deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'release-mcc-ent' of https://github.com/MicrosoftDocs/windows-docs-pr into edit-release-mcc-ent

Browse Source
This commit is contained in:
chrisjlin 2024-10-02 15:19:56 -07:00
commit 61f29aacc0
285 changed files with 10849 additions and 5051 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4631
.openpublishing.redirection.windows-security.json
View File

File diff suppressed because it is too large Load Diff

6
includes/licensing/windows-defender-application-control-wdac.md
View File

@ -1,19 +1,19 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 09/18/2023 ms.date: 09/23/2024
ms.topic: include ms.topic: include
--- ---
## Windows edition and licensing requirements ## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows Defender Application Control (WDAC): The following table lists the Windows editions that support App Control for Business:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:| |:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes| |Yes|Yes|Yes|Yes|
Windows Defender Application Control (WDAC) license entitlements are granted by the following licenses: App Control license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:| |:---:|:---:|:---:|:---:|:---:|

2
windows/application-management/index.yml
View File

@ -9,7 +9,7 @@ metadata:
author: aczechowski author: aczechowski
ms.author: aaroncz ms.author: aaroncz
manager: aaroncz manager: aaroncz
ms.date: 06/28/2024 ms.date: 09/27/2024
ms.topic: landing-page ms.topic: landing-page
ms.service: windows-client ms.service: windows-client
ms.subservice: itpro-apps ms.subservice: itpro-apps

20
windows/application-management/per-user-services-in-windows.md
View File

@ -4,7 +4,7 @@ description: Learn about per-user services, how to change the template service s
author: aczechowski author: aczechowski
ms.author: aaroncz ms.author: aaroncz
manager: aaroncz manager: aaroncz
ms.date: 12/22/2023 ms.date: 10/01/2024
ms.topic: how-to ms.topic: how-to
ms.service: windows-client ms.service: windows-client
ms.subservice: itpro-apps ms.subservice: itpro-apps
@ -229,14 +229,14 @@ If you can't use group policy preferences to manage the per-user services, you c
1. The following example includes multiple commands that disable the specified Windows services by changing their **Start** value in the Windows Registry to `4`: 1. The following example includes multiple commands that disable the specified Windows services by changing their **Start** value in the Windows Registry to `4`:
```cmd ```cmd
REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
``` ```
#### Example 2: Use the Registry Editor user interface to edit the registry #### Example 2: Use the Registry Editor user interface to edit the registry
@ -248,7 +248,7 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
1. Change the **Value data** to `4`. 1. Change the **Value data** to `4`.
:::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4."::: :::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4.":::
#### Example 3: Prevent the creation of per-user services #### Example 3: Prevent the creation of per-user services

2
windows/application-management/sideload-apps-in-windows.md
View File

@ -4,7 +4,7 @@ description: Learn how to sideload line-of-business (LOB) apps in Windows client
author: aczechowski author: aczechowski
ms.author: aaroncz ms.author: aaroncz
manager: aaroncz manager: aaroncz
ms.date: 12/22/2023 ms.date: 09/27/2024
ms.topic: how-to ms.topic: how-to
ms.service: windows-client ms.service: windows-client
ms.subservice: itpro-apps ms.subservice: itpro-apps

8
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -11,9 +11,9 @@ ms.date: 01/31/2024
<!-- ApplicationControl-Editable-Begin --> <!-- ApplicationControl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot. App Control for Business policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/application-security/application-control/app-control-for-business/design/deploy-multiple-appcontrol-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. Existing App Control for Business policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although App Control policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
<!-- ApplicationControl-Editable-End --> <!-- ApplicationControl-Editable-End -->
<!-- ApplicationControl-Tree-Begin --> <!-- ApplicationControl-Tree-Begin -->
@ -861,7 +861,7 @@ The following table provides the result of this policy based on different values
## Microsoft Intune Usage Guidance ## Microsoft Intune Usage Guidance
For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy App Control for Business policies by using Microsoft Intune](/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune).
## Generic MDM Server Usage Guidance ## Generic MDM Server Usage Guidance
@ -1014,7 +1014,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Co
### Setup for using the WMI Bridge ### Setup for using the WMI Bridge
1. Convert your WDAC policy to Base64. 1. Convert your App Control policy to Base64.
2. Open PowerShell in Local System context (through PSExec or something similar). 2. Open PowerShell in Local System context (through PSExec or something similar).
3. Use WMI Interface: 3. Use WMI Interface:

2
windows/client-management/mdm/policy-csp-admx-deviceguard.md
View File

@ -14,7 +14,7 @@ ms.date: 09/27/2024
<!-- ADMX_DeviceGuard-Editable-Begin --> <!-- ADMX_DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!WARNING] > [!WARNING]
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). > Group Policy-based deployment of App Control for Business policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
<!-- ADMX_DeviceGuard-Editable-End --> <!-- ADMX_DeviceGuard-Editable-End -->
<!-- ConfigCIPolicy-Begin --> <!-- ConfigCIPolicy-Begin -->

149
windows/deployment/do/mcc-ent-configure-provision-linux.md Normal file
View File

@ -0,0 +1,149 @@
---
title: MCC for Enterprise provision Linux cache node
description: Microsoft Connected Cache for Enterprise. Learn about how to provision Linux cache node.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
manager: aaroncz
ms.author: nidos
author: doshnid
ms.reviewer: mstewart
ms.collection: tier3
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
ms.date: 06/03/2024
---
<!--
Remove all the comments in this template before you sign-off or merge to the main branch.
This template provides the basic structure of a How-to article pattern. See the
[instructions - How-to](../level4/article-how-to-guide.md) in the pattern library.
You can provide feedback about this template at: https://aka.ms/patterns-feedback
How-to is a procedure-based article pattern that show the user how to complete a task in their own environment. A task is a work activity that has a definite beginning and ending, is observable, consist of two or more definite steps, and leads to a product, service, or decision.
-->
<!-- 1. H1 -----------------------------------------------------------------------------
Required: Use a "<verb> * <noun>" format for your H1. Pick an H1 that clearly conveys the task the user will complete.
For example: "Migrate data from regular tables to ledger tables" or "Create a new Azure SQL Database".
* Include only a single H1 in the article.
* Don't start with a gerund.
* Don't include "Tutorial" in the H1.
-->
# "<verb> * <noun>"
TODO: Add your heading
<!-- 2. Introductory paragraph ----------------------------------------------------------
Required: Lead with a light intro that describes, in customer-friendly language, what the customer will do. Answer the fundamental “why would I want to do this?” question. Keep it short.
Readers should have a clear idea of what they will do in this article after reading the introduction.
* Introduction immediately follows the H1 text.
* Introduction section should be between 1-3 paragraphs.
* Don't use a bulleted list of article H2 sections.
Example: In this article, you will migrate your user databases from IBM Db2 to SQL Server by using SQL Server Migration Assistant (SSMA) for Db2.
-->
TODO: Add your introductory paragraph
<!---Avoid notes, tips, and important boxes. Readers tend to skip over them. Better to put that info directly into the article text.
-->
<!-- 3. Prerequisites --------------------------------------------------------------------
Required: Make Prerequisites the first H2 after the H1.
* Provide a bulleted list of items that the user needs.
* Omit any preliminary text to the list.
* If there aren't any prerequisites, list "None" in plain text, not as a bulleted item.
-->
## Prerequisites
TODO: List the prerequisites
<!-- 4. Task H2s ------------------------------------------------------------------------------
Required: Multiple procedures should be organized in H2 level sections. A section contains a major grouping of steps that help users complete a task. Each section is represented as an H2 in the article.
For portal-based procedures, minimize bullets and numbering.
* Each H2 should be a major step in the task.
* Phrase each H2 title as "<verb> * <noun>" to describe what they'll do in the step.
* Don't start with a gerund.
* Don't number the H2s.
* Begin each H2 with a brief explanation for context.
* Provide a ordered list of procedural steps.
* Provide a code block, diagram, or screenshot if appropriate
* An image, code block, or other graphical element comes after numbered step it illustrates.
* If necessary, optional groups of steps can be added into a section.
* If necessary, alternative groups of steps can be added into a section.
-->
## "\<verb\> * \<noun\>"
TODO: Add introduction sentence(s)
[Include a sentence or two to explain only what is needed to complete the procedure.]
TODO: Add ordered list of procedure steps
1. Step 1
1. Step 2
1. Step 3
## "\<verb\> * \<noun\>"
TODO: Add introduction sentence(s)
[Include a sentence or two to explain only what is needed to complete the procedure.]
TODO: Add ordered list of procedure steps
1. Step 1
1. Step 2
1. Step 3
## "\<verb\> * \<noun\>"
TODO: Add introduction sentence(s)
[Include a sentence or two to explain only what is needed to complete the procedure.]
TODO: Add ordered list of procedure steps
1. Step 1
1. Step 2
1. Step 3
<!-- 5. Next step/Related content------------------------------------------------------------------------
Optional: You have two options for manually curated links in this pattern: Next step and Related content. You don't have to use either, but don't use both.
- For Next step, provide one link to the next step in a sequence. Use the blue box format
- For Related content provide 1-3 links. Include some context so the customer can determine why they would click the link. Add a context sentence for the following links.
-->
## Next step
TODO: Add your next step link(s)
> [!div class="nextstepaction"]
> [Write concepts](article-concept.md)
<!-- OR -->
## Related content
TODO: Add your next step link(s)
- [Write concepts](article-concept.md)
<!--
Remove all the comments in this template before you sign-off or merge to the main branch.
-->

149
windows/deployment/do/mcc-ent-configure-provision-windows.md Normal file
View File

