new section

Justin Hall
2019-05-06 12:24:44 -07:00
parent ec802e324e
commit 44bb04a93a


@ -108,26 +108,42 @@ They could also choose to create a catalog that captures information about the u
Beginning with Windows 10 version 1903, WDAC policies can contain path-based rules. Beginning with Windows 10 version 1903, WDAC policies can contain path-based rules.
- New-CIPolicy parameters - New-CIPolicy parameters
o FilePath: create path rules under path <path to scan> for anything not user-writeable (at the individual file level) - FilePath: create path rules under path <path to scan> for anything not user-writeable (at the individual file level)
```console
New-CIPolicy -f .\mypolicy.xml -l FilePath -s <path to scan> -u New-CIPolicy -f .\mypolicy.xml -l FilePath -s <path to scan> -u
 Optionally, add -UserWriteablePaths to ignore user writeability ```
o FilePathRule: create a rule where filepath string is directly set to value of <any path string> Optionally, add -UserWriteablePaths to ignore user writeability
- FilePathRule: create a rule where filepath string is directly set to value of <any path string>
```console
New-CIPolicyRule -FilePathRule <any path string> New-CIPolicyRule -FilePathRule <any path string>
• Useful for wildcards like C:\foo\* ```
• Usage: same flow as per-app rules Useful for wildcards like C:\foo\\*
- Usage: same flow as per-app rules
```xml
$rules = New-CIPolicyRule … $rules = New-CIPolicyRule …
$rules += New-CIPolicyRule … $rules += New-CIPolicyRule …
New-CIPolicy -Rules $rules -f .\mypolicy.xml -u ```
• Wildcards supported:
o Suffix (ex. C:\foo\*) OR Prefix (ex. *\foo\bar.exe) ```console
 One or the other, not both at the same time New-CIPolicyRule -f .\mypolicy.xml -u
 Does not support wildcard in the middle (ex. C:\*\foo.exe) ```
o Examples:
 %WINDIR%\... - Wildcards supported:
 %SYSTEM32%\... Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe)
 %OSDRIVE%\... - One or the other, not both at the same time
• Disable default FilePath rule protection of enforcing user-writeability - Does not support wildcard in the middle (ex. C:\\*\foo.exe)
Set-RuleOption -o 18 .\policy.xml - Examples:
o Adds “Disabled:Runtime FilePath Rule Protection” to the policy - %WINDIR%\\...
- %SYSTEM32%\\...
- %OSDRIVE%\\...
- Disable default FilePath rule protection of enforcing user-writeability
For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy:
```console
Set-RuleOption -o 18 .\policy.xml
```
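Review bot: In the "Usage: same flow as per-app rules" block, the last command changed from `New-CIPolicy -Rules $rules -f .\mypolicy.xml -u` to `New-CIPolicyRule -f .\mypolicy.xml -u`, so the `$rules` built on the two lines above it are no longer passed to anything. This looks unintended; restore the `New-CIPolicy -Rules $rules ...` line and keep it in the same fence as the `$rules` assignments rather than in a separate block. That fence is tagged `xml` although its content is PowerShell, and the other command fences use `console`; one tag that matches the content should be used throughout. The wildcard escaping is inconsistent: `C:\foo\\*` and `C:\\*\foo.exe` are escaped but `*\foo\bar.exe` is not, so the prefix example may render differently from the others; putting the paths in inline code would avoid the escaping altogether. The "Disable default FilePath rule protection" bullet should also say in a sentence what the user-writeability check protects against and when turning it off with `Set-RuleOption -o 18` is acceptable, since the text currently presents the option without any guidance. Finally, `-u` appears in the sample commands right next to the text about `-UserWriteablePaths` and is never explained; spelling out the full parameter name would keep readers from conflating the two.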