From 17fc239a83a1c21e237ca03e6c5309e0cd770721 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sat, 25 Jan 2025 09:08:18 -0800 Subject: [PATCH 01/28] Update appcontrol.md --- .../app-control-for-business/appcontrol.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md index a778ffc2fb..40f8bb913c 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md 
@@ -12,25 +12,25 @@ ms.topic: overview [!INCLUDE [Feature availability note](includes/feature-availability-note.md)] -With thousands of new malicious files created every day, using traditional methods like antivirus solutions-signature-based detection to fight against malware-provides an inadequate defense against new attacks. +Your organization's data is one of your most valuable assets... and adversaries want it. No matter what security controls you apply over your data, they are only as strong as the weakest link: the trusted user sitting at the keyboard. When a user runs a process, that process shares the same access to your data that the user has. So your sensitive information is easily transmitted, modified, deleted or encrypted when a user, knowingly or unknowingly, runs malicious software. And with thousands of new malicious files created every day, relying solely on traditional methods like antivirus (AV) solutions gives you an inadequate defense against new attacks. Application control is a crucial line of defense against today's threat actors. -In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. +Application control works alongside your AV solution to help mitigate these types of security threats by restricting the apps that users can run and even what code runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). 
-Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). - -Application control is a crucial line of defense for protecting enterprises given today's threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.). +It moves you from a trust model where all code runs unless your AV solution confidently predicts it's bad, to one where apps run only if your policy says so. Government and security organizations, like the Australian Signals Directorate, frequently cite application control as one of the most effective ways to address the threat of executable file-based malware (.exe, .dll, etc.). > [!NOTE] -> Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. +> Although application control can significantly harden your computers against malicious code, it is not a replacement. You should continue to maintain your antivirus solution for a well-rounded enterprise security portfolio. 
-Windows 10 and Windows 11 include two technologies that can be used for application control depending on your organization's specific scenarios and requirements: +Windows 10 and Windows 11 include two application control technologies that your organization can use depending on your specific scenarios and requirements: -- **App Control for Business**; and +- **App Control for Business (app control)**; and - **AppLocker** ## App Control and Smart App Control -Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control. App control enables enterprise customers to create a policy that offers the same security and compatibility as Smart App Control with the capability to customize policies to run line-of-business (LOB) apps. To make it easier to implement policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). +Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs or when our intelligent cloud-powered security service, known as the Intelligent Security Graph (ISG) in App Control for Business, predicts the code is safe. 
And code determined to be unsafe is always blocked. + +While Smart App Control is designed for consumers, it builds entirely upon App Control for Business. That means you can create a policy with the same security and compatibility as Smart App Control that also allows the line-of-business (LOB) apps that your organization needs. The App Control policy used for Smart App Control is included as an [example policy](design/example-appcontrol-base-policies.md) in Windows and the is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect. From 316ed12ecc4f5884de1ed9871b1c12947eef10cc Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sat, 25 Jan 2025 18:53:47 -0800 Subject: [PATCH 02/28] Updates to App Control topics --- .../app-control-for-business/appcontrol.md | 12 +++++++----- .../design/example-appcontrol-base-policies.md | 16 ++++++++-------- 2 files changed, 15 insertions(+), 13 deletions(-) 
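Review bot: In PATCH 01/28, hunk @@ -12,25 +12,25 @@ of appcontrol.md, the added sentence "The App Control policy used for Smart App Control is included as an [example policy](design/example-appcontrol-base-policies.md) in Windows and the is provided." carries an editing leftover ("and the is provided"); end the sentence at "in Windows". In the same hunk, "Smart App Control ensures only signed code runs or when our intelligent cloud-powered security service ... predicts the code is safe" does not parse; suggest "Smart App Control ensures that only signed code runs, or code that our intelligent cloud-powered security service ... predicts is safe." Finally, "So your sensitive information is easily transmitted, modified, deleted or encrypted when a user ... runs malicious software" states the outcome as certain; "can easily be transmitted" is the defensible claim.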
diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md index 40f8bb913c..77e89cde8c 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md 
@@ -12,14 +12,14 @@ ms.topic: overview [!INCLUDE [Feature availability note](includes/feature-availability-note.md)] -Your organization's data is one of your most valuable assets... and adversaries want it. No matter what security controls you apply over your data, they are only as strong as the weakest link: the trusted user sitting at the keyboard. When a user runs a process, that process shares the same access to your data that the user has. So your sensitive information is easily transmitted, modified, deleted or encrypted when a user, knowingly or unknowingly, runs malicious software. And with thousands of new malicious files created every day, relying solely on traditional methods like antivirus (AV) solutions gives you an inadequate defense against new attacks. Application control is a crucial line of defense against today's threat actors. +Your organization's data is one of its most valuable assets... and adversaries want it. No matter what security controls you apply over your data, they are only as strong as the weakest link: the trusted user sitting at the keyboard. When a user runs a process, that process shares the same access to your data that the user has. So your sensitive information is easily transmitted, modified, deleted or encrypted when a user, knowingly or unknowingly, runs malicious software. And with thousands of new malicious files created every day, relying solely on traditional methods like antivirus (AV) solutions gives you an inadequate defense against new attacks. Application control is a crucial line of defense against today's threat actors. Application control works alongside your AV solution to help mitigate these types of security threats by restricting the apps that users can run and even what code runs in the System Core (kernel). 
Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). It moves you from a trust model where all code runs unless your AV solution confidently predicts it's bad, to one where apps run only if your policy says so. Government and security organizations, like the Australian Signals Directorate, frequently cite application control as one of the most effective ways to address the threat of executable file-based malware (.exe, .dll, etc.). > [!NOTE] -> Although application control can significantly harden your computers against malicious code, it is not a replacement. You should continue to maintain your antivirus solution for a well-rounded enterprise security portfolio. +> Although application control can significantly harden your computers against malicious code, it is not a replacement for antivirus. You should continue to maintain your active antivirus solution alongside App Control for a well-rounded enterprise security portfolio. Windows 10 and Windows 11 include two application control technologies that your organization can use depending on your specific scenarios and requirements: 
@@ -28,11 +28,11 @@ Windows 10 and Windows 11 include two application control technologies that your ## App Control and Smart App Control -Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs or when our intelligent cloud-powered security service, known as the Intelligent Security Graph (ISG) in App Control for Business, predicts the code is safe. And code determined to be unsafe is always blocked. +Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs, or code predicted to be safe by our intelligent cloud-powered security service. When code is unsigned and the service is unable to predict with confidence that it is safe to run, it is blocked but can develop positive reputation over time as new signals are processed by the service. Meanwhile, code determined to be unsafe is always blocked. -While Smart App Control is designed for consumers, it builds entirely upon App Control for Business. That means you can create a policy with the same security and compatibility as Smart App Control that also allows the line-of-business (LOB) apps that your organization needs. The App Control policy used for Smart App Control is included as an [example policy](design/example-appcontrol-base-policies.md) in Windows and the is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. 
To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). +While Smart App Control is designed for consumers, it's built entirely upon App Control for Business. That means you can create a policy with the same security and compatibility as Smart App Control but which also trusts the line-of-business (LOB) apps that your organization needs. The service providing Smart App Control's intelligence to predict what code is safe to run is also available in App Control for Business, where its known as the Intelligent Security Graph (ISG). -Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect. +Smart App Control starts in evaluation mode and will switch itself off within 48 hours for enterprise managed devices unless the user has turned it on. To proactively turn off Smart App Control across your organization's endpoints, set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must run [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect. 
| Value | Description | |-------|-------------| @@ -43,6 +43,8 @@ Smart App Control is only available on clean installation of Windows 11 version > [!IMPORTANT] > Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows. +The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml and also comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it is ready for use as an App Control for Business policy. + [!INCLUDE [windows-defender-application-control-wdac](../../../../../includes/licensing/windows-defender-application-control-wdac.md)] ## Related articles diff --git a/windows/security/application-security/application-control/app-control-for-business/design/example-appcontrol-base-policies.md b/windows/security/application-security/application-control/app-control-for-business/design/example-appcontrol-base-policies.md index fcc507dc75..3ccc9742b3 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/example-appcontrol-base-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/example-appcontrol-base-policies.md 
@@ -3,7 +3,7 @@ title: Example App Control for Business base policies description: When creating an App Control for Business policy for an organization, start from one of the many available example base policies. ms.topic: reference ms.localizationpriority: medium -ms.date: 09/11/2024 +ms.date: 01/25/2025 --- # App Control for Business example base policies @@ -14,18 +14,18 @@ When you create policies for use with App Control for Business, start from an ex | Example Base Policy | Description | Where it can be found | |-------------------------|---------------------------------------------------------------|--------| -| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for the [Microsoft Intune product family](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml
%ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\DefaultWindows_Audit.xml | -| **AllowMicrosoft.xml** | This example policy includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
%ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\AllowMicrosoft.xml | +| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for the [Microsoft Intune product family](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\DefaultWindows_\*.xml | +| **AllowMicrosoft.xml** | This example policy includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\AllowMicrosoft.xml | | **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml | | **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using App Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml | | **DenyAllAudit.xml** | ***Warning: Will cause boot issues on Windows Server 2019 and earlier. Do not use on those operating systems.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml | | **Microsoft Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in App Control integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | -| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise App Control policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example base policy](create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). 
| %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml
%ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\SignedReputable.xml | +| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise App Control policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example base policy](create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\SignedReputable.xml | | **Example supplemental policy** | This example policy shows how to use supplemental policy to expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Supplemental.xml | -| **Microsoft Recommended Block List** | This policy includes a list of Windows and Microsoft-signed code that Microsoft recommends blocking when using App Control, if possible. | [Microsoft recommended block rules](applications-that-can-bypass-appcontrol.md)
%ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\Recommended_UserMode_Blocklist.xml | -| **Microsoft recommended driver blocklist** | This policy includes rules to block known vulnerable or malicious kernel drivers. | [Microsoft recommended driver block rules](microsoft-recommended-driver-block-rules.md)
%OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\RecommendedDriverBlock_Enforced.xml
%ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\Recommended_Driver_Blocklist.xml | -| **Windows S mode** | This policy includes the rules used to enforce [Windows S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). | %ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\WinSiPolicy.xml.xml | -| **Windows 11 SE** | This policy includes the rules used to enforce [Windows 11 SE](/education/windows/windows-11-se-overview), a version of Windows built for use in schools. | %ProgramFiles%\WindowsApps\Microsoft.App Control.WDACWizard*\WinSEPolicy.xml.xml | +| **Microsoft Recommended Block List** | This policy includes a list of Windows and Microsoft-signed code that Microsoft recommends blocking when using App Control, if possible. | [Microsoft recommended block rules](applications-that-can-bypass-appcontrol.md)
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\Recommended_UserMode_Blocklist.xml | +| **Microsoft recommended driver blocklist** | This policy includes rules to block known vulnerable or malicious kernel drivers. | [Microsoft recommended driver block rules](microsoft-recommended-driver-block-rules.md)
%OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\RecommendedDriverBlock_Enforced.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\Recommended_Driver_Blocklist.xml | +| **Windows S mode** | This policy includes the rules used to enforce [Windows S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\WinSiPolicy.xml.xml | +| **Windows 11 SE** | This policy includes the rules used to enforce [Windows 11 SE](/education/windows/windows-11-se-overview), a version of Windows built for use in schools. | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\WinSEPolicy.xml.xml | > [!NOTE] > Not all policies shown available at %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies can be found on all versions of Windows. From 4d5093a6a4acecaae5435b8b93134e799a61e233 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sun, 26 Jan 2025 20:14:12 -0800 Subject: [PATCH 03/28] Update appcontrol.md --- .../app-control-for-business/appcontrol.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md index 77e89cde8c..e86dbc883d 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md 
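Review bot: In PATCH 02/28, hunk @@ -28,11 +28,11 @@ of appcontrol.md, "where its known as the Intelligent Security Graph (ISG)" needs "it's". The rewritten last paragraph also drops the statement that Smart App Control is only available on a clean installation of Windows 11 version 22H2 or later; if that requirement still holds, keep it, since it is the reason admins will not see the feature on upgraded devices. The "48 hours" window is new information with no source in the diff; confirm it before it ships. "will switch itself off within 48 hours for enterprise managed devices" also reads better as "on enterprise-managed devices".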
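Review bot: In PATCH 02/28, hunk @@ -43,6 +43,8 @@ of appcontrol.md, the added paragraph says "comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool" twice; drop the second occurrence. The italic marker in "*%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml" is never closed, and the path uses forward slashes while the example-policies table touched in this same patch writes "%OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\..." with backslashes; pick one form. There is also a missing space in "...base-policy).When using".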
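Review bot: In PATCH 02/28, hunk @@ -14,18 +14,18 @@ of design/example-appcontrol-base-policies.md, replacing "Microsoft.App Control.WDACWizard*" with "Microsoft.WDAC.WDACWizard*\Templates\" looks right (the old form reads like a global "WDAC" to "App Control" replacement that leaked into a package folder name, which cannot contain that space), but two items to check before merge: the "Windows S mode" and "Windows 11 SE" rows keep the double extension "WinSiPolicy.xml.xml" / "WinSEPolicy.xml.xml"; confirm those are the real file names under Templates or fix them while these lines are being touched. And the DefaultWindows row now points at "Templates\DefaultWindows_\*.xml" where it previously named only "DefaultWindows_Audit.xml"; confirm the wizard actually ships the enforced variant as well. Drive-by in the unchanged context: "expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file" is missing "to", and "Not all policies shown available at" is missing "as".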
@@ -28,11 +28,11 @@ Windows 10 and Windows 11 include two application control technologies that your ## App Control and Smart App Control -Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs, or code predicted to be safe by our intelligent cloud-powered security service. When code is unsigned and the service is unable to predict with confidence that it is safe to run, it is blocked but can develop positive reputation over time as new signals are processed by the service. Meanwhile, code determined to be unsafe is always blocked. +Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs as well as code predicted to be safe by our intelligent cloud-powered security service. When code is unsigned and the service is unable to predict with confidence that it is safe to run, it is blocked but can develop positive reputation over time as new signals are processed by the service. Meanwhile, code determined to be unsafe is always blocked. -While Smart App Control is designed for consumers, it's built entirely upon App Control for Business. That means you can create a policy with the same security and compatibility as Smart App Control but which also trusts the line-of-business (LOB) apps that your organization needs. The service providing Smart App Control's intelligence to predict what code is safe to run is also available in App Control for Business, where its known as the Intelligent Security Graph (ISG). 
+While Smart App Control is designed for consumers, we believe it's the ideal starting point for most organizations. And since it's built entirely upon App Control for Business, you can create a policy with the same security and compatibility as Smart App Control but which also trusts the line-of-business (LOB) apps that your organization depends on. The service providing Smart App Control's intelligence to predict what code is safe to run is also available in App Control for Business, where its called the Intelligent Security Graph (ISG). -Smart App Control starts in evaluation mode and will switch itself off within 48 hours for enterprise managed devices unless the user has turned it on. To proactively turn off Smart App Control across your organization's endpoints, set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must run [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect. +Smart App Control starts in evaluation mode and will switch itself off within 48 hours for enterprise managed devices unless the user has turned it on first. If you want to proactively turn off Smart App Control across your organization's endpoints, set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must run [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect. | Value | Description | |-------|-------------| 
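Review bot: In PATCH 03/28, hunk @@ -28,11 +28,11 @@ of appcontrol.md, "Smart App Control ensures only signed code runs as well as code predicted to be safe" still misplaces "only": as written it says that only signed code runs and then adds a second category. Suggest "Smart App Control ensures that only signed code, or code predicted to be safe by our intelligent cloud-powered security service, runs." "where its called the Intelligent Security Graph (ISG)" still needs "it's". "we believe it's the ideal starting point for most organizations" is an opinion in reference docs; if it stays, attach the reason the same paragraph already gives (signed-or-reputable code plus LOB allow rules) so the claim is not bare.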
@@ -43,13 +43,12 @@ Smart App Control starts in evaluation mode and will switch itself off within 48 > [!IMPORTANT] > Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows. -The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml and also comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it is ready for use as an App Control for Business policy. +The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml*. To use this example policy as a starting point for your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it is ready for use as an App Control for Business policy. 
[!INCLUDE [windows-defender-application-control-wdac](../../../../../includes/licensing/windows-defender-application-control-wdac.md)] -## Related articles +## What you should read next -- [App Control design guide](design/appcontrol-design-guide.md) -- [App Control deployment guide](deployment/appcontrol-deployment-guide.md) -- [App Control operational guide](operations/appcontrol-operational-guide.md) -- [AppLocker overview](applocker/applocker-overview.md) +Read on to learn more about the two application control technologies available in Windows with the [App Control for Business and AppLocker Overview](./appcontrol-and-applocker-overview.md). + +If you're ready to jump in and get started creating policies, let's revisit Smart App Control and [Use the Smart App Control policy to build your own custom base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md). From 7e750c3f2286ae5743ea96eb204285c16caf6a6f Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 28 Jan 2025 12:34:30 -0800 Subject: [PATCH 04/28] Updates to overview topics --- .../appcontrol-and-applocker-overview.md | 4 ++-- .../app-control-for-business/appcontrol.md | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md index 5520d9161c..ee94923c20 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md @@ -2,7 +2,7 @@ title: App Control and AppLocker Overview description: Compare Windows application control technologies. ms.localizationpriority: medium -ms.date: 09/11/2024 +ms.date: 01/28/2025 ms.topic: conceptual --- 
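Review bot: In the `+` line of the @@ -43,13 hunk, "...using-an-example-app-control-base-policy).When using the Smart App Control..." is missing a space after the period, so the two sentences run together; the italics around `*%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml*` are now balanced, which fixes the unterminated italic in the `-` line. The "## What you should read next" rewrite drops the links to the design guide, deployment guide, operational guide and AppLocker overview; if those are still the canonical entry points for this section, keep them as a short list under the new heading instead of removing them.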
@@ -26,7 +26,7 @@ App Control policies apply to the managed computer as a whole and affects all us - The process that launched the app or binary > [!NOTE] -> App Control was originally released as part of Device Guard and called configurable code integrity. Device Guard and configurable code integrity are no longer used except to find where to deploy App Control policy via Group Policy. +> App Control was originally released as part of Device Guard and called configurable code integrity. Device Guard and configurable code integrity are no longer used except when deploying App Control policy via Group Policy. ### App Control System Requirements diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md index e86dbc883d..fdaaad9277 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md @@ -4,7 +4,7 @@ description: Application Control restricts which applications users are allowed ms.localizationpriority: medium ms.collection: - tier3 -ms.date: 10/25/2024 +ms.date: 01/28/2025 ms.topic: overview --- 
@@ -19,7 +19,7 @@ Application control works alongside your AV solution to help mitigate these type It moves you from a trust model where all code runs unless your AV solution confidently predicts it's bad, to one where apps run only if your policy says so. Government and security organizations, like the Australian Signals Directorate, frequently cite application control as one of the most effective ways to address the threat of executable file-based malware (.exe, .dll, etc.). > [!NOTE] -> Although application control can significantly harden your computers against malicious code, it is not a replacement for antivirus. You should continue to maintain your active antivirus solution alongside App Control for a well-rounded enterprise security portfolio. +> Although application control can significantly harden your computers against malicious code, it's not a replacement for antivirus. You should continue to maintain your active antivirus solution alongside App Control for a well-rounded enterprise security portfolio. Windows 10 and Windows 11 include two application control technologies that your organization can use depending on your specific scenarios and requirements: 
@@ -28,9 +28,9 @@ Windows 10 and Windows 11 include two application control technologies that your ## App Control and Smart App Control -Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs as well as code predicted to be safe by our intelligent cloud-powered security service. When code is unsigned and the service is unable to predict with confidence that it is safe to run, it is blocked but can develop positive reputation over time as new signals are processed by the service. Meanwhile, code determined to be unsafe is always blocked. +Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs as well as code predicted to be safe by our intelligent cloud-powered security service. When code is unsigned and the service is unable to predict with confidence that it is safe to run, it is blocked but can develop better reputation over time as new signals are processed by the service. Meanwhile, code determined to be unsafe is always blocked. -While Smart App Control is designed for consumers, we believe it's the ideal starting point for most organizations. And since it's built entirely upon App Control for Business, you can create a policy with the same security and compatibility as Smart App Control but which also trusts the line-of-business (LOB) apps that your organization depends on. 
The service providing Smart App Control's intelligence to predict what code is safe to run is also available in App Control for Business, where its called the Intelligent Security Graph (ISG). +While Smart App Control is designed for consumers, we believe it's the ideal starting point for most organizations. And since it's built entirely upon App Control for Business, you can create a policy with the same security and compatibility as Smart App Control but which also trusts the line-of-business (LOB) apps that your organization depends on. The service providing Smart App Control's intelligence to predict what code is safe to run is also available in App Control for Business, where it's called the Intelligent Security Graph (ISG). Smart App Control starts in evaluation mode and will switch itself off within 48 hours for enterprise managed devices unless the user has turned it on first. If you want to proactively turn off Smart App Control across your organization's endpoints, set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must run [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect. From cb10b92cb16ca367794303a64e3547237d5a640f Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 30 Jan 2025 11:32:30 -0800 Subject: [PATCH 05/28] Update appcontrol-and-applocker-overview.md --- .../appcontrol-and-applocker-overview.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md index ee94923c20..5b75590aac 100644 
--- a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md 
@@ -18,21 +18,21 @@ App Control was introduced with Windows 10 and allows organizations to control w App Control policies apply to the managed computer as a whole and affects all users of the device. App Control rules can be defined based on: -- Attributes of the codesigning certificate(s) used to sign an app and its binaries +- Attributes of the codesigning certificate used to sign an app and its binaries - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file - The reputation of the app as determined by Microsoft's [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md) - The identity of the process that initiated the installation of the app and its binaries ([managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md)) -- The [path from which the app or file is launched](design/select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903) +- The [path where the app or file exists on disk](design/select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903) - The process that launched the app or binary > [!NOTE] -> App Control was originally released as part of Device Guard and called configurable code integrity. Device Guard and configurable code integrity are no longer used except when deploying App Control policy via Group Policy. +> App Control for Business was originally released as part of Device Guard and called configurable code integrity. The terms "Device Guard" and "configurable code integrity" are no longer used with App Control except when deploying policies through Group Policy. ### App Control System Requirements App Control policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. 
App Control policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy App Control policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019. -For more information on which individual App Control features are available on specific App Control builds, see [App Control feature availability](feature-availability.md). +For more information on which individual App Control features are available on your version of Windows, see [App Control feature availability](feature-availability.md). ## AppLocker @@ -40,9 +40,9 @@ AppLocker was introduced with Windows 7, and allows organizations to control whi AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on: -- Attributes of the codesigning certificate(s) used to sign an app and its binaries. +- Attributes of the codesigning certificate used to sign an app and its binaries. - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file. -- The path from which the app or file is launched. +- The path where the app or file exists on disk. AppLocker is also used by some features of App Control, including [managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md) and the [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md). From 64a4216616ea9f788782132d010117e73c34391c Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sun, 2 Feb 2025 16:07:14 -0800 Subject: [PATCH 06/28] Updates for Windows resiliency and .Net --- .../app-control-for-business/appcontrol.md | 2 +- ...ow-com-object-registration-in-appcontrol-policy.md | 11 +++++------ 2 files changed, 6 insertions(+), 7 deletions(-) 
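Review bot: Changing "codesigning certificate(s)" to "codesigning certificate" in the first `-`/`+` pair of the @@ -18,21 hunk narrows the meaning: an app and its binaries can be signed with more than one certificate, which is what the "(s)" was conveying, so consider "the code signing certificates used to sign an app and its binaries" rather than the singular. The unchanged context line in the same hunk, "App Control policies apply to the managed computer as a whole and affects all users of the device", has a subject-verb mismatch ("policies ... affects"); fix it while this paragraph is being edited. The rewritten NOTE now says "App Control for Business" where the surrounding heading still says "App Control"; either is fine, but be consistent within the article.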
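Review bot: The same singularization ("certificate(s)" to "certificate") is made in the first `-`/`+` pair of the @@ -40,9 hunk for the AppLocker rule list; apply whatever wording is chosen for the App Control list here too so the two lists stay parallel. The path bullet, "The path where the app or file exists on disk.", now matches the App Control list, which is the right outcome.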
diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md index fdaaad9277..b50b8ef185 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md 
@@ -43,7 +43,7 @@ Smart App Control starts in evaluation mode and will switch itself off within 48 > [!IMPORTANT] > Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows. -The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml*. To use this example policy as a starting point for your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it is ready for use as an App Control for Business policy. +The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml*. To use this example policy as a starting point for your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it is ready for use as an App Control for Business policy. [!INCLUDE [windows-defender-application-control-wdac](../../../../../includes/licensing/windows-defender-application-control-wdac.md)] 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md index 7968a8fb46..cef050191d 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md @@ -2,7 +2,7 @@ title: Allow COM object registration in an App Control policy description: You can allow COM object registration in an App Control for Business policy. ms.localizationpriority: medium -ms.date: 09/11/2024 +ms.date: 02/01/2025 ms.topic: how-to --- 
@@ -16,11 +16,10 @@ The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component- App Control for Business enforces a built-in allowlist for COM object registration. While this list works for most common application usage scenarios, you may need to allow more COM objects to support the apps used in your organization. You can specify allowed COM objects via their GUID in your App Control policy as described in this article. -> [!NOTE] -> To add this functionality to other versions of Windows 10, you can install the following or later updates. - -- [Windows 10, 1809 June 18, 2019-KB4501371 (OS Build 17763.592)](https://support.microsoft.com/help/4501371/windows-10-update-kb4501371) -- [Windows 10, 1607 June 18, 2019-KB4503294 (OS Build 14393.3053)](https://support.microsoft.com/help/4503294/windows-10-update-kb4503294) +> [!IMPORTANT] +> When any App Control for Business policy with Option 0 - Enabled:UMCI is enforced on a device, .NET adds an extra validation check before running COM objects. The check verifies the COM object's system registration matches the code being run. If there is a mismatch between the GUID calculated by .NET and the GUID stored in the COM registration, .NET won't load the object and the user sees a general error dialog informing them about the failure. This mitigates certain COM-based attacks which could otherwise be used to run an attacker's own malicious or vulnerable payload. +> +> The COM allow list mechanism described in this article **doesn't affect .NET's GUID validation check for COM objects**. Any .NET app attempting to run a COM object with a mismatched GUID are thus incompatible with App Control at this time. There are no policy control options to manage the GUID verification check, meaning the check is always performed. 
If you see COM object failures after an App Control policy is deployed, contact the software developer or the Independent Software Vendor (ISV) who produces the app to request a fix for the issue. ### Get COM object GUID From 4011f0f024830e2bb4c53f647afd608504750fee Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 4 Feb 2025 14:46:20 -0800 Subject: [PATCH 07/28] Update allow-com-object-registration-in-appcontrol-policy.md --- .../allow-com-object-registration-in-appcontrol-policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md index cef050191d..332f842983 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md 
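Review bot: "Any .NET app attempting to run a COM object with a mismatched GUID are thus incompatible with App Control at this time" in the second `+` paragraph of the @@ -16,11 hunk should read "is thus incompatible" (the subject is "Any .NET app"). "Option 0 - Enabled:UMCI" in the first `+` line should be formatted the way the other articles format policy rule options, for example bold **0 - Enabled:UMCI**, so it is recognizable as the rule option name. "the GUID calculated by .NET" is not explained; say what .NET computes that GUID from so readers can tell why a registration might not match. Use "allowlist" consistently: the context line above says "allowlist" while the new text says "COM allow list mechanism". Removing the KB4501371/KB4503294 note drops the only statement of which older Windows 10 builds support COM allowlisting; if that is intentional because those versions are out of support, say so in the commit message.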
@@ -14,10 +14,10 @@ The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component- ## COM object configurability in App Control policy -App Control for Business enforces a built-in allowlist for COM object registration. While this list works for most common application usage scenarios, you may need to allow more COM objects to support the apps used in your organization. You can specify allowed COM objects via their GUID in your App Control policy as described in this article. +App Control for Business enforces a built-in allowlist for COM object registration. While this list works for most common application usage scenarios, you might need to allow more COM objects to support the apps used in your organization. You can specify allowed COM objects via their GUID in your App Control policy as described in this article. > [!IMPORTANT] -> When any App Control for Business policy with Option 0 - Enabled:UMCI is enforced on a device, .NET adds an extra validation check before running COM objects. The check verifies the COM object's system registration matches the code being run. If there is a mismatch between the GUID calculated by .NET and the GUID stored in the COM registration, .NET won't load the object and the user sees a general error dialog informing them about the failure. This mitigates certain COM-based attacks which could otherwise be used to run an attacker's own malicious or vulnerable payload. +> When any App Control for Business policy with option **0 - Enabled:UMCI** is enforced on a device, .NET adds an extra validation check before running COM objects. The check verifies the COM object's system registration matches the code being run. If there is a mismatch between the GUID calculated by .NET and the GUID stored in the COM registration, .NET won't load the object and the user sees a general error dialog informing them about the failure. 
This mitigates certain COM-based attacks which could otherwise be used to run an attacker's own malicious or vulnerable payload. > > The COM allow list mechanism described in this article **doesn't affect .NET's GUID validation check for COM objects**. Any .NET app attempting to run a COM object with a mismatched GUID are thus incompatible with App Control at this time. There are no policy control options to manage the GUID verification check, meaning the check is always performed. If you see COM object failures after an App Control policy is deployed, contact the software developer or the Independent Software Vendor (ISV) who produces the app to request a fix for the issue. From 2dd142b1b71d54db1c220edc59b07b8f32e7d306 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 6 Feb 2025 12:52:21 -0800 Subject: [PATCH 08/28] Update common-appcontrol-use-cases.md --- .../design/common-appcontrol-use-cases.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md b/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md index 4ba40200b3..9e487ed510 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md @@ -2,7 +2,7 @@ title: Policy creation for common App Control usage scenarios description: Develop a plan for deploying App Control for Business in your organization based on these common scenarios. ms.localizationpriority: medium -ms.date: 09/11/2024 +ms.date: 01/31/2025 ms.topic: conceptual --- 
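Review bot: The grammar error in the unchanged context line "Any .NET app attempting to run a COM object with a mismatched GUID are thus incompatible" is still in the IMPORTANT block this hunk edits; since the hunk already reformats the option name to **0 - Enabled:UMCI**, change "are" to "is" and "allow list" to "allowlist" in the same change. The "may" to "might" edit in the first `+` line is fine.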
@@ -10,6 +10,8 @@ ms.topic: conceptual [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] +Whenever possible, App Control for Business (app control) should be enabled when setting up a device for the first time and before installing any apps. This ensures the system is in a "clean" state when App Control starts, and is especially important for apps allowed because they were installed by a managed installer or because the Intelligent Security Graph (ISG) determined that the app was safe to run. + Typically, deployment of App Control for Business happens best in phases, rather than being a feature that you simply "turn on." The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying App Control in your organization. It's common for organizations to have device use cases across each of the categories described. ## Types of devices From 76021f2c98c3c155a92975b53c923219221dc554 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 7 Feb 2025 22:25:16 -0800 Subject: [PATCH 09/28] Update common-appcontrol-use-cases.md --- .../design/common-appcontrol-use-cases.md | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md b/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md index 9e487ed510..0d5feeb80f 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md 
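Review bot: The new paragraph introduces the abbreviation "App Control for Business (app control)" and then never uses it; the next sentence goes back to "App Control". Drop the parenthetical or use the abbreviation consistently. "This ensures the system is in a 'clean' state when App Control starts" would land better if it said why the clean state matters for the two rule types it names: apps installed before the policy was enabled were never observed by the managed installer or evaluated by the ISG, so those rules cannot vouch for them afterwards.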
@@ -14,18 +14,20 @@ Whenever possible, App Control for Business (app control) should be enabled when Typically, deployment of App Control for Business happens best in phases, rather than being a feature that you simply "turn on." The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying App Control in your organization. It's common for organizations to have device use cases across each of the categories described. -## Types of devices +## Common use cases -| Type of device | How App Control relates to this type of device | +| Use case | How App Control relates to this use case | |------------------------------------|------------------------------------------------------| -| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | App Control for Business can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | -| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request for more software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline App Control for Business policy can be established and enforced. Whenever the IT department approves more applications, it updates the App Control policy and (for unsigned LOB applications) the catalog. | +| **Block undesirable apps**: Few companies manage all apps centrally, needing a long discovery period before they can even begin to decide what to allow.
Instead, the IT department's focus shifts to block a set of apps they consider problems, while they build their inventory of apps. | Using App Control, deploy a blocklist-only policy alongside an audit allowlist policy to gather information about the apps and processes running on your devices. | +| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run specific apps, like the organization's antivirus solution or its helpdesk client management tools. | App Control for Business can be used to help protect the kernel, and to let users run apps that are signed, are installed by the company's app deployment solution like Intune, were installed to locations where only an admin can write files, and any app with good reputation. | +| **Fully managed devices**: Allowed software is restricted by your IT department.
Users can request for more software, or install from a list of applications provided by the IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline App Control for Business policy can be established and enforced. Whenever the IT department approves more applications, they may update the App Control policy as part of their app packaging and deployment processes. Alternatively, they may create and sign app catalog files that are then distributed as a dependency of the app. | | **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | App Control for Business can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After App Control for Business deployment, only approved applications can run. This rule is because of protections offered by App Control. | | **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, App Control for Business doesn't apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | +| **"Dirty" systems**: Introducing an app control solution on systems that are already in use is much more challenging than when you apply it to a new device that hasn't installed any apps yet. Sometimes, trade-offs must be made to maintain productivity even if some apps might be unwanted by the organization. | Using a script to apply App Control policies, organizations can create a policy by scanning each device and creating rules for every binary or script file observed. This set of rules is used to supplement the more restrictive Base policy applied to fresh devices, newly configured. This way, any previously installed app keeps working, but all future installs must pass the organizations newly enforced app control rules. | ## An introduction to Lamna Healthcare Company -In the next set of articles, we'll explore each of the above scenarios using a fictional organization called Lamna Healthcare Company. +In the next set of articles, we'll explore policies to handle scenarios like the ones in the table using a fictional company called Lamna Healthcare Company. Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. 
Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff. @@ -35,4 +37,10 @@ Recently, Lamna experienced a ransomware event that required an expensive recove ## Up next -- [Create an App Control for Business policy for lightly managed devices](create-appcontrol-policy-for-lightly-managed-devices.md) +Now, let's create our initial policy using the [Smart App Control](../appcontrol.md#app-control-and-smart-app-control) "circle of trust" as our starting point. + +- [Use the Smart App Control policy to build your starter base policy](./create-appcontrol-policy-for-lightly-managed-devices.md). + +Or, if you prefer: + +- [Use an App Control policy to block specific apps](./create-appcontrol-deny-policy.md). From 453b40f7bafe43b70631ae4742c68c1b5a886be5 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sun, 9 Feb 2025 13:41:12 -0800 Subject: [PATCH 10/28] More prescriptive guidance --- .../app-control-for-business/appcontrol.md | 2 +- ...trol-policy-for-lightly-managed-devices.md | 28 +++++++++++++------ 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md index b50b8ef185..4f63072874 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md 
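Review bot: In the "Dirty" systems row added at the end of the table in the @@ -14,18 hunk, "must pass the organizations newly enforced app control rules" needs an apostrophe ("organization's"), and the row should state the trade-off plainly: a supplemental policy generated by scanning a device allows every binary and script found on it, including any unwanted software already present, so say that explicitly rather than leaving it at "some apps might be unwanted". "This set of rules is used to supplement the more restrictive Base policy applied to fresh devices, newly configured" reads awkwardly; "...applied to newly configured devices" is enough. In the "Block undesirable apps" row, "Few companies manage all apps centrally, needing a long discovery period before they can even begin to decide what to allow" reads as if the discovery period follows from not managing centrally; split it into two clauses ("Few companies manage all apps centrally, and most need a long discovery period before they can decide what to allow."). In the "Fully managed devices" row, "they may update the App Control policy" reads as permission; "can" is clearer. Since the heading changed from "Types of devices" to "Common use cases", check other articles that link to this section under its old heading.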
@@ -51,4 +51,4 @@ The App Control policy used for Smart App Control comes bundled with the [App Co Read on to learn more about the two application control technologies available in Windows with the [App Control for Business and AppLocker Overview](./appcontrol-and-applocker-overview.md). -If you're ready to jump in and get started creating policies, let's revisit Smart App Control and [Use the Smart App Control policy to build your own custom base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md). +If you're ready to jump in and get started creating policies, let's revisit Smart App Control and [Use the Smart App Control policy to build your own starter policy](design/create-appcontrol-policy-for-lightly-managed-devices.md). diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index b7c6837954..ca5300a3c0 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
@@ -1,28 +1,38 @@ --- -title: Create an App Control policy for lightly managed devices +title: Use the Smart App Control policy to build your starter base policy description: App Control for Business restricts which applications users are allowed to run and the code that runs in the system core. ms.topic: conceptual ms.localizationpriority: medium -ms.date: 09/11/2024 +ms.date: 02/07/2025 --- -# Create an App Control policy for lightly managed devices +# Use the Smart App Control policy to build your starter policy [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -This section outlines the process to create an App Control for Business policy for **lightly managed devices** within an organization. Typically, organizations that are new to App Control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their App Control-managed devices as described in later articles. +This article describes how to create an App Control for Business policy using the Smart App Control policy as a template. [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) is an app control-based security solution designed for consumer users. It uses the same technology as App Control for Business so it's easy to use as the basis for an equally robust but flexible enterprise policy. -> [!NOTE] -> Some of the App Control for Business options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's App Control policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. 
+> [!INFORMATION] +> We strongly recommend the policy created in this article as the ideal starter policy for most App Control deployments to end user's devices. Typically, organizations that are new to App Control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their App Control-managed devices as described in later articles. As in [App Control for Business deployment in different scenarios: types of devices](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. -**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and use different policies for different workloads. +**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and eventually use different policies for different workloads. + +## Analyze the "circle-of-trust" of the Smart App Control policy + +Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads all of Microsoft's online help articles related to Smart App Control, which she finds do a good job defining it's "circle-of-trust". 
Alice decides to dig a little deeper by analyzing the Smart App Control policy XML itself. + +Alice is familiar with the App Control Policy Wizard, an open-source policy authoring UI whose principal maintainers are from Microsoft's Platform Integrity team, the same people responsible for App Control for Business and Smart App Control. She downloads the tool from its official [download site](https://aka.ms/appcontrolwizard) and runs it. + +On the **App Control Policy Wizard's** main page, Alice selects **Policy Creator** which brings her to **Select a Policy Type**. Leaving the default values unaltered, she selects **Next**. On the next page, she immediately notices the template called **Signed and Reputable Mode** and reads the list of code the template authorizes, which perfectly matches the "circle-of-trust" for Smart App Control. Alice selects the template and selects **Next** to see the policy rules set by the template. + +"Circle of Trust" described in this article is strongly recommended as a safe and effective app control policy for almost any environment. The policy we'll create is particularly well-suited for **lightly managed devices** within an organization. T + +and its policy ensures only signed code runs along with code predicted to be safe by our intelligent cloud-powered security service. Unsigned code is blocked from running if the service can't predict that the code is safe to run. And code determined to be unsafe is always blocked. For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. -## Define the "circle-of-trust" for lightly managed devices - Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly managed devices, which currently include most end-user devices: - All clients are running Windows 10 version 1903 and above, or Windows 11; 
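Review bot: `> [!INFORMATION]` is not an alert type this docset renders (the rest of these files use NOTE, IMPORTANT and WARNING), so the callout will fall back to a plain blockquote; use `> [!NOTE]` or `> [!TIP]`. The same hunk leaves several orphaned fragments behind that read as editing residue: the stray `T` after `within an organization.`, the paragraph beginning lowercase `and its policy ensures only signed code runs along with code predicted to be safe by our intelligent cloud-powered security service.` which has lost its subject, the now free-standing `For most users and devices, Alice wants to create an initial policy...` sentence, and the `Alice identifies the following key factors...` list, which lost its `## Define the "circle-of-trust" for lightly managed devices` heading and now reads as part of the Smart App Control analysis. Smaller: the front-matter `title:` says "starter base policy" while the H1 says "starter policy", and `defining it's "circle-of-trust"` should be `its`.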
From 1183dd12ed4de5a48bb0e35f6c24b2fd165f44c9 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 13 Feb 2025 07:34:38 -0800 Subject: [PATCH 11/28] Updates to .Net and COM topic areas plus changes for windows resiliency --- ...bject-registration-in-appcontrol-policy.md | 8 ++--- .../design/appcontrol-and-dotnet.md | 31 ++++++++++--------- ...trol-policy-for-lightly-managed-devices.md | 4 +-- .../operations/known-issues.md | 28 +++++++++++------ 4 files changed, 41 insertions(+), 30 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md index 332f842983..13bf6a0bad 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md 
@@ -16,10 +16,8 @@ The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component- App Control for Business enforces a built-in allowlist for COM object registration. While this list works for most common application usage scenarios, you might need to allow more COM objects to support the apps used in your organization. You can specify allowed COM objects via their GUID in your App Control policy as described in this article. -> [!IMPORTANT] -> When any App Control for Business policy with option **0 - Enabled:UMCI** is enforced on a device, .NET adds an extra validation check before running COM objects. The check verifies the COM object's system registration matches the code being run. If there is a mismatch between the GUID calculated by .NET and the GUID stored in the COM registration, .NET won't load the object and the user sees a general error dialog informing them about the failure. This mitigates certain COM-based attacks which could otherwise be used to run an attacker's own malicious or vulnerable payload. -> -> The COM allow list mechanism described in this article **doesn't affect .NET's GUID validation check for COM objects**. Any .NET app attempting to run a COM object with a mismatched GUID are thus incompatible with App Control at this time. There are no policy control options to manage the GUID verification check, meaning the check is always performed. If you see COM object failures after an App Control policy is deployed, contact the software developer or the Independent Software Vendor (ISV) who produces the app to request a fix for the issue. +> [!WARNING] +> When App Control is enforced, .NET doesn't load certain COM objects if their registration GUID doesn't match the one calculated by the system at runtime. When that happens, the user sees a general COM load error dialog, but no events or other information is logged to the system. 
The COM allowlist mechanism described in this article **doesn't affect .NET's GUID validation check for COM objects** leaving those .NET apps incompatible with App Control at this time. For more information, see [App Control Admin Tips & Known Issues: .NET doesn't load COM objects with mismatched GUIDs](../operations/known-issues.md#net-doesnt-load-component-object-model-com-objects-with-mismatched-guids) ### Get COM object GUID @@ -130,7 +128,7 @@ To add this CLSID to the existing policy, follow these steps: PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \AppControl_policy.xml -Key "{f8d253d9-89a4-4daa-87b6-1168369f0b21}" -Provider WSH -Value true -ValueName EnterpriseDefinedClsId -ValueType Boolean ``` - Once the command has run, find the following section added to the policy XML. + Once the command runs, find the following section added to the policy XML. ```XML diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md index 6e31a5e523..be104082d9 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md 
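Review bot: the WARNING that replaces the IMPORTANT in allow-com-object-registration-in-appcontrol-policy.md drops two facts this article's readers need before they try the allowlist: the GUID check only applies when a UMCI policy (option **0 - Enabled:UMCI**) is enforced, and there is no policy option to turn it off, which is why the CLSID allowlist described below can't fix a mismatch. Keep one sentence for each, or say explicitly that the known-issues entry covers both points. The added "no events or other information is logged" is the useful new fact here; consider leading with it, since it's what makes the failure hard to diagnose.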
@@ -2,43 +2,46 @@ title: App Control for Business and .NET description: Understand how App Control and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime. ms.localizationpriority: medium -ms.date: 09/11/2024 +ms.date: 02/13/2025 ms.topic: conceptual --- # App Control for Business and .NET +> [!WARNING] +> When App Control is enforced, .NET doesn't load certain Component Object Model (COM) objects if their registration GUID doesn't match the one calculated by the system at runtime. When that happens, the user sees a general COM load error dialog, but no events or other information is logged to the system. For more information, see [App Control Admin Tips & Known Issues: .NET doesn't load COM objects with mismatched GUIDs](../operations/known-issues.md#net-doesnt-load-component-object-model-com-objects-with-mismatched-guids) + .NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with an App Control user mode policy, it first checks whether the original IL file passes the current App Control policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that App Control knows to trust it as well. When the .NET app runs, App Control sees the EA on the NI file and allows it. -The EA set on the NI file only applies to the currently active App Control policies. If one of the active App Control policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, App Control will block the NI file. .NET handles the block gracefully and falls back to the original IL code. 
If the IL still passes the latest App Control policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you might notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the App Control EA for all code that passes the latest App Control policies. +The EA set on the NI file only applies to the currently active App Control policies. If one of the active App Control policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, App Control will block the NI file. .NET handles the block gracefully and falls back to the original IL code. If the IL still passes the latest App Control policies, then the app runs without any functional issue. Since the IL is now being compiled at runtime, you might notice a slight reduction in performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the App Control EA for all code that passes the latest App Control policies. In some cases, if an NI file is blocked, you might see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [App Control Admin Tips & Known Issues](../operations/known-issues.md#net-native-images-may-generate-false-positive-block-events). -To mitigate any performance impact caused when the App Control EA isn't valid or missing: +To mitigate any performance reduction caused when the App Control EA isn't valid or is missing: - Avoid updating the App Control policies often. - Run `ngen update` (on all machine architectures) to force .NET to regenerate all NI files immediately after applying changes to your App Control policies. - Migrate applications to .NET Core (.NET 6 or greater). 
-## App Control and .NET hardening +## App Control and .NET Dynamic Code Security hardening -Security researchers found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent App Control controls. -To address this potential vulnerability, App Control includes an option called *Dynamic Code Security* that works with .NET to verify code loaded at runtime. +Security researchers found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent App Control. To address this potential vulnerability, App Control includes an option called *Dynamic Code Security* that works with .NET to verify code loaded at runtime. -When the Dynamic Code Security option is enabled, the App Control policy is applied to libraries that .NET loads from external sources. For example, any remote sources, such as the internet or a network share. +When Dynamic Code Security is enabled, your App Control policy is applied to libraries that .NET loads from external or remote sources, like the internet or a network share. It also detects tampering in code generated to disk by .NET and blocks loading code that is tampered. Additionally, some .NET loading features not supported with Dynamic Code Security, including loading unsigned assemblies built with System.Reflection.Emit, are always blocked. + +Usually, when dynamic code is blocked, its parent process is stopped or crashes. To prevent this using ASP.NET, you can precompile the dynamic code for deployment only. See ["Precompiling for Deployment Only" in the ASP.NET Precompilation Overview](/previous-versions/aspnet/bb398860(v=vs.100)#precompiling-for-deployment-only). > [!IMPORTANT] -> .Net dynamic code security hardening is *turned on and enforced* if any App Control policy with UMCI enabled has set option **19 Enabled:Dynamic Code Security**. 
There is no audit mode for this feature. You should test your apps with this option set before turning it on across large numbers of devices. +> .NET Dynamic Code Security works in audit mode only on Windows 11 24H2 and later, and Windows Server 2025 and later. There's no audit mode for Dynamic Code Security on Windows 10, or on earlier versions of Windows 11 and Windows Server. If any App Control policy sets option **19 Enabled:Dynamic Code Security** on those earlier versions, then dynamic code security hardening is *turned on and enforced* even if the policy is in audit mode. Always test your apps thoroughly and use safe deployment practices when deploying app control policies to production. -Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that was tampered with. +Dynamic Code Security mitigates potential attack techniques often referred to as "second order" attacks. That means that the attacker has access to the system and is able to run code. The second order attacks might be attempts to gain persistence or further obscure the attackers activities. Although Dynamic Code Security is important and recommended, Microsoft also recommends testing the policy in audit mode on systems running Windows 11 24H2 and later, or Windows Server 2025 and later before you enforce it. -Dynamic Code Security isn't enabled by default because existing policies might not account for externally loaded libraries. -Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. -Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. +Code blocked by Dynamic Code Security is logged using event ID 3114 in the **CodeIntegrity - Operational** event log. 
Except for code loaded using one of the unsupported .NET features like System.Reflection.Emit, you can create rules to allow blocked dynamic code using information from the events. See [Use the App Control Wizard to create rules from the App Control Event Logs](./appcontrol-wizard-parsing-event-logs.md). -Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/previous-versions/aspnet/bb398860(v=vs.100)) document for how to fix that. +> [!NOTE] +> .NET attempts two different methods to run dynamically generated code. If your App Control policy blocks the first method, .NET tries the second one. Each of the two attempts raises a distinct 3114 event. When a 3114 event occurs in isolation, it's safe to ignore as a "false positive" because it only covers the first attempt by .NET to run the code. Only when you see two 3114 events back-to-back within milliseconds for the same code does it indicate an actual issue to review. -To enable Dynamic Code Security, add the following option to the `` section of your App Control policy: +To enable Dynamic Code Security, add option **19 - Enabled:Dynamic Code Security** to your App Control policy using the App Control Wizard, the set-ruleoption PowerShell cmdlet, or by adding the following to the `` section of your App Control policy XML: ```xml diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index ca5300a3c0..e56e5a2e2d 100644 
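Review bot: in the appcontrol-and-dotnet.md hunk, the NOTE about paired 3114 events conflicts with the paragraph just before it, which tells admins to build allow rules from 3114 events: an isolated 3114 is called a false positive, so the guidance should say to create rules only from the back-to-back pair, otherwise readers will add rules for code that was never blocked. The audit-mode statement is also made twice (in the IMPORTANT and again in "Microsoft also recommends testing the policy in audit mode on systems running Windows 11 24H2 and later..."); keep it in one place. Wording nits: `blocks loading code that is tampered` should be `tampered with`, `the attackers activities` needs `attacker's`, and the cmdlet is `Set-RuleOption` (PowerShell casing), ideally with a link to its reference page.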
--- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
@@ -12,8 +12,8 @@ ms.date: 02/07/2025 This article describes how to create an App Control for Business policy using the Smart App Control policy as a template. [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) is an app control-based security solution designed for consumer users. It uses the same technology as App Control for Business so it's easy to use as the basis for an equally robust but flexible enterprise policy. -> [!INFORMATION] -> We strongly recommend the policy created in this article as the ideal starter policy for most App Control deployments to end user's devices. Typically, organizations that are new to App Control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their App Control-managed devices as described in later articles. +> [!NOTE] +> Microsoft recommends the policy created in this article as the ideal starter policy for most App Control deployments to end user's devices. Typically, organizations who are new to App Control will be most successful if they start with a permissive policy like the one described in this article. You can choose to harden the policy over time to achieve a stronger overall security posture on your App Control-managed devices as described in later articles. As in [App Control for Business deployment in different scenarios: types of devices](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. 
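Review bot: `end user's devices` should be `end users' devices` (plural possessive); it appears in both the removed and the added NOTE text, so this hunk is the place to fix it.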
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md index 4181691e76..4baf2a1a12 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md @@ -2,7 +2,7 @@ title: App Control Admin Tips & Known Issues description: App Control Known Issues ms.manager: jsuther -ms.date: 09/11/2024 +ms.date: 02/13/2025 ms.topic: troubleshooting ms.localizationpriority: medium --- 
@@ -28,21 +28,21 @@ For **single policy format App Control policies**, in addition to the two preced - <OS Volume>\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b > [!NOTE] -> A multiple policy format App Control policy using the single policy format GUID `{A244370E-44C9-4C06-B551-F6016E563076}` may exist under any of the policy file locations. +> A multiple policy format App Control policy using the single policy format GUID `{A244370E-44C9-4C06-B551-F6016E563076}` might exist under any of the policy file locations. ## File Rule Precedence Order When the App Control engine evaluates files against the active set of policies on the device, rules are applied in the following order. Once a file encounters a match, App Control stops further processing. -1. Explicit deny rules - a file is blocked if any explicit deny rule exists for it, even if other rules are created to try to allow it. Deny rules can use any [rule level](../design/select-types-of-rules-to-create.md#app-control-for-business-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend. +1. Any file matching an explicit deny rule is blocked, even if you create other rules to try to allow it. Deny rules can use any [rule level](../design/select-types-of-rules-to-create.md#app-control-for-business-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend. -2. Explicit allow rules - if any explicit allow rule exists for the file, the file runs. +2. Any file matching an explicit allow rule runs. -3. App Control then checks for the [Managed Installer extended attribute (EA)](../design/configure-authorized-apps-deployed-with-a-managed-installer.md) or the [Intelligent Security Graph (ISG) EA](../design/use-appcontrol-with-intelligent-security-graph.md) on the file. If either EA exists and the policy enables the corresponding option, then the file is allowed. +3. 
Any file that has a [Managed Installer](../design/configure-authorized-apps-deployed-with-a-managed-installer.md) or [Intelligent Security Graph (ISG)](../design/use-appcontrol-with-intelligent-security-graph.md) extended attribute (EA) runs if the policy enables the matching option (managed installer or ISG). -4. Lastly, App Control makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option. +4. Any file that isn't allowed based on the preceding conditions, is checked for reputation using the ISG when that option is enabled in the policy. The file runs if the ISG decides that it's safe and a new ISG EA is written on the file. -5. Any file not allowed by an explicit rule or based on ISG or MI is blocked implicitly. +5. Any file not allowed by an explicit rule, or based on ISG or managed installer, is blocked implicitly. ## Known issues 
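Review bot: step 4 of the precedence list no longer says the ISG lookup is a cloud call; the replaced text ("App Control makes a cloud call to the ISG") told readers that reputation-based allow depends on network connectivity, which matters for offline or firewalled devices, while the new "checked for reputation using the ISG" does not. Keep "cloud" or state the connectivity requirement. Since the new step 4 also says "a new ISG EA is written on the file", a clause noting that this EA is what step 3 matches on subsequent runs would make the two steps' relationship explicit.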
@@ -51,11 +51,11 @@ When the App Control engine evaluates files against the active set of policies o Until you apply the Windows security update released on or after April 9, 2024, your device is limited to 32 active policies. If the maximum number of policies is exceeded, the device bluescreens referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your App Control policies. Any [Windows inbox policies](inbox-appcontrol-policies.md) that are active on the device also count towards this limit. To remove the maximum policy limit, install the Windows security update released on, or after, April 9, 2024 and then restart the device. Otherwise, reduce the number of policies on the device to remain below 32 policies. > [!NOTE] -> The policy limit was not removed on Windows 11 21H2, and will remain limited to 32 policies. +> The policy limit wasn't removed on Windows 11 21H2, and remains limited to 32 policies. ### Audit mode policies can change the behavior for some apps or cause app crashes -Although App Control audit mode is designed to avoid impact to apps, some features are always on/always enforced with any App Control policy that turns on user mode code integrity (UMCI) with the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode: +Although App Control audit mode is designed to avoid any effect on apps, some features are always on/always enforced with any App Control policy that turns on user mode code integrity (UMCI) with the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode: - Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with App Control](../design/script-enforcement.md) for information about individual script host behaviors. - Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. 
See [App Control and .NET](../design/appcontrol-and-dotnet.md#app-control-and-net-hardening). 
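Review bot: the unchanged context line `Option 19 Enabled:Dynamic Code Security is always enforced if any UMCI policy includes that option` now contradicts the IMPORTANT this same patch adds to appcontrol-and-dotnet.md, which says the option honors audit mode on Windows 11 24H2 and Windows Server 2025 and later; qualify it ("on Windows 10, and on Windows 11 and Windows Server versions earlier than 24H2 and 2025"). The link on the next line, `appcontrol-and-dotnet.md#app-control-and-net-hardening`, is also broken by this patch, which renames that heading to "App Control and .NET Dynamic Code Security hardening"; update the fragment to `#app-control-and-net-dynamic-code-security-hardening`.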
@@ -64,6 +64,16 @@ Although App Control audit mode is designed to avoid impact to apps, some featur In some cases, the code integrity logs where App Control for Business errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. +### .NET doesn't load Component Object Model (COM) objects with mismatched GUIDs + +COM objects make it easy for different software components to communicate and work together. To be used by another component, COM objects must be registered with the operating system. The registration includes a GUID that is calculated based on the object's code. Loading and activation of the COM object is done using another part of the registration called the type name. Sometimes a mismatch exists between the registered GUID and the actual GUID of the activated COM object's code. Mismatches might come from bugs in the app's COM object registration code or if the COM object's code is changed in a way that affects the GUID. Normally, Windows and .NET are forgiving about this condition and runs the COM object’s code regardless. But allowing COM objects to load where there are GUID mismatches leaves the system vulnerable to attackers who can exploit the GUID confusion to run unintended code. + +To increase App Control's protective effectiveness on a system vulnerable to this attack technique, .NET applies an extra validation to check that the registered COM object GUID matches the system calculated one. If a mismatch is found, .NET doesn't load the COM object and a general COM load error is raised. Apps using COM objects with this condition might behave in unexpected ways and must be updated to fix issues with the app's COM object registration code. 
+ +Since this behavior only occurs when App Control policy is enforced on user mode code, you can't detect it while in audit mode. There's no logging or other events when a COM object fails to load due to the extra validation check. Repairing or reinstalling the app can resolve the issue temporarily, but an app update is needed to fix the COM registration issue and prevent future instances of the problem. + +There are no policy control options to manage .NET's GUID verification check, meaning the check is always performed. If you see COM object failures after an App Control policy is deployed, contact the software developer or the Independent Software Vendor (ISV) who produces the app to request a fix for the issue. + ### Signatures using elliptical curve cryptography (ECC) aren't supported App Control signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If App Control blocks a file based on ECC signatures, the corresponding 3089 signature information events show VerificationError = 23. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. From 0fe9edf40e26cf4bca500a40ba6145e53ba0c309 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sat, 15 Feb 2025 11:07:17 -0800 Subject: [PATCH 12/28] Update create-appcontrol-policy-for-lightly-managed-devices.md --- ...trol-policy-for-lightly-managed-devices.md | 26 +++++++++++++------ 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index e56e5a2e2d..3e889dcb0c 100644 
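Review bot: in the known-issues.md hunk adding ".NET doesn't load Component Object Model (COM) objects with mismatched GUIDs", `Windows and .NET are forgiving about this condition and runs the COM object’s code` needs `run` (plural subject) and a straight apostrophe in `object's` to match the rest of the file. `To increase App Control's protective effectiveness on a system vulnerable to this attack technique` is hard to parse; something like `To close this gap when App Control is enforced` says the same. The section also describes the registered GUID as "calculated based on the object's code" and then compares it with "the system calculated one", while the WARNING added elsewhere in this patch says the GUID is "calculated by the system at runtime"; one consistent description of what is compared against what (the registered GUID versus the GUID derived from the code actually loaded) would help admins explain failures to ISVs.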
--- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
@@ -10,22 +10,32 @@ ms.date: 02/07/2025 [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -This article describes how to create an App Control for Business policy using the Smart App Control policy as a template. [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) is an app control-based security solution designed for consumer users. It uses the same technology as App Control for Business so it's easy to use as the basis for an equally robust but flexible enterprise policy. +This article describes how to create an App Control for Business policy using the Smart App Control policy as a template. [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) is an app control-based security solution designed for consumer users. It uses the same technology as App Control for Business so it's easy to use as the basis for an equally robust but flexible enterprise policy. -> [!NOTE] +> [!TIP] > Microsoft recommends the policy created in this article as the ideal starter policy for most App Control deployments to end user's devices. Typically, organizations who are new to App Control will be most successful if they start with a permissive policy like the one described in this article. You can choose to harden the policy over time to achieve a stronger overall security posture on your App Control-managed devices as described in later articles. -As in [App Control for Business deployment in different scenarios: types of devices](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. 
+As we did in [App Control for Business deployment in different scenarios: types of devices](common-appcontrol-use-cases.md), we'll use the fictional example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. -**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and eventually use different policies for different workloads. +**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and eventually use different policies for different user segments. But for now, she wants to begin with a policy that can cover the vast majority of users without any modifications. -## Analyze the "circle-of-trust" of the Smart App Control policy +## Analyze the "circle-of-trust" of the Smart App Control policy and its fit in your organization -Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads all of Microsoft's online help articles related to Smart App Control, which she finds do a good job defining it's "circle-of-trust". Alice decides to dig a little deeper by analyzing the Smart App Control policy XML itself. 
+Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads all of Microsoft's online help articles related to Smart App Control, which she finds do a good job defining it's "circle-of-trust". Its policy ensures only signed code runs along with code predicted to be safe by the [Intelligent Security Graph](./use). Unsigned code is blocked from running if the service can't predict that the code is safe to run. And code determined to be unsafe is always blocked. -Alice is familiar with the App Control Policy Wizard, an open-source policy authoring UI whose principal maintainers are from Microsoft's Platform Integrity team, the same people responsible for App Control for Business and Smart App Control. She downloads the tool from its official [download site](https://aka.ms/appcontrolwizard) and runs it. +Now Alice considers how to adapt the policy for Lamna's use cases. For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. Even though Lamna's leadership would prefer a more restrictive posture, she's been careful not to over-promise how quickly the company can get to that state and has leadership buy-in on her strategy. -On the **App Control Policy Wizard's** main page, Alice selects **Policy Creator** which brings her to **Select a Policy Type**. Leaving the default values unaltered, she selects **Next**. On the next page, she immediately notices the template called **Signed and Reputable Mode** and reads the list of code the template authorizes, which perfectly matches the "circle-of-trust" for Smart App Control. Alice selects the template and selects **Next** to see the policy rules set by the template. 
+Alice next identifies the key factors about Lamna's environment that she believes will shape the "circle-of-trust" it needs to operate the business until it can reform its app management processes. They also help her narrow the set of systems she will start with. Alice writes down these factors in her planning worksheet: + +- Most clients are running Windows 11, with small numbers of clients remaining on Windows 10 through the remainder of the fiscal year; +- All clients are managed by Microsoft Intune; +- Most, but not all, apps are deployed using Intune; +- Most users run as standard user, though some have local admin rights on their devices; the people with admin rights are accustomed to the freedom they have to install whatever apps they want; +- Lamna has hundreds of line-of-business (LOB) apps across its business units; almost all of the apps use unsigned or mostly unsigned code, though the company has started to require codesigning in the past two years; all of the signed LOB apps + +Alice is familiar with the App Control Policy Wizard, an open-source policy authoring UI maintained by the team responsible for App Control for Business and Smart App Control. She downloads the tool from its official [download site](https://aka.ms/appcontrolwizard) and runs it. + +1. On the **App Control Policy Wizard's** main page, Alice selects **Policy Creator** which brings her to **Select a Policy Type**. Leaving the default values unaltered, she selects **Next**. On the next page, she immediately notices the template called **Signed and Reputable Mode** and reads the list of code the template authorizes, which perfectly matches the "circle-of-trust" for Smart App Control. Alice selects the template and selects **Next** to see the policy rules set by the template. "Circle of Trust" described in this article is strongly recommended as a safe and effective app control policy for almost any environment. 
The policy we'll create is particularly well-suited for **lightly managed devices** within an organization. T From 2087dd5646b50521d0c2f74466bdc7b15a666860 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 20 Feb 2025 07:25:00 -0800 Subject: [PATCH 13/28] Update create-appcontrol-policy-for-lightly-managed-devices.md --- ...ntrol-policy-for-lightly-managed-devices.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index 3e889dcb0c..72ef69ec16 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
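Review bot: the new key-factors list in this hunk ends mid-sentence ("...all of the signed LOB apps") and the link `[Intelligent Security Graph](./use)` points at a relative path that does not exist; both need finishing before this lands. The fragment that trails numbered step 1 (`"Circle of Trust" described in this article is strongly recommended ... lightly managed devices within an organization. T`) reads as leftover text from the old introduction and should be deleted rather than left dangling after the step. Also "which she finds do a good job defining it's "circle-of-trust"" should read "its".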
@@ -19,18 +19,20 @@ As we did in [App Control for Business deployment in different scenarios: types **Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and eventually use different policies for different user segments. But for now, she wants to begin with a policy that can cover the vast majority of users without any modifications. -## Analyze the "circle-of-trust" of the Smart App Control policy and its fit in your organization +## Analyze how Smart App Control's "circle-of-trust" fits for you -Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads all of Microsoft's online help articles related to Smart App Control, which she finds do a good job defining it's "circle-of-trust". Its policy ensures only signed code runs along with code predicted to be safe by the [Intelligent Security Graph](./use). Unsigned code is blocked from running if the service can't predict that the code is safe to run. And code determined to be unsafe is always blocked. +Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads all of Microsoft's online help articles related to Smart App Control to be sure she understands it well. From her reading, she learns that the Smart App Control allows only publicly-trusted signed code or unsigned code that the [Intelligent Security Graph (ISG)](./use-appcontrol-with-intelligent-security-graph.md) predicts is safe. 
Publicly-trusted signed code means the signing certificate was issued by one of the certificate authorities (CA) who are in Microsoft's Trusted Root Program. Unsigned code is blocked from running if the ISG can't predict that the code is safe to run. And code determined to be unsafe is always blocked. -Now Alice considers how to adapt the policy for Lamna's use cases. For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. Even though Lamna's leadership would prefer a more restrictive posture, she's been careful not to over-promise how quickly the company can get to that state and has leadership buy-in on her strategy. +Now Alice considers how to adapt the policy for Lamna's use. Alice wants to create an initial policy that is as relaxed as possible to cover more users, avoid user productivity impact, but still provide tangible security value. Even though Lamna's leadership would prefer a more restrictive posture, more rapidly, she's educated key stakeholders on the challenges and complexities ahead. As a result, she has senior leadership buy-in on her strategy. -Alice next identifies the key factors about Lamna's environment that she believes will shape the "circle-of-trust" it needs to operate the business until it can reform its app management processes. They also help her narrow the set of systems she will start with. 
Alice writes down these factors in her planning worksheet: +### Consider the key factors about your organization -- Most clients are running Windows 11, with small numbers of clients remaining on Windows 10 through the remainder of the fiscal year; -- All clients are managed by Microsoft Intune; -- Most, but not all, apps are deployed using Intune; -- Most users run as standard user, though some have local admin rights on their devices; the people with admin rights are accustomed to the freedom they have to install whatever apps they want; +Alice next identifies the key factors about Lamna's environment that she thinks will shape the company's "circle-of-trust". The policy must be flexible to meet the needs of the business while adjusting its app management processes so that a more restrictive policy is even practical. The key factors also help her choose which systems to include in the first deployment. Alice writes down these factors in her planning worksheet so that whoever follows her knows : + +- **Privileges:** Most users operate as standard user, though nearly a quarter still have local admin rights on their devices; the people with admin rights view the freedoms that gives them as essential, including the option to run whatever apps they want; +- **Operating Systems:** Windows 11 runs most user devices, but Windows 10 will remain on roughly 10% of clients at least through the next fiscal year, particularly those in smaller satellite offices; Alice's group doesn't manage Lamna's servers or any specialized equipment; Lamna's server IT group plans to wait to see how the client rollout of App Control unfolds before implementing the technology on the servers they control; +- **Client management:** Lamna uses Microsoft Intune for all Windows 11 devices, deployed as Microsoft Entra cloud-native; they continue to use Microsoft Endpoint Configuration Manager (MEMCM) with Microsoft Entra hybrid join on all Windows 10 devices; +- Most, but not all, apps are deployed 
using Intune; there's a long tail of business-unit-specific apps, and "Shadow IT" apps that lack an official charter, but are critical to the employees who use them; - Lamna has hundreds of line-of-business (LOB) apps across its business units; almost all of the apps use unsigned or mostly unsigned code, though the company has started to require codesigning in the past two years; all of the signed LOB apps Alice is familiar with the App Control Policy Wizard, an open-source policy authoring UI maintained by the team responsible for App Control for Business and Smart App Control. She downloads the tool from its official [download site](https://aka.ms/appcontrolwizard) and runs it. From b6430ee59d285f991309f9aab3cbb921c0223707 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 20 Feb 2025 08:04:39 -0800 Subject: [PATCH 14/28] Update create-appcontrol-policy-for-lightly-managed-devices.md --- .../create-appcontrol-policy-for-lightly-managed-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index 3e889dcb0c..de637f9762 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
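Review bot: the lead-in "Alice writes down these factors in her planning worksheet so that whoever follows her knows :" is unfinished (and has a space before the colon), and the fourth bullet ("Most, but not all, apps are deployed using Intune; ...") is now the only one without a bold label after the others gained **Privileges:**, **Operating Systems:** and **Client management:**; "**App management:**" would match. The last bullet is still cut off at "all of the signed LOB apps" (it is unchanged context here), so the worksheet never records the internal-PKI detail that the rest of the walkthrough depends on. Two wording points: "Windows 11 runs most user devices" reads more naturally as "Most user devices run Windows 11", and the pre-image pseudo-rules later in this article call the product plainly "Configuration Manager", so "Microsoft Endpoint Configuration Manager (MEMCM)" should use the same name.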
@@ -31,7 +31,7 @@ Alice next identifies the key factors about Lamna's environment that she believe - All clients are managed by Microsoft Intune; - Most, but not all, apps are deployed using Intune; - Most users run as standard user, though some have local admin rights on their devices; the people with admin rights are accustomed to the freedom they have to install whatever apps they want; -- Lamna has hundreds of line-of-business (LOB) apps across its business units; almost all of the apps use unsigned or mostly unsigned code, though the company has started to require codesigning in the past two years; all of the signed LOB apps +- Lamna has hundreds of line-of-business (LOB) apps across its business units; almost all of the apps use unsigned or mostly unsigned code, though the company has started to require codesigning in the past two years; all of the signed LOB apps use a codesigning certificate issued using Lamna's internal PKI meaning they aren't publicly trusted Alice is familiar with the App Control Policy Wizard, an open-source policy authoring UI maintained by the team responsible for App Control for Business and Smart App Control. She downloads the tool from its official [download site](https://aka.ms/appcontrolwizard) and runs it. From 2ffbd34780f1a1df962c3b35319fa0af74ccfaa6 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 20 Feb 2025 18:20:00 -0800 Subject: [PATCH 15/28] Update create-appcontrol-policy-for-lightly-managed-devices.md --- ...reate-appcontrol-policy-for-lightly-managed-devices.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index 72ef69ec16..37240b4302 100644 
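Review bot: this hunk was generated against the same pre-image as PATCH 13 (both show `index 3e889dcb0c..`), and its context lines are the unlabelled bullets that PATCH 13 already rewrote, so it will not apply on top of 13 and the completed bullet is lost; the pre-image in PATCH 16 still shows the bullet truncated at "all of the signed LOB apps". Rebase onto 72ef69ec16 and re-apply the completion to the labelled bullet. On the text itself, add a comma and a full stop: "...issued using Lamna's internal PKI, meaning they aren't publicly trusted." This is the one factor that forces a change to the Smart App Control template (Lamna's own signer has to be added), so it is the bullet that most needs to survive.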
--- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md @@ -3,7 +3,7 @@ title: Use the Smart App Control policy to build your starter base policy description: App Control for Business restricts which applications users are allowed to run and the code that runs in the system core. ms.topic: conceptual ms.localizationpriority: medium -ms.date: 02/07/2025 +ms.date: 02/20/2025 --- # Use the Smart App Control policy to build your starter policy 
@@ -13,11 +13,11 @@ ms.date: 02/07/2025 This article describes how to create an App Control for Business policy using the Smart App Control policy as a template. [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) is an app control-based security solution designed for consumer users. It uses the same technology as App Control for Business so it's easy to use as the basis for an equally robust but flexible enterprise policy. > [!TIP] -> Microsoft recommends the policy created in this article as the ideal starter policy for most App Control deployments to end user's devices. Typically, organizations who are new to App Control will be most successful if they start with a permissive policy like the one described in this article. You can choose to harden the policy over time to achieve a stronger overall security posture on your App Control-managed devices as described in later articles. +> Microsoft recommends the policy created in this article as the ideal starter policy for most App Control deployments to end user's devices. Typically, organizations who are new to App Control will be most successful if they start with a permissive policy like the one described in this article. You can harden the policy over time to achieve a stronger overall security posture on your App Control-managed devices as described in later articles. -As we did in [App Control for Business deployment in different scenarios: types of devices](common-appcontrol-use-cases.md), we'll use the fictional example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. 
+As we did in [App Control for Business deployment in different scenarios](common-appcontrol-use-cases.md), we'll use the fictional example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna intends to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. -**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and eventually use different policies for different user segments. But for now, she wants to begin with a policy that can cover the vast majority of users without any modifications. +**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has relaxed application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and eventually use different policies for different user segments. But for now, she wants to begin with a policy that can cover the vast majority of users without any modifications. ## Analyze how Smart App Control's "circle-of-trust" fits for you From e0938aae51a13cc9577498d107138969cf70de8d Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sun, 23 Feb 2025 20:11:04 -0800 Subject: [PATCH 16/28] removed unnecessary user mode block rule; further improvements to lightly managed scenario --- ...applications-that-can-bypass-appcontrol.md | 5 +- ...trol-policy-for-lightly-managed-devices.md | 84 +++++++++++-------- 2 files changed, 50 insertions(+), 39 deletions(-) 
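Review bot: in the TIP at `@@ -13,11 +13,11 @@`, "end user's devices" should be "end users' devices" (plural possessive); the rest of the sentence reads well with "choose to" dropped. The unchanged heading "Analyze how Smart App Control's "circle-of-trust" fits for you" is awkward; "fits your organization" is clearer and keeps the meaning of the heading it replaced in the previous patch.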
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md index f2ebb636f5..19ce55871e 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md @@ -2,7 +2,7 @@ title: Applications that can bypass App Control and how to block them description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community. ms.localizationpriority: medium -ms.date: 09/11/2024 +ms.date: 02/23/2025 ms.topic: reference --- @@ -36,7 +36,6 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - lxssmanager.dll - lxrun.exe - Microsoft.Build.dll -- Microsoft.Build.Framework.dll - Microsoft.Workflow.Compiler.exe - msbuild.exe2 - msbuild.dll @@ -168,7 +167,6 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and - @@ -871,7 +869,6 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and - diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index 37240b4302..d2acaa44d8 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
+++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
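Review bot: dropping Microsoft.Build.Framework.dll from the recommended block list is explained only in the commit message ("removed unnecessary user mode block rule"), not in the article, so readers who deployed an earlier copy of the blocklist get no cue to remove the corresponding Deny rule from their own policy; add a line to the article noting the removal and the reason. The two single-line deletions in the policy XML at `@@ -168,7 +167,6 @@` and `@@ -871,7 +869,6 @@` come through blank in this view; please confirm they are the Deny rule and its FileRuleRef for that same file, so the human-readable list and the XML stay in step and no FileRuleRef is left pointing at a rule ID that no longer exists.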
@@ -13,65 +13,79 @@ ms.date: 02/20/2025 This article describes how to create an App Control for Business policy using the Smart App Control policy as a template. [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) is an app control-based security solution designed for consumer users. It uses the same technology as App Control for Business so it's easy to use as the basis for an equally robust but flexible enterprise policy. > [!TIP] -> Microsoft recommends the policy created in this article as the ideal starter policy for most App Control deployments to end user's devices. Typically, organizations who are new to App Control will be most successful if they start with a permissive policy like the one described in this article. You can harden the policy over time to achieve a stronger overall security posture on your App Control-managed devices as described in later articles. +> Microsoft recommends the policy created in this article as the ideal starter policy for most App Control deployments to end users' devices. Typically, organizations new to App Control will be most successful if they start with a permissive policy like the one described in this article. You can harden the policy over time to achieve a stronger overall security posture on your App Control-managed devices as described in later articles. As we did in [App Control for Business deployment in different scenarios](common-appcontrol-use-cases.md), we'll use the fictional example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna intends to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. -**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has relaxed application usage policies and a culture of maximum app flexibility for users. 
So, Alice knows she'll need to take an incremental approach to App Control and eventually use different policies for different user segments. But for now, she wants to begin with a policy that can cover the vast majority of users without any modifications. +**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has relaxed application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and likely use different policies for different user segments. But for now, she wants to begin with a policy that can cover the vast majority of users without any modifications, Smart App Control's "Signed & Reputable" policy adapted for Lamna. ## Analyze how Smart App Control's "circle-of-trust" fits for you -Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads all of Microsoft's online help articles related to Smart App Control to be sure she understands it well. From her reading, she learns that the Smart App Control allows only publicly-trusted signed code or unsigned code that the [Intelligent Security Graph (ISG)](./use-appcontrol-with-intelligent-security-graph.md) predicts is safe. Publicly-trusted signed code means the signing certificate was issued by one of the certificate authorities (CA) who are in Microsoft's Trusted Root Program. Unsigned code is blocked from running if the ISG can't predict that the code is safe to run. And code determined to be unsafe is always blocked. +Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. 
Alice reads Microsoft's online help articles about Smart App Control to be sure she understands it well. From her reading, she learns that Smart App Control allows only publicly-trusted signed code or unsigned code that the [Intelligent Security Graph (ISG)](./use-appcontrol-with-intelligent-security-graph.md) predicts is safe. Publicly-trusted signed code means the signing certificate was issued by one of the certificate authorities (CA) who are in Microsoft's Trusted Root Program. Unsigned code is blocked from running if the ISG can't predict that the code is safe to run. And code determined to be unsafe is always blocked. -Now Alice considers how to adapt the policy for Lamna's use. Alice wants to create an initial policy that is as relaxed as possible to cover more users, avoid user productivity impact, but still provide tangible security value. Even though Lamna's leadership would prefer a more restrictive posture, more rapidly, she's educated key stakeholders on the challenges and complexities ahead. As a result, she has senior leadership buy-in on her strategy. +Now Alice considers how to adapt the policy for Lamna's use. Alice wants to create an initial policy that is as relaxed as possible, but still provide durable security value. Alice knows that some within Lamna's leadership advocate an approach much more aggressive than she plans. They want to immediately lockdown end users' devices and hope there's limited fallout. For now, she has enough support for her approach, because more of the leadership team appreciate that the corporate app culture that exists at Lamna is deeply ingrained. An app culture that developed slowly over the course of the company's existence won't just go away. ### Consider the key factors about your organization -Alice next identifies the key factors about Lamna's environment that she thinks will shape the company's "circle-of-trust". 
The policy must be flexible to meet the needs of the business while adjusting its app management processes so that a more restrictive policy is even practical. The key factors also help her choose which systems to include in the first deployment. Alice writes down these factors in her planning worksheet so that whoever follows her knows : +Alice next identifies the key factors about Lamna's environment that she believes will most influence the company's "circle-of-trust". The policy must be flexible to meet the needs of the business in the short- and medium-term, while they introduce new app management processes that will make it practical to consider a more restrictive app control policy. The key factors also help her choose which systems to include in the first deployment. Alice writes down these factors in her planning worksheet so that whomever may follow her will know how she viewed the challenge: -- **Privileges:** Most users operate as standard user, though nearly a quarter still have local admin rights on their devices; the people with admin rights view the freedoms that gives them as essential, including the option to run whatever apps they want; +- **User privileges:** Most users operate as standard user, though nearly a quarter still have local admin rights on their devices; the people with admin rights view the freedoms that gives them as essential, including the option to run whatever apps they want; - **Operating Systems:** Windows 11 runs most user devices, but Windows 10 will remain on roughly 10% of clients at least through the next fiscal year, particularly those in smaller satellite offices; Alice's group doesn't manage Lamna's servers or any specialized equipment; Lamna's server IT group plans to wait to see how the client rollout of App Control unfolds before implementing the technology on the servers they control; - **Client management:** Lamna uses Microsoft Intune for all Windows 11 devices, deployed as Microsoft Entra cloud-native; they 
continue to use Microsoft Endpoint Configuration Manager (MEMCM) with Microsoft Entra hybrid join on all Windows 10 devices; -- Most, but not all, apps are deployed using Intune; there's a long tail of business-unit-specific apps, and "Shadow IT" apps that lack an official charter, but are critical to the employees who use them; -- Lamna has hundreds of line-of-business (LOB) apps across its business units; almost all of the apps use unsigned or mostly unsigned code, though the company has started to require codesigning in the past two years; all of the signed LOB apps +- **App management:** Most, but not all, apps are deployed using Intune; there's a long tail of business-unit-specific apps, and "Shadow IT" apps that lack an official charter, but are critical to the employees who use them; +- **App ecosystem complexity:** Lamna has hundreds of line-of-business (LOB) apps across its business units; almost all of the apps use unsigned, or mostly unsigned, code, though the company has started to require codesigning in the past two years; they've used a codesigning certificate issued by Lamna's corporate Public Key Infrastructure (PKI), meaning that they aren't trusted by the Smart App Control policy by default; Alice must add the certs to the policy. -Alice is familiar with the App Control Policy Wizard, an open-source policy authoring UI maintained by the team responsible for App Control for Business and Smart App Control. She downloads the tool from its official [download site](https://aka.ms/appcontrolwizard) and runs it. - -1. On the **App Control Policy Wizard's** main page, Alice selects **Policy Creator** which brings her to **Select a Policy Type**. Leaving the default values unaltered, she selects **Next**. On the next page, she immediately notices the template called **Signed and Reputable Mode** and reads the list of code the template authorizes, which perfectly matches the "circle-of-trust" for Smart App Control. 
Alice selects the template and selects **Next** to see the policy rules set by the template. - -"Circle of Trust" described in this article is strongly recommended as a safe and effective app control policy for almost any environment. The policy we'll create is particularly well-suited for **lightly managed devices** within an organization. T - -and its policy ensures only signed code runs along with code predicted to be safe by our intelligent cloud-powered security service. Unsigned code is blocked from running if the service can't predict that the code is safe to run. And code determined to be unsafe is always blocked. - -For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. - -Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly managed devices, which currently include most end-user devices: - -- All clients are running Windows 10 version 1903 and above, or Windows 11; -- All clients are managed by Configuration Manager or with Intune. -- Some, but not all, apps are deployed using Configuration Manager; -- Most users are local administrators on their devices; -- Some teams may need more rules to authorize specific apps that don't apply generally to all other users. - -Based on the above, Alice defines the pseudo-rules for the policy: +Based on the above, Alice defines the pseudo-rules for the Lamna version of Microsoft's Signed & Reputable policy: 1. **"Windows works"** rules that authorize: - Windows - WHQL (third-party kernel drivers) - - Windows Store signed apps + +2. **"Any signed code"** rules that authorize code signed by publicly trusted certificates or issued from Lamna's PKI: + - Signer rules for Microsoft-signed code and "AuthRoot" signers to allow publicly trusted signed code to properly function. 
+ - A signer rule authorizing Lamna Codesigning PCA, the intermediate cert issued from their own internal PKI. -1. **"ConfigMgr works"** rules that include: - - Signer and hash rules for Configuration Manager components to properly function. - - **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer. +3. **Allow apps based on their "reputation"** rule to authorize apps deemed "safe" by the ISG. -1. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization) +4. **Allow Managed Installer** rule to authorize Intune's management extensions and Configuration Manager as a managed installer. Based on articles she's read, Alice decides to configure the auto-updater process for many popular apps as managed installers to ensure the code those apps use is always allowed. -1. **Signed apps** using a certificate issued by a Windows Trusted Root Program certificate authority - -1. **Admin-only path rules** for the following locations: +5. **Admin-only path rules** for the following locations: - C:\Program Files\* - C:\Program Files (x86)\* - %windir%\* + - "D:\Lamna Helpdesk\* + +## Modify the "Signed & Reputable" policy template to suit your business needs + +Alice is familiar with the App Control Policy Wizard, the open-source policy authoring UI maintained by the team responsible for App Control for Business and Smart App Control. She downloads the tool from its official [download site](https://aka.ms/appcontrolwizard) and runs it. + +1. On the **App Control Policy Wizard's** welcome page, Alice sees three options: **Policy Creator**, **Policy Editor**, and **Policy Merger**. Alice selects **Policy Creator** which takes her to the next page. + +2. On **Select a Policy Type**, Alice must choose whether to create a *Multiple Policy Format* or *Single Policy Format* policy. Since all of the end users' devices run Windows 11 or current versions of Windows 10, she takes the default *Multiple Policy Format*. 
Similarly, the choice between *Base Policy* and *Supplemental Policy* is straightforward and, here too, she leaves the default, *Base Policy* intact. She selects **Next** to move to the next page. + +3. On the next page, she immediately notices the template called **Signed and Reputable Mode** and reads the list of code the template authorizes, which perfectly matches the "circle-of-trust" for Smart App Control. Alice selects the template and selects **Next** to see the policy rules set by the template. + + + +When creating policies for use with App Control for Business, it's recommended to start with a template policy, and then add or remove rules to suit your App Control scenario. For this reason, the App Control Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about App Control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a new App Control policy from a template, configure the policy options, and the signer and file rules. + +## Template Base Policies + +Each of the template policies has a unique set of policy allowlist rules that affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy has a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility. + +| Template Base Policy | Description | +|---------------------------------|-------------------------------------------------------------------| +| **Default Windows Mode** | Default Windows mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
| +| **Allow Microsoft Mode** | Allow mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
  • *All Microsoft-signed software*
| +| **Signed and Reputable Mode** | Signed and Reputable mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
  • All Microsoft-signed software
  • *Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-appcontrol-with-intelligent-security-graph.md)*
| + +*Italicized content denotes the changes in the current policy with respect to the policy prior.* + +More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example App Control for Business base policies article](example-appcontrol-base-policies.md). + +![Selecting a base template for the policy.](../images/appcontrol-wizard-template-selection.png) + +Once the base template is selected, give the policy a name and choose where to save the App Control policy on disk. ## Create a custom base policy using an example App Control base policy From 35f6b12f3c98c589f9a73fa2364f12d7786eba95 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Mon, 24 Feb 2025 15:58:45 -0800 Subject: [PATCH 17/28] Update create-appcontrol-policy-for-lightly-managed-devices.md --- ...trol-policy-for-lightly-managed-devices.md | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index d2acaa44d8..aa50e47a32 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
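Review bot: the bullet `- "D:\Lamna Helpdesk\*` under the admin-only path rules opens a double quote that is never closed, and the other three paths in the same list are unquoted; quote all four or none. Separately, the block pasted after step 3, from "When creating policies for use with App Control for Business, it's recommended to start with a template policy..." through the "## Template Base Policies" heading, table and "Once the base template is selected, give the policy a name..." line, is in the generic how-to voice of the Wizard article ("This page outlines the steps to create a new App Control policy from a template, configure the policy options, and the signer and file rules") and breaks the Alice walkthrough; fold the template table into step 3 and drop the "it's recommended", "This page outlines" and "give the policy a name" sentences, since step 3 already has her picking the template and moving on.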
@@ -59,25 +59,26 @@ Based on the above, Alice defines the pseudo-rules for the Lamna version of Micr Alice is familiar with the App Control Policy Wizard, the open-source policy authoring UI maintained by the team responsible for App Control for Business and Smart App Control. She downloads the tool from its official [download site](https://aka.ms/appcontrolwizard) and runs it. -1. On the **App Control Policy Wizard's** welcome page, Alice sees three options: **Policy Creator**, **Policy Editor**, and **Policy Merger**. Alice selects **Policy Creator** which takes her to the next page. +1. On the **App Control Policy Wizard's** welcome page, Alice sees three options: **Policy Creator**, **Policy Editor**, and **Policy Merger**. Alice selects **Policy Creator** which takes her to the next page. -2. On **Select a Policy Type**, Alice must choose whether to create a *Multiple Policy Format* or *Single Policy Format* policy. Since all of the end users' devices run Windows 11 or current versions of Windows 10, she takes the default *Multiple Policy Format*. Similarly, the choice between *Base Policy* and *Supplemental Policy* is straightforward and, here too, she leaves the default, *Base Policy* intact. She selects **Next** to move to the next page. +2. On **Select a Policy Type**, Alice must choose whether to create a *Multiple Policy Format* or *Single Policy Format* policy. Since all of the end users' devices run Windows 11 or current versions of Windows 10, she takes the default *Multiple Policy Format*. Similarly, the choice between *Base Policy* and *Supplemental Policy* is straightforward and, here too, she leaves the default, *Base Policy* intact. She selects **Next** to continue. -3. On the next page, she immediately notices the template called **Signed and Reputable Mode** and reads the list of code the template authorizes, which perfectly matches the "circle-of-trust" for Smart App Control. 
Alice selects the template and selects **Next** to see the policy rules set by the template. +3. The next page is where Alice will **Select a Base Template for the Policy**. The App Control Wizard offers three template policies to use when creating a new Base Policy. Each template policy applies slightly different rules to alter its circle-of-trust and security model of the policy. The three template policies are: - - -When creating policies for use with App Control for Business, it's recommended to start with a template policy, and then add or remove rules to suit your App Control scenario. For this reason, the App Control Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about App Control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a new App Control policy from a template, configure the policy options, and the signer and file rules. + | Template Base Policy | Description | + |---------------------------------|-------------------------------------------------------------------| + | **Default Windows Mode** | Default Windows mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
| + | **Allow Microsoft Mode** | Allow mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
  • *All Microsoft-signed software*
| + | **Signed and Reputable Mode** | Signed and Reputable mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
  • All Microsoft-signed software
  • *Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-appcontrol-with-intelligent-security-graph.md)*
| + +1. and then add or remove rules to suit your App Control scenario. For this reason, the Prerequisite information about App Control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a new App Control policy from a template, configure the policy options, and the signer and file rules. ## Template Base Policies -Each of the template policies has a unique set of policy allowlist rules that affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy has a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility. + The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy has a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility. + +, she immediately notices the template called **Signed and Reputable Mode** and reads the list of code the template authorizes, which perfectly matches the "circle-of-trust" for Smart App Control. Alice selects the template and selects **Next** to see the policy rules set by the template. -| Template Base Policy | Description | -|---------------------------------|-------------------------------------------------------------------| -| **Default Windows Mode** | Default Windows mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
| -| **Allow Microsoft Mode** | Allow mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
  • *All Microsoft-signed software*
| -| **Signed and Reputable Mode** | Signed and Reputable mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
  • All Microsoft-signed software
  • *Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-appcontrol-with-intelligent-security-graph.md)*
| *Italicized content denotes the changes in the current policy with respect to the policy prior.* From 5b6bdabe1677a12ad1999c8ad1c93ec40f52042d Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sun, 2 Mar 2025 20:06:33 -0800 Subject: [PATCH 18/28] Update create-appcontrol-policy-for-lightly-managed-devices.md --- ...trol-policy-for-lightly-managed-devices.md | 33 +++++++++++-------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index aa50e47a32..693e2355f8 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
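Review bot: two sentence fragments survive the move of the template table into step 3: `+1. and then add or remove rules to suit your App Control scenario. For this reason, the Prerequisite information about App Control can be accessed through the [App Control design guide]...` (the tail of the deleted "When creating policies..." paragraph, now restarting the numbered list at 1) and, under "## Template Base Policies", `+, she immediately notices the template called **Signed and Reputable Mode**...` (the tail of the old step 3 sentence, beginning with a comma). Delete the first and rejoin the second to step 3 as the sentence in which Alice chooses the template. With the table now inside step 3, the "## Template Base Policies" heading, the kept sentence "The following table lists the policies in increasing order of trust and freedom..." and the "*Italicized content denotes the changes...*" legend all refer to a table that is no longer beneath them; move the sentence and legend next to the table in step 3 and drop the heading.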
@@ -33,27 +33,32 @@ Alice next identifies the key factors about Lamna's environment that she believe - **Operating Systems:** Windows 11 runs most user devices, but Windows 10 will remain on roughly 10% of clients at least through the next fiscal year, particularly those in smaller satellite offices; Alice's group doesn't manage Lamna's servers or any specialized equipment; Lamna's server IT group plans to wait to see how the client rollout of App Control unfolds before implementing the technology on the servers they control; - **Client management:** Lamna uses Microsoft Intune for all Windows 11 devices, deployed as Microsoft Entra cloud-native; they continue to use Microsoft Endpoint Configuration Manager (MEMCM) with Microsoft Entra hybrid join on all Windows 10 devices; - **App management:** Most, but not all, apps are deployed using Intune; there's a long tail of business-unit-specific apps, and "Shadow IT" apps that lack an official charter, but are critical to the employees who use them; -- **App ecosystem complexity:** Lamna has hundreds of line-of-business (LOB) apps across its business units; almost all of the apps use unsigned, or mostly unsigned, code, though the company has started to require codesigning in the past two years; they've used a codesigning certificate issued by Lamna's corporate Public Key Infrastructure (PKI), meaning that they aren't trusted by the Smart App Control policy by default; Alice must add the certs to the policy. +- **App ecosystem complexity:** Lamna has hundreds of line-of-business (LOB) apps across its business units; almost all of the apps use unsigned, or mostly unsigned, code; though the company has started to require codesigning, they use a codesigning certificate issued by Lamna's corporate Public Key Infrastructure (PKI), meaning that they aren't trusted by the Smart App Control policy by default; Alice must add the certs to the policy. 
Based on the above, Alice defines the pseudo-rules for the Lamna version of Microsoft's Signed & Reputable policy: -1. **"Windows works"** rules that authorize: - - Windows - - WHQL (third-party kernel drivers) +1. **"Windows and Microsoft-certified kernel drivers"** One or more signer rules allowing: + - Windows and its components + - Microsoft-certified third-party kernel drivers (WHQL) -2. **"Any signed code"** rules that authorize code signed by publicly trusted certificates or issued from Lamna's PKI: - - Signer rules for Microsoft-signed code and "AuthRoot" signers to allow publicly trusted signed code to properly function. - - A signer rule authorizing Lamna Codesigning PCA, the intermediate cert issued from their own internal PKI. +2. **"Publicly-trusted signed code"** One or more signer rules allowing: + - Code signed with certificates issued from any certificate authority participating in the [Microsoft Trusted Root Program ("AuthRoot")](/security/trusted-root/program-requirements) or non-OS code signed by Microsoft. -3. **Allow apps based on their "reputation"** rule to authorize apps deemed "safe" by the ISG. +3. **Lamna signed code** One or more signer rules allowing: + - Code signed by certificates issued from Lamna Codesigning PCA, the intermediate cert issued from their own internal PKI. -4. **Allow Managed Installer** rule to authorize Intune's management extensions and Configuration Manager as a managed installer. Based on articles she's read, Alice decides to configure the auto-updater process for many popular apps as managed installers to ensure the code those apps use is always allowed. +3. **Allow apps based on their "reputation"** A policy option allowing: + - Apps predicted to be "safe" by the ISG. -5. **Admin-only path rules** for the following locations: - - C:\Program Files\* - - C:\Program Files (x86)\* - - %windir%\* - - "D:\Lamna Helpdesk\* +4. 
**Allow Managed Installer** A policy option allowing: + - Code written to the system by a process designated by policy as a managed installer. + - Alice sets Lamna's managed installer policy based on articles she's read Alice decides to configure the auto-updater process for many popular apps as managed installers to ensure the code those apps use is always allowed. + +5. **Admin-only path rules** One or more filepath rules for the following locations: + - "C:\Program Files\*" + - "C:\Program Files (x86)\*" + - "%windir%\*" + - "D:\Lamna Helpdesk\*" ## Modify the "Signed & Reputable" policy template to suit your business needs From 0d0d35fa9d64dc1ea179e043fc1d16a070e90bf3 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 5 Mar 2025 14:04:29 -0800 Subject: [PATCH 19/28] Update create-appcontrol-policy-for-lightly-managed-devices.md --- ...trol-policy-for-lightly-managed-devices.md | 23 +++++++++---------- 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index 693e2355f8..8ab724ca57 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
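Review bot: the renumbered pseudo-rules have two items numbered `3.` ("Lamna signed code" and "Allow apps based on their \"reputation\""), so the list runs 1, 2, 3, 3, 4, 5; renumber to 1 through 6, since later prose refers to the rules by number. The managed-installer bullet is also a run-on with a doubled subject, `- Alice sets Lamna's managed installer policy based on articles she's read Alice decides to configure the auto-updater process for many popular apps as managed installers...`; split it into two sentences (what she bases the list on, then what she adds). Minor: rule 2's title "Publicly-trusted signed code" no longer describes the "or non-OS code signed by Microsoft" clause it now includes; "Publicly-trusted or Microsoft-signed code" would match the bullet.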
@@ -3,7 +3,7 @@ title: Use the Smart App Control policy to build your starter base policy description: App Control for Business restricts which applications users are allowed to run and the code that runs in the system core. ms.topic: conceptual ms.localizationpriority: medium -ms.date: 02/20/2025 +ms.date: 03/05/2025 --- # Use the Smart App Control policy to build your starter policy 
@@ -23,7 +23,7 @@ As we did in [App Control for Business deployment in different scenarios](common Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads Microsoft's online help articles about Smart App Control to be sure she understands it well. From her reading, she learns that Smart App Control allows only publicly-trusted signed code or unsigned code that the [Intelligent Security Graph (ISG)](./use-appcontrol-with-intelligent-security-graph.md) predicts is safe. Publicly-trusted signed code means the signing certificate was issued by one of the certificate authorities (CA) who are in Microsoft's Trusted Root Program. Unsigned code is blocked from running if the ISG can't predict that the code is safe to run. And code determined to be unsafe is always blocked. -Now Alice considers how to adapt the policy for Lamna's use. Alice wants to create an initial policy that is as relaxed as possible, but still provide durable security value. Alice knows that some within Lamna's leadership advocate an approach much more aggressive than she plans. They want to immediately lockdown end users' devices and hope there's limited fallout. For now, she has enough support for her approach, because more of the leadership team appreciate that the corporate app culture that exists at Lamna is deeply ingrained. An app culture that developed slowly over the course of the company's existence won't just go away. +Now Alice considers how to adapt the policy for Lamna's use. Alice wants to create an initial policy that is as relaxed as possible, but still provide durable security value. Alice knows that some within Lamna advocate a more aggressive approach than she plans. They want to immediately lockdown end users' devices and hope there's limited fallout. 
For now, she has support for her approach, because more of the leadership team agrees that the Lamna app culture that developed slowly over the course of the company's existence won't just go away overnight, so the policy must maintain substantial flexibility initially. ### Consider the key factors about your organization 
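Review bot: style, in `They want to immediately lockdown end users' devices and hope there's limited fallout.` the verb should be "lock down" ("lockdown" is the noun), and "immediately lock down" also avoids the split infinitive. In the unchanged context line above it, "Alice wants to create an initial policy that is as relaxed as possible, but still provide durable security value" needs "still provides" to agree with "is"; worth fixing while this paragraph is being reworded.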
@@ -33,28 +33,27 @@ Alice next identifies the key factors about Lamna's environment that she believe - **Operating Systems:** Windows 11 runs most user devices, but Windows 10 will remain on roughly 10% of clients at least through the next fiscal year, particularly those in smaller satellite offices; Alice's group doesn't manage Lamna's servers or any specialized equipment; Lamna's server IT group plans to wait to see how the client rollout of App Control unfolds before implementing the technology on the servers they control; - **Client management:** Lamna uses Microsoft Intune for all Windows 11 devices, deployed as Microsoft Entra cloud-native; they continue to use Microsoft Endpoint Configuration Manager (MEMCM) with Microsoft Entra hybrid join on all Windows 10 devices; - **App management:** Most, but not all, apps are deployed using Intune; there's a long tail of business-unit-specific apps, and "Shadow IT" apps that lack an official charter, but are critical to the employees who use them; -- **App ecosystem complexity:** Lamna has hundreds of line-of-business (LOB) apps across its business units; almost all of the apps use unsigned, or mostly unsigned, code; though the company has started to require codesigning, they use a codesigning certificate issued by Lamna's corporate Public Key Infrastructure (PKI), meaning that they aren't trusted by the Smart App Control policy by default; Alice must add the certs to the policy. 
+- **App development and code signing:** Lamna has hundreds of line-of-business (LOB) apps across its business units; Lamna hasn't aligned its business units on development platforms and frameworks, so Alice expects lots of variability and complexity; almost all of the apps use unsigned, or mostly unsigned, code; although the company has started to require codesigning, their codesigning certificates come from Lamna's corporate Public Key Infrastructure (PKI), so they aren't trusted by the Smart App Control policy by default; Alice must add the certs to the policy. Based on the above, Alice defines the pseudo-rules for the Lamna version of Microsoft's Signed & Reputable policy: 1. **"Windows and Microsoft-certified kernel drivers"** One or more signer rules allowing: - - Windows and its components - - Microsoft-certified third-party kernel drivers (WHQL) - + - Windows and its components. + - Microsoft-certified third-party kernel drivers (WHQL). + 2. **"Publicly-trusted signed code"** One or more signer rules allowing: - Code signed with certificates issued from any certificate authority participating in the [Microsoft Trusted Root Program ("AuthRoot")](/security/trusted-root/program-requirements) or non-OS code signed by Microsoft. -3. **Lamna signed code** One or more signer rules allowing: +3. **Lamna signed code** One or more signer rules allowing: - Code signed by certificates issued from Lamna Codesigning PCA, the intermediate cert issued from their own internal PKI. -3. **Allow apps based on their "reputation"** A policy option allowing: +4. **Allow apps based on their "reputation"** A policy option allowing: - Apps predicted to be "safe" by the ISG. -4. **Allow Managed Installer** A policy option allowing: - - Code written to the system by a process designated by policy as a managed installer. 
- - Alice sets Lamna's managed installer policy based on articles she's read Alice decides to configure the auto-updater process for many popular apps as managed installers to ensure the code those apps use is always allowed. +5. **Allow Managed Installer** A policy option allowing: + - Code written to the system by a process designated by policy as a managed installer. For Lamna's managed installer policy, Alice includes the Intune Management Extension, and also well-known auto-updater processes from ISVs whose apps are popular and likely to find across the company. She also includes a filepath rule, "D:\ Lamna Helpdesk\*" where Lamna's helpdesk admins are trained to copy the app installers and scripts they use to repair user's apps and systems. -5. **Admin-only path rules** One or more filepath rules for the following locations: +6. **Admin-only path rules** One or more filepath rules for the following locations: - "C:\Program Files\*" - "C:\Program Files (x86)\*" - "%windir%\*" From dd636a0860566d94811617dc3b9835892c488769 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 6 Mar 2025 16:54:02 -0800 Subject: [PATCH 20/28] Update create-appcontrol-policy-for-lightly-managed-devices.md --- ...-appcontrol-policy-for-lightly-managed-devices.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index 693e2355f8..a9a74b1974 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
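Review bot: in rule 5 the sentence `She also includes a filepath rule, "D:\ Lamna Helpdesk\*" where Lamna's helpdesk admins are trained to copy the app installers and scripts...` puts a filepath rule under the **Allow Managed Installer** policy option, where it does not belong: a path rule is a separate rule type from a managed-installer designation, and the same path already appears as an admin-only path rule in rule 6, spelled "D:\Lamna Helpdesk\*" without the stray space after the backslash. Keep the path only under rule 6 and make the spellings match. Also "apps are popular and likely to find across the company" should be "likely to be found". Since the bullet defines the option as authorizing any "Code written to the system by a process designated by policy as a managed installer", one sentence noting that designating third-party auto-updaters extends that trust to everything those updaters write, not just their own apps' binaries, would give the reader the caveat this choice needs.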
@@ -72,11 +72,15 @@ Alice is familiar with the App Control Policy Wizard, the open-source policy aut | Template Base Policy | Description | |---------------------------------|-------------------------------------------------------------------| - | **Default Windows Mode** | Default Windows mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
| - | **Allow Microsoft Mode** | Allow mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
  • *All Microsoft-signed software*
| - | **Signed and Reputable Mode** | Signed and Reputable mode authorizes the following components:
  • Windows operating components - any binary installed by a fresh install of Windows
  • Apps installed from the Microsoft Store
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
  • All Microsoft-signed software
  • *Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-appcontrol-with-intelligent-security-graph.md)*
| + | **Default Windows mode** | Default Windows mode authorizes the following components:
  • Windows operating system components - any binary installed by a fresh install of Windows
  • Packaged apps (MSIX) signed by the Microsoft Store MarketPlace signer
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
| + | **Allow Microsoft mode** | Allow Microsoft mode authorizes the following components:
  • All code allowed by Default Windows mode, plus...
  • *All Microsoft-signed software*
| + | **Signed and Reputable mode** | Signed and Reputable mode authorizes the following components:
  • All code allowed by Allow Microsoft mode, plus...<
  • *Files created or installed by a process configured as a [managed installer](./configure-authorized-apps-deployed-with-a-managed-installer.md)*
  • *Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-appcontrol-with-intelligent-security-graph.md)*
| -1. and then add or remove rules to suit your App Control scenario. For this reason, the Prerequisite information about App Control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a new App Control policy from a template, configure the policy options, and the signer and file rules. + Alice selects the **Signed and Reputable mode** template and then **Next**, accepting the defaults for the policy filename and location. + +4. On the **Configure Policy Template - Policy rules** page, Alice reviews the set of options enabled for the policy. She's pleased to see the template already has most options set as recommended by Microsoft. The only changes she makes are to check the options for **Managed Installer** and **Require WHQL**. This way apps installed by Intune or any of the other managed installers are automatically allowed, and only kernel drivers built for Windows 10 or higher will run. Then she selects **Next**. + +5. On the **File Rules** page, Alice adds rules to e. For this reason, the Prerequisite information about App Control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a new App Control policy from a template, configure the policy options, and the signer and file rules. ## Template Base Policies From 8462a89e87fefea965f38f03ed3c67b0e5cb7519 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 7 Mar 2025 07:36:03 -0800 Subject: [PATCH 21/28] Update create-appcontrol-policy-for-lightly-managed-devices.md --- ...te-appcontrol-policy-for-lightly-managed-devices.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
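Review bot: step 4 says the template ships without the managed-installer option (`The only changes she makes are to check the options for **Managed Installer** and **Require WHQL**`), but the revised Signed and Reputable row in the same hunk lists `*Files created or installed by a process configured as a [managed installer]...*` as code the template already authorizes; the two statements conflict, so either drop that bullet from the table or have step 4 say she confirms the option is set rather than enabling it. Two other defects in this hunk: the same table row ends with a stray `<` in `All code allowed by Allow Microsoft mode, plus...<`, and step 5 is a broken merge, `On the **File Rules** page, Alice adds rules to e. For this reason, the Prerequisite information about App Control can be accessed through...`, which stops mid-word and then resumes the deleted generic paragraph. Finish step 5 with the rules the pseudo-rules call for (the Lamna Codesigning PCA signer rule and the admin-only path rules) and remove the "This page outlines the steps..." tail.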
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index 0f51250afc..ae9b532ae0 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md @@ -51,7 +51,7 @@ Based on the above, Alice defines the pseudo-rules for the Lamna version of Micr - Apps predicted to be "safe" by the ISG. 5. **Allow Managed Installer** A policy option allowing: - - Code written to the system by a process designated by policy as a managed installer. For Lamna's managed installer policy, Alice includes the Intune Management Extension, and also well-known auto-updater processes from ISVs whose apps are popular and likely to find across the company. She also includes a filepath rule, "D:\ Lamna Helpdesk\*" where Lamna's helpdesk admins are trained to copy the app installers and scripts they use to repair user's apps and systems. + - Code written to the system by a process designated by policy as a managed installer. For Lamna's managed installer policy, Alice includes the Intune Management Extension, and also well-known auto-updater processes for widely-used apps. She also includes a filepath rule, "D:\ Lamna Helpdesk\*" where Lamna's helpdesk admins are trained to copy the app installers and scripts they use to repair user's apps and systems. 6. **Admin-only path rules** One or more filepath rules for the following locations: - "C:\Program Files\*" 
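Review bot: in the managed installer bullet of this hunk, the filepath rule `"D:\ Lamna Helpdesk\*"` appears to carry a stray space after the drive root (present in both the - and + line), and the text never says that this folder has to be writable only by admins. That restriction matters more here than for the Intune Management Extension entry: any binary a user can drop into a managed installer path runs as a managed installer, and everything it then writes is automatically trusted by the policy. Suggest `"D:\Lamna Helpdesk\*"` plus one clause stating that the helpdesk folder is ACLed so only Lamna's helpdesk admins can write to it, since that is the property the managed installer trust relies on.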
@@ -75,11 +75,15 @@ Alice is familiar with the App Control Policy Wizard, the open-source policy aut | **Allow Microsoft mode** | Allow Microsoft mode authorizes the following components:
  • All code allowed by Default Windows mode, plus...
  • *All Microsoft-signed software*
| | **Signed and Reputable mode** | Signed and Reputable mode authorizes the following components:
  • All code allowed by Allow Microsoft mode, plus...<
  • *Files created or installed by a process configured as a [managed installer](./configure-authorized-apps-deployed-with-a-managed-installer.md)*
  • *Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-appcontrol-with-intelligent-security-graph.md)*
| - Alice selects the **Signed and Reputable mode** template and then **Next**, accepting the defaults for the policy filename and location. + Alice selects the **Signed and Reputable mode** template and then **Next**, accepting the defaults for the policy filename and location. 4. On the **Configure Policy Template - Policy rules** page, Alice reviews the set of options enabled for the policy. She's pleased to see the template already has most options set as recommended by Microsoft. The only changes she makes are to check the options for **Managed Installer** and **Require WHQL**. This way apps installed by Intune or any of the other managed installers are automatically allowed, and only kernel drivers built for Windows 10 or higher will run. Then she selects **Next**. -5. On the **File Rules** page, Alice adds rules to e. For this reason, the Prerequisite information about App Control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a new App Control policy from a template, configure the policy options, and the signer and file rules. +5. On the **File Rules** page, Alice sees the rules Microsoft included in the Signed and Reputable mode template policy. Here, she'll add the Signer rule to trust Lamna-signed code, and the filepath rules to allow code in admin-writable-only locations under the two Program Files directories, the Windows directory, and Lamna's Helpdesk folder. + + To create each rule, Alice selects **+ Add Custom** which opens the **Custom Rules** dialog where the conditions for the rule are defined. For the first rule, she leaves the default selections for **Rule Scope** and **Rule Action**. For the **Rule Type** dropdown, she chooses the **Publisher** option to create a Signer rule. She then selects **Browse** to choose a file she knows is signed by a cert chaining up to the Lamna Codesigning PCA. 
The Wizard shows the signature information it found on the file with checkboxes for each element of the signature and the file's signed .rsrc header section, including Product Name and Original File Name. In this case, since she intends to allow everything signed with Lamna's interal codesigning certs, she only leaves Issuing CA and Publisher checked. Having set the rule conditions for the Lamna Codesigning PCA rule, she selects **Create Rule** and sees that the rule is now shown in the list. + + Alice repeats the preceding steps to create the rest of the rules. choose whether to allow or block based on it. adds rules to e. For this reason, the Prerequisite information about App Control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a new App Control policy from a template, configure the policy options, and the signer and file rules. ## Template Base Policies From b1be697b0c2b9bcf546bf882f4071351f20d716a Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 7 Mar 2025 18:08:14 -0800 Subject: [PATCH 22/28] Update create-appcontrol-policy-for-lightly-managed-devices.md --- ...trol-policy-for-lightly-managed-devices.md | 111 ++---------------- 1 file changed, 7 insertions(+), 104 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index ae9b532ae0..cef3669d65 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
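Review bot: the last + paragraph of the File Rules hunk in PATCH 21 (create-appcontrol-policy-for-lightly-managed-devices.md, `@@ -75,11 +75,15 @@`) still contains editing residue after its first sentence: "Alice repeats the preceding steps to create the rest of the rules. choose whether to allow or block based on it. adds rules to e. For this reason, the Prerequisite information about App Control can be accessed through ..." Everything after "the rest of the rules." should be cut; the "## Template Base Policies" section that follows is also now redundant with the table this hunk adds to step 3. Two smaller nits in the same hunk: "interal codesigning certs" should read "internal", and the Signed and Reputable mode table cell has a stray "<" after "plus...".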
@@ -69,6 +69,7 @@ Alice is familiar with the App Control Policy Wizard, the open-source policy aut 3. The next page is where Alice will **Select a Base Template for the Policy**. The App Control Wizard offers three template policies to use when creating a new Base Policy. Each template policy applies slightly different rules to alter its circle-of-trust and security model of the policy. The three template policies are: + | Template Base Policy | Description | |---------------------------------|-------------------------------------------------------------------| | **Default Windows mode** | Default Windows mode authorizes the following components:
  • Windows operating system components - any binary installed by a fresh install of Windows
  • Packaged apps (MSIX) signed by the Microsoft Store MarketPlace signer
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
| 
@@ -81,109 +82,11 @@ Alice is familiar with the App Control Policy Wizard, the open-source policy aut 5. On the **File Rules** page, Alice sees the rules Microsoft included in the Signed and Reputable mode template policy. Here, she'll add the Signer rule to trust Lamna-signed code, and the filepath rules to allow code in admin-writable-only locations under the two Program Files directories, the Windows directory, and Lamna's Helpdesk folder. - To create each rule, Alice selects **+ Add Custom** which opens the **Custom Rules** dialog where the conditions for the rule are defined. For the first rule, she leaves the default selections for **Rule Scope** and **Rule Action**. For the **Rule Type** dropdown, she chooses the **Publisher** option to create a Signer rule. She then selects **Browse** to choose a file she knows is signed by a cert chaining up to the Lamna Codesigning PCA. The Wizard shows the signature information it found on the file with checkboxes for each element of the signature and the file's signed .rsrc header section, including Product Name and Original File Name. In this case, since she intends to allow everything signed with Lamna's interal codesigning certs, she only leaves Issuing CA and Publisher checked. Having set the rule conditions for the Lamna Codesigning PCA rule, she selects **Create Rule** and sees that the rule is now shown in the list. + To create each rule, Alice selects **+ Add Custom** which opens the **Custom Rules** dialog where the conditions for the rule are defined. For the first rule, she leaves the default selections for **Rule Scope** and **Rule Action**. For the **Rule Type** dropdown, she chooses the **Publisher** option to a Signer rule. She then selects **Browse** to choose a file she knows is signed by a cert chaining up to the Lamna Codesigning PCA. 
The Wizard shows the signature information it found on the file with checkboxes for each element of the signature and the file's signed .rsrc header section, including Product Name and Original File Name. In this case, since she intends to allow everything signed with Lamna's interal codesigning certs, she only leaves Issuing CA and Publisher checked. Having set the rule conditions for the Lamna Codesigning PCA rule, she selects **Create Rule** and sees that the rule is now shown in the list. Alice repeats these steps for the rest of Lamna's custom rules. - Alice repeats the preceding steps to create the rest of the rules. choose whether to allow or block based on it. adds rules to e. For this reason, the Prerequisite information about App Control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a new App Control policy from a template, configure the policy options, and the signer and file rules. +6. Having made all the edits she planned, Alice selects **Next** and the wizard creates the App Control policy files, consisting of an XML form and a compiled binary form of the policy. Alice does a cursory review of the XML policy file to confirm the final result. -## Template Base Policies - - The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy has a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility. - -, she immediately notices the template called **Signed and Reputable Mode** and reads the list of code the template authorizes, which perfectly matches the "circle-of-trust" for Smart App Control. Alice selects the template and selects **Next** to see the policy rules set by the template. 
- - -*Italicized content denotes the changes in the current policy with respect to the policy prior.* - -More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example App Control for Business base policies article](example-appcontrol-base-policies.md). - -![Selecting a base template for the policy.](../images/appcontrol-wizard-template-selection.png) - -Once the base template is selected, give the policy a name and choose where to save the App Control policy on disk. - -## Create a custom base policy using an example App Control base policy - -Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use the example `SmartAppControl.xml` to create the initial base policy and then customize it to meet Lamna's needs. - -Alice follows these steps to complete this task: - -1. On a client device, run the following commands in an elevated Windows PowerShell session to initialize variables: - - > [!NOTE] - > If you prefer to use a different [example App Control for Business base policy](example-appcontrol-base-policies.md), substitute the example policy path with your preferred base policy in this step. - - ```powershell - $PolicyPath = $env:userprofile+"\Desktop\" - $PolicyName= "Lamna_LightlyManagedClients_Audit" - $LamnaPolicy=Join-Path $PolicyPath "$PolicyName.xml" - $ExamplePolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml" - ``` - -1. Copy the example policy to the desktop: - - ```powershell - Copy-Item $ExamplePolicy $LamnaPolicy - ``` - -1. Modify the policy to remove unsupported rule: - - > [!NOTE] - > `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise App Control policies and must be removed. 
For more information, see [App Control and Smart App Control](../appcontrol.md#app-control-and-smart-app-control). If you are using an example policy other than `SmartAppControl.xml`, skip this step. - - ```powershell - [xml]$xml = Get-Content $LamnaPolicy - $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable) - $ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI) - $node = $xml.SelectSingleNode("//ns:Rules/ns:Rule[ns:Option[.='Enabled:Conditional Windows Lockdown Policy']]", $ns) - $node.ParentNode.RemoveChild($node) - $xml.Save($LamnaPolicy) - ``` - -1. Give the new policy a unique ID, descriptive name, and initial version number: - - ```powershell - Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID - Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0" - ``` - -1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to the client device running Windows 10 version 1903 and above, or Windows 11. Merge the Configuration Manager policy with the example policy. - - > [!NOTE] - > If you do not use Configuration Manager, skip this step. - - ```powershell - $ConfigMgrPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" - Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$ConfigMgrPolicy - Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer - ``` - -1. Modify the policy to set additional policy rules: - - ```powershell - Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode - Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps - Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security - ``` - -1. 
Add rules to allow the Windows and Program Files directories: - - ```powershell - $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*" - $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*" - $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*" - Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules - ``` - -1. If appropriate, add more signer or file rules to further customize the policy for your organization. - -1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the App Control for Business policy to a binary format: - - ```powershell - [xml]$PolicyXML = Get-Content $LamnaPolicy - $LamnaPolicyBin = Join-Path $PolicyPath "$($PolicyXML.SiPolicy.PolicyID).cip" - ConvertFrom-CIPolicy $LamnaPolicy $LamnaPolicyBin - ``` - -1. Upload your base policy XML and the associated binary to a source control solution, such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). +With her starter policy in hand, Alice uploads both files to a Github repository Alice created specifically for lifecycle management and earlier created a project to store and manage Lamna's policies over time. your base policy XML and the associated binary to a source control solution, such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna. 
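Review bot: the removed script set audit mode explicitly (`Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode`), but the wizard walkthrough that replaces it never says so: step 4 has Alice accept the template defaults apart from Managed Installer and Require WHQL, while the retained closing line still promises a policy "ready to deploy in audit mode". Either state that the template enables Audit Mode or have Alice verify the option before selecting Next; a reader who ends up with an enforcing policy and deploys it believing it is audit-only gets a very different first rollout. Two more problems in this hunk: the step 5 + line dropped a word and now reads "she chooses the **Publisher** option to a Signer rule" (the - line had "to create a Signer rule"), and the final + paragraph is garbled ("...Alice uploads both files to a Github repository Alice created specifically for lifecycle management and earlier created a project to store and manage Lamna's policies over time. your base policy XML and the associated binary to a source control solution..."); it should be one sentence saying she commits both files to the GitHub repository she created earlier for policy lifecycle management. Finally, removing the "## Create a custom base policy using an example App Control base policy" heading removes the only place that documented stripping `Enabled:Conditional Windows Lockdown Policy` from SmartAppControl.xml; if the wizard template handles that, say so in step 3, otherwise keep a short note.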
@@ -254,7 +157,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Use a reputable antimalware or antivirus software with real-time protection, such as Microsoft Defender, to protect your devices from malicious files, adware, and other threats. -## Up next +## What you should read next -- [Create an App Control for Business policy for fully managed devices](create-appcontrol-policy-for-fully-managed-devices.md) -- [Prepare to deploy App Control for Business policies](../deployment/appcontrol-deployment-guide.md) +- Learn more about managed installers: how they work, how to set them up, and what are some of their limitations in [Automatically allow apps deployed by a managed installer](./configure-authorized-apps-deployed-with-a-managed-installer.md). +- Or to see your starter policy in action, [Prepare to deploy App Control for Business policies](../deployment/appcontrol-deployment-guide.md). From da65f3d62a10f7acb5d3f21649c677ee59c9f63a Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sun, 9 Mar 2025 01:56:38 -0800 Subject: [PATCH 23/28] More WRI changes --- .../appcontrol-and-applocker-overview.md | 7 +- .../app-control-for-business/appcontrol.md | 26 ++--- ...trol-policy-for-lightly-managed-devices.md | 97 ++++++++++--------- 3 files changed, 68 insertions(+), 62 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md index 5b75590aac..b1288a07b3 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md 
@@ -59,6 +59,11 @@ However, in some cases, AppLocker might be the more appropriate technology for y - You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. - You need to apply different policies for different users or groups on shared computers. -- You don't want to enforce application control on application files such as DLLs or drivers. AppLocker can also be deployed as a complement to App Control to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. As a best practice, you should enforce App Control at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions. + +## What you should read next + +- If you want to use App control, one of the most powerful security features in Windows, you must plan and prepare if you want to succeed. Start that by exploring the [App Control for Business Design Guide](design/appcontrol-design-guide.md). + +- If you're ready to jump in and start creating policies, revisit Smart App Control and [Use the Smart App Control policy to build your own starter policy](design/create-appcontrol-policy-for-lightly-managed-devices.md). diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md index 4f63072874..99db8becdd 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md @@ -4,7 +4,7 @@ description: Application Control restricts which applications users are allowed ms.localizationpriority: medium ms.collection: - tier3 -ms.date: 01/28/2025 +ms.date: 03/08/2025 ms.topic: overview --- 
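Review bot: this hunk silently drops "You don't want to enforce application control on application files such as DLLs or drivers." from the list of reasons to prefer AppLocker. That is a real functional difference, not a style point: AppLocker's DLL rule collection is optional, while App Control always evaluates DLLs and kernel drivers, so some organizations pick AppLocker precisely for that reason. Either keep the bullet or explain the removal in the commit message ("More WRI changes" doesn't cover it). Minor: "If you want to use App control" should be "App Control" to match the rest of the page.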
@@ -12,27 +12,27 @@ ms.topic: overview [!INCLUDE [Feature availability note](includes/feature-availability-note.md)] -Your organization's data is one of its most valuable assets... and adversaries want it. No matter what security controls you apply over your data, they are only as strong as the weakest link: the trusted user sitting at the keyboard. When a user runs a process, that process shares the same access to your data that the user has. So your sensitive information is easily transmitted, modified, deleted or encrypted when a user, knowingly or unknowingly, runs malicious software. And with thousands of new malicious files created every day, relying solely on traditional methods like antivirus (AV) solutions gives you an inadequate defense against new attacks. Application control is a crucial line of defense against today's threat actors. +Your organization's data is one of its most valuable assets... and adversaries want it. No matter what security controls you apply over your data, there are no controls to fully protect your most vulnerable target: the trusted user sitting at the keyboard. When a user runs a process, that process shares the same access to your data that the user has. So your sensitive information is easily transmitted, modified, deleted, or encrypted when a user, intentionally or not, runs malicious software. And with thousands of new malicious files created every day, relying solely on traditional methods like antivirus (AV) solutions gives you an inadequate defense against new attacks. -Application control works alongside your AV solution to help mitigate these types of security threats by restricting the apps that users can run and even what code runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). 
+Application control changes Windows from a place where all code runs unless your AV solution confidently predicts it's bad, to one where code runs only if your policy says so. The cyber threats you face change rapidly, and your defenses need to change too. Government and security organizations, like the Australian Signals Directorate, frequently cite application control as one of the most effective ways to address the threat of executable file-based malware (.exe, .dll, etc.). It works alongside your AV solution to help mitigate security threats by restricting the apps that users can run and even what code runs in the System Core (kernel). -It moves you from a trust model where all code runs unless your AV solution confidently predicts it's bad, to one where apps run only if your policy says so. Government and security organizations, like the Australian Signals Directorate, frequently cite application control as one of the most effective ways to address the threat of executable file-based malware (.exe, .dll, etc.). +> [!IMPORTANT] +> Although application control can significantly harden your computers against malicious code, it's not a replacement for antivirus. You should continue to maintain an active antivirus solution alongside App Control for a well-rounded enterprise security portfolio. -> [!NOTE] -> Although application control can significantly harden your computers against malicious code, it's not a replacement for antivirus. You should continue to maintain your active antivirus solution alongside App Control for a well-rounded enterprise security portfolio. +Although we call it application control, the code running on your system isn't always an app. Application control extends beyond apps to also cover scripts and Microsoft installers (MSI), command-line batch files, and even interactive sessions of Windows PowerShell, which run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). 
-Windows 10 and Windows 11 include two application control technologies that your organization can use depending on your specific scenarios and requirements: +Windows includes two application control technologies you can use depending on your organization's specific scenarios and requirements: - **App Control for Business (app control)**; and - **AppLocker** ## App Control and Smart App Control -Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs as well as code predicted to be safe by our intelligent cloud-powered security service. When code is unsigned and the service is unable to predict with confidence that it is safe to run, it is blocked but can develop better reputation over time as new signals are processed by the service. Meanwhile, code determined to be unsafe is always blocked. +Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs or code predicted to be safe by our intelligent cloud-powered security service. When code is unsigned and the service is unable to predict with confidence that it's safe to run, then we block it. Over time, the code's reputation might change as the service processes new signals it receives. Meanwhile, code determined to be unsafe is always blocked. -While Smart App Control is designed for consumers, we believe it's the ideal starting point for most organizations. 
And since it's built entirely upon App Control for Business, you can create a policy with the same security and compatibility as Smart App Control but which also trusts the line-of-business (LOB) apps that your organization depends on. The service providing Smart App Control's intelligence to predict what code is safe to run is also available in App Control for Business, where it's called the Intelligent Security Graph (ISG). +While Smart App Control is designed for consumers, we believe it's the ideal starting point for most organizations. And since we built it entirely upon App Control for Business, you can create a policy with the same security and compatibility as Smart App Control that also trusts the line-of-business (LOB) apps your organization needs. The service Smart App Control uses to predict what code is safe to run is also available in App Control for Business and called the Intelligent Security Graph (ISG). -Smart App Control starts in evaluation mode and will switch itself off within 48 hours for enterprise managed devices unless the user has turned it on first. If you want to proactively turn off Smart App Control across your organization's endpoints, set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must run [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect. +Smart App Control starts in evaluation mode and switches off within 48 hours for enterprise managed devices unless the user turns it on first. If you want to proactively turn off Smart App Control across your organization's endpoints, set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. 
After you change the registry value, you must run [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect. | Value | Description | |-------|-------------| 
@@ -43,12 +43,12 @@ Smart App Control starts in evaluation mode and will switch itself off within 48 > [!IMPORTANT] > Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows. -The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml*. To use this example policy as a starting point for your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it is ready for use as an App Control for Business policy. +The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml*. To use this example policy as a starting point for your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it's ready for use as an App Control for Business policy. 
[!INCLUDE [windows-defender-application-control-wdac](../../../../../includes/licensing/windows-defender-application-control-wdac.md)] ## What you should read next -Read on to learn more about the two application control technologies available in Windows with the [App Control for Business and AppLocker Overview](./appcontrol-and-applocker-overview.md). +- To learn more about the two application control technologies available in Windows, read [App Control for Business and AppLocker Overview](./appcontrol-and-applocker-overview.md). -If you're ready to jump in and get started creating policies, let's revisit Smart App Control and [Use the Smart App Control policy to build your own starter policy](design/create-appcontrol-policy-for-lightly-managed-devices.md). +- To jump right in and get started creating policies, go revisit Smart App Control and [Use the Smart App Control policy to build your own starter policy](design/create-appcontrol-policy-for-lightly-managed-devices.md). diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index cef3669d65..3db61ea75b 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
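Review bot: the appcontrol.md hunk keeps the link to `design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy`, but PATCH 22 in this same series deletes the "## Create a custom base policy using an example App Control base policy" heading, so the anchor is now dead, and the sentence that follows ("you must remove the option **Enabled:Conditional Windows Lockdown Policy**") no longer points at any procedure that shows how. Retarget the link to the wizard walkthrough and say there where that option is removed. Wording nits in the same hunk: "Smart App Control ensures only signed code runs or code predicted to be safe by our intelligent cloud-powered security service" is clearer as "ensures that only signed code, or code our cloud-powered security service predicts to be safe, runs"; "go revisit Smart App Control" reads awkwardly next to the other bullet, "revisit" alone is enough.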
@@ -3,7 +3,7 @@ title: Use the Smart App Control policy to build your starter base policy description: App Control for Business restricts which applications users are allowed to run and the code that runs in the system core. ms.topic: conceptual ms.localizationpriority: medium -ms.date: 03/05/2025 +ms.date: 03/08/2025 --- # Use the Smart App Control policy to build your starter policy 
@@ -13,45 +13,45 @@ ms.date: 03/05/2025 This article describes how to create an App Control for Business policy using the Smart App Control policy as a template. [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) is an app control-based security solution designed for consumer users. It uses the same technology as App Control for Business so it's easy to use as the basis for an equally robust but flexible enterprise policy. > [!TIP] -> Microsoft recommends the policy created in this article as the ideal starter policy for most App Control deployments to end users' devices. Typically, organizations new to App Control will be most successful if they start with a permissive policy like the one described in this article. You can harden the policy over time to achieve a stronger overall security posture on your App Control-managed devices as described in later articles. +> Microsoft recommends the policy created in this article as the ideal starter policy for most App Control deployments to end users' devices. Typically, organizations new to App Control are most successful if they start with a permissive policy like the one described in this article. You can harden the policy over time to achieve a stronger overall security posture on your App Control-managed devices as described in later articles. -As we did in [App Control for Business deployment in different scenarios](common-appcontrol-use-cases.md), we'll use the fictional example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna intends to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. +As we did in [App Control for Business deployment in different scenarios](common-appcontrol-use-cases.md), let's use the fictional example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. 
Lamna intends to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. -**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has relaxed application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and likely use different policies for different user segments. But for now, she wants to begin with a policy that can cover the vast majority of users without any modifications, Smart App Control's "Signed & Reputable" policy adapted for Lamna. +**Alice Pena (she/her)** is the IT team lead tasked with the rollout of App Control. Lamna currently has relaxed application usage policies and a culture of maximum app flexibility for users. So, Alice knows they need to take an incremental approach to App Control and likely use different policies for different user segments. But for now, Alice wants a policy that can cover most users without any modifications, Smart App Control's "Signed & Reputable" policy adapted for Lamna. ## Analyze how Smart App Control's "circle-of-trust" fits for you -Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads Microsoft's online help articles about Smart App Control to be sure she understands it well. From her reading, she learns that Smart App Control allows only publicly-trusted signed code or unsigned code that the [Intelligent Security Graph (ISG)](./use-appcontrol-with-intelligent-security-graph.md) predicts is safe. Publicly-trusted signed code means the signing certificate was issued by one of the certificate authorities (CA) who are in Microsoft's Trusted Root Program. 
Unsigned code is blocked from running if the ISG can't predict that the code is safe to run. And code determined to be unsafe is always blocked. +Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads Microsoft's online help articles about Smart App Control to understand it well. From that reading, Alice learns that Smart App Control allows only publicly trusted signed code or unsigned code that the [Intelligent Security Graph (ISG)](./use-appcontrol-with-intelligent-security-graph.md) predicts to be safe. Publicly trusted signed code means the signing certificate's issuer is one of the certificate authorities (CA) in Microsoft's Trusted Root Program. Unsigned code is blocked from running if the ISG can't predict that the code is safe to run. And code determined to be unsafe is always blocked. -Now Alice considers how to adapt the policy for Lamna's use. Alice wants to create an initial policy that is as relaxed as possible, but still provide durable security value. Alice knows that some within Lamna advocate a more aggressive approach than she plans. They want to immediately lockdown end users' devices and hope there's limited fallout. For now, she has support for her approach, because more of the leadership team agrees that the Lamna app culture that developed slowly over the course of the company's existence won't just go away overnight, so the policy must maintain substantial flexibility initially. +Now Alice considers how to adapt the policy for Lamna's use. Alice wants to create an initial policy that is as relaxed as possible, but still provides durable security value. Some within Lamna advocate a more aggressive approach than Alice plans. They want to immediately lockdown end users' devices and hope for limited fallout. 
But the leadership team agrees with Alice that Lamna's app culture, formed slowly over tie, won't just go away overnight and so the initial policy needs much flexibility. ### Consider the key factors about your organization -Alice next identifies the key factors about Lamna's environment that she believes will most influence the company's "circle-of-trust". The policy must be flexible to meet the needs of the business in the short- and medium-term, while they introduce new app management processes that will make it practical to consider a more restrictive app control policy. The key factors also help her choose which systems to include in the first deployment. Alice writes down these factors in her planning worksheet so that whomever may follow her will know how she viewed the challenge: +Alice next identifies the key factors about Lamna's environment that affect the company's "circle-of-trust." The policy must be flexible to meet the needs of the business in the short- and medium-term. That gives Lamna time to introduce new app management processes and policies to make it practical for a more restrictive app control policy in the future. The key factors also help Alice choose which systems to include in the first deployment. 
Alice writes down these factors in the planning document: -- **User privileges:** Most users operate as standard user, though nearly a quarter still have local admin rights on their devices; the people with admin rights view the freedoms that gives them as essential, including the option to run whatever apps they want; -- **Operating Systems:** Windows 11 runs most user devices, but Windows 10 will remain on roughly 10% of clients at least through the next fiscal year, particularly those in smaller satellite offices; Alice's group doesn't manage Lamna's servers or any specialized equipment; Lamna's server IT group plans to wait to see how the client rollout of App Control unfolds before implementing the technology on the servers they control; -- **Client management:** Lamna uses Microsoft Intune for all Windows 11 devices, deployed as Microsoft Entra cloud-native; they continue to use Microsoft Endpoint Configuration Manager (MEMCM) with Microsoft Entra hybrid join on all Windows 10 devices; -- **App management:** Most, but not all, apps are deployed using Intune; there's a long tail of business-unit-specific apps, and "Shadow IT" apps that lack an official charter, but are critical to the employees who use them; -- **App development and code signing:** Lamna has hundreds of line-of-business (LOB) apps across its business units; Lamna hasn't aligned its business units on development platforms and frameworks, so Alice expects lots of variability and complexity; almost all of the apps use unsigned, or mostly unsigned, code; although the company has started to require codesigning, their codesigning certificates come from Lamna's corporate Public Key Infrastructure (PKI), so they aren't trusted by the Smart App Control policy by default; Alice must add the certs to the policy. +- **User privileges:** Most users are standard user, but nearly a quarter have local admin rights on their devices and the option to run any app they choose is a major contributing factor. 
+- **Operating Systems:** Windows 11 runs most user devices, but Lamna expects ~10% of clients to remain on Windows 10 through the next fiscal year, particularly in smaller satellite offices. Lamna's servers and specialized equipment are out of scope at this time. +- **Client management:** Lamna uses Microsoft Intune for all Windows 11 devices, deployed as Microsoft Entra cloud-native. They continue to use Microsoft Endpoint Configuration Manager (MEMCM) for most Windows 10 devices, deployed as Microsoft Entra hybrid join. +- **App management:** Lamna has hundreds of line-of-business (LOB) apps across its business units. Alice's team deploys most, but not all, of these apps using Intune. And there's a long tail of apps used by smaller teams, including many "Shadow IT" apps, that have no official charter, but are critical to the employees who use them. +- **App development and code signing:** Lamna business units aren't standardized on development platforms and frameworks, so significant variability and complexity is likely. Almost all of the apps use unsigned, or mostly unsigned, code. Although the company now requires codesigning, Lamna's codesigning certificates come from its corporate Public Key Infrastructure (PKI), and require custom rules in the policy. -Based on the above, Alice defines the pseudo-rules for the Lamna version of Microsoft's Signed & Reputable policy: +Based on these factors, Alice writes the pseudo-rules for the Lamna version of Microsoft's Signed & Reputable policy: 1. **"Windows and Microsoft-certified kernel drivers"** One or more signer rules allowing: - Windows and its components. - - Microsoft-certified third-party kernel drivers (WHQL). + - Kernel drivers signed by the Windows Hardware Quality Labs (WHQL) certificate authority. 2. 
**"Publicly-trusted signed code"** One or more signer rules allowing: - Code signed with certificates issued from any certificate authority participating in the [Microsoft Trusted Root Program ("AuthRoot")](/security/trusted-root/program-requirements) or non-OS code signed by Microsoft. 3. **Lamna signed code** One or more signer rules allowing: - - Code signed by certificates issued from Lamna Codesigning PCA, the intermediate cert issued from their own internal PKI. + - Code signed by certificates issued from Lamna Codesigning private certificate authority (PCA), the intermediate cert issued from their own internal PKI. 4. **Allow apps based on their "reputation"** A policy option allowing: - Apps predicted to be "safe" by the ISG. 5. **Allow Managed Installer** A policy option allowing: - - Code written to the system by a process designated by policy as a managed installer. For Lamna's managed installer policy, Alice includes the Intune Management Extension, and also well-known auto-updater processes for widely-used apps. She also includes a filepath rule, "D:\ Lamna Helpdesk\*" where Lamna's helpdesk admins are trained to copy the app installers and scripts they use to repair user's apps and systems. + - Code written to the system by a process designated by policy as a managed installer. For Lamna's managed installer policy, Alice includes the Intune Management Extension, and also well-known autoupdater processes for widely used apps. Alice also includes a filepath rule, "D:\ Lamna Helpdesk\*" where Lamna's helpdesk admins are trained to copy the app installers and scripts they use to repair user's apps and systems. 6. **Admin-only path rules** One or more filepath rules for the following locations: - "C:\Program Files\*" 
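Review bot: the managed installer pseudo-rule (rule 5) keeps the helpdesk path as "D:\ Lamna Helpdesk\*" with a space after the drive root, while rule 6's admin-only path rules use "D:\Lamna Helpdesk\*"; a path rule carrying the stray space would not match the folder the admin-only rule describes, so the two should agree before this is merged. Two wording problems in the same hunk: "formed slowly over tie" in the leadership-team paragraph is a typo for "over time", and the rewritten User privileges bullet ends with "the option to run any app they choose is a major contributing factor" without saying what it contributes to (the removed line said those users see that freedom as essential); suggest "...and those users see the freedom to run any app they choose as essential".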
@@ -59,40 +59,40 @@ Based on the above, Alice defines the pseudo-rules for the Lamna version of Micr - "%windir%\*" - "D:\Lamna Helpdesk\*" -## Modify the "Signed & Reputable" policy template to suit your business needs +## Modify the "Signed & Reputable" policy template for your organization -Alice is familiar with the App Control Policy Wizard, the open-source policy authoring UI maintained by the team responsible for App Control for Business and Smart App Control. She downloads the tool from its official [download site](https://aka.ms/appcontrolwizard) and runs it. +Alice downloads the App Control Policy Wizard from https://aka.ms/appcontrolwizard and runs it. -1. On the **App Control Policy Wizard's** welcome page, Alice sees three options: **Policy Creator**, **Policy Editor**, and **Policy Merger**. Alice selects **Policy Creator** which takes her to the next page. +1. On the **Welcome** page, Alice sees three options: **Policy Creator**, **Policy Editor**, and **Policy Merger**. Alice selects **Policy Creator** which takes her to the next page. -2. On **Select a Policy Type**, Alice must choose whether to create a *Multiple Policy Format* or *Single Policy Format* policy. Since all of the end users' devices run Windows 11 or current versions of Windows 10, she takes the default *Multiple Policy Format*. Similarly, the choice between *Base Policy* and *Supplemental Policy* is straightforward and, here too, she leaves the default, *Base Policy* intact. She selects **Next** to continue. +2. On **Select a Policy Type**, Alice must choose whether to create a *Multiple Policy Format* or *Single Policy Format* policy. Since all of the end users' devices run Windows 11 or current versions of Windows 10, Alice leaves the default *Multiple Policy Format*. Similarly, the choice between *Base Policy* and *Supplemental Policy* is straightforward and, here too, leaves the default *Base Policy* selected. Alice selects **Next** to continue. 3. 
The next page is where Alice will **Select a Base Template for the Policy**. The App Control Wizard offers three template policies to use when creating a new Base Policy. Each template policy applies slightly different rules to alter its circle-of-trust and security model of the policy. The three template policies are: | Template Base Policy | Description | |---------------------------------|-------------------------------------------------------------------| - | **Default Windows mode** | Default Windows mode authorizes the following components:
  • Windows operating system components - any binary installed by a fresh install of Windows
  • Packaged apps (MSIX) signed by the Microsoft Store MarketPlace signer
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
| + | **Default Windows mode** | Default Windows mode authorizes the following components:
  • Windows operating system components - any binary installed by a fresh install of Windows
  • MSIX packaged apps signed by the Microsoft Store MarketPlace signer
  • Microsoft Office365 apps, OneDrive, and Microsoft Teams
  • [WHQL signed drivers](/windows-hardware/drivers/install/whql-release-signature)
| | **Allow Microsoft mode** | Allow Microsoft mode authorizes the following components:
  • All code allowed by Default Windows mode, plus...
  • *All Microsoft-signed software*
| | **Signed and Reputable mode** | Signed and Reputable mode authorizes the following components:
  • All code allowed by Allow Microsoft mode, plus...<
  • *Files created or installed by a process configured as a [managed installer](./configure-authorized-apps-deployed-with-a-managed-installer.md)*
  • *Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-appcontrol-with-intelligent-security-graph.md)*
| Alice selects the **Signed and Reputable mode** template and then **Next**, accepting the defaults for the policy filename and location. -4. On the **Configure Policy Template - Policy rules** page, Alice reviews the set of options enabled for the policy. She's pleased to see the template already has most options set as recommended by Microsoft. The only changes she makes are to check the options for **Managed Installer** and **Require WHQL**. This way apps installed by Intune or any of the other managed installers are automatically allowed, and only kernel drivers built for Windows 10 or higher will run. Then she selects **Next**. +4. On **Configure Policy Template - Policy rules**, Alice reviews the set of options enabled for the policy. The template already has most options set as recommended by Microsoft. The only changes Alice makes are to check the options for **Managed Installer** and **Require WHQL**. This way apps installed by Intune or any of the other managed installers are automatically allowed, and only kernel drivers built for Windows 10 or higher can run. Selecting **Next** advances the wizard. -5. On the **File Rules** page, Alice sees the rules Microsoft included in the Signed and Reputable mode template policy. Here, she'll add the Signer rule to trust Lamna-signed code, and the filepath rules to allow code in admin-writable-only locations under the two Program Files directories, the Windows directory, and Lamna's Helpdesk folder. +5. The **File Rules** page shows the rules from the Signed and Reputable mode template policy. Alice adds the Signer rule to trust Lamna-signed code, and the filepath rules to allow code in admin-writable-only locations under the two Program Files directories, the Windows directory, and Lamna's Helpdesk folder. - To create each rule, Alice selects **+ Add Custom** which opens the **Custom Rules** dialog where the conditions for the rule are defined. 
For the first rule, she leaves the default selections for **Rule Scope** and **Rule Action**. For the **Rule Type** dropdown, she chooses the **Publisher** option to a Signer rule. She then selects **Browse** to choose a file she knows is signed by a cert chaining up to the Lamna Codesigning PCA. The Wizard shows the signature information it found on the file with checkboxes for each element of the signature and the file's signed .rsrc header section, including Product Name and Original File Name. In this case, since she intends to allow everything signed with Lamna's interal codesigning certs, she only leaves Issuing CA and Publisher checked. Having set the rule conditions for the Lamna Codesigning PCA rule, she selects **Create Rule** and sees that the rule is now shown in the list. Alice repeats these steps for the rest of Lamna's custom rules. + To create each rule, Alice selects **+ Add Custom** which opens the **Custom Rules** dialog where the conditions for the rule are defined. For the first rule, the default selections for **Rule Scope** and **Rule Action** are correct. For the **Rule Type** dropdown, the **Publisher** option is the correct choice to create a Signer rule. Alice then selects **Browse** and picks a file signed by a cert issued by the Lamna Codesigning PCA. The Wizard shows the signature information and information pulled from the resource header section (RSRC) of the file, like ***product name*** and the ***original file name*** with checkboxes by each element. In this case, since they intend to allow everything signed with Lamna's internal codesigning certs, Alice leaves only ***Issuing CA*** and ***Publisher*** checked. With the rule conditions for the Lamna Codesigning PCA rule set, Alice selects **Create Rule** and sees the rule is included in the list. Alice repeats these steps for the rest of Lamna's custom rules. -6. 
Having made all the edits she planned, Alice selects **Next** and the wizard creates the App Control policy files, consisting of an XML form and a compiled binary form of the policy. Alice does a cursory review of the XML policy file to confirm the final result. +6. Now that all of the edits described in the pseudo-rules are done, Alice selects **Next** and the wizard creates the App Control policy files. The output files include an XML form and a compiled binary form of the policy. Alice does a cursory review of the XML policy file to confirm the result looks good and then closes the wizard. -With her starter policy in hand, Alice uploads both files to a Github repository Alice created specifically for lifecycle management and earlier created a project to store and manage Lamna's policies over time. your base policy XML and the associated binary to a source control solution, such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). +Alice uploads both files to a GitHub repository created specifically for Lamna's app control policy files. -At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna. +Alice's starter policy is now ready to deploy in audit mode to Lamna's managed devices. -## Security considerations of this lightly managed policy +## Security considerations of this policy -In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include: +In order to minimize the potential to negatively affect user productivity, Alice defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include: - **Users with administrative access** 
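Review bot: step 2 loses its subject in "Similarly, the choice between *Base Policy* and *Supplemental Policy* is straightforward and, here too, leaves the default *Base Policy* selected"; it should read "...and, here too, Alice leaves the default *Base Policy* selected". Step 1 still says "which takes her to the next page" while the rest of this patch moves from "she/her" to "Alice" and "they", so it should follow the same convention. Replacing the sentence that described the App Control Policy Wizard as the open-source authoring tool maintained by the App Control team with a bare "Alice downloads the App Control Policy Wizard from https://aka.ms/appcontrolwizard" also drops the reason a reader should trust that download; keep one clause about what the tool is, or at least make the URL a markdown link like the other links on the page. Unchanged context worth fixing while here: the Signed and Reputable mode table cell has a stray "<" in "plus...<".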
@@ -100,18 +100,18 @@ In order to minimize user productivity impact, Alice has defined a policy that m Possible mitigations: - - Use signed App Control policies and UEFI BIOS access protection to prevent tampering of App Control policies. - - To remove the requirement for managed installer, create and deploy signed catalog files as part of the app deployment process. - - Use device attestation to detect the configuration state of App Control at boot time and use that information to condition access to sensitive corporate resources. - + - To prevent tampering of App Control policies, use signed App Control policies on systems running Unified Extensible Firmware Interface (UEFI) firmware. + - To remove the need for trusting managed installer, create and deploy signed catalog files or deploy updated policies as part of your regular app deployment and app updating procedures. + - To control access to other corporate resources and data, use the boot time measurement of App Control configuration state from the Trusted Computing Group (TCG) log with device attestation. + - **Unsigned policies** - Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy. + Any process running as administrator can replace or remove unsigned policies without consequence. Similarly, unsigned supplemental policies can alter the "circle-of-trust" for an unsigned base policy that includes option **17 Enabled:Allow Supplemental Policies**. Possible mitigations: - - Use signed App Control policies and UEFI BIOS access protection to prevent tampering of App Control policies. - - Limit who can elevate to administrator on the device. + - To prevent tampering of App Control policies, use signed App Control policies on systems running UEFI firmware. 
+ - To minimize the risk, limit who can elevate to administrator on the device. - **Managed installer** @@ -119,8 +119,8 @@ In order to minimize user productivity impact, Alice has defined a policy that m Possible mitigations: - - To remove the requirement for managed installer, create and deploy signed catalog files as part of the app deployment process. - - Limit who can elevate to administrator on the device. + - To remove the need for trusting managed installer, create and deploy signed catalog files or deploy updated policies as part of your regular app deployment and app updating procedures. + - To minimize the risk, limit who can elevate to administrator on the device. - **Intelligent Security Graph (ISG)** 
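Review bot: the rewritten mitigation "To prevent tampering of App Control policies, use signed App Control policies on systems running Unified Extensible Firmware Interface (UEFI) firmware" silently drops the "UEFI BIOS access protection" half of the old bullet, and the same thing happens in the Unsigned policies bullet of this hunk. The old text paired the two for a reason: a signed policy only prevents tampering for as long as the firmware settings it depends on can't be changed by the person doing the tampering, so the recommendation to lock down firmware setup access should survive the rewording. Smaller points: "tampering of" should be "tampering with", and "remove the need for trusting managed installer" reads better as "remove the need to trust the managed installer".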
@@ -128,12 +128,12 @@ In order to minimize user productivity impact, Alice has defined a policy that m Possible mitigations: - - Implement policies that require apps be managed by IT. Audit existing app usage and deploy authorized apps using a software distribution solution, like Microsoft Intune. Move from ISG to managed installer or signature-based rules. - - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - + - To remove the need for trusting ISG, perform a comprehensive audit of existing app usage and installation. Onboard any apps you find that aren't currently managed to your software distribution solution, like Microsoft Intune. Implement policies to require apps become managed by IT. Then transition from ISG to managed installer, signed catalog files and/or updated policy rules and deploy them as part of your regular app deployment and app updating procedures. + - To collect more data for use in security incident investigations and post-incident reviews, deploy a highly restrictive app control policy in audit mode. The data captured in the App Control event logs contains useful information about all code that runs that isn't Windows signed. To prevent your policy from impacting your device performance and functionality, be sure it minimally allows Windows code that runs as part of the boot process. + - **Supplemental policies** - Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. + Supplemental policies are designed to expand the "circle-of-trust" defined by the base policy. If the base policy is also unsigned, then any process running as administrator can place an unsigned supplemental policy and expand the "circle-of-trust" of the base policy without restriction. Possible mitigations: 
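Review bot: the audit-mode mitigation tells the reader "To prevent your policy from impacting your device performance and functionality, be sure it minimally allows Windows code that runs as part of the boot process", but an audit-mode policy blocks nothing, so without a stated reason the sentence reads like enforcement guidance; say why it matters (for example, if the concern is the volume of audit events a policy generates when it audits every Windows binary loaded at boot) or drop the sentence. In the Supplemental policies paragraph, "If the base policy is also unsigned" has no earlier condition for "also" to refer back to; suggest "If the base policy is unsigned and allows supplemental policies (option 17)", which also ties this bullet to the Unsigned policies section above. Minor: "signed catalog files and/or updated policy rules" can simply be "signed catalog files or updated policy rules".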
@@ -147,17 +147,18 @@ In order to minimize user productivity impact, Alice has defined a policy that m Possible mitigations: - Limit who can elevate to administrator on the device. - - Migrate from filepath rules to managed installer or signature-based rules. + - Transition from filepath rules to managed installer or signature-based rules. -- **Signed files** +- **Signed malware** - Although files that are code-signed verify the author's identity and ensures that the code hasn't been altered by anyone other than the author, it doesn't guarantee that the signed code is safe. + Code signing alone isn't a security solution, but it does provide two critical building blocks that make security solutions like App Control possible. First, code signing strongly associates code with a real-world identity... and a real world identity can face consequences that a nameless, shadowy figure responsible for unsigned malware doesn't. Second, code signing provides cryptographic proof that the code running remains untampered since the publisher signed it. An app control policy that requires all code is signed, or the policy explicitly allows it, raises the stakes and the costs for an attacker. But there remain ways for a motivated attacker to get their malicious code signed and trusted, at least for a while. And even when software comes from a trustworthy source, it doesn't mean it's safe to run. Any code can expose powerful capabilities that a malicious actor could exploit for their own ill-intent. And vulnerabilities can turn the most benign code into something truly dangerous. Possible mitigations: - - Use a reputable antimalware or antivirus software with real-time protection, such as Microsoft Defender, to protect your devices from malicious files, adware, and other threats. + - Use a reputable anti-malware or antivirus software with real-time protection, such as Microsoft Defender, to protect your devices from malicious files, adware, and other threats. 
## What you should read next -- Learn more about managed installers: how they work, how to set them up, and what are some of their limitations in [Automatically allow apps deployed by a managed installer](./configure-authorized-apps-deployed-with-a-managed-installer.md). -- Or to see your starter policy in action, [Prepare to deploy App Control for Business policies](../deployment/appcontrol-deployment-guide.md). +- Learn more about managed installers: how they work, how to set them up, and what are their limitations in [Automatically allow apps deployed by a managed installer](./configure-authorized-apps-deployed-with-a-managed-installer.md). + +- Learn how to deploy your starter policy and see it in action in [Deploying App Control for Business policies](../deployment/appcontrol-deployment-guide.md). From c4b312f69fbb1c57a2480e2474227149f1ba8aa6 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sun, 9 Mar 2025 04:21:38 -0700 Subject: [PATCH 24/28] WRI changes --- .../appcontrol-and-applocker-overview.md | 2 +- .../create-appcontrol-policy-for-lightly-managed-devices.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md index b1288a07b3..1d72571a26 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md @@ -2,7 +2,7 @@ title: App Control and AppLocker Overview description: Compare Windows application control technologies. ms.localizationpriority: medium -ms.date: 01/28/2025 +ms.date: 03/09/2025 ms.topic: conceptual --- 
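Review bot: in the new Signed malware paragraph, "An app control policy that requires all code is signed, or the policy explicitly allows it, raises the stakes and the costs for an attacker" is ungrammatical; suggest "An app control policy that requires all code to be signed or explicitly allowed by policy raises the stakes and the costs for an attacker". The paragraph's closing sentences argue that vulnerabilities can make even trustworthy signed code dangerous, yet the only mitigation listed is real-time antivirus, which doesn't address that; add a mitigation that does, such as keeping software patched and blocking binaries with known vulnerabilities. The "nameless, shadowy figure" sentence and the ellipsis after "real-world identity" are informal for this doc set; "a real-world identity can be held accountable in ways the author of unsigned malware can't" says the same thing. Also hyphenate "real-world" consistently, since the sentence uses both "real-world identity" and "real world identity".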
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index 3db61ea75b..879618b6a7 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md @@ -3,7 +3,7 @@ title: Use the Smart App Control policy to build your starter base policy description: App Control for Business restricts which applications users are allowed to run and the code that runs in the system core. ms.topic: conceptual ms.localizationpriority: medium -ms.date: 03/08/2025 +ms.date: 03/09/2025 --- # Use the Smart App Control policy to build your starter policy 
@@ -23,7 +23,7 @@ As we did in [App Control for Business deployment in different scenarios](common Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads Microsoft's online help articles about Smart App Control to understand it well. From that reading, Alice learns that Smart App Control allows only publicly trusted signed code or unsigned code that the [Intelligent Security Graph (ISG)](./use-appcontrol-with-intelligent-security-graph.md) predicts to be safe. Publicly trusted signed code means the signing certificate's issuer is one of the certificate authorities (CA) in Microsoft's Trusted Root Program. Unsigned code is blocked from running if the ISG can't predict that the code is safe to run. And code determined to be unsafe is always blocked. -Now Alice considers how to adapt the policy for Lamna's use. Alice wants to create an initial policy that is as relaxed as possible, but still provides durable security value. Some within Lamna advocate a more aggressive approach than Alice plans. They want to immediately lockdown end users' devices and hope for limited fallout. But the leadership team agrees with Alice that Lamna's app culture, formed slowly over tie, won't just go away overnight and so the initial policy needs much flexibility. +Now Alice considers how to adapt the policy for Lamna's use. Alice wants to create an initial policy that is as relaxed as possible, but still provides durable security value. Some within Lamna advocate a more aggressive approach than Alice plans. They want to immediately lockdown end users' devices and hope for limited fallout. But the leadership team agrees with Alice that Lamna's app culture, formed slowly over time, won't just go away overnight and so the initial policy needs much flexibility. 
### Consider the key factors about your organization From b78222503b6363440d5d8e743b7d3f1c3aa9ca94 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sun, 9 Mar 2025 04:30:39 -0700 Subject: [PATCH 25/28] Update create-appcontrol-policy-for-lightly-managed-devices.md --- .../create-appcontrol-policy-for-lightly-managed-devices.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index 879618b6a7..4238536c5a 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md @@ -69,6 +69,7 @@ Alice downloads the App Control Policy Wizard from https://aka.ms/appcontrolwiza 3. The next page is where Alice will **Select a Base Template for the Policy**. The App Control Wizard offers three template policies to use when creating a new Base Policy. Each template policy applies slightly different rules to alter its circle-of-trust and security model of the policy. The three template policies are: + ![Selecting a base template for the policy.](../images/appcontrol-wizard-template-selection.png) | Template Base Policy | Description | |---------------------------------|-------------------------------------------------------------------| 
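Review bot: the alt text "Selecting a base template for the policy." doesn't say what the reader is looking at; this is a capture of the Wizard UI, so start it with "Screenshot that shows ..." as the accessibility convention for screenshots, and consider giving it the same `> [!div class="mx-imgBorder"]` wrapper the rule-options screenshot gets in the next hunk of this patch so the wizard images render consistently. Also confirm the added image line is indented under step 3; an unindented line there ends the numbered list ahead of the template table.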
@@ -80,10 +81,15 @@ Alice downloads the App Control Policy Wizard from https://aka.ms/appcontrolwiza 4. On **Configure Policy Template - Policy rules**, Alice reviews the set of options enabled for the policy. The template already has most options set as recommended by Microsoft. The only changes Alice makes are to check the options for **Managed Installer** and **Require WHQL**. This way apps installed by Intune or any of the other managed installers are automatically allowed, and only kernel drivers built for Windows 10 or higher can run. Selecting **Next** advances the wizard. + > [!div class="mx-imgBorder"] + > ![Rule options UI for Windows Allowed mode policy.](../images/appcontrol-wizard-rule-options-UI-advanced-collapsed.png) + 5. The **File Rules** page shows the rules from the Signed and Reputable mode template policy. Alice adds the Signer rule to trust Lamna-signed code, and the filepath rules to allow code in admin-writable-only locations under the two Program Files directories, the Windows directory, and Lamna's Helpdesk folder. To create each rule, Alice selects **+ Add Custom** which opens the **Custom Rules** dialog where the conditions for the rule are defined. For the first rule, the default selections for **Rule Scope** and **Rule Action** are correct. For the **Rule Type** dropdown, the **Publisher** option is the correct choice to create a Signer rule. Alice then selects **Browse** and picks a file signed by a cert issued by the Lamna Codesigning PCA. The Wizard shows the signature information and information pulled from the resource header section (RSRC) of the file, like ***product name*** and the ***original file name*** with checkboxes by each element. In this case, since they intend to allow everything signed with Lamna's internal codesigning certs, Alice leaves only ***Issuing CA*** and ***Publisher*** checked. 
With the rule conditions for the Lamna Codesigning PCA rule set, Alice selects **Create Rule** and sees the rule is included in the list. Alice repeats these steps for the rest of Lamna's custom rules. + ![Custom filepublisher file rule creation.](../images/appcontrol-wizard-custom-publisher-rule.png) + 6. Now that all of the edits described in the pseudo-rules are done, Alice selects **Next** and the wizard creates the App Control policy files. The output files include an XML form and a compiled binary form of the policy. Alice does a cursory review of the XML policy file to confirm the result looks good and then closes the wizard. Alice uploads both files to a GitHub repository created specifically for Lamna's app control policy files. From 5272b033b794d6083410f37a15b402933598519b Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sun, 9 Mar 2025 05:15:15 -0700 Subject: [PATCH 26/28] Fixed issues in links --- .../app-control-for-business/appcontrol.md | 4 ++-- .../create-appcontrol-policy-for-lightly-managed-devices.md | 2 ++ .../design/example-appcontrol-base-policies.md | 4 ++-- .../app-control-for-business/operations/known-issues.md | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md index 99db8becdd..7c94102167 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md @@ -4,7 +4,7 @@ description: Application Control restricts which applications users are allowed ms.localizationpriority: medium ms.collection: - tier3 -ms.date: 03/08/2025 +ms.date: 03/09/2025 ms.topic: overview --- 
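Review bot: the two screenshots in this hunk are treated inconsistently: the rule-options image is wrapped in `> [!div class="mx-imgBorder"]` while the custom-publisher-rule image is a bare `![Custom filepublisher file rule creation.](...)`; pick one treatment for both, and prefix both alt texts with "Screenshot that shows ..." so screen readers know they are UI captures. Since each image sits between numbered steps (after step 4 and after step 5), verify the lines are indented to belong to the preceding list item, otherwise the list breaks and step 6 may not continue the numbering.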
@@ -43,7 +43,7 @@ Smart App Control starts in evaluation mode and switches off within 48 hours for > [!IMPORTANT] > Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows. -The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml*. To use this example policy as a starting point for your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it's ready for use as an App Control for Business policy. +The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml*. To use this example policy as a starting point for your own policy, see [Use the Smart App Control Policy to build your own base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#use-the-smart-app-control-policy-to-build-your-starter-policy). When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it's ready for use as an App Control for Business policy. [!INCLUDE [windows-defender-application-control-wdac](../../../../../includes/licensing/windows-defender-application-control-wdac.md)] 
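Review bot: the new link text "Use the Smart App Control Policy to build your own base policy" doesn't match the target heading, which reads "Use the Smart App Control policy to build your starter policy" (lowercase "policy", "starter" rather than "your own base"); use the heading's exact wording so the cross-reference is recognizable. Note also that `#use-the-smart-app-control-policy-to-build-your-starter-policy` is that page's H1, so the link now lands at the top of the page rather than at the procedure the old anchor pointed to; if that procedure still exists under a new heading, link to it directly.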
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index 4238536c5a..012d99f500 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md @@ -35,6 +35,8 @@ Alice next identifies the key factors about Lamna's environment that affect the - **App management:** Lamna has hundreds of line-of-business (LOB) apps across its business units. Alice's team deploys most, but not all, of these apps using Intune. And there's a long tail of apps used by smaller teams, including many "Shadow IT" apps, that have no official charter, but are critical to the employees who use them. - **App development and code signing:** Lamna business units aren't standardized on development platforms and frameworks, so significant variability and complexity is likely. Almost all of the apps use unsigned, or mostly unsigned, code. Although the company now requires codesigning, Lamna's codesigning certificates come from its corporate Public Key Infrastructure (PKI), and require custom rules in the policy. +## Define the "circle-of-trust" for lightly managed devices + Based on these factors, Alice writes the pseudo-rules for the Lamna version of Microsoft's Signed & Reputable policy: 1. **"Windows and Microsoft-certified kernel drivers"** One or more signer rules allowing: 
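Review bot: the added `## Define the "circle-of-trust" for lightly managed devices` is an H2 placed directly after the bullet list that belongs to the H3 "Consider the key factors about your organization"; check that H2 is the intended level (it closes the H3's parent section as well), and that "Based on these factors, Alice writes the pseudo-rules ..." still reads as a continuation now that a heading separates it from the factors it refers back to. If anything links to this heading, keep straight quotes so the generated anchor stays predictable.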
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/example-appcontrol-base-policies.md b/windows/security/application-security/application-control/app-control-for-business/design/example-appcontrol-base-policies.md index 3ccc9742b3..3f58e69ea0 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/example-appcontrol-base-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/example-appcontrol-base-policies.md @@ -3,7 +3,7 @@ title: Example App Control for Business base policies description: When creating an App Control for Business policy for an organization, start from one of the many available example base policies. ms.topic: reference ms.localizationpriority: medium -ms.date: 01/25/2025 +ms.date: 03/09/2025 --- # App Control for Business example base policies 
@@ -20,7 +20,7 @@ When you create policies for use with App Control for Business, start from an ex | **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using App Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml | | **DenyAllAudit.xml** | ***Warning: Will cause boot issues on Windows Server 2019 and earlier. Do not use on those operating systems.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml | | **Microsoft Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in App Control integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | -| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise App Control policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example base policy](create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\SignedReputable.xml | +| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise App Control policies and must be removed. For more information about using this example policy, see [Use the Smart App Control policy to build your starter Base policy](create-appcontrol-policy-for-lightly-managed-devices.md#use-the-smart-app-control-policy-to-build-your-starter-policy). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\SignedReputable.xml | | **Example supplemental policy** | This example policy shows how to use supplemental policy to expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Supplemental.xml | | **Microsoft Recommended Block List** | This policy includes a list of Windows and Microsoft-signed code that Microsoft recommends blocking when using App Control, if possible. | [Microsoft recommended block rules](applications-that-can-bypass-appcontrol.md)
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\Recommended_UserMode_Blocklist.xml | | **Microsoft recommended driver blocklist** | This policy includes rules to block known vulnerable or malicious kernel drivers. | [Microsoft recommended driver block rules](microsoft-recommended-driver-block-rules.md)
%OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\RecommendedDriverBlock_Enforced.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Templates\Recommended_Driver_Blocklist.xml | diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md index 4baf2a1a12..f3ad4251d3 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md @@ -58,7 +58,7 @@ Until you apply the Windows security update released on or after April 9, 2024, Although App Control audit mode is designed to avoid any effect on apps, some features are always on/always enforced with any App Control policy that turns on user mode code integrity (UMCI) with the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode: - Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with App Control](../design/script-enforcement.md) for information about individual script host behaviors. -- Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. See [App Control and .NET](../design/appcontrol-and-dotnet.md#app-control-and-net-hardening). +- Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option on some versions of Windows and Windows Server. See [App Control and .NET](../design/appcontrol-and-dotnet.md#app-control-and-net-dynamic-code-security-hardening). ### .NET native images may generate false positive block events From fb7518e43dfbd71d40a5f4cc49aecffc74c0d415 Mon Sep 17 00:00:00 2001 
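Review bot: the SmartAppControl.xml row now links with the text "Use the Smart App Control policy to build your starter Base policy", a third variant of the same heading (the page title reads "...build your starter policy", and appcontrol.md in this same patch uses "...build your own base policy"); standardize on the heading's exact text in all three places so the cross-references are consistent and searchable.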
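Review bot: "is always enforced if any UMCI policy includes that option on some versions of Windows and Windows Server" is ambiguous; as written, "on some versions" attaches to "includes that option" rather than to "is always enforced", and the reader is left without the actual version list. Name the affected versions (or the first build that changes the behavior) or point to where they're listed, for example "On <affected versions>, option 19 Enabled:Dynamic Code Security is always enforced, even in audit mode, if any UMCI policy includes it." Also verify the renamed anchor `#app-control-and-net-dynamic-code-security-hardening` exists in appcontrol-and-dotnet.md, since the target heading isn't part of this change.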
From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com> Date: Mon, 10 Mar 2025 12:05:17 +0530 Subject: [PATCH 27/28] Pencil edit --- .../allow-com-object-registration-in-appcontrol-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md index 13bf6a0bad..c4e0e7aef7 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/allow-com-object-registration-in-appcontrol-policy.md 
@@ -17,7 +17,7 @@ The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component- App Control for Business enforces a built-in allowlist for COM object registration. While this list works for most common application usage scenarios, you might need to allow more COM objects to support the apps used in your organization. You can specify allowed COM objects via their GUID in your App Control policy as described in this article. > [!WARNING] -> When App Control is enforced, .NET doesn't load certain COM objects if their registration GUID doesn't match the one calculated by the system at runtime. When that happens, the user sees a general COM load error dialog, but no events or other information is logged to the system. The COM allowlist mechanism described in this article **doesn't affect .NET's GUID validation check for COM objects** leaving those .NET apps incompatible with App Control at this time. For more information, see [App Control Admin Tips & Known Issues: .NET doesn't load COM objects with mismatched GUIDs](../operations/known-issues.md#net-doesnt-load-component-object-model-com-objects-with-mismatched-guids) +> When App Control is enforced, .NET doesn't load certain COM objects if their registration GUID doesn't match the one calculated by the system at runtime. When that happens, the user sees a general COM load error dialog, but no events or other information is logged to the system. The COM allowlist mechanism described in this article **doesn't affect .NET's GUID validation check for COM objects** leaving those .NET apps incompatible with App Control at this time. For more information, see [App Control Admin Tips & Known Issues: .NET doesn't load COM objects with mismatched GUIDs](../operations/known-issues.md#net-doesnt-load-component-object-model-com-objects-with-mismatched-guids). ### Get COM object GUID From 46c382ddc7399131a41b79f3144fb2d0ce7c96e1 Mon Sep 17 00:00:00 2001 
From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com> Date: Mon, 10 Mar 2025 12:33:27 +0530 Subject: [PATCH 28/28] Pencil edit --- .../design/appcontrol-and-dotnet.md | 2 +- .../design/applications-that-can-bypass-appcontrol.md | 2 +- .../create-appcontrol-policy-for-lightly-managed-devices.md | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md index 6c3a409ac1..6f533a4fb0 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md 
@@ -9,7 +9,7 @@ ms.topic: article # App Control for Business and .NET > [!WARNING] -> When App Control is enforced, .NET doesn't load certain Component Object Model (COM) objects if their registration GUID doesn't match the one calculated by the system at runtime. When that happens, the user sees a general COM load error dialog, but no events or other information is logged to the system. For more information, see [App Control Admin Tips & Known Issues: .NET doesn't load COM objects with mismatched GUIDs](../operations/known-issues.md#net-doesnt-load-component-object-model-com-objects-with-mismatched-guids) +> When App Control is enforced, .NET doesn't load certain Component Object Model (COM) objects if their registration GUID doesn't match the one calculated by the system at runtime. When that happens, the user sees a general COM load error dialog, but no events or other information is logged to the system. For more information, see [App Control Admin Tips & Known Issues: .NET doesn't load COM objects with mismatched GUIDs](../operations/known-issues.md#net-doesnt-load-component-object-model-com-objects-with-mismatched-guids). .NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with an App Control user mode policy, it first checks whether the original IL file passes the current App Control policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that App Control knows to trust it as well. When the .NET app runs, App Control sees the EA on the NI file and allows it. 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md index 19ce55871e..02dcffc684 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md 
@@ -100,7 +100,7 @@ If you wish to use this blocklist policy on Windows Server 2016, locate the deny - msxml6.dll - jscript9.dll -The blocklist policy that follows includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone App Control policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy format using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy that follows using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the blocklist policy. +The blocklist policy that follows includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone App Control policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy formats using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy that follows using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the blocklist policy. **App Control policy XML**: diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index db66fa58a4..c7ec95789f 100644 
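Review bot: "converting this policy to multiple policy formats" changes the meaning of the sentence. "Multiple policy format" is the name of the App Control policy format available from Windows 10 version 1903 (the one `Set-CiPolicyIdInfo` with `-ResetPolicyId` converts a single-policy XML into, as the surrounding sentence says), not a plurality of output formats; revert to "multiple policy format" or, for clarity, "the multiple-policy format", so readers don't go looking for several formats to produce.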
--- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md @@ -71,7 +71,7 @@ Alice downloads the App Control Policy Wizard from https://aka.ms/appcontrolwiza 3. The next page is where Alice will **Select a Base Template for the Policy**. The App Control Wizard offers three template policies to use when creating a new Base Policy. Each template policy applies slightly different rules to alter its circle-of-trust and security model of the policy. The three template policies are: - ![Selecting a base template for the policy.](../images/appcontrol-wizard-template-selection.png) + [![Screenshot that shows selecting a base template for the policy.](../images/appcontrol-wizard-template-selection.png)](../images/appcontrol-wizard-template-selection.png#lightbox) | Template Base Policy | Description | |---------------------------------|-------------------------------------------------------------------| 
@@ -84,13 +84,13 @@ Alice downloads the App Control Policy Wizard from https://aka.ms/appcontrolwiza 4. On **Configure Policy Template - Policy rules**, Alice reviews the set of options enabled for the policy. The template already has most options set as recommended by Microsoft. The only changes Alice makes are to check the options for **Managed Installer** and **Require WHQL**. This way apps installed by Intune or any of the other managed installers are automatically allowed, and only kernel drivers built for Windows 10 or higher can run. Selecting **Next** advances the wizard. > [!div class="mx-imgBorder"] - > ![Rule options UI for Windows Allowed mode policy.](../images/appcontrol-wizard-rule-options-UI-advanced-collapsed.png) + > [![Screenshot that shows rule options UI for Windows Allowed mode policy.](../images/appcontrol-wizard-rule-options-UI-advanced-collapsed.png)](../images/appcontrol-wizard-rule-options-UI-advanced-collapsed.png#lightbox) 5. The **File Rules** page shows the rules from the Signed and Reputable mode template policy. Alice adds the Signer rule to trust Lamna-signed code, and the filepath rules to allow code in admin-writable-only locations under the two Program Files directories, the Windows directory, and Lamna's Helpdesk folder. To create each rule, Alice selects **+ Add Custom** which opens the **Custom Rules** dialog where the conditions for the rule are defined. For the first rule, the default selections for **Rule Scope** and **Rule Action** are correct. For the **Rule Type** dropdown, the **Publisher** option is the correct choice to create a Signer rule. Alice then selects **Browse** and picks a file signed by a cert issued by the Lamna Codesigning PCA. The Wizard shows the signature information and information pulled from the resource header section (RSRC) of the file, like ***product name*** and the ***original file name*** with checkboxes by each element. 
In this case, since they intend to allow everything signed with Lamna's internal codesigning certs, Alice leaves only ***Issuing CA*** and ***Publisher*** checked. With the rule conditions for the Lamna Codesigning PCA rule set, Alice selects **Create Rule** and sees the rule is included in the list. Alice repeats these steps for the rest of Lamna's custom rules. - ![Custom filepublisher file rule creation.](../images/appcontrol-wizard-custom-publisher-rule.png) + [![Screenshot that shows custom filepublisher file rule creation.](../images/appcontrol-wizard-custom-publisher-rule.png)](../images/appcontrol-wizard-custom-publisher-rule.png#lightbox) 6. Now that all of the edits described in the pseudo-rules are done, Alice selects **Next** and the wizard creates the App Control policy files. The output files include an XML form and a compiled binary form of the policy. Alice does a cursory review of the XML policy file to confirm the result looks good and then closes the wizard.