@ -0,0 +1,149 @@
---
title: MCC for Enterprise provision Windows cache node
description: Microsoft Connected Cache for Enterprise. Learn about how to provision Windows cache node.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
manager: aaroncz
ms.author: nidos
author: doshnid
ms.reviewer: mstewart
ms.collection: tier3
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
ms.date: 06/03/2024
---
<!--
Remove all the comments in this template before you sign-off or merge to the main branch.
This template provides the basic structure of a How-to article pattern. See the
[instructions - How-to](../level4/article-how-to-guide.md) in the pattern library.
You can provide feedback about this template at: https://aka.ms/patterns-feedback
How-to is a procedure-based article pattern that show the user how to complete a task in their own environment. A task is a work activity that has a definite beginning and ending, is observable, consist of two or more definite steps, and leads to a product, service, or decision.
-->
<!-- 1. H1 -----------------------------------------------------------------------------
Required: Use a "<verb> * <noun>" format for your H1. Pick an H1 that clearly conveys the task the user will complete.
For example: "Migrate data from regular tables to ledger tables" or "Create a new Azure SQL Database".
* Include only a single H1 in the article.
* Don't start with a gerund.
* Don't include "Tutorial" in the H1.
-->
# "<verb> * <noun>"
TODO: Add your heading
<!-- 2. Introductory paragraph ----------------------------------------------------------
Required: Lead with a light intro that describes, in customer-friendly language, what the customer will do. Answer the fundamental “why would I want to do this?” question. Keep it short.
Readers should have a clear idea of what they will do in this article after reading the introduction.
* Introduction immediately follows the H1 text.
* Introduction section should be between 1-3 paragraphs.
* Don't use a bulleted list of article H2 sections.
Example: In this article, you will migrate your user databases from IBM Db2 to SQL Server by using SQL Server Migration Assistant (SSMA) for Db2.
-->
TODO: Add your introductory paragraph
<!---Avoid notes, tips, and important boxes. Readers tend to skip over them. Better to put that info directly into the article text.
-->
<!-- 3. Prerequisites --------------------------------------------------------------------
Required: Make Prerequisites the first H2 after the H1.
* Provide a bulleted list of items that the user needs.
* Omit any preliminary text to the list.
* If there aren't any prerequisites, list "None" in plain text, not as a bulleted item.
-->
## Prerequisites
TODO: List the prerequisites
<!-- 4. Task H2s ------------------------------------------------------------------------------
Required: Multiple procedures should be organized in H2 level sections. A section contains a major grouping of steps that help users complete a task. Each section is represented as an H2 in the article.
For portal-based procedures, minimize bullets and numbering.
* Each H2 should be a major step in the task.
* Phrase each H2 title as "<verb> * <noun>" to describe what they'll do in the step.
* Don't start with a gerund.
* Don't number the H2s.
* Begin each H2 with a brief explanation for context.
* Provide a ordered list of procedural steps.
* Provide a code block, diagram, or screenshot if appropriate
* An image, code block, or other graphical element comes after numbered step it illustrates.
* If necessary, optional groups of steps can be added into a section.
* If necessary, alternative groups of steps can be added into a section.
-->
## "\<verb\> * \<noun\>"
TODO: Add introduction sentence(s)
[Include a sentence or two to explain only what is needed to complete the procedure.]
TODO: Add ordered list of procedure steps
1. Step 1
1. Step 2
1. Step 3
## "\<verb\> * \<noun\>"
TODO: Add introduction sentence(s)
[Include a sentence or two to explain only what is needed to complete the procedure.]
TODO: Add ordered list of procedure steps
1. Step 1
1. Step 2
1. Step 3
## "\<verb\> * \<noun\>"
TODO: Add introduction sentence(s)
[Include a sentence or two to explain only what is needed to complete the procedure.]
TODO: Add ordered list of procedure steps
1. Step 1
1. Step 2
1. Step 3
<!-- 5. Next step/Related content------------------------------------------------------------------------
Optional: You have two options for manually curated links in this pattern: Next step and Related content. You don't have to use either, but don't use both.
- For Next step, provide one link to the next step in a sequence. Use the blue box format
- For Related content provide 1-3 links. Include some context so the customer can determine why they would click the link. Add a context sentence for the following links.
-->
## Next step
TODO: Add your next step link(s)
> [!div class="nextstepaction"]
> [Write concepts](article-concept.md)
<!-- OR -->
## Related content
TODO: Add your next step link(s)
- [Write concepts](article-concept.md)
<!--
Remove all the comments in this template before you sign-off or merge to the main branch.
-->

4
windows/deployment/do/mcc-ent-deploy-to-windows.md
View File

@ -17,7 +17,7 @@ appliesto:
This article describes how to deploy Microsoft Connected Cache for Enterprise and Education (MCCE) caching software to a Windows host machine. This article describes how to deploy Microsoft Connected Cache for Enterprise and Education (MCCE) caching software to a Windows host machine.
Deploying MCCE to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](https://learn.microsoft.com/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [Local User Account](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d) as the MCCE runtime account. This prevents tampering with the MCC container and the cached content on the host machine. Deploying MCCE to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [Local User Account](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d) as the MCCE runtime account. This prevents tampering with the MCC container and the cached content on the host machine.
Before deploying MCCE to a Windows host machine, ensure that the host machine meets all [requirements](mcc-ent-prerequisites.md), and that you have [created and configured your MCC Azure resource](https://aka.ms/mccent-create-resources). Before deploying MCCE to a Windows host machine, ensure that the host machine meets all [requirements](mcc-ent-prerequisites.md), and that you have [created and configured your MCC Azure resource](https://aka.ms/mccent-create-resources).
@ -30,7 +30,7 @@ Before deploying MCCE to a Windows host machine, ensure that the host machine me
1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package. 1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package.
1. Set the Execution Policy to "Unrestricted" to allow the provisioning scripts to run. 1. Set the Execution Policy to "Unrestricted" to allow the provisioning scripts to run.
1. Create a `$User` environment variable containing the username of the account you intend to designate as the MCC runtime account. For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`. 1. Create a `$User` environment variable containing the username of the account you intend to designate as the MCC runtime account. For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`.
- If you're using a Local User account as the MCCE runtime account, you'll also need to create a [PSCredential Object](https://learn.microsoft.com/dotnet/api/system.management.automation.pscredential?view=powershellsdk-7.4.0&preserve-view=true) named `$myLocalAccountCredential`. - If you're using a Local User account as the MCCE runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`.
1. Run the provisioning command on the host machine. 1. Run the provisioning command on the host machine.
# [Azure CLI](#tab/cli) # [Azure CLI](#tab/cli)

149
windows/deployment/do/mcc-ent-monitor-cache.md Normal file
View File

@ -0,0 +1,149 @@
---
title: MCC for Enterprise monitor cache nodes
description: Microsoft Connected Cache for Enterprise. Learn about how to monitor cache node.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
manager: aaroncz
ms.author: nidos
author: doshnid
ms.reviewer: mstewart
ms.collection: tier3
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
ms.date: 09/04/2024
---
<!--
Remove all the comments in this template before you sign-off or merge to the main branch.
This template provides the basic structure of a How-to article pattern. See the
[instructions - How-to](../level4/article-how-to-guide.md) in the pattern library.
You can provide feedback about this template at: https://aka.ms/patterns-feedback
How-to is a procedure-based article pattern that show the user how to complete a task in their own environment. A task is a work activity that has a definite beginning and ending, is observable, consist of two or more definite steps, and leads to a product, service, or decision.
-->
<!-- 1. H1 -----------------------------------------------------------------------------
Required: Use a "<verb> * <noun>" format for your H1. Pick an H1 that clearly conveys the task the user will complete.
For example: "Migrate data from regular tables to ledger tables" or "Create a new Azure SQL Database".
* Include only a single H1 in the article.
* Don't start with a gerund.
* Don't include "Tutorial" in the H1.
-->
# "<verb> * <noun>"
TODO: Add your heading
<!-- 2. Introductory paragraph ----------------------------------------------------------
Required: Lead with a light intro that describes, in customer-friendly language, what the customer will do. Answer the fundamental “why would I want to do this?” question. Keep it short.
Readers should have a clear idea of what they will do in this article after reading the introduction.
* Introduction immediately follows the H1 text.
* Introduction section should be between 1-3 paragraphs.
* Don't use a bulleted list of article H2 sections.
Example: In this article, you will migrate your user databases from IBM Db2 to SQL Server by using SQL Server Migration Assistant (SSMA) for Db2.
-->
TODO: Add your introductory paragraph
<!---Avoid notes, tips, and important boxes. Readers tend to skip over them. Better to put that info directly into the article text.
-->
<!-- 3. Prerequisites --------------------------------------------------------------------
Required: Make Prerequisites the first H2 after the H1.
* Provide a bulleted list of items that the user needs.
* Omit any preliminary text to the list.
* If there aren't any prerequisites, list "None" in plain text, not as a bulleted item.
-->
## Prerequisites
TODO: List the prerequisites
<!-- 4. Task H2s ------------------------------------------------------------------------------
Required: Multiple procedures should be organized in H2 level sections. A section contains a major grouping of steps that help users complete a task. Each section is represented as an H2 in the article.
For portal-based procedures, minimize bullets and numbering.
* Each H2 should be a major step in the task.
* Phrase each H2 title as "<verb> * <noun>" to describe what they'll do in the step.
* Don't start with a gerund.
* Don't number the H2s.
* Begin each H2 with a brief explanation for context.
* Provide a ordered list of procedural steps.
* Provide a code block, diagram, or screenshot if appropriate
* An image, code block, or other graphical element comes after numbered step it illustrates.
* If necessary, optional groups of steps can be added into a section.
* If necessary, alternative groups of steps can be added into a section.
-->
## "\<verb\> * \<noun\>"
TODO: Add introduction sentence(s)
[Include a sentence or two to explain only what is needed to complete the procedure.]
TODO: Add ordered list of procedure steps
1. Step 1
1. Step 2
1. Step 3
## "\<verb\> * \<noun\>"
TODO: Add introduction sentence(s)
[Include a sentence or two to explain only what is needed to complete the procedure.]
TODO: Add ordered list of procedure steps
1. Step 1
1. Step 2
1. Step 3
## "\<verb\> * \<noun\>"
TODO: Add introduction sentence(s)
[Include a sentence or two to explain only what is needed to complete the procedure.]
TODO: Add ordered list of procedure steps
1. Step 1
1. Step 2
1. Step 3
<!-- 5. Next step/Related content------------------------------------------------------------------------
Optional: You have two options for manually curated links in this pattern: Next step and Related content. You don't have to use either, but don't use both.
- For Next step, provide one link to the next step in a sequence. Use the blue box format
- For Related content provide 1-3 links. Include some context so the customer can determine why they would click the link. Add a context sentence for the following links.
-->
## Next step
TODO: Add your next step link(s)
> [!div class="nextstepaction"]
> [Write concepts](article-concept.md)
<!-- OR -->
## Related content
TODO: Add your next step link(s)
- [Write concepts](article-concept.md)
<!--
Remove all the comments in this template before you sign-off or merge to the main branch.
-->

