From bec0a9d00ac34fecc24205323f057e5d4833b06e Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 20 Jun 2022 13:19:42 -0700 Subject: [PATCH 1/4] 40012854 - Clarify LogAnalytics may extract MI logs after opt-in --- .../event-id-explanations.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 1b9d67ff10..0c3579cf09 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -52,6 +52,9 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI) +> [!NOTE] +> When Managed Installer is enabled, customers using LogAnalytics should be aware that Managed Installer may fire many 3091 events. Customers may need to filter out these events to avoid high LogAnalytics costs. + Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any WDAC policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events do not necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above. | Event ID | Explanation | From 210cc4b2bbfa0bad13212bbba799a8ae1403b41a Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 20 Jun 2022 14:03:21 -0700 Subject: [PATCH 2/4] 40023533 - UTF-8 certificates are incompatible with signed WDAC policy --- ...t-windows-defender-application-control-against-tampering.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index f99d35706c..ee63feb1cf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -48,6 +48,9 @@ To sign a WDAC policy with SignTool.exe, you need the following components: > [!NOTE] > All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652) +> +>Certificate fields, like 'subject common name' and 'issuer common name,' cannot be UTF-8 encoded, otherwise, blue screens may occur. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. + If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: From a80d6df2e9ecfcdb69a42d1b488f78bc74c27fe2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 27 Jun 2022 16:15:34 -0700 Subject: [PATCH 3/4] Update event-id-explanations.md --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 2e324713fc..e96c186076 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -9,7 +9,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 05/09/2022 +ms.date: 06/27/2022 ms.topic: reference --- From 9b6f93fda97bcd9ea0c0be49d2483357fdab4755 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 27 Jun 2022 16:15:49 -0700 Subject: [PATCH 4/4] Update use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md --- ...-windows-defender-application-control-against-tampering.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index ef443c5c9f..1b87884a5e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 05/03/2018 +ms.date: 06/27/2022 ms.technology: windows-sec --- @@ -111,4 +111,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign 9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). > [!NOTE] -> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. \ No newline at end of file +> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.