From 61270ecfed2161180818a7098aadb9deeb96d670 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 26 Jul 2021 17:40:56 -0700 Subject: [PATCH] Edited select-type and event-id documents. - select-type-of-rules-to-create: added option 20 to table 1. - event-id-explanations: Added a new System Integrity Policy Options table for event ID 3099. --- .../event-id-explanations.md | 29 +++++++++++++++++++ .../select-types-of-rules-to-create.md | 1 + 2 files changed, 30 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 6ac3422250..2d450b1c94 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -86,6 +86,35 @@ To enable 3090 allow events, and 3091 and 3092 events, you must instead create a reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 ``` +## System Integrity Policy Options +Below are the policy options in event 3099. + +| Bit Address | Policy Rule Option | +|-------|------| +| 2 | Enabled:UMCI | +| 3 | Enabled:Boot Menu Protection | +| 4 | Enabled:Intelligent Security Graph Authorization | +| 5 | Enabled:Invalidate EAs on Reboot | +| 7 |Required:WHQL | +| 8 | Enabled:Developer Dynamic Code Security | +| 9 | Enabled: No Revalidation Upon Refresh | +| 10 | Enabled:Allow Supplemental Policies | +| 11 | Disabled:Runtime FilePath Rule Protection | +| 13 | Enabled: Revoked Expired As Unsigned | +| 16 |Enabled:Audit Mode (Default) | +| 17 | Disabled:Flight Signing | +| 18 | Enabled:Inherit Default Policy | +| 19 | Enabled:Unsigned System Integrity Policy (Default) | +| 20 | Enabled:Dynamic Code Security | +| 21 | Required:EV Signers | +| 22 | Enabled:Boot Audit on Failure | +| 23 | Enabled:Advanced Boot Options Menu | +| 24 | Disabled:Script Enforcement | +| 25 | Required:Enforce Store Applications | +| 26 | Enabled: Host Policy Enforcement | +| 27 |Enabled:Managed Installer | +| 28 |Enabled:Update Policy No Reboot | + ## Appendix A list of other relevant event IDs and their corresponding description. diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 794cefca57..0d7b426112 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No | | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No | +| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with an expired and/or revoked certificates as "Unsigned binaries" for user mode process/components under enterprise signing scenarios. | No | ## Windows Defender Application Control file rule levels
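Review bot: In the first hunk (event-id-explanations.md), the new System Integrity Policy Options table has inconsistent cell formatting and the heading is not separated from the preceding code fence: rows 7, 16, 27 and 28 lack the space after the leading `|` (`| 7 |Required:WHQL |`), rows 9, 13 and 26 put a space after the colon (`Enabled: No Revalidation Upon Refresh`) while every other row uses `Enabled:Option`, and `+## System Integrity Policy Options` directly follows the closing ``` of the reg add block, so a blank line should be added before the heading and the cells normalized to one form. The intro line `Below are the policy options in event 3099.` should also say what the `Bit Address` column is, i.e. that it is a bit position in the options value logged by event 3099 and how positions are counted, since the table skips 0, 1, 6, 12, 14 and 15 and a reader decoding an event needs to know whether those bits are reserved or simply undocumented here.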
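Review bot: In the second hunk (select-types-of-rules-to-create.md), the new row 20 has a grammar slip and lacks the version note its neighbors carry: `an expired and/or revoked certificates` should read `an expired or revoked certificate`, and `user mode process/components` should read `user-mode processes and components`; rows 17, 18 and 19 each end with `NOTE: This option is only supported on Windows 10, version ..., and above.`, so row 20 should state its minimum supported version or say explicitly that it applies to all supported versions. `under enterprise signing scenarios` is also undefined in the visible text, so a short clause on what counts as an enterprise signing scenario, or a link to where it is defined, would help. The option name here, `Enabled:Revoked Expired As Unsigned`, also differs in spacing from the same option in the event-id-explanations.md table added by this patch (`Enabled: Revoked Expired As Unsigned`); the two files should agree.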