4
windows/deployment/do/mcc-ent-prerequisites.md
View File

@ -27,7 +27,7 @@ This article details the requirements and recommendations for using Microsoft Co
- **E3/E5 or A3/A5 license**: Your organization must have one of the following license subscriptions for each device that downloads content from an MCCE cache node. - **E3/E5 or A3/A5 license**: Your organization must have one of the following license subscriptions for each device that downloads content from an MCCE cache node.
- [Windows Enterprise E3 or E5](https://learn.microsoft.com/windows/whats-new/windows-licensing#windows-11-enterprise), included in [Microsoft 365 F3, E3, or E5](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing?msockid=32c407b43d5968050f2b13443c746916) - [Windows Enterprise E3 or E5](/windows/whats-new/windows-licensing#windows-11-enterprise), included in [Microsoft 365 F3, E3, or E5](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing?msockid=32c407b43d5968050f2b13443c746916)
- Windows Education A3 or A5, included in [Microsoft 365 A3 or A5](https://www.microsoft.com/education/products/microsoft-365?msockid=32c407b43d5968050f2b13443c746916#Education-plans) - Windows Education A3 or A5, included in [Microsoft 365 A3 or A5](https://www.microsoft.com/education/products/microsoft-365?msockid=32c407b43d5968050f2b13443c746916#Education-plans)
## Cache node host machine requirements ## Cache node host machine requirements
@ -45,7 +45,7 @@ This article details the requirements and recommendations for using Microsoft Co
- Windows 11 must have [OS Build 22631.3296](https://support.microsoft.com/topic/march-12-2024-kb5035853-os-builds-22621-3296-and-22631-3296-a69ac07f-e893-4d16-bbe1-554b7d9dd39b) or later - Windows 11 must have [OS Build 22631.3296](https://support.microsoft.com/topic/march-12-2024-kb5035853-os-builds-22621-3296-and-22631-3296-a69ac07f-e893-4d16-bbe1-554b7d9dd39b) or later
- Windows Server 2022 must have [OS Build 20348.2227](https://support.microsoft.com/topic/january-9-2024-kb5034129-os-build-20348-2227-6958a36f-efaf-4ef5-a576-c5931072a89a) or later - Windows Server 2022 must have [OS Build 20348.2227](https://support.microsoft.com/topic/january-9-2024-kb5034129-os-build-20348-2227-6958a36f-efaf-4ef5-a576-c5931072a89a) or later
- The Windows host machine must support nested virtualization. - The Windows host machine must support nested virtualization.
- The Windows host machine must have [WSL2 installed](https://learn.microsoft.com/windows/wsl/install#install-wsl-command). - The Windows host machine must have [WSL2 installed](/windows/wsl/install#install-wsl-command).
### Additional requirements for Linux host machines ### Additional requirements for Linux host machines

55
windows/deployment/do/mcc-ent-update-cache.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Uninstall MCC for Enterprise and Education
description: Details on how to uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
ms.author: carmenf
author: cmknox
manager: aaroncz
ms.reviewer: mstewart
ms.collection:
- tier3
- must-keep
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
ms.date: 05/23/2024
---
<!-- Customers will no longer update the private preview and instead install public preview
# Update or uninstall Microsoft Connected Cache for Enterprise and Education
Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update.
## Update MCC
Run the following command with the **arguments** we provided in the email to update your MCC:
```powershell
# .\updatemcc.ps1 version="**\<VERSION\>**" tenantid="**\<TENANTID\>**" customerid="**\<CUSTOMERID\>**" cachenodeid="**\<CACHENODEID\>**" customerkey="**\<CUSTOMERKEY\>**"
```
For example:
```powershell
# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a"
```
-->
# Uninstall MCC
Contact the MCC Team before uninstalling to let us know if you're facing issues.
This script removes the following items:
1. EFLOW + Linux VM
1. IoT Edge
1. Edge Agent
1. Edge Hub
1. MCC
1. Moby CLI
1. Moby Engine
To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT
Edge LTS \> Uninstall

2
windows/deployment/do/mcc-ent-verify-cache-node.md
View File

@ -36,7 +36,7 @@ These steps should be taken after deploying MCCE caching software to a [Windows]
If successful, the Windows client device should begin to download a small image file from the MCCE cache node. If successful, the Windows client device should begin to download a small image file from the MCCE cache node.
1. To check how much content an individual Windows client has pulled from an MCCE cache node, open the [Delivery Optimization activity monitor](https://learn.microsoft.com/microsoft-365-apps/updates/delivery-optimization#viewing-data-about-the-use-of-delivery-optimization) on the Windows client device. 1. To check how much content an individual Windows client has pulled from an MCCE cache node, open the [Delivery Optimization activity monitor](/microsoft-365-apps/updates/delivery-optimization#viewing-data-about-the-use-of-delivery-optimization) on the Windows client device.
You should see a donut chart titled Download Statistics. If the Windows client has pulled content from the cache node, you'll see a segment of the donut labeled "From Microsoft cache server". You should see a donut chart titled Download Statistics. If the Windows client has pulled content from the cache node, you'll see a segment of the donut labeled "From Microsoft cache server".

8
windows/deployment/update/fod-and-lang-packs.md
View File

@ -13,7 +13,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a> - ✅ <a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a>
- ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a> - ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
ms.date: 04/22/2024 ms.date: 10/01/2024
--- ---
# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager # How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
@ -31,11 +31,13 @@ Due to these changes, the **Specify settings for optional component installation
The introduction of the **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<UpdateClass\>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) policy in Windows 10, version 2004 further complicated configuring settings for FoD and language pack content. The introduction of the **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<UpdateClass\>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) policy in Windows 10, version 2004 further complicated configuring settings for FoD and language pack content.
Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP) updates were introduced. FoDs and language packs are available from WSUS again. It's no longer necessary to use the **Specify settings for optional component installation and component repair** policy for FoD and language pack content. Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP) updates were introduced. FoDs and language packs are available from WSUS again. It's no longer necessary to use the **Specify settings for optional component installation and component repair** policy for FoD and language pack content. This policy was modified starting in Windows 11, version 24H2 and the following options were removed:<!--8914508-->
- Never attempt to download payload from Windows Update
- Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)
## Version specific information for Features on Demand and language packs ## Version specific information for Features on Demand and language packs
Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP. Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP. The policy was modified starting in Windows 11, version 24H2 to remove the unneeded options.<!--8914508-->
For Windows 10, version 2004 through Windows 11, version 21H2, clients can't download FoDs or language packs when **Specify settings for optional component installation and component repair** is set to Windows Update and **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<FeatureUpdates/QualityUpdates>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) for either feature or quality updates is set to WSUS. If you need this content, you can set **Specify settings for optional component installation and component repair** to Windows Update and then either: For Windows 10, version 2004 through Windows 11, version 21H2, clients can't download FoDs or language packs when **Specify settings for optional component installation and component repair** is set to Windows Update and **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<FeatureUpdates/QualityUpdates>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) for either feature or quality updates is set to WSUS. If you need this content, you can set **Specify settings for optional component installation and component repair** to Windows Update and then either:
- Change the source selection for feature and quality updates to Windows Update - Change the source selection for feature and quality updates to Windows Update

1
windows/deployment/windows-enterprise-e3-overview.md
View File

@ -105,7 +105,6 @@ For more information about implementing Credential Guard, see the following reso
- [Security considerations for Original Equipment Manufacturers](/windows-hardware/design/device-experiences/oem-security-considerations) - [Security considerations for Original Equipment Manufacturers](/windows-hardware/design/device-experiences/oem-security-considerations)
- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) - [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
### AppLocker management ### AppLocker management
AppLocker in Windows Enterprise can be managed by using Group Policy. Group Policy requires having AD DS and that the Windows Enterprise devices are joined to an AD DS domain. AppLocker rules can be created by using Group Policy. The AppLocker rules can then be targeted to the appropriate devices. AppLocker in Windows Enterprise can be managed by using Group Policy. Group Policy requires having AD DS and that the Windows Enterprise devices are joined to an AD DS domain. AppLocker rules can be created by using Group Policy. The AppLocker rules can then be targeted to the appropriate devices.

12
windows/hub/index.yml
View File

@ -15,7 +15,7 @@ metadata:
author: aczechowski author: aczechowski
ms.author: aaroncz ms.author: aaroncz
manager: aaroncz manager: aaroncz
ms.date: 08/27/2024 ms.date: 10/01/2024
highlightedContent: highlightedContent:
# itemType: architecture | concept | deploy | download | get-started | how-to-guide | training | overview | quickstart | reference | sample | tutorial | video | whats-new # itemType: architecture | concept | deploy | download | get-started | how-to-guide | training | overview | quickstart | reference | sample | tutorial | video | whats-new
@ -25,13 +25,13 @@ highlightedContent:
itemType: get-started itemType: get-started
url: /windows/whats-new/windows-11-overview url: /windows/whats-new/windows-11-overview
- title: Windows 11, version 23H2 - title: Windows 11, version 24H2
itemType: whats-new itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-23h2 url: /windows/whats-new/whats-new-windows-11-version-24h2
- title: Windows 11, version 23H2 group policy settings reference - title: Windows 11, version 24H2 group policy settings reference
itemType: download itemType: download
url: https://www.microsoft.com/download/details.aspx?id=105668 url: https://www.microsoft.com/download/details.aspx?id=106255
- title: Windows administrative tools - title: Windows administrative tools
itemType: concept itemType: concept
@ -73,7 +73,7 @@ conceptualContent:
- title: Privacy in Windows - title: Privacy in Windows
links: links:
- url: /windows/privacy/required-diagnostic-events-fields-windows-11-22h2 - url: /windows/privacy/required-diagnostic-events-fields-windows-11-24h2
itemType: reference itemType: reference
text: Windows 11 required diagnostic data text: Windows 11 required diagnostic data
- url: /windows/privacy/configure-windows-diagnostic-data-in-your-organization - url: /windows/privacy/configure-windows-diagnostic-data-in-your-organization

