mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 05:13:40 +00:00
split steps
This commit is contained in:
Justin Hall
@ -14,97 +14,3 @@ ms.date: 02/27/2018
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Windows Defender Application Control (WDAC) provides control over a computer running Windows 10 by using policies that specify whether a driver or application is trusted and can be run. A policy includes *policy rules* that control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a WDAC policy, and *file rules* (or *file rule levels*) that specify the level at which applications will be identified and trusted.
|
||||
|
||||
## Overview of the process of creating Windows Defender Application Control policies
|
||||
|
||||
A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. WDAC policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional WDAC policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
|
||||
|
||||
> **Note** Each computer can have only **one** WDAC policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **<EFI System Partition>\\Microsoft\\Boot**. Keep this in mind when you create your WDAC policies.
|
||||
|
||||
Optionally, WDAC can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
|
||||
|
||||
If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
|
||||
|
||||
## Windows Defender Application Control policy rules
|
||||
|
||||
To modify the policy rule options of an existing WDAC policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
|
||||
|
||||
- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
|
||||
|
||||
` Set-RuleOption -FilePath <Path to policy> -Option 0`
|
||||
|
||||
Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Windows Defender Application Control will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option.
|
||||
|
||||
- To disable UMCI on an existing WDAC policy, delete rule option 0 by running the following command:
|
||||
|
||||
` Set-RuleOption -FilePath <Path to policy> -Option 0 -Delete`
|
||||
|
||||
You can set several rule options within a WDAC policy. Table 2 describes each rule option.
|
||||
|
||||
> [!NOTE]
|
||||
> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
|
||||
|
||||
**Table 2. Windows Defender Application Control policy - policy rule options**
|
||||
|
||||
| Rule option | Description |
|
||||
|------------ | ----------- |
|
||||
| **0 Enabled:UMCI** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
|
||||
| **1 Enabled:Boot Menu Protection** | This option is not currently supported. |
|
||||
| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
|
||||
| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the WDAC policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a WDAC policy, delete this option. |
|
||||
| **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. |
|
||||
| **5 Enabled:Inherit Default Policy** | This option is not currently supported. |
|
||||
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
|
||||
| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. |
|
||||
| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
|
||||
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
|
||||
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
|
||||
| **11 Disabled:Script Enforcement** | This option is not currently supported. |
|
||||
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. |
|
||||
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as System Center Configuration Manager, that has been defined as a managed installer. |
|
||||
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
|
||||
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.|
|
||||
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
|
||||
|
||||
## Windows Defender Application Control file rule levels
|
||||
|
||||
File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as fine-tuned as the hash of each binary or as general as a CA certificate. You specify file rule levels both when you create a new WDAC policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, WDAC policies combine their file rules, so that any application that would be allowed by either of the original policies will be allowed by the combined policy.
|
||||
|
||||
Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Windows Defender Application Control deployment scenario.
|
||||
|
||||
Table 3. Windows Defender Application Control policy - file rule levels
|
||||
|
||||
| Rule level | Description |
|
||||
|----------- | ----------- |
|
||||
| **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
|
||||
| **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. |
|
||||
| **SignedVersion** | This combines the publisher rule with a version number. This option allows anything from the specified publisher, with a version at or above the specified version number, to run. |
|
||||
| **Publisher** | This is a combination of the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. This rule level allows organizations to trust a certificate from a major CA (such as Symantec), but only if the leaf certificate is from a specific company (such as Intel, for device drivers). |
|
||||
| **FilePublisher** | This is a combination of the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
|
||||
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than CA certificates, so additional administrative overhead is associated with updating the WDAC policy when these certificates expire. |
|
||||
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, because the scan does not validate anything beyond the certificates included in the provided signature (it does not go online or check local root stores). |
|
||||
| **RootCertificate** | Currently unsupported. |
|
||||
| **WHQL** | Trusts binaries if they have been validated and signed by WHQL. This is primarily for kernel binaries. |
|
||||
| **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. |
|
||||
| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. |
|
||||
|
||||
> [!NOTE]
|
||||
> When you create WDAC policies with [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
|
||||
|
||||
## Example of file rule levels in use
|
||||
|
||||
For example, consider some IT professionals in a department that runs many servers. They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
|
||||
|
||||
To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge WDAC policies into the original policy to allow that additional software to run. Then they enable the WDAC policy in enforced mode for their servers.
