,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
|
||||
Go to the Azure portal online and navigate to the Microsoft Intune page, then go to the Client apps blade and select 'S mode supplemental policies'. Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these expand the S mode base policy on the device.
|
||||
|
||||
> [!Note]
|
||||
> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps) for information on setting the version number.
|
||||
> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number.
|
||||
|
||||
## Standard Process for Deploying Apps through Intune
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Allow COM object registration in a WDAC policy (Windows 10)
|
||||
title: Allow COM object registration in a WDAC policy (Windows)
|
||||
description: You can allow COM object registration in a Windows Defender Application Control policy.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -22,11 +22,14 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows Server 2019
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
>[!IMPORTANT]
|
||||
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
|
||||
>Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
|
||||
|
||||
The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Use audit events to create then enforce WDAC policy rules (Windows 10)
|
||||
title: Use audit events to create then enforce WDAC policy rules (Windows)
|
||||
description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,8 +23,12 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
|
||||
|
||||
While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Use audit events to create WDAC policy rules (Windows 10)
|
||||
title: Use audit events to create WDAC policy rules (Windows)
|
||||
description: Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,8 +23,12 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
|
||||
|
||||
While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed.
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Configure authorized apps deployed with a WDAC-managed installer (Windows 10)
|
||||
description: Explains how to configure a custom Manged Installer.
|
||||
title: Configure authorized apps deployed with a WDAC-managed installer (Windows)
|
||||
description: Explains about how to configure a custom Manged Installer.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
ms.prod: m365-security
|
||||
@ -23,7 +23,11 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2019
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager.
|
||||
|
||||
@ -73,7 +77,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker
|
||||
|
||||
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the changes that are needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
|
||||
|
||||
1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability.
|
||||
1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability.
|
||||
|
||||
```powershell
|
||||
Get-ChildItem <exe filepath> | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Configure a WDAC managed installer (Windows 10)
|
||||
title: Configure a WDAC managed installer (Windows)
|
||||
description: Explains how to configure a custom Manged Installer.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,7 +23,11 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2019
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled.
|
||||
There are three primary steps to keep in mind:
|
||||
@ -40,7 +44,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker
|
||||
|
||||
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
|
||||
|
||||
1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability.
|
||||
1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability.
|
||||
|
||||
```powershell
|
||||
Get-ChildItem <exe filepath> | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml
|
||||
@ -126,7 +130,7 @@ For example:
|
||||
In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy.
|
||||
This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13.
|
||||
|
||||
Below are steps to create a WDAC policy which allows Windows to boot and enables the managed installer option.
|
||||
Below are steps to create a WDAC policy that allows Windows to boot and enables the managed installer option.
|
||||
|
||||
1. Copy the DefaultWindows_Audit policy into your working folder from C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Create a code signing cert for Windows Defender Application Control (Windows 10)
|
||||
title: Create a code signing cert for Windows Defender Application Control (Windows)
|
||||
description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,7 +23,11 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
|
||||
|
||||
@ -75,7 +79,7 @@ When this certificate template has been created, you must publish it to the CA p
|
||||
|
||||
2. Select the WDAC Catalog signing certificate, and then click **OK**.
|
||||
|
||||
Now that the template is available to be issued, you must request one from the computer running Windows 10 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps:
|
||||
Now that the template is available to be issued, you must request one from the computer running Windows 10 and Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps:
|
||||
|
||||
1. In MMC, from the **File** menu, click **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows 10)
|
||||
title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows)
|
||||
description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,9 +23,13 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc...
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc.
|
||||
|
||||
For this example, you must initiate variables to be used during the creation process or use the full file paths in the command.
|
||||
Then create the WDAC policy by scanning the system for installed applications.
|
||||
@ -35,7 +39,7 @@ The policy file is converted to binary format when it gets created so that Windo
|
||||
|
||||
A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. WDAC policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional WDAC policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md).
|
||||
|
||||
Optionally, WDAC can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
|
||||
Optionally, WDAC can align with your software catalog and any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged, or serviced, and managed.
|
||||
|
||||
If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Create a WDAC policy for fully-managed devices (Windows 10)
|
||||
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
|
||||
title: Create a WDAC policy for fully managed devices (Windows)
|
||||
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in system core.
|
||||
keywords: security, malware
|
||||
ms.topic: conceptual
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -19,29 +19,33 @@ ms.date: 11/20/2019
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Create a WDAC policy for fully-managed devices
|
||||
# Create a WDAC policy for fully managed devices
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This section outlines the process to create a WDAC policy for **fully-managed devices** within an organization. The key difference between this scenario and [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully-managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully-managed devices should ideally run as standard user and only authorized IT pros have administrative access.