31
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
View File

@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: laurawi manager: laurawi
ms.date: 04/24/2024 ms.date: 10/01/2024
ms.topic: reference ms.topic: reference
ms.collection: privacy-windows ms.collection: privacy-windows
--- ---
@ -27,6 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles: You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md) - [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md) - [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md)
@ -903,7 +904,7 @@ The following fields are available:
- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? - **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
- **DriverBlockOverridden** Is there's a driver block on the device that has been overridden? - **DriverBlockOverridden** Is there a driver block on the device that has been overridden?
- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? - **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? - **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? - **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
@ -949,7 +950,6 @@ The following fields are available:
- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? - **DriverShouldNotMigrate** Should the driver package be migrated during upgrade?
- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove ### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date. This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
@ -1763,7 +1763,6 @@ The following fields are available:
The SystemProcessorPopCntStartSync event indicates that a new set of SystemProcessorPopCntAdd events will be sent. This event is used to understand if the system supports the PopCnt CPU requirement for newer versions of Windows. The SystemProcessorPopCntStartSync event indicates that a new set of SystemProcessorPopCntAdd events will be sent. This event is used to understand if the system supports the PopCnt CPU requirement for newer versions of Windows.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available: The following fields are available:
@ -2186,7 +2185,7 @@ The following fields are available:
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. - **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
@ -2626,7 +2625,7 @@ Fires when the compatibility check completes. Gives the results from the check.
The following fields are available: The following fields are available:
- **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false. - **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false.
- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement). - **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-memory-integrity-default-enablement).
### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled
@ -4759,6 +4758,7 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events. - **InventoryVersion** The version of the inventory file generating the events.
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd ### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly. This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly.
@ -5375,7 +5375,7 @@ This Ping event sends a detailed inventory of software and hardware information
The following fields are available: The following fields are available:
- **appAp** Any additional parameters for the specified application. Default: ''. - **appAp** Any additional parameters for the specified application. Default: ''.
- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined. - **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''. - **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev). - **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''. - **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@ -5383,11 +5383,11 @@ The following fields are available:
- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. - **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. - **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. - **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Please see the wiki for additional information. Default: '-2'. - **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''. - **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. - **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''. - **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
@ -5398,8 +5398,8 @@ The following fields are available:
- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. - **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. - **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'. - **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information. - **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. - **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. - **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
@ -5409,9 +5409,9 @@ The following fields are available:
- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't. - **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. - **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'. - **appVersion** The version of the product install. Default: '0.0.0.0'.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
- **eventType** A string indicating the type of the event. Please see the wiki for additional information. - **eventType** A string indicating the type of the event.
- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'. - **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware doesn't support the SSE instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware doesn't support the SSE instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware doesn't support the SSE2 instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware doesn't support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
@ -9069,7 +9069,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours ### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours
This event indicates that update activity was blocked because it is within the active hours window. The data collected with this event is used to help keep Windows secure and up to date. This event indicates that update activity was blocked because it's within the active hours window. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -10232,6 +10232,3 @@ The following fields are available:
- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. - **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license.
- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. - **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application.
- **UserId** The XUID (Xbox User ID) of the current user. - **UserId** The XUID (Xbox User ID) of the current user.

2
windows/privacy/index.yml
View File

@ -39,7 +39,7 @@ productDirectory:
- title: Windows 11 required diagnostic data - title: Windows 11 required diagnostic data
imageSrc: /media/common/i_extend.svg imageSrc: /media/common/i_extend.svg
summary: Learn more about basic Windows diagnostic data events and fields collected. summary: Learn more about basic Windows diagnostic data events and fields collected.
url: required-diagnostic-events-fields-windows-11-22H2.md url: required-diagnostic-events-fields-windows-11-24H2.md
- title: Windows 10 required diagnostic data - title: Windows 10 required diagnostic data
imageSrc: /media/common/i_build.svg imageSrc: /media/common/i_build.svg
summary: See what changes Windows is making to align to the new data collection taxonomy summary: See what changes Windows is making to align to the new data collection taxonomy

204
windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
View File

@ -8,7 +8,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: laurawi manager: laurawi
ms.date: 02/29/2024 ms.date: 10/01/2024
ms.topic: reference ms.topic: reference
ms.collection: privacy-windows ms.collection: privacy-windows
--- ---
@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles: You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md) - [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
@ -128,6 +129,7 @@ The following fields are available:
- **AppraiserVersion** The version of the appraiser binary generating the events. - **AppraiserVersion** The version of the appraiser binary generating the events.
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date. This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
@ -780,6 +782,7 @@ The following fields are available:
- **AppraiserVersion** Appraiser version. - **AppraiserVersion** Appraiser version.
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
@ -1309,7 +1312,6 @@ The following fields are available:
- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
- **xid** A list of base10-encoded XBOX User IDs. - **xid** A list of base10-encoded XBOX User IDs.
## Common data fields ## Common data fields
### Ms.Device.DeviceInventoryChange ### Ms.Device.DeviceInventoryChange
@ -1725,7 +1727,7 @@ The following fields are available:
### Microsoft.Windows.HangReporting.AppHangEvent ### Microsoft.Windows.HangReporting.AppHangEvent
This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and won't produce AppHang events.
The following fields are available: The following fields are available:
@ -1751,31 +1753,6 @@ The following fields are available:
## Holographic events ## Holographic events
### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
- **SessionID** Unique value for each attempt.
- **TargetAsId** The sequence number for the process.
- **windowInstanceId** Unique value for each window instance.
### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
- **EventHistory** Unique number of event history.
- **ExternalComponentState** State of external component.
- **LastEvent** Unique number of last event.
- **SessionID** Unique value for each attempt.
- **TargetAsId** The sequence number for the process.
- **windowInstanceId** Unique value for each window instance.
### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicSpaceCreated ### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicSpaceCreated
This event indicates the state of Windows holographic scene. The data collected with this event is used to keep Windows performing properly. This event indicates the state of Windows holographic scene. The data collected with this event is used to keep Windows performing properly.
@ -2247,6 +2224,22 @@ The following fields are available:
- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''. - **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
### Microsoft.Edge.Crashpad.HangEvent
This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
The following fields are available:
- **app_name** The name of the hanging process.
- **app_session_guid** Encodes the boot session, process, and process start time.
- **app_version** The version of the hanging process.
- **client_id_hash** Hash of the browser client id to help identify the installation.
- **etag** Identifier to help identify running browser experiments.
- **hang_source** Identifies how the hang was detected.
- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc.
- **stack_hash** A hash of the hanging stack. Currently not used or set to zero.
## OneSettings events ## OneSettings events
### Microsoft.Windows.OneSettingsClient.Status ### Microsoft.Windows.OneSettingsClient.Status
@ -2273,105 +2266,29 @@ The following fields are available:
## Other events ## Other events
### Microsoft.Edge.Crashpad.HangEvent ### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang. This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
The following fields are available: The following fields are available:
- **app_name** The name of the hanging process. - **SessionID** Unique value for each attempt.
- **app_session_guid** Encodes the boot session, process, and process start time. - **TargetAsId** The sequence number for the process.
- **app_version** The version of the hanging process. - **windowInstanceId** Unique value for each window instance.
- **client_id_hash** Hash of the browser client id to help identify the installation.
- **etag** Identifier to help identify running browser experiments.
- **hang_source** Identifies how the hang was detected.
- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc.
- **stack_hash** A hash of the hanging stack. Currently not used or set to zero.
### Microsoft.Gaming.Critical.Error ### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
Common error event used by the Gaming Telemetry Library to provide centralized monitoring for critical errors logged by callers using the library. This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
The following fields are available: The following fields are available:
- **callStack** List of active subroutines running during error occurrence. - **EventHistory** Unique number of event history.
- **componentName** Friendly name meant to represent what feature area this error should be attributed to. Used for aggregations and pivots of data. - **ExternalComponentState** State of external component.
- **customAttributes** List of custom attributes. - **LastEvent** Unique number of last event.
- **errorCode** Error code. - **SessionID** Unique value for each attempt.
- **extendedData** JSON blob representing additional, provider-level properties common to the component. - **TargetAsId** The sequence number for the process.
- **featureName** Friendly name meant to represent which feature this should be attributed to. - **windowInstanceId** Unique value for each window instance.
- **identifier** Error identifier.
- **message** Error message.
- **properties** List of properties attributed to the error.
### Microsoft.Gaming.Critical.ProviderRegistered
Indicates that a telemetry provider has been registered with the Gaming Telemetry Library.
The following fields are available:
- **providerNamespace** The telemetry Namespace for the registered provider.
### Microsoft.Gaming.OOBE.HDDBackup
This event describes whether an External HDD back up has been found.
The following fields are available:
- **backupVersion** version number of backup.
- **extendedData** JSON blob representing additional, provider-level properties common to the component.
- **hasConsoleSettings** Indicates whether the console settings stored.
- **hasUserSettings** Indicates whether the user settings stored.
- **hasWirelessProfile** Indicates whether the wireless profile stored.
- **hddBackupFound** Indicates whether hdd backup is found.
- **osVersion** Operating system version.
### Microsoft.Gaming.OOBE.OobeComplete
This event is triggered when OOBE activation is complete.
The following fields are available:
- **allowAutoUpdate** Allows auto update.
- **allowAutoUpdateApps** Allows auto update for apps.
- **appliedTransferToken** Applied transfer token.
- **connectionType** Connection type.
- **curSessionId** Current session id.
- **extendedData** JSON blob representing additional, provider-level properties common to the component.
- **instantOn** Instant on.
- **moobeAcceptedState** Moobe accepted state.
- **phaseOneElapsedTimeMs** Total elapsed time in milliseconds for phase 1.
- **phaseOneVersion** Version of phase 1.
- **phaseTwoElapsedTimeMs** Total elapsed time in milliseconds for phase 2.
- **phaseTwoVersion** Version of phase 2.
- **systemUpdateRequired** Indicates whether a system update required.
- **totalElapsedTimeMs** Total elapsed time in milliseconds of all phases.
- **usedCloudBackup** Indicates whether cloud backup is used.
- **usedHDDBackup** Indicates whether HDD backup is used.
- **usedOffConsole** Indicates whether off console is used.
### Microsoft.Gaming.OOBE.SessionStarted
This event is sent at the start of OOBE session.
The following fields are available:
- **customAttributes** customAttributes.
- **extendedData** extendedData.
### Microsoft.Surface.Mcu.Prod.CriticalLog
Error information from Surface device firmware.
The following fields are available:
- **CrashLog** MCU crash log
- **criticalLogSize** Log size
- **CUtility::GetTargetNameA(target)** Product identifier.
- **productId** Product identifier
- **uniqueId** Correlation ID that can be used with Watson to get more details about the failure.
### Microsoft.Windows.Defender.Engine.Maps.Heartbeat ### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
@ -2409,6 +2326,7 @@ The following fields are available:
- **Action** Action string indicating place of failure - **Action** Action string indicating place of failure
- **hr** Return HRESULT code - **hr** Return HRESULT code
### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateStarted ### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateStarted
Event that indicates secure boot update has started. Event that indicates secure boot update has started.
@ -2419,22 +2337,6 @@ The following fields are available:
- **SecureBootUpdateCaller** Enum value indicating if this is a servicing or an upgrade. - **SecureBootUpdateCaller** Enum value indicating if this is a servicing or an upgrade.
### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
- **CV** The correlation vector.
- **GlobalEventCounter** The global event counter for all telemetry on the device.
- **UpdateAssistantStateDownloading** True at the start Downloading.
- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
- **UpdateAssistantStateInstalling** True at the start of Installing.
- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
- **UpdateAssistantVersion** Current package version of UpdateAssistant.
### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled ### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled
This event fires when HVCI is already enabled so no need to continue auto-enablement. This event fires when HVCI is already enabled so no need to continue auto-enablement.
@ -2670,6 +2572,19 @@ The following fields are available:
- **Ver** Schema version. - **Ver** Schema version.
### Microsoft.Surface.Mcu.Prod.CriticalLog
Error information from Surface device firmware.
The following fields are available:
- **CrashLog** MCU crash log
- **criticalLogSize** Log size
- **CUtility::GetTargetNameA(target)** Product identifier.
- **productId** Product identifier
- **uniqueId** Correlation ID that can be used with Watson to get more details about the failure.
### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 ### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2
This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly.
@ -2710,6 +2625,24 @@ The following fields are available:
- **UpdateAttempted** Indicates if installation of the current update has been attempted before. - **UpdateAttempted** Indicates if installation of the current update has been attempted before.
## Update Assistant events
### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
- **CV** The correlation vector.
- **GlobalEventCounter** The global event counter for all telemetry on the device.
- **UpdateAssistantStateDownloading** True at the start Downloading.
- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
- **UpdateAssistantStateInstalling** True at the start of Installing.
- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
- **UpdateAssistantVersion** Current package version of UpdateAssistant.
## Update events ## Update events
### Update360Telemetry.FellBackToDownloadingAllPackageFiles ### Update360Telemetry.FellBackToDownloadingAllPackageFiles
@ -3574,7 +3507,7 @@ The following fields are available:
- **flightMetadata** Contains the FlightId and the build being flighted. - **flightMetadata** Contains the FlightId and the build being flighted.
- **objectId** Unique value for each Update Agent mode. - **objectId** Unique value for each Update Agent mode.
- **relatedCV** Correlation vector value generated from the latest USO scan. - **relatedCV** Correlation vector value generated from the latest USO scan.
- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. - **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCancelled.
- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. - **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). - **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
- **sessionId** Unique value for each Update Agent mode attempt. - **sessionId** Unique value for each Update Agent mode attempt.
@ -3758,6 +3691,3 @@ The following fields are available:
- **SessionId** The UpdateAgent “SessionId” value. - **SessionId** The UpdateAgent “SessionId” value.
- **UpdateId** Unique identifier for the Update. - **UpdateId** Unique identifier for the Update.
- **WuId** Unique identifier for the Windows Update client. - **WuId** Unique identifier for the Windows Update client.

