From 4960f266b9d149bf45af15c8e5da63711c5acb00 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 9 Aug 2021 10:45:43 -0700 Subject: [PATCH 01/10] Created a new section Deploy Managed Installer. --- ...-apps-deployed-with-a-managed-installer.md | 99 +++++++++++++++++-- 1 file changed, 91 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 5028f2de9f..2b1f04c83c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -93,27 +93,86 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ``` -An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below. +An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and Powershell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. ```xml - - + + + + - - + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + ``` - ### Enable service enforcement in AppLocker policy Since many installation processes rely on services, it is typically necessary to enable tracking of services. 
@@ -214,3 +273,27 @@ Ea Value Length: 7e ## Enabling managed installer logging events Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. + +## Deploying the Managed Installer + +Once you've completed configuring your chosen Managed Installer, by specifying which to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. + +1. Using the following command to deploy the policy. + ```powershell + Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue + ``` + +2. Verify policy deployment + ```powershell + Get-AppLockerPolicy -Local + + Version RuleCollections RuleCollectionTypes + ------- --------------- ------------------- + 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} + ``` + Notice the output shows the ManagedInstaller rule is there. + +3. Get the policy XML (optional) using PS: + ```powershell + Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue + ``` \ No newline at end of file From 40db0defb89e68c9f6cddc97f6bb9f537b145272 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 10 Aug 2021 11:57:33 -0700 Subject: [PATCH 02/10] Update configure-authorized-apps-deployed-with-a-managed-installer.md --- ...igure-authorized-apps-deployed-with-a-managed-installer.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 2b1f04c83c..980f12be1b 100644 
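Review bot: the rewritten sentence at the top of the first hunk (@@ -93) lists PowerShell and PowerShell ISE as managed installers next to MEMCM and Intune, but only says "Remove any rules that you do not wish to designate as a Managed Installer"; the text should state the trade-off, because a managed installer rule authorizes whatever that process installs, and an interactive host such as PowerShell is a much broader grant than a deployment agent. Suggest adding: "Keep the PowerShell and PowerShell ISE rules only if you intend every file those hosts install to be authorized." Also "Powershell" should be spelled "PowerShell" in both places.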
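Review bot: in step 1 of the new "Deploying the Managed Installer" section, `Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue` uses `$policyFile` without defining it anywhere, and `-ErrorAction SilentlyContinue` hides a failed deployment, so a reader reaching step 2 cannot tell a failure from success. Suggest assigning `$policyFile` the path of the saved AppLocker policy XML before this line (`-XmlPolicy` takes a file path) and dropping the `-ErrorAction` switch so errors surface. Step 2 puts the command and its table output inside one fence; show `Get-AppLockerPolicy -Local` and its output separately, and say what to do if `ManagedInstaller` is missing from RuleCollectionTypes. In step 3, `-ErrorVariable ev` is never inspected; either show `$ev` being checked or remove it. "Notice the output shows the ManagedInstaller rule is there" reads awkwardly.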
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 07/15/2021 +ms.date: 08/10/2021 ms.technology: mde --- @@ -296,4 +296,4 @@ Once you've completed configuring your chosen Managed Installer, by specifying w 3. Get the policy XML (optional) using PS: ```powershell Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue - ``` \ No newline at end of file + ``` From 79374e0892df854a1538d3555622f25b7bdb0c51 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 10 Aug 2021 12:05:54 -0700 Subject: [PATCH 03/10] Implemented Jordan's suggested edits. --- ...-authorized-apps-deployed-with-a-managed-installer.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 980f12be1b..3d3dfe707c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
@@ -283,17 +283,22 @@ Once you've completed configuring your chosen Managed Installer, by specifying w Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue ``` -2. Verify policy deployment +2. Verify Deployment of the Rule set was successful ```powershell + $policyFile= + @" + Raw_AppLocker_Policy_XML + "@ Get-AppLockerPolicy -Local Version RuleCollections RuleCollectionTypes ------- --------------- ------------------- 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} ``` - Notice the output shows the ManagedInstaller rule is there. + Verify the output shows the ManagedInstaller rule set. 3. Get the policy XML (optional) using PS: ```powershell Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue ``` + This command will show the raw XML to verify the individual rules that were set. \ No newline at end of file From 26ecad46c2b81d9cb37340ce6b7e187f76ddef09 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 10 Aug 2021 12:10:16 -0700 Subject: [PATCH 04/10] Made one correction and place policy file declaration in proper location. --- ...horized-apps-deployed-with-a-managed-installer.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 3d3dfe707c..0ab03f97aa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
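Review bot: the `$policyFile` here-string is added in step 2, after step 1 has already passed `$policyFile` to `Set-AppLockerPolicy`, so a reader following the steps in order runs step 1 with an empty variable; the definition belongs above the `Set-AppLockerPolicy` line. "Verify Deployment of the Rule set was successful" should be "Verify that the rule set deployed successfully" (sentence case, consistent with "rule set" two lines later). The new closing sentence for step 3, "This command will show the raw XML to verify the individual rules that were set", is helpful; it would be stronger if it named the element to look for, `RuleCollection Type="ManagedInstaller"`, which the rendered output in step 2 only shows as a type name.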
@@ -280,22 +280,22 @@ Once you've completed configuring your chosen Managed Installer, by specifying w 1. Using the following command to deploy the policy. ```powershell + $policyFile= + @" + Raw_AppLocker_Policy_XML + "@ Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue ``` 2. Verify Deployment of the Rule set was successful ```powershell - $policyFile= - @" - Raw_AppLocker_Policy_XML - "@ Get-AppLockerPolicy -Local Version RuleCollections RuleCollectionTypes ------- --------------- ------------------- - 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} + 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} ``` - Verify the output shows the ManagedInstaller rule set. + Verify the output shows the ManagedInstaller rule set. 3. Get the policy XML (optional) using PS: ```powershell From 664cd58e1cfefdd7101dc651d54d76aaf36c9ac9 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 11 Aug 2021 12:30:04 -0700 Subject: [PATCH 05/10] Applied addition edit suggestions. --- ...horized-apps-deployed-with-a-managed-installer.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 0ab03f97aa..15639fd8d3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
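Review bot: the move fixes the ordering, but the here-string named `Raw_AppLocker_Policy_XML` is still passed to `-XmlPolicy`, which expects the path and file name of an XML file, not XML text; either make the placeholder a path (for example `C:\path\to\policy.xml`, clearly marked as a placeholder) and tell the reader to save the rule collection there first, or build an AppLockerPolicy object and pass it with `-PolicyObject`. The two whitespace-only changes to the `1 {0, 0, 0, 0...}` table row and the "Verify the output shows the ManagedInstaller rule set." line add noise to the diff and could be dropped.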
@@ -93,7 +93,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ``` -An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and Powershell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. +An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. ```xml @@ -274,11 +274,11 @@ Ea Value Length: 7e Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. -## Deploying the Managed Installer +## Deploying the Managed Installer rule collection -Once you've completed configuring your chosen Managed Installer, by specifying which to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. +Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. -1. Using the following command to deploy the policy. +1. Use the following command to deploy the policy. ```powershell $policyFile= @" @@ -287,7 +287,7 @@ Once you've completed configuring your chosen Managed Installer, by specifying w Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue ``` -2. Verify Deployment of the Rule set was successful +2. Verify Deployment of the ruleset was successful ```powershell Get-AppLockerPolicy -Local 
@@ -297,7 +297,7 @@ Once you've completed configuring your chosen Managed Installer, by specifying w ``` Verify the output shows the ManagedInstaller rule set. -3. Get the policy XML (optional) using PS: +3. Get the policy XML (optional) using PowerShell: ```powershell Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue ``` From a7f7baf4bf8b67ba9a73d9d8879388b71dd5d2ca Mon Sep 17 00:00:00 2001 From: "Carlos Mayol (MSFT)" Date: Fri, 13 Aug 2021 16:32:18 -0400 Subject: [PATCH 06/10] Removing ALLOW_ALL for FileRules These rules are enabling any executable regardless of the signers policies. --- .../microsoft-recommended-driver-block-rules.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index d409657e10..82728672e6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -55,8 +55,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security - - @@ -315,7 +313,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security - @@ -425,7 +422,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security - From 1c8bcd351bf3efb659b3d35ff56560b8e1372cee Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 15 Aug 2021 07:55:30 +0500 Subject: [PATCH 07/10] Update deploy-a-windows-10-image-using-mdt.md --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
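Review bot: the spelling fix in the @@ -93 hunk corrects only the second occurrence; "MEM (Intune), Powershell, and PowerShell ISE" still has a lowercase "Powershell," before "and", which should also be "PowerShell,".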
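Review bot: in the @@ -274 hunk the renamed heading "Deploying the Managed Installer rule collection" is clearer, but the lead sentence still reads "enabling the service enforcement of it", which should be "enabling service enforcement for it", and "by specifying which option to use in the AppLocker policy" is vague about what "option" means; suggest "by adding the managed installer rule collection to the AppLocker policy". In the @@ -287 hunk, "Verify Deployment of the ruleset was successful" now disagrees with "Verify the output shows the ManagedInstaller rule set." below it; pick one of "ruleset" or "rule set" and use sentence case.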
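Review bot: the rule content has been stripped from this view, so the three hunks of the ALLOW_ALL removal cannot be checked for consistency here; when an Allow rule is deleted from FileRules, every FileRuleRef that points at its ID in the SigningScenarios must be deleted too, or the policy fails to load, and the two single-line removals at @@ -315 and @@ -425 should be exactly those references. The commit message ("These rules are enabling any executable regardless of the signers policies") should say so, and should also state whether the policy is still expected to load on its own, since the page text tells readers to merge it with an existing WDAC policy and validate in audit mode first.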
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 02c175e81b..39430e41e8 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -316,7 +316,7 @@ On **MDT01**: ### For the HP EliteBook 8560w -For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545). +For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html). In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. From 3a296d61ee216a413ef6988253c6f50f666a48d1 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 16 Aug 2021 19:29:45 +0530 Subject: [PATCH 08/10] removed old version , added new version added new version of adobe dc acrobat reader, source #9894 --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 02c175e81b..6d3a8ea77d 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md 
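Review bot: the replacement line points directly at `https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html` where the removed line used a go.microsoft.com fwlink; direct vendor URLs go stale, so keep the fwlink pattern (with the redirect target updated) unless this repo's convention is otherwise. The unchanged context line below still says "HP EliteBook 8650w" where the heading, the path and the sentence being changed all say 8560w; worth fixing in the same pass.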
@@ -145,8 +145,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC1902120058_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. From 46c9c72781506e6ffee683915f1e626801a17f63 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Aug 2021 10:16:53 -0700 Subject: [PATCH 09/10] Update microsoft-recommended-driver-block-rules.md --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 82728672e6..60312b011c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
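Review bot: the version-specific filename `AcroRdrDC2100520060_en_US.exe` is now hard-coded in both step 1 and the extraction command in step 2, and will age exactly like the `AcroRdrDC1902120058_en_US.exe` it replaces; suggest stating that the filename changes with each release and using a placeholder in the command, or recording which version the steps were validated with. Also, this patch's index line starts from `02c175e81b`, the same base as 07/10, so it was not built on top of the previous commit; the hunks do not overlap, but the series should be rebased before merge.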
@@ -29,7 +29,7 @@ Microsoft has strict requirements for code running in kernel. Consequently, mali - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. > [!Note] > This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. From b5f7a74d60add25029357295fc7510b102654adf Mon Sep 17 00:00:00 2001 
From: Diana Hanson Date: Mon, 16 Aug 2021 12:09:08 -0600 Subject: [PATCH 10/10] Raise acro score Sync pr https://github.com/MicrosoftDocs/windows-docs-pr/pull/5516 --- .../microsoft-recommended-driver-block-rules.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 60312b011c..f85b75d3ad 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -24,15 +24,15 @@ ms.date: - Windows 10 - Windows Server 2016 and above -Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: +Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. 
Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. > [!Note] -> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. +> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It's recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. ```xml
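Review bot: the contractions in both rewritten paragraphs fit the "Raise acro score" goal, but the line being rewritten keeps the ungrammatical "can result in devices or software to malfunction"; change it to "can cause devices or software to malfunction, and in rare cases a blue screen". In the note, "This application list will be updated" refers to a list of kernel drivers (the page is the driver block rules and the preceding sentence says "the following list of drivers"), so "This driver list" is the accurate wording. "code running in kernel" and "run malware in kernel" read better as "in the kernel".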