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This section outlines the process to create a WDAC policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
|
||||
|
||||
> [!NOTE]
|
||||
> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
|
||||
> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
|
||||
|
||||
As described in [common WDAC deployment scenarios](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
|
||||
|
||||
**Alice Pena** is the IT team lead tasked with the rollout of WDAC.
|
||||
|
||||
Alice previously created a policy for the organization's lightly-managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and task-workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT.
|
||||
Alice previously created a policy for the organization's lightly managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and firstline workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT.
|
||||
|
||||
## Define the "circle-of-trust" for fully-managed devices
|
||||
## Define the "circle-of-trust" for fully managed devices
|
||||
|
||||
Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully-managed devices:
|
||||
Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed devices:
|
||||
|
||||
- All clients are running Windows 10 version 1903 or above;
|
||||
- All clients are running Windows 10 version 1903 or above or Windows 11;
|
||||
- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
|
||||
|
||||
> [!NOTE]
|
||||
@ -55,15 +59,15 @@ Alice's team develops a simple console application, called *LamnaITInstaller.exe
|
||||
|
||||
Based on the above, Alice defines the pseudo-rules for the policy:
|
||||
|
||||
1. **“Windows works”** rules which authorizes:
|
||||
1. **“Windows works”** rules that authorize:
|
||||
- Windows
|
||||
- WHQL (3rd party kernel drivers)
|
||||
- Windows Store signed apps
|
||||
|
||||
2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function
|
||||
2. **"MEMCM works”** rules that include signer and hash rules for MEMCM components to properly function
|
||||
3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer)
|
||||
|
||||
The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are:
|
||||
The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are:
|
||||
|
||||
- Removal of the Intelligent Security Graph (ISG) option; and
|
||||
- Removal of filepath rules.
|
||||
@ -77,7 +81,7 @@ Alice follows these steps to complete this task:
|
||||
> [!NOTE]
|
||||
> If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
|
||||
|
||||
1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above.
|
||||
1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11.
|
||||
|
||||
2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
|
||||
|
||||
@ -129,12 +133,12 @@ Alice follows these steps to complete this task:
|
||||
|
||||
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
|
||||
|
||||
## Security considerations of this fully-managed policy
|
||||
## Security considerations of this fully managed policy
|
||||
|
||||
Alice has defined a policy for Lamna's fully-managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include:
|
||||
Alice has defined a policy for Lamna's fully managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include:
|
||||
|
||||
- **Users with administrative access**<br>
|
||||
Although applying to fewer users, Lamna still allows some IT staff to log in to its fully-managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
|
||||
Although applying to fewer users, Lamna still allows some IT staff to log in to its fully managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
|
||||
|
||||
Possible mitigations:
|
||||
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
|
||||
@ -160,7 +164,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra
|
||||
Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
|
||||
|
||||
Possible mitigations:
|
||||
- Use signed WDAC policies which allow authorized signed supplemental policies only.
|
||||
- Use signed WDAC policies that allow authorized signed supplemental policies only.
|
||||
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
|
||||
|
||||
## Up next
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Create a WDAC policy for lightly-managed devices (Windows 10)
|
||||
title: Create a WDAC policy for lightly managed devices (Windows)
|
||||
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
|
||||
keywords: security, malware
|
||||
ms.topic: conceptual
|
||||
@ -19,29 +19,33 @@ ms.date: 11/15/2019
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Create a WDAC policy for lightly-managed devices
|
||||
# Create a WDAC policy for lightly managed devices
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This section outlines the process to create a WDAC policy for **lightly-managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics.