4266
windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md Normal file
View File

File diff suppressed because it is too large Load Diff

46
windows/privacy/required-windows-11-diagnostic-events-and-fields.md
View File

@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: laurawi manager: laurawi
ms.date: 04/24/2024 ms.date: 10/01/2024
ms.collection: privacy-windows ms.collection: privacy-windows
ms.topic: reference ms.topic: reference
--- ---
@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles: You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md) - [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md) - [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
@ -167,7 +168,6 @@ The following fields are available:
- **AppraiserVersion** The version of the appraiser binary generating the events. - **AppraiserVersion** The version of the appraiser binary generating the events.
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date. This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
@ -438,7 +438,7 @@ The following fields are available:
- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? - **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
- **DriverBlockOverridden** Is there's a driver block on the device that has been overridden? - **DriverBlockOverridden** Is there a driver block on the device that has been overridden?
- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? - **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? - **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? - **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
@ -1475,7 +1475,7 @@ The following fields are available:
- **AzureOSIDPresent** Represents the field used to identify an Azure machine. - **AzureOSIDPresent** Represents the field used to identify an Azure machine.
- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. - **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
- **CDJType** Represents the type of cloud domain joined for the machine. - **CDJType** Represents the type of cloud domain joined for the machine.
- **CommercialId** Represents the GUID for the commercial entity that the device is a member of.  Will be used to reflect insights back to customers. - **CommercialId** Represents the GUID for the commercial entity that the device is a member of. Will be used to reflect insights back to customers.
- **ContainerType** The type of container, such as process or virtual machine hosted. - **ContainerType** The type of container, such as process or virtual machine hosted.
- **EnrollmentType** Defines the type of MDM enrollment on the device. - **EnrollmentType** Defines the type of MDM enrollment on the device.
- **HashedDomain** The hashed representation of the user domain used for login. - **HashedDomain** The hashed representation of the user domain used for login.
@ -1490,7 +1490,6 @@ The following fields are available:
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
### Census.Firmware ### Census.Firmware
This event sends data about the BIOS and startup embedded in the device. The data collected with this event is used to help keep Windows secure and up to date. This event sends data about the BIOS and startup embedded in the device. The data collected with this event is used to help keep Windows secure and up to date.
@ -1956,6 +1955,7 @@ The following fields are available:
Fires when HVCI is already enabled so no need to continue auto-enablement. Fires when HVCI is already enabled so no need to continue auto-enablement.
### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed
Fires when driver scanning fails to get results. Fires when driver scanning fails to get results.
@ -2197,6 +2197,7 @@ The following fields are available:
- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
- **xid** A list of base10-encoded XBOX User IDs. - **xid** A list of base10-encoded XBOX User IDs.
## Common data fields ## Common data fields
### Ms.Device.DeviceInventoryChange ### Ms.Device.DeviceInventoryChange
@ -2212,6 +2213,7 @@ The following fields are available:
- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
## Component-based servicing events ## Component-based servicing events
### CbsServicingProvider.CbsCapabilityEnumeration ### CbsServicingProvider.CbsCapabilityEnumeration
@ -2985,6 +2987,7 @@ The following fields are available:
- **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state. - **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state.
- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. - **wilActivity** Windows Mixed Reality Portal app wilActivity ID.
### Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming ### Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming
This event indicates Windows Mixed Reality Portal app resuming. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly. This event indicates Windows Mixed Reality Portal app resuming. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
@ -3570,7 +3573,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. This event provides data on Unified Update Platform (UUP) products and what version they're at. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@ -3753,7 +3756,7 @@ This Ping event sends a detailed inventory of software and hardware information
The following fields are available: The following fields are available:
- **appAp** Any additional parameters for the specified application. Default: ''. - **appAp** Any additional parameters for the specified application. Default: ''.
- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. See the wiki for additional information. Default: undefined. - **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''. - **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev). - **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''. - **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@ -3761,13 +3764,13 @@ The following fields are available:
- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. - **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. - **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. - **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. See the wiki for additional information. Default: '-2'. - **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''. - **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'. - **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. - **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
- **appLastLaunchTime** The time when browser was last launched. - **appLastLaunchTime** The time when browser was last launched.
- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. See the wiki for additional information. Default: '0.0.0.0'. - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply. - **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US. - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
@ -3781,8 +3784,8 @@ The following fields are available:
- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. - **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. - **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventEventResult** An enum indicating the result of the event. See the wiki for additional information. Default: '0'. - **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. See the wiki for additional information. - **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. - **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. - **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
@ -3794,9 +3797,9 @@ The following fields are available:
- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't. - **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. - **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
- **appVersion** The version of the product install. See the wiki for additional information. Default: '0.0.0.0'. - **appVersion** The version of the product install. Default: '0.0.0.0'.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
- **eventType** A string indicating the type of the event. See the wiki for additional information. - **eventType** A string indicating the type of the event.
- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only. - **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
- **hwDiskType** Devices hardware disk type. - **hwDiskType** Devices hardware disk type.
- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'. - **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
@ -3996,7 +3999,6 @@ The following fields are available:
- **extendedData** GTL extended data section for each app to add its own extensions. - **extendedData** GTL extended data section for each app to add its own extensions.
- **timeToActionMs** Time in MS for this Page Action. - **timeToActionMs** Time in MS for this Page Action.
### Microsoft.Surface.Mcu.Prod.CriticalLog ### Microsoft.Surface.Mcu.Prod.CriticalLog
Error information from Surface device firmware. Error information from Surface device firmware.
@ -4312,7 +4314,7 @@ The following fields are available:
- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) - **DownloadState** Current state of the active download for this content (queued, suspended, or progressing)
- **EventType** Possible values are "Child", "Bundle", or "Driver" - **EventType** Possible values are "Child", "Bundle", or "Driver"
- **FlightId** The unique identifier for each flight - **FlightId** The unique identifier for each flight
- **IsNetworkMetered** Indicates whether Windows considered the current network to be metered" - **IsNetworkMetered** Indicates whether Windows considered the current network to be "metered"
- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any - **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any - **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) - **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
@ -6355,7 +6357,7 @@ The following fields are available:
- **flightMetadata** Contains the FlightId and the build being flighted. - **flightMetadata** Contains the FlightId and the build being flighted.
- **objectId** Unique value for each Update Agent mode. - **objectId** Unique value for each Update Agent mode.
- **relatedCV** Correlation vector value generated from the latest USO scan. - **relatedCV** Correlation vector value generated from the latest USO scan.
- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. - **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCancelled.
- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. - **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). - **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
- **sessionId** Unique value for each Update Agent mode attempt. - **sessionId** Unique value for each Update Agent mode attempt.
@ -6589,6 +6591,15 @@ The following fields are available:
- **WasPresented** True if the user interaction campaign is displayed to the user. - **WasPresented** True if the user interaction campaign is displayed to the user.
### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit
This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed.
## Windows Update mitigation events ## Windows Update mitigation events
### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshootingComplete ### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshootingComplete
@ -6841,6 +6852,3 @@ The following fields are available:
- **Flags** The flags passed to the hard reserve adjustment function. - **Flags** The flags passed to the hard reserve adjustment function.
- **PendingHardReserveAdjustment** The final change to the hard reserve size. - **PendingHardReserveAdjustment** The final change to the hard reserve size.
- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. - **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve.

