deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-05 09:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #7243 from MicrosoftDocs/main

Browse Source 
Publish 10/06/2022 3:30 PM PT
This commit is contained in:
Angela Fleischmann 2022-10-07 16:55:33 -06:00 committed by GitHub
commit 50a02f1363
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
View File

@ -14,7 +14,7 @@ author: jgeurten
ms.reviewer: aaroncz
ms.author: dansimp
manager: dansimp
ms.date: 10/06/2022
ms.date: 10/07/2022
---
# Microsoft recommended driver block rules
@ -2198,6 +2198,14 @@ If you prefer to apply the vulnerable driver blocklist exactly as shown above, f
4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity
5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer
To check that the policy was successfully applied on your computer:
1. Open Event Viewer
2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational**
3. Select **Filter Current Log...**
4. Replace "<All Event IDs>" with "3099" and select OK
5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present.
> [!NOTE]
> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot.