From 44bb04a93af5d51764df038568758bab57e09d8e Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 6 May 2019 12:24:44 -0700 Subject: [PATCH] new section --- .../select-types-of-rules-to-create.md | 60 ++++++++++++------- 1 file changed, 38 insertions(+), 22 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 22294479af..14ae09388f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -108,26 +108,42 @@ They could also choose to create a catalog that captures information about the u Beginning with Windows 10 version 1903, WDAC policies can contain path-based rules. - New-CIPolicy parameters -o FilePath: create path rules under path for anything not user-writeable (at the individual file level) -New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u - Optionally, add -UserWriteablePaths to ignore user writeability -o FilePathRule: create a rule where filepath string is directly set to value of -New-CIPolicyRule -FilePathRule -• Useful for wildcards like C:\foo\* -• Usage: same flow as per-app rules -$rules = New-CIPolicyRule … -$rules += New-CIPolicyRule … -… -New-CIPolicy -Rules $rules -f .\mypolicy.xml -u -• Wildcards supported: -o Suffix (ex. C:\foo\*) OR Prefix (ex. *\foo\bar.exe) - One or the other, not both at the same time - Does not support wildcard in the middle (ex. C:\*\foo.exe) -o Examples: - %WINDIR%\... - %SYSTEM32%\... - %OSDRIVE%\... -• Disable default FilePath rule protection of enforcing user-writeability -Set-RuleOption -o 18 .\policy.xml -o Adds “Disabled:Runtime FilePath Rule Protection” to the policy + - FilePath: create path rules under path for anything not user-writeable (at the individual file level) + ```console + New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u + ``` + Optionally, add -UserWriteablePaths to ignore user writeability + + - FilePathRule: create a rule where filepath string is directly set to value of + ```console + New-CIPolicyRule -FilePathRule + ``` + Useful for wildcards like C:\foo\\* + +- Usage: same flow as per-app rules + ```xml + $rules = New-CIPolicyRule … + $rules += New-CIPolicyRule … + … + ``` + + ```console + New-CIPolicyRule -f .\mypolicy.xml -u + ``` + +- Wildcards supported: + Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe) + - One or the other, not both at the same time + - Does not support wildcard in the middle (ex. C:\\*\foo.exe) + - Examples: + - %WINDIR%\\... 
+ - %SYSTEM32%\\... + - %OSDRIVE%\\... + +- Disable default FilePath rule protection of enforcing user-writeability + For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: + ```console + Set-RuleOption -o 18 .\policy.xml + ``` +
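Review bot: the "Usage" block in this hunk changes the cmdlet and drops the rules argument: the removed line was `New-CIPolicy -Rules $rules -f .\mypolicy.xml -u`, but the added fence reads `New-CIPolicyRule -f .\mypolicy.xml -u`, which points readers at the per-rule cmdlet instead of the step that compiles the collected `$rules` into the policy XML; restore the original line. In the same block the `$rules = New-CIPolicyRule …` snippet is fenced as ```xml although it is PowerShell; use the ```console fence the rest of the section uses. Two smaller documentation points: the FilePathRule bullet still ends mid-sentence ("directly set to value of"), and the last bullet would be clearer if it stated plainly that option 18 turns off the runtime check that FilePath rules only cover locations standard users cannot write to, since that is the protection the "Disabled:Runtime FilePath Rule Protection" setting removes.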