|
||||
|
||||
As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If they come to a time when the internally-written, unsigned application must be updated, they must also update the WDAC policy so that the hash in the policy matches the hash of the updated internal application.
|
||||
|
||||
They could also choose to create a catalog that captures information about the unsigned internal application, then sign and distribute the catalog. Then the internal application could be handled by WDAC policies in the same way as any other signed application. An update to the internal application would only require that the catalog be regenerated, signed, and distributed (no restarts would be required).
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats)
|
||||
- [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
|
||||
|
||||
@ -15,200 +15,8 @@ ms.date: 02/13/2018
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
For an overview of the process described in the following procedures, see [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md). To understand how the deployment of Windows Defender Application Control (WDAC) fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
|
||||
|
||||
## Create a Windows Defender Application Control policy from a reference computer
|
||||
|
||||
This section outlines the process to create a WDAC policy with Windows PowerShell.
|
||||
For this example, you must initiate variables to be used during the creation process or use the full file paths in the command.
|
||||
Then create the WDAC policy by scanning the system for installed applications.
|
||||
The policy file is converted to binary format when it gets created so that Windows can interpret it.
|
||||
|
||||
> [!Note]
|
||||
> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy.
|
||||
|
||||
### Scripting and applications
|
||||
|
||||
Each installed software application should be validated as trustworthy before you create a policy.
|
||||
We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable.
|
||||
Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want to run scripts.
|
||||
You can remove or disable such software on the reference computer.
|
||||
You can also fine-tune your control by [using Windows Defender Application Control in combination with AppLocker](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#windows-defender-device-guard-with-applocker).
|
||||
|
||||
|
||||
To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
|
||||
|
||||
1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created:
|
||||
|
||||
` $CIPolicyPath=$env:userprofile+"\Desktop\"`
|
||||
|
||||
` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
|
||||
|
||||
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
|
||||
|
||||
2. Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a new WDAC policy by scanning the system for installed applications:
|
||||
|
||||
` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt `
|
||||
|
||||
> [!Note]
|
||||
|
||||
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
|
||||
|
||||
> - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](deploy-windows-defender-application-control-policy-rules-and-file-rules.md#windows-defender-application-control-file-rule-levels) in “Deploy Windows Defender Application Control: policy rules and file rules.”
|
||||
|
||||
> - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
|
||||
|
||||
> - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
|
||||
|
||||
3. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the WDAC policy to a binary format:
|
||||
|
||||
` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
|
||||
|
||||
After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
|
||||
|
||||
> [!Note]
|
||||
> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](#merge-windows-defender-application-control-policies).
|
||||
|
||||
We recommend that every WDAC policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a WDAC policy, see the next section, [Audit Windows Defender Application Control policies](#audit-windows-defender-application-control-policies).
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Signing Windows Defender Application Control policies with SignTool.exe
|
||||
|
||||
Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
|
||||
In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer.
|
||||
These policies are designed to prevent administrative tampering and kernel mode exploit access.
|
||||
With this in mind, it is much more difficult to remove signed WDAC policies.
|
||||
Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](#audit-windows-defender-application-control-policies) to discover any blocked applications that should be allowed to run.
|
||||
|
||||
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
|
||||
If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) to create one with your on-premises CA.
|
||||
|
||||
Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md#windows-defender-application-control-policy-rules) in "Deploy Windows Defender Application Control: policy rules and file rules."
|
||||
|
||||
To sign a WDAC policy with SignTool.exe, you need the following components:
|
||||
|
||||
- SignTool.exe, found in the Windows SDK (Windows 7 or later)
|
||||
|
||||
- The binary format of the WDAC policy that you generated in the [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer) section or another WDAC policy that you have created
|
||||
|
||||
- An internal CA code signing certificate or a purchased code signing certificate
|
||||
|
||||
If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
|
||||
|
||||
1. Initialize the variables that will be used:
|
||||
|
||||
` $CIPolicyPath=$env:userprofile+"\Desktop\"`
|
||||
|
||||
` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
|
||||
|
||||
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
|
||||
|
||||
> [!Note]
|
||||
> This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
|
||||
|
||||
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
|
||||
|
||||
3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
|
||||
|
||||
4. Navigate to your desktop as the working directory:
|
||||
|
||||
` cd $env:USERPROFILE\Desktop `
|
||||
|
||||
5. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add an update signer certificate to the WDAC policy:
|
||||
|
||||
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User –Update`
|
||||
|
||||
> [!Note]
|
||||
> *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3.