55
windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
View File

@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: laurawi manager: laurawi
ms.date: 04/24/2024 ms.date: 10/01/2024
ms.collection: privacy-windows ms.collection: privacy-windows
ms.topic: reference ms.topic: reference
--- ---
@ -31,6 +31,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles: You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md) - [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
@ -873,7 +874,7 @@ The following fields are available:
- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? - **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
- **DriverBlockOverridden** Is there's a driver block on the device that has been overridden? - **DriverBlockOverridden** Is there a driver block on the device that has been overridden?
- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? - **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? - **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? - **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
@ -2476,7 +2477,8 @@ Fires when the compatibility check completes. Gives the results from the check.
The following fields are available: The following fields are available:
- **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false. - **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false.
- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement). - **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-memory-integrity-default-enablement).
### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled
@ -4334,6 +4336,7 @@ The following fields are available:
- **InventoryVersion** The version of the inventory binary generating the events. - **InventoryVersion** The version of the inventory binary generating the events.
### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordAdd ### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordAdd
This event sends basic metadata about ACPI PHAT Health Record structure on the machine. The data collected with this event is used to help keep Windows up to date. This event sends basic metadata about ACPI PHAT Health Record structure on the machine. The data collected with this event is used to help keep Windows up to date.
@ -4608,6 +4611,7 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events. - **InventoryVersion** The version of the inventory file generating the events.
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows. This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
@ -4858,7 +4862,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. This event provides data on Unified Update Platform (UUP) products and what version they're at. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@ -5148,7 +5152,7 @@ This Ping event sends a detailed inventory of software and hardware information
The following fields are available: The following fields are available:
- **appAp** Any additional parameters for the specified application. Default: ''. - **appAp** Any additional parameters for the specified application. Default: ''.
- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined. - **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''. - **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev). - **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''. - **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@ -5156,13 +5160,13 @@ The following fields are available:
- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. - **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. - **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. - **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Please see the wiki for additional information. Default: '-2'. - **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''. - **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'. - **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. - **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
- **appLastLaunchTime** The time when browser was last launched. - **appLastLaunchTime** The time when browser was last launched.
- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply. - **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
- **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. For example, Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z. - **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. For example, Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z.
@ -5180,8 +5184,8 @@ The following fields are available:
- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. - **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. - **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'. - **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information. - **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. - **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. - **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
@ -5195,9 +5199,9 @@ The following fields are available:
- **appUpdateCheckTargetChannel** Check for status showing the target release channel. - **appUpdateCheckTargetChannel** Check for status showing the target release channel.
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. - **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'. - **appVersion** The version of the product install. Default: '0.0.0.0'.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
- **eventType** A string indicating the type of the event. Please see the wiki for additional information. - **eventType** A string indicating the type of the event.
- **expDeviceId** A non-unique resettable device ID to identify a device in experimentation. - **expDeviceId** A non-unique resettable device ID to identify a device in experimentation.
- **expEtag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only. - **expEtag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only. - **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
@ -5618,6 +5622,7 @@ The following fields are available:
- **criticalLogSize** Log size - **criticalLogSize** Log size
- **CUtility::GetTargetNameA(target)** Product identifier. - **CUtility::GetTargetNameA(target)** Product identifier.
- **productId** Product identifier - **productId** Product identifier
- **SurfaceTelemetry_EventType** Required vs. Optional event
- **uniqueId** Correlation ID that can be used with Watson to get more details about the failure. - **uniqueId** Correlation ID that can be used with Watson to get more details about the failure.
@ -5639,6 +5644,7 @@ This event sends information about the Operating System image name to Microsoft.
The following fields are available: The following fields are available:
- **SurfaceTelemetry_EventType** Required vs. Optional event
- **szOsImageName** This is the image name that is running on the device. - **szOsImageName** This is the image name that is running on the device.
@ -5691,6 +5697,7 @@ The following fields are available:
- **UpdateType** Indicates if it's DB or DBX update - **UpdateType** Indicates if it's DB or DBX update
- **WillResealSucceed** Indicates if TPM reseal operation is expected to succeed - **WillResealSucceed** Indicates if TPM reseal operation is expected to succeed
### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateStarted ### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateStarted
Event that indicates secure boot update has started. Event that indicates secure boot update has started.
@ -5746,9 +5753,7 @@ The following fields are available:
- **touchKeyboardDesktop** Touch keyboard desktop - **touchKeyboardDesktop** Touch keyboard desktop
- **touchKeyboardTablet** Touch keyboard tablet - **touchKeyboardTablet** Touch keyboard tablet
- **triggerType** Trigger type - **triggerType** Trigger type
- **usePowershell** Use PowerShell - **usePowershell** Use PowerShell.
## Privacy consent logging events ## Privacy consent logging events
@ -6558,8 +6563,9 @@ The following fields are available:
- **CUtility::GetTargetNameA(Target)** Sub component name. - **CUtility::GetTargetNameA(Target)** Sub component name.
- **HealthLog** Health indicator log. - **HealthLog** Health indicator log.
- **healthLogSize** 4KB. - **healthLogSize** 4KB.
- **PartA_PrivacyProduct** Product tag
- **productId** Identifier for product model. - **productId** Identifier for product model.
- **SurfaceTelemetry_EventType** Required vs. Optional event
### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 ### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2
@ -6568,9 +6574,25 @@ This event sends reason for SAM, PCH and SoC reset. The data collected with this
The following fields are available: The following fields are available:
- **ControllerResetCause** The cause for the controller reset. - **ControllerResetCause** The cause for the controller reset.
- **EcResetCause** EC reset cause.
- **FaultReset1Cause** Fault 1 reset cause.
- **FaultReset2Cause** Fault 2 reset cause.
- **HostResetCause** Host reset cause. - **HostResetCause** Host reset cause.
- **OffResetCause** Off reset cause.
- **OnResetCause** On reset cause.
- **PartA_PrivacyProduct** Product tag
- **PchResetCause** PCH reset cause. - **PchResetCause** PCH reset cause.
- **PoffResetCause** Power Off reset cause.
- **PonResetCause** Power On reset cause.
- **S3ResetCause** S3 reset cause.
- **SamResetCause** SAM reset cause. - **SamResetCause** SAM reset cause.
- **SamResetCauseExtBacklightState** SAM Reset Display Backlight state.
- **SamResetCauseExtLastPowerButtonTime** SAM Reset Last Power Button time.
- **SamResetCauseExtLastSshCommunicationTime** SAM Reset Last SSH Communication time.
- **SamResetCauseExtPostureStateReason** SAM Reset Last Posture State reason.
- **SamResetCauseExtRestartReason** SAM Reset Extended Restart reason.
- **SurfaceTelemetry_EventType** Required vs. Optional event.
- **WarmResetCause** Warm reset cause.
## Update Assistant events ## Update Assistant events
@ -10019,6 +10041,3 @@ The following fields are available:
- **virtualMachineName** VM name. - **virtualMachineName** VM name.
- **waitForClientConnection** True if we should wait for client connection. - **waitForClientConnection** True if we should wait for client connection.
- **wp81NetworkStackDisabled** WP 8.1 networking stack disabled. - **wp81NetworkStackDisabled** WP 8.1 networking stack disabled.

2
windows/privacy/toc.yml
View File

@ -13,6 +13,8 @@
href: diagnostic-data-viewer-powershell.md href: diagnostic-data-viewer-powershell.md
- name: Required Windows diagnostic data events and fields - name: Required Windows diagnostic data events and fields
items: items:
- name: Windows 11, version 24H2
href: required-diagnostic-events-fields-windows-11-24H2.md
- name: Windows 11, versions 23H2 and 22H2 - name: Windows 11, versions 23H2 and 22H2
href: required-diagnostic-events-fields-windows-11-22H2.md href: required-diagnostic-events-fields-windows-11-22H2.md
- name: Windows 11, version 21H2 - name: Windows 11, version 21H2

15
windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md → windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md
View File

@ -1,23 +1,22 @@
--- ---
title: Designing, creating, managing, and troubleshooting Windows Defender Application Control AppId Tagging policies title: Designing, creating, managing, and troubleshooting App Control for Business AppId Tagging policies
description: How to design, create, manage, and troubleshoot your WDAC AppId Tagging policies description: How to design, create, manage, and troubleshoot your App Control AppId Tagging policies
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/27/2022 ms.date: 09/11/2024
ms.topic: conceptual ms.topic: conceptual
--- ---
# WDAC Application ID (AppId) Tagging guide # App Control Application ID (AppId) Tagging guide
> [!NOTE] [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
## AppId Tagging Feature Overview ## AppId Tagging Feature Overview
The Application ID (AppId) Tagging Policy feature, while based off Windows Defender Application Control (WDAC), doesn't control whether applications run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy receive the tag while failing applications don't. The Application ID (AppId) Tagging Policy feature, while based off App Control for Business, doesn't control whether applications run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy receive the tag while failing applications don't.
## AppId Tagging Feature Availability ## AppId Tagging Feature Availability
The WDAC AppId Tagging feature is available on the following versions of the Windows platform: The App Control AppId Tagging feature is available on the following versions of the Windows platform:
Client: Client:
- Windows 10 20H1, 20H2, and 21H1 versions only - Windows 10 20H1, 20H2, and 21H1 versions only

9
windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md → windows/security/application-security/application-control/app-control-for-business/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
View File

@ -2,20 +2,19 @@
title: Testing and Debugging AppId Tagging Policies title: Testing and Debugging AppId Tagging Policies
description: Testing and Debugging AppId Tagging Policies to ensure your policies are deployed successfully. description: Testing and Debugging AppId Tagging Policies to ensure your policies are deployed successfully.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/29/2022 ms.date: 09/11/2024
ms.topic: troubleshooting ms.topic: troubleshooting
--- ---
# Testing and Debugging AppId Tagging Policies # Testing and Debugging AppId Tagging Policies
> [!NOTE] [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event. After deployment of the App Control AppId Tagging policy, App Control will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
## Verifying Tags on Running Processes ## Verifying Tags on Running Processes
After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since Windows Defender Application Control (WDAC) can only tag processes created after the policy has been deployed. After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since App Control for Business can only tag processes created after the policy has been deployed.
1. Download and Install the Windows Debugger 1. Download and Install the Windows Debugger

23
windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md → windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md
View File

@ -1,17 +1,16 @@
--- ---
title: Deploying Windows Defender Application Control AppId tagging policies title: Deploying App Control for Business AppId tagging policies
description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment. description: How to deploy your App Control AppId tagging policies locally and globally within your managed environment.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/29/2022 ms.date: 09/11/2024
ms.topic: conceptual ms.topic: conceptual
--- ---
# Deploying Windows Defender Application Control AppId tagging policies # Deploying App Control for Business AppId tagging policies
> [!NOTE] [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId tagging policy, use one of the following methods to deploy: Similar to App Control for Business policies, App Control AppId tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId tagging policy, use one of the following methods to deploy:
1. [Deploy AppId tagging policies with MDM](#deploy-appid-tagging-policies-with-mdm) 1. [Deploy AppId tagging policies with MDM](#deploy-appid-tagging-policies-with-mdm)
1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration-manager) 1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration-manager)
@ -20,23 +19,23 @@ Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagg
## Deploy AppId tagging policies with MDM ## Deploy AppId tagging policies with MDM
Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-wdac-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-appcontrol-policies-using-intune.md#deploy-app-control-policies-with-custom-oma-uri).
## Deploy AppId tagging policies with Configuration Manager ## Deploy AppId tagging policies with Configuration Manager
Custom AppId tagging policies can be deployed via Configuration Manager using the [deployment task sequences](../deployment/deploy-wdac-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. Custom AppId tagging policies can be deployed via Configuration Manager using the [deployment task sequences](../deployment/deploy-appcontrol-policies-with-memcm.md#deploy-custom-app-control-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users.
### Deploy AppId tagging Policies via Scripting ### Deploy AppId tagging Policies via Scripting
Scripting hosts can be used to deploy AppId tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. For more information on how to deploy WDAC AppId tagging policies via scripting, see [Deploy WDAC policies using script](../deployment/deploy-wdac-policies-with-script.md). For AppId tagging policies, the only applicable method is deploying to version 1903 or later. Scripting hosts can be used to deploy AppId tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. For more information on how to deploy App Control AppId tagging policies via scripting, see [Deploy App Control policies using script](../deployment/deploy-appcontrol-policies-with-script.md). For AppId tagging policies, the only applicable method is deploying to version 1903 or later.
### Deploying policies via the ApplicationControl CSP ### Deploying policies via the ApplicationControl CSP
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. Multiple App Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Intune's Custom OMA-URI capability. For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Intune's Custom OMA-URI capability.
> [!NOTE] > [!NOTE]
> WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format Windows Defender Application Control policies. > WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format App Control for Business policies.