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This section outlines the process to create a WDAC policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later topics.
|
||||
|
||||
> [!NOTE]
|
||||
> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
|
||||
> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
|
||||
|
||||
As in the [previous topic](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
|
||||
|
||||
**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with very loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads.
|
||||
**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads.
|
||||
|
||||
For the majority of users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value.
|
||||
|
||||
## Define the "circle-of-trust" for lightly-managed devices
|
||||
## Define the "circle-of-trust" for lightly managed devices
|
||||
|
||||
Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly-managed devices, which currently includes most end-user devices:
|
||||
Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly managed devices, which currently include most end-user devices:
|
||||
|
||||
- All clients are running Windows 10 version 1903 or above;
|
||||
- All clients are running Windows 10 version 1903 and above, or Windows 11;
|
||||
- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
|
||||
|
||||
> [!NOTE]
|
||||
@ -53,12 +57,12 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo
|
||||
|
||||
Based on the above, Alice defines the pseudo-rules for the policy:
|
||||
|
||||
1. **“Windows works”** rules which authorizes:
|
||||
1. **“Windows works”** rules that authorize:
|
||||
- Windows
|
||||
- WHQL (3rd party kernel drivers)
|
||||
- Windows Store signed apps
|
||||
|
||||
2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function
|
||||
2. **"MEMCM works”** rules which include signer and hash rules for MEMCM components to properly function
|
||||
3. **Allow Managed Installer** (MEMCM configured as a managed installer)
|
||||
4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
|
||||
5. **Admin-only path rules** for the following locations:
|
||||
@ -68,14 +72,14 @@ Based on the above, Alice defines the pseudo-rules for the policy:
|
||||
|
||||
## Create a custom base policy using an example WDAC base policy
|
||||
|
||||
Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
|
||||
Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
|
||||
|
||||
Alice follows these steps to complete this task:
|
||||
|
||||
> [!NOTE]
|
||||
> If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
|
||||
|
||||
1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above.
|
||||
1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11.
|
||||
|
||||
2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
|
||||
|
||||
@ -137,12 +141,12 @@ Alice follows these steps to complete this task:
|
||||
|
||||
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
|
||||
|
||||
## Security considerations of this lightly-managed policy
|
||||
## Security considerations of this lightly managed policy
|
||||
|
||||
In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
|
||||
|
||||
- **Users with administrative access**<br>
|
||||
By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
|
||||
By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
|
||||
|
||||
Possible mitigations:
|
||||
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
|
||||
@ -164,13 +168,13 @@ In order to minimize user productivity impact, Alice has defined a policy that m
|
||||
See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
|
||||
|
||||
Possible mitigations:
|
||||
- Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature based rules.
|
||||
- Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
|
||||
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
|
||||
- **Supplemental policies**<br>
|
||||
Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
|
||||
|
||||
Possible mitigations:
|
||||
- Use signed WDAC policies which allow authorized signed supplemental policies only.
|
||||
- Use signed WDAC policies that allow authorized signed supplemental policies only.
|
||||
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
|
||||
- **FilePath rules**<br>
|
||||
See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
|
||||
@ -181,5 +185,5 @@ In order to minimize user productivity impact, Alice has defined a policy that m
|
||||
|
||||
## Up next
|
||||
|
||||
- [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
|
||||
- [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md)
|
||||
- [Prepare to deploy WDAC policies](windows-defender-application-control-deployment-guide.md)
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Deploy catalog files to support Windows Defender Application Control (Windows 10)
|
||||
title: Deploy catalog files to support Windows Defender Application Control (Windows)
|
||||
description: Catalog files simplify running unsigned applications in the presence of a Windows Defender Application Control (WDAC) policy.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,7 +23,11 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Catalog files can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create WDAC policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Use multiple Windows Defender Application Control Policies (Windows 10)
|
||||
title: Use multiple Windows Defender Application Control Policies (Windows)
|
||||
description: Windows Defender Application Control supports multiple code integrity policies for one device.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -22,8 +22,12 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 version 1903 and above
|
||||
- Windows Server 2022 and above
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Prior to Windows 10 1903, WDAC only supported a single active policy on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Deploy WDAC policies via Group Policy (Windows 10)
|
||||
title: Deploy WDAC policies via Group Policy (Windows)
|
||||
description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,10 +23,14 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
> Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, we recommend using an alternative method for policy deployment.