|
||||
Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see the [Disable signed Windows Defender Application Control policies within Windows](#disable-signed-windows-defender-application-control-policies-within-windows) section.
|
||||
|
||||
6. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to remove the unsigned policy rule option:
|
||||
|
||||
` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
|
||||
|
||||
7. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the policy to binary format:
|
||||
|
||||
` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
|
||||
|
||||
8. Sign the WDAC policy by using SignTool.exe:
|
||||
|
||||
` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
|
||||
|
||||
> [!Note]
|
||||
> The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
|
||||
|
||||
9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](#deploy-and-manage-windows-defender-application-control-with-group-policy).
|
||||
|
||||
## Disable unsigned Windows Defender Application Control policies
|
||||
|
||||
There may come a time when an administrator wants to disable a WDAC policy. For unsigned WDAC policies, this process is simple. Depending on how the WDAC policy was deployed, unsigned policies can be disabled in one of two ways. If a WDAC policy was manually enabled and copied to the code integrity folder location, simply delete the file and restart the computer. The following locations can contain executing WDAC policies:
|
||||
|
||||
- <EFI System Partition>\\Microsoft\\Boot\\
|
||||
|
||||
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
|
||||
|
||||
If the WDAC policy was deployed by using Group Policy, the GPO that is currently enabling and deploying the policy must be set to disabled. Then, the WDAC policy will be disabled on the next computer restart.
|
||||
|
||||
## Disable signed Windows Defender Application Control policies within Windows
|
||||
|
||||
Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps.
|
||||
|
||||
> [!Note]
|
||||
> For reference, signed WDAC policies should be replaced and removed from the following locations:
|
||||
|
||||
- <EFI System Partition>\\Microsoft\\Boot\\
|
||||
|
||||
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
|
||||
|
||||
|
||||
1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
|
||||
|
||||
> **Note** To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
|
||||
|
||||
2. Restart the client computer.
|
||||
|
||||
3. Verify that the new signed policy exists on the client.
|
||||
|
||||
> **Note** If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
|
||||
|
||||
4. Delete the new policy.
|
||||
|
||||
5. Restart the client computer.
|
||||
|
||||
If the signed WDAC policy has been deployed using by using Group Policy, you must complete the following steps:
|
||||
|
||||
1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
|
||||
|
||||
> **Note** To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
|
||||
|
||||
2. Restart the client computer.
|
||||
|
||||
3. Verify that the new signed policy exists on the client.
|
||||
|
||||
> **Note** If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
|
||||
|
||||
4. Set the GPO to disabled.
|
||||
|
||||
5. Delete the new policy.
|
||||
|
||||
6. Restart the client computer.
|
||||
|
||||
## Disable signed Windows Defender Application Control policies within the BIOS
|
||||
|
||||
There may be a time when signed WDAC policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
|
||||
|
||||
- <EFI System Partition>\\Microsoft\\Boot\\
|
||||
|
||||
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
[Windows Defender Application Control](windows-defender-application-control.md)
|
||||
|
||||
|
||||
|
||||
@ -10,6 +10,7 @@
|
||||
|
||||
|
||||
## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)
|
||||
### [Types of devices](types-of-devices.md)
|
||||
### [Use WDAC with the Microsoft Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md)
|
||||
### [Use WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md)
|
||||
### [Use WDAC with custom policies](use-windows-defender-application-control-with-custom policies.md)
|
||||
|
||||
@ -9,10 +9,97 @@ author: jsuther1974
|
||||
ms.date: 02/21/2018
|
||||
---
|
||||
|
||||
# Select the types of rules to create
|
||||
# Deploy Windows Defender Application Control policy rules and file rules
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Windows Defender Application Control (WDAC) provides control over a computer running Windows 10 by using policies that specify whether a driver or application is trusted and can be run. A policy includes *policy rules* that control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a WDAC policy, and *file rules* (or *file rule levels*) that specify the level at which applications will be identified and trusted.