102
windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md Normal file
View File

@ -0,0 +1,102 @@
---
title: Create your App Control for Business AppId Tagging Policies
description: Create your App Control for Business AppId tagging policies for Windows devices.
ms.localizationpriority: medium
ms.date: 09/23/2024
ms.topic: conceptual
---
# Creating your App Control AppId Tagging Policies
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
## Create the policy using the App Control Wizard
You can use the App Control for Business Wizard and the PowerShell commands to create an App Control policy and convert it to an AppIdTagging policy. The App Control Wizard is available for download at the [App Control Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md).
1. Create a new base policy using the templates:
Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/appcontrol-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
:::image type="content" alt-text="Configuring the policy base and template." source="../images/appid-appcontrol-wizard-1.png" lightbox="../images/appid-appcontrol-wizard-1.png":::
> [!NOTE]
> If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates. For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
2. Set the following rule-options using the Wizard toggles:
:::image type="content" alt-text="Configuring the policy rule-options." source="../images/appid-appcontrol-wizard-2.png":::
3. Create custom rules:
Selecting the `+ Custom Rules` button opens the Custom Rules panel. The Wizard supports five types of file rules:
- Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security.
- Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards.
- File attribute rules: Create a rule based off a file's immutable properties like the original filename, file description, product name or internal name.
- Package app name rules: Create a rule based off the package family name of an appx/msix.
- Hash rules: Create a rule based off the PE Authenticode hash of a file.
For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../design/appcontrol-wizard-create-base-policy.md#creating-custom-file-rules).
4. Convert to AppId Tagging Policy:
After the Wizard builds the policy file, open the file in a text editor and remove the entire "Value=131" SigningScenario text block. The only remaining signing scenario should be "Value=12" which is the user mode application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario:
```powershell
Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
```
The policyID GUID is returned by the PowerShell command if successful.
## Create the policy using PowerShell
Using this method, you create an AppId Tagging policy directly using the App Control PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md). In an elevate PowerShell instance:
1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [App Control File Rule Levels](../design/select-types-of-rules-to-create.md#table-2-app-control-for-business-policy---file-rule-levels) can be used in AppId rules:
```powershell
$rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath <path_to_application>
```
2. Create the AppId Tagging Policy. Replace the AppIdTagging Key-Value pair for your scenario:
```powershell
New-CIPolicy -rules $rule -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
```
3. Set the rule-options for the policy:
```powershell
Set-RuleOption -Option 0 .\AppIdPolicy.xml # Usermode Code Integrity (UMCI)
Set-RuleOption -Option 16 .\AppIdPolicy.xml # Refresh Policy no Reboot
Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection
```
If you're using filepath rules, you may want to set option 18. Otherwise, there's no need.
4. Set the name and ID on the policy, which is helpful for future debugging:
```powershell
Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml"
```
The policyID GUID is returned by the PowerShell command if successful.
## Deploy for Local Testing
After creating your AppId Tagging policy in the above steps, you can deploy the policy to your local machine for testing before broadly deploying the policy to your endpoints:
1. Depending on your deployment method, convert the xml to binary:
```powershell
Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip"
```
2. Optionally, deploy it for local testing:
```powershell
copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\
./RefreshPolicy.exe
```
RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925).
## Next Steps
For more information on debugging and broad deployment of the AppId Tagging policy, see [Debugging AppId policies](debugging-operational-guide-appid-tagging-policies.md) and [Deploying AppId policies](deploy-appid-tagging-policies.md).

180
windows/security/application-security/application-control/windows-defender-application-control/TOC.yml → windows/security/application-security/application-control/app-control-for-business/TOC.yml
View File

@ -1,126 +1,126 @@
- name: Application Control for Windows - name: Application Control for Windows
href: index.yml href: index.yml
- name: About application control for Windows - name: About application control for Windows
href: wdac.md href: appcontrol.md
expanded: true expanded: true
items: items:
- name: WDAC and AppLocker Overview - name: App Control and AppLocker Overview
href: wdac-and-applocker-overview.md href: appcontrol-and-applocker-overview.md
- name: WDAC and AppLocker Feature Availability - name: App Control and AppLocker Feature Availability
href: feature-availability.md href: feature-availability.md
- name: Virtualization-based protection of code integrity - name: Virtualization-based protection of code integrity
href: ../introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md href: ../introduction-to-virtualization-based-security-and-appcontrol.md
- name: WDAC design guide - name: Design guide
href: design/wdac-design-guide.md href: design/appcontrol-design-guide.md
items: items:
- name: Plan for WDAC policy lifecycle management - name: Plan for App Control policy lifecycle management
href: design/plan-wdac-management.md href: design/plan-appcontrol-management.md
- name: Design your WDAC policy - name: Design your App Control policy
items: items:
- name: Understand WDAC policy design decisions - name: Understand App Control policy design decisions
href: design/understand-wdac-policy-design-decisions.md href: design/understand-appcontrol-policy-design-decisions.md
- name: Understand WDAC policy rules and file rules - name: Understand App Control policy rules and file rules
href: design/select-types-of-rules-to-create.md href: design/select-types-of-rules-to-create.md
items: items:
- name: Allow apps installed by a managed installer - name: Allow apps installed by a managed installer
href: design/configure-authorized-apps-deployed-with-a-managed-installer.md href: design/configure-authorized-apps-deployed-with-a-managed-installer.md
- name: Allow reputable apps with Intelligent Security Graph (ISG) - name: Allow reputable apps with Intelligent Security Graph (ISG)
href: design/use-wdac-with-intelligent-security-graph.md href: design/use-appcontrol-with-intelligent-security-graph.md
- name: Allow COM object registration - name: Allow COM object registration
href: design/allow-com-object-registration-in-wdac-policy.md href: design/allow-com-object-registration-in-appcontrol-policy.md
- name: Use WDAC with .NET hardening - name: Use App Control with .NET hardening
href: design/wdac-and-dotnet.md href: design/appcontrol-and-dotnet.md
- name: Script enforcement with Windows Defender Application Control - name: Script enforcement with App Control for Business
href: design/script-enforcement.md href: design/script-enforcement.md
- name: Manage packaged apps with WDAC - name: Manage packaged apps with App Control
href: design/manage-packaged-apps-with-wdac.md href: design/manage-packaged-apps-with-appcontrol.md
- name: Use WDAC to control specific plug-ins, add-ins, and modules - name: Use App Control to control specific plug-ins, add-ins, and modules
href: design/use-wdac-policy-to-control-specific-plug-ins-add-ins-and-modules.md href: design/use-appcontrol-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- name: Understand WDAC policy settings - name: Understand App Control policy settings
href: design/understanding-wdac-policy-settings.md href: design/understanding-appcontrol-policy-settings.md
- name: Use multiple WDAC policies - name: Use multiple App Control policies
href: design/deploy-multiple-wdac-policies.md href: design/deploy-multiple-appcontrol-policies.md
- name: Create your WDAC policy - name: Create your App Control policy
items: items:
- name: Example WDAC base policies - name: Example App Control base policies
href: design/example-wdac-base-policies.md href: design/example-appcontrol-base-policies.md
- name: Policy creation for common WDAC usage scenarios - name: Policy creation for common App Control usage scenarios
href: design/common-wdac-use-cases.md href: design/common-appcontrol-use-cases.md
items: items:
- name: Create a WDAC policy for lightly managed devices - name: Create an App Control policy for lightly managed devices
href: design/create-wdac-policy-for-lightly-managed-devices.md href: design/create-appcontrol-policy-for-lightly-managed-devices.md
- name: Create a WDAC policy for fully managed devices - name: Create an App Control policy for fully managed devices
href: design/create-wdac-policy-for-fully-managed-devices.md href: design/create-appcontrol-policy-for-fully-managed-devices.md
- name: Create a WDAC policy for fixed-workload devices - name: Create an App Control policy for fixed-workload devices
href: design/create-wdac-policy-using-reference-computer.md href: design/create-appcontrol-policy-using-reference-computer.md
- name: Create a WDAC deny list policy - name: Create an App Control deny list policy
href: design/create-wdac-deny-policy.md href: design/create-appcontrol-deny-policy.md
- name: Applications that can bypass WDAC and how to block them - name: Applications that can bypass App Control and how to block them
href: design/applications-that-can-bypass-wdac.md href: design/applications-that-can-bypass-appcontrol.md
- name: Microsoft recommended driver block rules - name: Microsoft recommended driver block rules
href: design/microsoft-recommended-driver-block-rules.md href: design/microsoft-recommended-driver-block-rules.md
- name: Use the WDAC Wizard tool - name: Use the App Control Wizard tool
href: design/wdac-wizard.md href: design/appcontrol-wizard.md
items: items:
- name: Create a base WDAC policy with the Wizard - name: Create a base App Control policy with the Wizard
href: design/wdac-wizard-create-base-policy.md href: design/appcontrol-wizard-create-base-policy.md
- name: Create a supplemental WDAC policy with the Wizard - name: Create a supplemental App Control policy with the Wizard
href: design/wdac-wizard-create-supplemental-policy.md href: design/appcontrol-wizard-create-supplemental-policy.md
- name: Editing a WDAC policy with the Wizard - name: Editing an App Control policy with the Wizard
href: design/wdac-wizard-editing-policy.md href: design/appcontrol-wizard-editing-policy.md
- name: Creating WDAC Policy Rules from WDAC Events - name: Creating App Control Policy Rules from App Control Events
href: design/wdac-wizard-parsing-event-logs.md href: design/appcontrol-wizard-parsing-event-logs.md
- name: Merging multiple WDAC policies with the Wizard - name: Merging multiple App Control policies with the Wizard
href: design/wdac-wizard-merging-policies.md href: design/appcontrol-wizard-merging-policies.md
- name: WDAC deployment guide - name: Deployment guide
href: deployment/wdac-deployment-guide.md href: deployment/appcontrol-deployment-guide.md
items: items:
- name: Deploy WDAC policies with MDM - name: Deploy App Control policies with MDM
href: deployment/deploy-wdac-policies-using-intune.md href: deployment/deploy-appcontrol-policies-using-intune.md
- name: Deploy WDAC policies with Configuration Manager - name: Deploy App Control policies with Configuration Manager
href: deployment/deploy-wdac-policies-with-memcm.md href: deployment/deploy-appcontrol-policies-with-memcm.md
- name: Deploy WDAC policies with script - name: Deploy App Control policies with script
href: deployment/deploy-wdac-policies-with-script.md href: deployment/deploy-appcontrol-policies-with-script.md
- name: Deploy WDAC policies with group policy - name: Deploy App Control policies with group policy
href: deployment/deploy-wdac-policies-using-group-policy.md href: deployment/deploy-appcontrol-policies-using-group-policy.md
- name: Audit WDAC policies - name: Audit App Control policies
href: deployment/audit-wdac-policies.md href: deployment/audit-appcontrol-policies.md
- name: Merge WDAC policies - name: Merge App Control policies
href: deployment/merge-wdac-policies.md href: deployment/merge-appcontrol-policies.md
- name: Enforce WDAC policies - name: Enforce App Control policies
href: deployment/enforce-wdac-policies.md href: deployment/enforce-appcontrol-policies.md
- name: Use code signing for added control and protection with WDAC - name: Use code signing for added control and protection with App Control
href: deployment/use-code-signing-for-better-control-and-protection.md href: deployment/use-code-signing-for-better-control-and-protection.md
items: items:
- name: Deploy catalog files to support WDAC - name: Deploy catalog files to support App Control
href: deployment/deploy-catalog-files-to-support-wdac.md href: deployment/deploy-catalog-files-to-support-appcontrol.md
- name: Use signed policies to protect Windows Defender Application Control against tampering - name: Use signed policies to protect App Control for Business against tampering
href: deployment/use-signed-policies-to-protect-wdac-against-tampering.md href: deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md
- name: "Optional: Create a code signing cert for WDAC" - name: "Optional: Create a code signing cert for App Control"
href: deployment/create-code-signing-cert-for-wdac.md href: deployment/create-code-signing-cert-for-appcontrol.md
- name: Disable WDAC policies - name: Disable App Control policies
href: deployment/disable-wdac-policies.md href: deployment/disable-appcontrol-policies.md
- name: WDAC operational guide - name: Operational guide
href: operations/wdac-operational-guide.md href: operations/appcontrol-operational-guide.md
items: items:
- name: WDAC debugging and troubleshooting - name: App Control debugging and troubleshooting
href: operations/wdac-debugging-and-troubleshooting.md href: operations/appcontrol-debugging-and-troubleshooting.md
- name: Understanding Application Control event IDs - name: Understanding App Control event IDs
href: operations/event-id-explanations.md href: operations/event-id-explanations.md
- name: Understanding Application Control event tags - name: Understanding App Control event tags
href: operations/event-tag-explanations.md href: operations/event-tag-explanations.md
- name: Query WDAC events with Advanced hunting - name: Query App Control events with Advanced hunting
href: operations/querying-application-control-events-centrally-using-advanced-hunting.md href: operations/querying-application-control-events-centrally-using-advanced-hunting.md
- name: Known Issues - name: Known Issues
href: operations/known-issues.md href: operations/known-issues.md
- name: Managed installer and ISG technical reference and troubleshooting guide - name: Managed installer and ISG technical reference and troubleshooting guide
href: operations/configure-wdac-managed-installer.md href: operations/configure-appcontrol-managed-installer.md
- name: CITool.exe technical reference - name: CITool.exe technical reference
href: operations/citool-commands.md href: operations/citool-commands.md
- name: Inbox WDAC policies - name: Inbox App Control policies
href: operations/inbox-wdac-policies.md href: operations/inbox-appcontrol-policies.md
- name: WDAC AppId Tagging guide - name: AppId Tagging guide
href: AppIdTagging/wdac-appid-tagging-guide.md href: AppIdTagging/appcontrol-appid-tagging-guide.md
items: items:
- name: Creating AppId Tagging Policies - name: Creating AppId Tagging Policies
href: AppIdTagging/design-create-appid-tagging-policies.md href: AppIdTagging/design-create-appid-tagging-policies.md