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
> [!NOTE]
|
||||
> Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
|
||||
|
||||
Single-policy format WDAC policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
|
||||
|
||||
@ -61,4 +65,4 @@ To deploy and manage a WDAC policy with Group Policy:
|
||||
> [!NOTE]
|
||||
> You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
|
||||
|
||||
7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the WDAC policy.
|
||||
7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the WDAC policy.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows 10)
|
||||
title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows)
|
||||
description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -22,13 +22,18 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager (MEM) Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
|
||||
|
||||
## Use Intune's built-in policies
|
||||
|
||||
Intune's built-in WDAC support allows you to configure Windows 10 client computers to only run:
|
||||
Intune's built-in WDAC support allows you to configure Windows client computers to only run:
|
||||
|
||||
- Windows components
|
||||
- 3rd party hardware and software kernel drivers
|
||||
@ -36,7 +41,7 @@ Intune's built-in WDAC support allows you to configure Windows 10 client compute
|
||||
- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
|
||||
|
||||
> [!NOTE]
|
||||
> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ as described later in this topic.
|
||||
> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
|
||||
|
||||
> [!NOTE]
|
||||
> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP will always request a reboot when applying WDAC policies. You can use Intune's custom OMA-URI feature with the ApplicationControl CSP to deploy your own WDAC policies rebootlessly.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Disable Windows Defender Application Control policies (Windows 10)
|
||||
title: Disable Windows Defender Application Control policies (Windows)
|
||||
description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,7 +23,11 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic covers how to disable unsigned or signed WDAC policies.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Enforce Windows Defender Application Control (WDAC) policies (Windows 10)
|
||||
title: Enforce Windows Defender Application Control (WDAC) policies (Windows)
|
||||
description: Learn how to switch a WDAC policy from audit to enforced mode.
|
||||
keywords: security, malware
|
||||
ms.prod: m365-security
|
||||
@ -21,12 +21,16 @@ ms.localizationpriority: medium
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
You should now have one or more WDAC policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode.
|
||||
|
||||
> [!NOTE]
|
||||
> Some of the steps described in this article only apply to Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features. Evaluate the impact for any features that may be unavailable on your clients running earlier versions of Windows 10 and Windows Server. You may need to adapt this guidance to meet your specific organization's needs.
|
||||
> Some of the steps described in this article only apply to Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features. Evaluate the impact for any features that may be unavailable on your clients running earlier versions of Windows 10 and Windows Server. You may need to adapt this guidance to meet your specific organization's needs.
|
||||
|
||||
## Convert WDAC **base** policy from audit to enforced
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Example Windows Defender Application Control (WDAC) base policies (Windows 10)
|
||||
title: Example Windows Defender Application Control (WDAC) base policies (Windows)
|
||||
description: When creating a WDAC policy for an organization, start from one of the many available example base policies.
|
||||
keywords: security, malware
|
||||
ms.topic: article
|
||||
@ -24,8 +24,12 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
When creating policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that can be used, or organizations that use the Device Guard Signing Service can download a starter policy from that service.
|
||||
|
||||
## Example Base Policies
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Feature Availability
|
||||
title: Windows Defender Application Control Feature Availability
|
||||
description: Compare WDAC and AppLocker feature availability.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -19,20 +19,24 @@ ms.custom: asr
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# WDAC and AppLocker feature availability
|
||||
# Windows Defender Application Control and AppLocker feature availability
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more.