|
||||
|
||||
## Overview of the process of creating Windows Defender Application Control policies
|
||||
|
||||
A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. WDAC policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional WDAC policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the [WDAC Design Guide](planning-and-getting-started-on-the-device-guard-deployment-process.md).
|
||||
|
||||
> **Note** Each computer can have only **one** WDAC policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **<EFI System Partition>\\Microsoft\\Boot**. Keep this in mind when you create your WDAC policies.
|
||||
|
||||
Optionally, WDAC can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
|
||||
|
||||
If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
|
||||
|
||||
## Windows Defender Application Control policy rules
|
||||
|
||||
To modify the policy rule options of an existing WDAC policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
|
||||
|
||||
- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
|
||||
|
||||
` Set-RuleOption -FilePath <Path to policy> -Option 0`
|
||||
|
||||
Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Windows Defender Application Control will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option.
|
||||
|
||||
- To disable UMCI on an existing WDAC policy, delete rule option 0 by running the following command:
|
||||
|
||||
` Set-RuleOption -FilePath <Path to policy> -Option 0 -Delete`
|
||||
|
||||
You can set several rule options within a WDAC policy. Table 2 describes each rule option.
|
||||
|
||||
> [!NOTE]
|
||||
> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
|
||||
|
||||
**Table 2. Windows Defender Application Control policy - policy rule options**
|
||||
|
||||
| Rule option | Description |
|
||||
|------------ | ----------- |
|
||||
| **0 Enabled:UMCI** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
|
||||
| **1 Enabled:Boot Menu Protection** | This option is not currently supported. |
|
||||
| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
|
||||
| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the WDAC policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a WDAC policy, delete this option. |
|
||||
| **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. |
|
||||
| **5 Enabled:Inherit Default Policy** | This option is not currently supported. |
|
||||
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
|
||||
| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. |
|
||||
| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
|
||||
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
|
||||
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
|
||||
| **11 Disabled:Script Enforcement** | This option is not currently supported. |
|
||||
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. |
|
||||
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as System Center Configuration Manager, that has been defined as a managed installer. |
|
||||
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
|
||||
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.|
|
||||
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
|
||||
|
||||
## Windows Defender Application Control file rule levels
|
||||
|
||||
File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as fine-tuned as the hash of each binary or as general as a CA certificate. You specify file rule levels both when you create a new WDAC policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, WDAC policies combine their file rules, so that any application that would be allowed by either of the original policies will be allowed by the combined policy.
|
||||
|
||||
Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Windows Defender Application Control deployment scenario.
|
||||
|
||||
Table 3. Windows Defender Application Control policy - file rule levels
|
||||
|
||||
| Rule level | Description |
|
||||
|----------- | ----------- |
|
||||
| **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
|
||||
| **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. |
|
||||
| **SignedVersion** | This combines the publisher rule with a version number. This option allows anything from the specified publisher, with a version at or above the specified version number, to run. |
|
||||
| **Publisher** | This is a combination of the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. This rule level allows organizations to trust a certificate from a major CA (such as Symantec), but only if the leaf certificate is from a specific company (such as Intel, for device drivers). |
|
||||
| **FilePublisher** | This is a combination of the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
|
||||
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than CA certificates, so additional administrative overhead is associated with updating the WDAC policy when these certificates expire. |
|
||||
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, because the scan does not validate anything beyond the certificates included in the provided signature (it does not go online or check local root stores). |
|
||||
| **RootCertificate** | Currently unsupported. |
|
||||
| **WHQL** | Trusts binaries if they have been validated and signed by WHQL. This is primarily for kernel binaries. |
|
||||
| **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. |
|
||||
| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. |
|
||||
|
||||
> [!NOTE]
|
||||
> When you create WDAC policies with [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
|
||||
|
||||
## Example of file rule levels in use
|
||||
|
||||
For example, consider some IT professionals in a department that runs many servers. They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
|
||||
|
||||
To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge WDAC policies into the original policy to allow that additional software to run. Then they enable the WDAC policy in enforced mode for their servers.
