From b9557e265b45fe1d2bbe9dd71d725ed2bd4ff383 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 28 Sep 2020 11:34:27 -0700 Subject: [PATCH 1/7] Update WDAC vs AppLocker guidance Recommend customers consider WDAC over AppLocker --- .../wdac-and-applocker-overview.md | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 7fac37b115..1db2d6d0f6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -31,8 +31,7 @@ Windows 10 includes two technologies that can be used for application control de WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). -> [!NOTE] -> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies. +Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies. WDAC was also one feature that comprised the now-defunct term 'Device Guard'. WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: 
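Review bot: Replacing the `> [!NOTE]` alert with an inline "Note that ..." sentence in the @@ -31,8 +31,7 hunk drops the callout styling the docs platform renders for alerts, so the CCI naming history now sits as an ordinary paragraph between the MSRC servicing sentence and the list header "WDAC rules can be defined based on:". Keep the alert and fold the new Device Guard sentence into it. That sentence also reads oddly as written, since a feature cannot "comprise" a term: "WDAC was also one of the features grouped under the now-retired 'Device Guard' name" says the same thing.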
@@ -60,25 +59,23 @@ AppLocker policies can apply to all users on a computer or to individual users a ### AppLocker System Requirements -AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md). +AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md). AppLocker policies can be deployed using Group Policy or MDM. ## Choose when to use WDAC or AppLocker -Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies. +Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. AppLocker, on the other hand, will receive security fixes but no new feature improvements. +In some cases, however, AppLocker may be the more appropriate technology for your organization. The following factors can help you decide when to use each of the technologies. -### WDAC is best when: +**WDAC is best when:** -- You are adopting application control primarily for security reasons. -- Your application control policy can be applied to all users on the managed computers. - All of the devices you wish to manage are running Windows 10. +- Your application control policy can be applied to all users on the managed computers. 
-### AppLocker is best when: +**AppLocker is best when:** - You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. -- You need to apply different policies for different users or groups on a shared computer. -- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature. -- You do not wish to enforce application control on application files such as DLLs or drivers. +- You need to apply different policies for different users or groups on shared computers. ## When to use both WDAC and AppLocker together From c398c487d48784d5583faa4203479c7a2b89d1b4 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 28 Sep 2020 11:43:01 -0700 Subject: [PATCH 2/7] Minor edits to WDAC vs AppLocker guidance --- .../wdac-and-applocker-overview.md | 21 +++++++------------ 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 1db2d6d0f6..d5ce54d444 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md 
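Review bot: Dropping the bullets "You are adopting application control primarily for security reasons" and "You do not wish to enforce application control on application files such as DLLs or drivers" in the @@ -60,25 +59,23 hunk removes the one concrete security-relevant reason to prefer WDAC: the page's own WDAC section says it is designed as a security feature under the MSRC servicing criteria and that its rules cover drivers, which AppLocker's rule list does not. The replacement wording, "AppLocker ... will receive security fixes but no new feature improvements", is a support-lifecycle point, not the same thing; keep one sentence saying that WDAC is the choice when a bypass must be treated as a serviceable security issue and when drivers and DLLs must be covered. Two smaller points: turning `### WDAC is best when:` and `### AppLocker is best when:` into bold text removes their heading anchors and drops them from the table of contents, so inbound links to those sections break; and "All of the devices you wish to manage are running Windows 10" understates WDAC's reach, since the System Requirements paragraph above says policies also apply to Windows Server 2016 and above.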
@@ -31,8 +31,6 @@ Windows 10 includes two technologies that can be used for application control de WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). -Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies. WDAC was also one feature that comprised the now-defunct term 'Device Guard'. - WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: - Attributes of the codesigning certificate(s) used to sign an app and its binaries; 
@@ -42,10 +40,13 @@ WDAC policies apply to the managed computer as a whole and affects all users of - The path from which the app or file is launched (beginning with Windows 10 version 1903); - The process that launched the app or binary. +Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies. WDAC was also one of the features which comprised the now-defunct term 'Device Guard'. + ### WDAC System Requirements -WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above. -WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10. +WDAC policies can only be created on devices running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above. + +WDAC policies can be applied to devices running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. ## AppLocker 
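Review bot: "Windows 10 build 1903+" in the System Requirements paragraph of the @@ -42,10 +40,13 hunk mixes terminology: 1903 is a version (release) identifier, and the same hunk's context already says "beginning with Windows 10 version 1903", so write "Windows 10 version 1903 or later" here for consistency. Moving the CCI note after the rule list is an improvement, but it is still a plain paragraph; now that the sentence has found its place, restore it as a `> [!NOTE]` alert rather than "Note that ...".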
@@ -55,24 +56,18 @@ AppLocker policies can apply to all users on a computer or to individual users a - Attributes of the codesigning certificate(s) used to sign an app and its binaries; - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file; -- The path from which the app or file is launched (beginning with Windows 10 version 1903). +- The path from which the app or file is launched. ### AppLocker System Requirements -AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md). +AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md). AppLocker policies can be deployed using Group Policy or MDM. ## Choose when to use WDAC or AppLocker Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. AppLocker, on the other hand, will receive security fixes but no new feature improvements. -In some cases, however, AppLocker may be the more appropriate technology for your organization. The following factors can help you decide when to use each of the technologies. -**WDAC is best when:** - -- All of the devices you wish to manage are running Windows 10. -- Your application control policy can be applied to all users on the managed computers. - -**AppLocker is best when:** +In some cases, however, AppLocker may be the more appropriate technology for your organization. 
AppLocker is best when: - You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. - You need to apply different policies for different users or groups on shared computers. From bd4cb4bb529079cc68d8b4424432e74e8f0d5478 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 28 Sep 2020 11:48:44 -0700 Subject: [PATCH 3/7] Fix wording in AppLocker description Also minor grammatical changes --- .../wdac-and-applocker-overview.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index d5ce54d444..d308e15135 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -40,7 +40,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of - The path from which the app or file is launched (beginning with Windows 10 version 1903); - The process that launched the app or binary. -Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies. WDAC was also one of the features which comprised the now-defunct term 'Device Guard'. +Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features which comprised the now-defunct term 'Device Guard'. ### WDAC System Requirements 
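Review bot: Deleting the whole "WDAC is best when:" list in the @@ -55,24 +56,18 hunk while keeping an "AppLocker is best when:" list leaves the section lopsided: readers get a recommendation for WDAC but no criteria, and the surviving lead-in "AppLocker is best when:" is now unformatted text sitting right after "In some cases, however, AppLocker may be the more appropriate technology for your organization." Either keep a short WDAC list (the two removed bullets are still accurate, with "Windows 10" widened to include Windows Server 2016 and above) or fold the criteria into the "Generally, ..." paragraph, and make sure a blank line separates "In some cases, ..." from "AppLocker is best when:" so the two do not render as one paragraph. Removing "(beginning with Windows 10 version 1903)" from the AppLocker path-rule bullet is correct; that caveat belongs to WDAC path rules, and AppLocker has supported path rules since it shipped with Windows 7.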
@@ -50,7 +50,7 @@ WDAC policies can be applied to devices running any edition of Windows 10 or Win ## AppLocker -AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers. +AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker helps to prevent end users avoid running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature. AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on: @@ -72,7 +72,5 @@ In some cases, however, AppLocker may be the more appropriate technology for you - You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. - You need to apply different policies for different users or groups on shared computers. -## When to use both WDAC and AppLocker together - -AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps. -As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. +AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where it is important to prevent some users from running specific apps. +As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions. 
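Review bot: "AppLocker helps to prevent end users avoid running unapproved software" in the @@ -50,7 +50,7 hunk is ungrammatical ("prevent ... avoid"); PATCH 4/7 below corrects it to "prevent end users from running", so squash that fix into this commit. The new clause "does not meet the servicing criteria for being a security feature" is the central difference between the two technologies and should link the same MSRC servicing-criteria page that the WDAC section links, so a reader can see what "security feature" means in practice.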
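Review bot: Removing the `## When to use both WDAC and AppLocker together` heading in the @@ -72,7 +72,5 hunk breaks any inbound link to that section's anchor and leaves the "AppLocker can also be deployed as a complement to WDAC ..." paragraph directly under the "AppLocker is best when:" bullets, where it reads as more AppLocker-only guidance rather than the combined-deployment advice it is. If the heading is intentionally dropped, open that paragraph with a lead-in such as "WDAC and AppLocker can also be used together:" and put a blank line between the "AppLocker can also be deployed ..." and "As a best practice, ..." lines, which otherwise render as a single paragraph.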
From cb574ae1e1d367e1810430378690ffe149e8493f Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 28 Sep 2020 11:51:07 -0700 Subject: [PATCH 4/7] fix wording error in AppLocker description --- .../wdac-and-applocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index d308e15135..3896e23e08 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -50,7 +50,7 @@ WDAC policies can be applied to devices running any edition of Windows 10 or Win ## AppLocker -AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker helps to prevent end users avoid running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature. +AppLocker was introduced with Windows 7 and allows organizations to control what applications are allowed to run on their Windows clients. AppLocker helps to prevent end users from running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature. AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on: From 1427b6a2279fbcce38fdfabb3c3a0508ace61698 Mon Sep 17 00:00:00 2001 
From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 28 Sep 2020 11:54:40 -0700 Subject: [PATCH 5/7] Update metadata for WDAC vs AppLocker --- .../wdac-and-applocker-overview.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 3896e23e08..c6b0c15add 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -1,7 +1,7 @@ --- title: WDAC and AppLocker Overview description: Compare Windows application control technologies. -keywords: security, malware +keywords: security, malware, whitelisting, allow-list, block-list ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ author: denisebmsft ms.reviewer: isbrahm ms.author: deniseb manager: dansimp -ms.date: 04/15/2020 +ms.date: 09/28/2020 ms.custom: asr --- 
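Review bot: The keywords line in the @@ -1,7 +1,7 hunk adds "whitelisting" alongside "allow-list"; the body text never uses "whitelisting", and PATCH 7/7 below removes it again, so drop it here and squash rather than carry a term through the series only to revert it.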
@@ -29,16 +29,16 @@ Windows 10 includes two technologies that can be used for application control de ## Windows Defender Application Control -WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). +WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: -- Attributes of the codesigning certificate(s) used to sign an app and its binaries; -- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file; -- The reputation of the app as determined by Microsoft's Intelligent Security Graph; -- The identity of the process that initiated the installation of the app and its binaries (managed installer); -- The path from which the app or file is launched (beginning with Windows 10 version 1903); -- The process that launched the app or binary. 
+- Attributes of the codesigning certificate(s) used to sign an app and its binaries +- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file +- The reputation of the app as determined by Microsoft's Intelligent Security Graph +- The identity of the process that initiated the installation of the app and its binaries (managed installer) +- The path from which the app or file is launched (beginning with Windows 10 version 1903) +- The process that launched the app or binary Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features which comprised the now-defunct term 'Device Guard'. 
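Review bot: The unchanged context line "WDAC policies apply to the managed computer as a whole and affects all users of the device" in the @@ -29,16 +29,16 hunk has a subject-verb mismatch ("policies ... affects"); since this commit already rewords the sentence above it and restyles the bullets below it, change it to "apply ... and affect" (or "A WDAC policy applies ... and affects") in the same pass. Dropping the trailing semicolons from the bullets is the right call and matches the AppLocker list in the next hunk.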
@@ -50,13 +50,13 @@ WDAC policies can be applied to devices running any edition of Windows 10 or Win ## AppLocker -AppLocker was introduced with Windows 7 and allows organizations to control what applications are allowed to run on their Windows clients. AppLocker helps to prevent end users from running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature. +AppLocker was introduced with Windows 7 and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end users from running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature. AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on: -- Attributes of the codesigning certificate(s) used to sign an app and its binaries; -- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file; -- The path from which the app or file is launched. +- Attributes of the codesigning certificate(s) used to sign an app and its binaries +- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file +- The path from which the app or file is launched ### AppLocker System Requirements 
@@ -65,7 +65,7 @@ AppLocker policies can be deployed using Group Policy or MDM. ## Choose when to use WDAC or AppLocker -Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. AppLocker, on the other hand, will receive security fixes but no new feature improvements. +Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. AppLocker is a legacy technology which will continue to receive security fixes but will not undergo new feature improvements. In some cases, however, AppLocker may be the more appropriate technology for your organization. AppLocker is best when: From c4e7593c9975caa99d2ef02285fac1cdfbd912e3 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 28 Sep 2020 11:59:43 -0700 Subject: [PATCH 6/7] Add links for WDAC features --- .../wdac-and-applocker-overview.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index c6b0c15add..c76d656d51 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
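Review bot: "Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so" in the @@ -65,7 +65,7 hunk is hard to parse; "Microsoft recommends WDAC over AppLocker wherever your environment supports it" says the same thing directly. "will be getting added support from Microsoft management platforms" is also vague: name the platforms (Intune and Configuration Manager are already mentioned in the WDAC System Requirements section) or drop the clause, and "a legacy technology which will continue" should read "that will continue".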
@@ -35,9 +35,9 @@ WDAC policies apply to the managed computer as a whole and affects all users of - Attributes of the codesigning certificate(s) used to sign an app and its binaries - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file -- The reputation of the app as determined by Microsoft's Intelligent Security Graph -- The identity of the process that initiated the installation of the app and its binaries (managed installer) -- The path from which the app or file is launched (beginning with Windows 10 version 1903) +- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) +- The identity of the process that initiated the installation of the app and its binaries ([managed installer](use-windows-defender-application-control-with-managed-installer.md)) +- The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903) - The process that launched the app or binary Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features which comprised the now-defunct term 'Device Guard'. From 34e1ba01a8f2b944e4a649bb09a88e7ddb4d082d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 30 Sep 2020 11:33:44 -0700 Subject: [PATCH 7/7] Update wdac-and-applocker-overview.md --- .../wdac-and-applocker-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index c76d656d51..f076b612e7 100644 
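Review bot: The three new relative links in the @@ -35,9 +35,9 hunk point at sibling topics and, for the path rule, at a heading fragment (`select-types-of-rules-to-create.md#more-information-about-filepath-rules`); please confirm that fragment matches the heading text in that topic, since a mismatched anchor fails silently and lands the reader at the top of the page. The last bullet, "The process that launched the app or binary", is now the only rule type without a link; if a topic covers it, link it too for consistency.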
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -1,7 +1,7 @@ --- title: WDAC and AppLocker Overview description: Compare Windows application control technologies. -keywords: security, malware, whitelisting, allow-list, block-list +keywords: security, malware, allow-list, block-list ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ author: denisebmsft ms.reviewer: isbrahm ms.author: deniseb manager: dansimp -ms.date: 09/28/2020 +ms.date: 09/30/2020 ms.custom: asr ---