|
||||
|
||||
| Capability | WDAC | AppLocker |
|
||||
|-------------|------|-------------|
|
||||
| Platform support | Available on Windows 10 | Available on Windows 8+ |
|
||||
| Platform support | Available on Windows 10 and Windows 11 | Available on Windows 8+ |
|
||||
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs. |
|
||||
| Management solutions | <ul><li>[Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>MEMCM (custom policy deployment via Software Distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
|
||||
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
|
||||
| Kernel mode policies | Available on all Windows 10 versions | Not available |
|
||||
| Kernel mode policies | Available on all Windows 10 versions and Windows 11 | Not available |
|
||||
| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
|
||||
| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available |
|
||||
| Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available |
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Manage packaged apps with WDAC (Windows 10)
|
||||
title: Manage packaged apps with WDAC (Windows)
|
||||
description: Packaged apps, also known as Universal Windows apps, allow you to control the entire app by using a single Windows Defender Application Control (WDAC) rule.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,7 +23,11 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Merge Windows Defender Application Control policies (WDAC) (Windows 10)
|
||||
title: Merge Windows Defender Application Control policies (WDAC) (Windows)
|
||||
description: Learn how to merge WDAC policies as part of your policy lifecycle management.
|
||||
keywords: security, malware
|
||||
ms.prod: m365-security
|
||||
@ -21,8 +21,12 @@ ms.localizationpriority: medium
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases.
|
||||
|
||||
> [!NOTE]
|
||||
@ -87,7 +91,7 @@ Now that you have your new, merged policy, you can convert and deploy the policy
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> In the sample commands above, for policies targeting Windows 10 version 1903+, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name.
|
||||
> In the sample commands above, for policies targeting Windows 10 version 1903+ or Windows 11, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name.
|
||||
|
||||
2. Upload your merged policy XML and the associated binary to the source control solution you are using for your WDAC policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Microsoft recommended block rules (Windows 10)
|
||||
title: Microsoft recommended block rules (Windows)
|
||||
description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,7 +23,11 @@ ms.date: 08/23/2021
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016 or later
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Microsoft recommended driver block rules (Windows 10)
|
||||
title: Microsoft recommended driver block rules (Windows)
|
||||
description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
|
||||
keywords: security, malware, kernel mode, driver
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -22,9 +22,13 @@ ms.date:
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices:
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices:
|
||||
|
||||
- Hypervisor-protected code integrity (HVCI) enabled devices
|
||||
- Windows 10 in S mode (S mode) devices
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Plan for WDAC policy management (Windows 10)
|
||||
title: Plan for WDAC policy management (Windows)
|
||||
description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -23,8 +23,12 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
|
||||
|
||||
## Policy XML lifecycle management
|
||||
@ -49,10 +53,10 @@ To effectively manage WDAC policies, you should store and maintain your policy X
|
||||
|
||||
### Set PolicyName, PolicyID, and Version metadata for each policy
|
||||
|
||||
Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing WDAC events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system auto-generate a unique ID for the policy.
|
||||
Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing WDAC events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy.
|
||||
|
||||
> [!NOTE]
|
||||
> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-windows-defender-application-control-policies.md) on computers running Windows 10, version 1903 and above. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10.
|
||||
> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-windows-defender-application-control-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10.
|
||||
> PolicyID should be set only once per policy and use different PolicyID's for the audit and enforced mode versions of each policy.
|
||||
|
||||
In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion) cmdlet to increment the policy's internal version number when you make changes to the policy. The version must be defined as a standard four-part version string (e.g. "1.0.0.0").
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows 10)
|
||||
description: Learn how WDAC policy rules and file rules can control your Windows 10 computers.
|
||||
title: Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows)
|
||||
description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
ms.prod: m365-security
|
||||
@ -23,9 +23,13 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Windows Defender Application Control (WDAC) can control what runs on Windows 10 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
|
||||
|
||||
Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
|
||||
|
||||
## Windows Defender Application Control policy rules
|
||||
|
||||
@ -58,10 +62,10 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
|
||||
| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes |
|
||||
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and the certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. | Yes |
|
||||
| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | Yes |
|
||||
| **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. | No |
|
||||
| **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and Windows 11 drivers will meet this requirement. | No |
|
||||
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
|
||||
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No |
|
||||
| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. | No |
|
||||
| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
|
||||
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No |
|
||||
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
|
||||
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | Yes |
|
||||
|
||||
@ -46,7 +46,7 @@ In the next set of topics, we will explore each of the above scenarios using a f
|
||||
|
||||
Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
|
||||
|
||||
Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
|
||||
Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
|
||||
|
||||
> [!NOTE]
|
||||
> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user