|
||||
|
||||
As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If they come to a time when the internally-written, unsigned application must be updated, they must also update the WDAC policy so that the hash in the policy matches the hash of the updated internal application.
|
||||
|
||||
They could also choose to create a catalog that captures information about the unsigned internal application, then sign and distribute the catalog. Then the internal application could be handled by WDAC policies in the same way as any other signed application. An update to the internal application would only require that the catalog be regenerated, signed, and distributed (no restarts would be required).
|
||||
@ -0,0 +1,53 @@
|
||||
---
|
||||
title: types of devices (Windows 10)
|
||||
description: TTypically, deployment of Windows Defender Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices.
|
||||
keywords: virtualization, security, malware
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
author: brianlic-msft
|
||||
ms.date: 03/01/2018
|
||||
---
|
||||
|
||||
# Windows Defender Application Control deployment in different scenarios: types of devices
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Typically, deployment of Windows Defender Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Windows Defender Device Guard in your organization.
|
||||
|
||||
| **Type of device** | **How Windows Defender Device Guard relates to this type of device** | **Windows Defender Device Guard components that you can use to protect this kind of device** |
|
||||
|------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------|
|
||||
| **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After Windows Defender Device Guard deployment, only approved applications can run. This is because of protections offered by WDAC. | - VBS (hardware-based) protections, enabled.<br><br>• WDAC in enforced mode, with UMCI enabled. |
|
||||
| **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request additional software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.<br>WDAC policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.<br><br>• WDAC in enforced mode, with UMCI enabled. |
|
||||
| **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a WDAC policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.<br><br>• WDAC, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
|
||||
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Windows Defender Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A |
|
||||
|
||||
## Windows Defender Device Guard deployment in virtual machines
|
||||
|
||||
Windows Defender Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Windows Defender Device Guard are the same from within the virtual machine.
|
||||
|
||||
Windows Defender Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Windows Defender Device Guard for a virtual machine:
|
||||
|
||||
```powershell
|
||||
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
|
||||
```
|
||||
|
||||
|
||||
### Requirements for running Windows Defender Device Guard in Hyper-V virtual machines
|
||||
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
|
||||
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
|
||||
- Windows Defender Device Guard and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time.
|
||||
- Virtual Fibre Channel adapters are not compatible with Windows Defender Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity.
|
||||
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with Windows Defender Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity.
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
|
||||
- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
|
||||
|
||||
|
||||
@ -16,4 +16,47 @@ ms.date: 02/27/2018
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows Server 2016
|
||||
|
||||
This topic covers guidelines for using code signing control classic Windows apps.
|
||||
|
||||
## Reviewing your applications: application signing and catalog files
|
||||
|
||||
Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
|
||||
|
||||
Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your WDAC policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing).
|
||||
|
||||
To obtain signed applications or embed signatures in your in-house applications, you can choose from a variety of methods:
|
||||
|
||||
- Using the Microsoft Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own.
|
||||
|
||||
- Using your own digital certificate or public key infrastructure (PKI). ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers.
|
||||
|
||||
- Using a non-Microsoft signing authority. ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications.
|
||||
|
||||
To use catalog signing, you can choose from the following options:
|
||||
|
||||
- Use the Windows Defender Device Guard signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
|
||||
|
||||
- Create your own catalog files, which are described in the next section.
|
||||
|
||||
### Catalog files
|
||||
|
||||
Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application.
|
||||
|
||||
Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated each time an application is updated, which requires the catalog file to be updated also.
|
||||
|
||||
After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files.
|
||||
|
||||
> [!NOTE]
|
||||
> Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
|
||||
|
||||
For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
|
||||
|
||||
## Windows Defender Application Control policy formats and signing
|
||||
|
||||
When you generate a WDAC policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file.
|
||||
|
||||
We recommend that you keep the original XML file for use when you need to merge the WDAC policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command.
|
||||
|
||||
When the WDAC policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy.
|
||||
Reference in New Issue
Block a user