64
windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md Normal file
View File

@ -0,0 +1,64 @@
---
title: App Control and AppLocker Overview
description: Compare Windows application control technologies.
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.topic: conceptual
---
# App Control for Business and AppLocker Overview
[!INCLUDE [Feature availability note](includes/feature-availability-note.md)]
Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: App Control for Business and AppLocker.
## App Control for Business
App Control was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC).
App Control policies apply to the managed computer as a whole and affects all users of the device. App Control rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md)
- The identity of the process that initiated the installation of the app and its binaries ([managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md))
- The [path from which the app or file is launched](design/select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
- The process that launched the app or binary
> [!NOTE]
> App Control was originally released as part of Device Guard and called configurable code integrity. Device Guard and configurable code integrity are no longer used except to find where to deploy App Control policy via Group Policy.
### App Control System Requirements
App Control policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. App Control policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy App Control policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019.
For more information on which individual App Control features are available on specific App Control builds, see [App Control feature availability](feature-availability.md).
## AppLocker
AppLocker was introduced with Windows 7, and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end-users from running unapproved software on their computers but doesn't meet the servicing criteria for being a security feature.
AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries.
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file.
- The path from which the app or file is launched.
AppLocker is also used by some features of App Control, including [managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md) and the [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md).
### AppLocker System Requirements
AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
AppLocker policies can be deployed using Group Policy or MDM.
## Choose when to use App Control or AppLocker
Generally, customers who are able to implement application control using App Control, rather than AppLocker, should do so. App Control is undergoing continual improvements, and is getting added support from Microsoft management platforms. Although AppLocker continues to receive security fixes, it isn't getting new feature improvements.
However, in some cases, AppLocker might be the more appropriate technology for your organization. AppLocker is best when:
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
- You need to apply different policies for different users or groups on shared computers.
- You don't want to enforce application control on application files such as DLLs or drivers.
AppLocker can also be deployed as a complement to App Control to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. As a best practice, you should enforce App Control at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.

21
windows/security/application-security/application-control/windows-defender-application-control/wdac.md → windows/security/application-security/application-control/app-control-for-business/appcontrol.md
View File

@ -4,14 +4,13 @@ description: Application Control restricts which applications users are allowed
ms.localizationpriority: medium ms.localizationpriority: medium
ms.collection: ms.collection:
- tier3 - tier3
ms.date: 08/30/2023 ms.date: 09/11/2024
ms.topic: overview ms.topic: overview
--- ---
# Application Control for Windows # Application Control for Windows
> [!NOTE] [!INCLUDE [Feature availability note](includes/feature-availability-note.md)]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
With thousands of new malicious files created every day, using traditional methods like antivirus solutions-signature-based detection to fight against malware-provides an inadequate defense against new attacks. With thousands of new malicious files created every day, using traditional methods like antivirus solutions-signature-based detection to fight against malware-provides an inadequate defense against new attacks.
@ -26,14 +25,14 @@ Application control is a crucial line of defense for protecting enterprises give
Windows 10 and Windows 11 include two technologies that can be used for application control depending on your organization's specific scenarios and requirements: Windows 10 and Windows 11 include two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
- **Windows Defender Application Control (WDAC)**; and - **App Control for Business**; and
- **AppLocker** - **AppLocker**
## WDAC and Smart App Control ## App Control and Smart App Control
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy). Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect. Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
| Value | Description | | Value | Description |
|-------|-------------| |-------|-------------|
@ -46,7 +45,7 @@ Smart App Control is only available on clean installation of Windows 11 version
### Smart App Control Enforced Blocks ### Smart App Control Enforced Blocks
Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control: Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-appcontrol.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:
- Infdefaultinstall.exe - Infdefaultinstall.exe
- Microsoft.Build.dll - Microsoft.Build.dll
@ -57,7 +56,7 @@ Smart App Control enforces the [Microsoft Recommended Driver Block rules](design
## Related articles ## Related articles
- [WDAC design guide](design/wdac-design-guide.md) - [App Control design guide](design/appcontrol-design-guide.md)
- [WDAC deployment guide](deployment/wdac-deployment-guide.md) - [App Control deployment guide](deployment/appcontrol-deployment-guide.md)
- [WDAC operational guide](operations/wdac-operational-guide.md) - [App Control operational guide](operations/appcontrol-operational-guide.md)
- [AppLocker overview](applocker/applocker-overview.md) - [AppLocker overview](applocker/applocker-overview.md)

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md → windows/security/application-security/application-control/app-control-for-business/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
View File

@ -3,7 +3,7 @@ title: Add rules for packaged apps to existing AppLocker rule-set
description: This article for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). description: This article for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Add rules for packaged apps to existing AppLocker rule-set # Add rules for packaged apps to existing AppLocker rule-set

6
windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md
View File

@ -3,7 +3,7 @@ title: Administer AppLocker
description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies. description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 01/03/2024 ms.date: 09/11/2024
--- ---
# Administer AppLocker # Administer AppLocker
@ -27,11 +27,11 @@ AppLocker helps administrators control how users can access and use files, such
| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This article for IT professionals describes the steps required to modify an AppLocker policy. | | [Edit an AppLocker policy](edit-an-applocker-policy.md) | This article for IT professionals describes the steps required to modify an AppLocker policy. |
| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This article discusses the steps required to test an AppLocker policy prior to deployment. | | [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This article discusses the steps required to test an AppLocker policy prior to deployment. |
| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. | | [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. |
| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. | | [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker policies. |
| [Optimize AppLocker performance](optimize-applocker-performance.md) | This article for IT professionals describes how to optimize AppLocker policy enforcement. | | [Optimize AppLocker performance](optimize-applocker-performance.md) | This article for IT professionals describes how to optimize AppLocker policy enforcement. |
| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This article for IT professionals describes how to monitor app usage when AppLocker policies are applied. | | [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This article for IT professionals describes how to monitor app usage when AppLocker policies are applied. |
| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This article for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. | | [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This article for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. |
| [Working with AppLocker rules](working-with-applocker-rules.md) | This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies. | | [Working with AppLocker rules](working-with-applocker-rules.md) | This article for IT professionals describes AppLocker rule types and how to work with them for your policies. |
| [Working with AppLocker policies](working-with-applocker-policies.md) | This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies. | | [Working with AppLocker policies](working-with-applocker-policies.md) | This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies. |
## Using the MMC snap-ins to administer AppLocker ## Using the MMC snap-ins to administer AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components.md
View File

@ -3,7 +3,7 @@ title: AppLocker architecture and components
description: This article for IT professional describes AppLockers basic architecture and its major components. description: This article for IT professional describes AppLockers basic architecture and its major components.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# AppLocker architecture and components # AppLocker architecture and components

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-functions.md
View File

@ -3,7 +3,7 @@ title: AppLocker functions
description: This article for the IT professional lists the functions and security levels for AppLocker. description: This article for the IT professional lists the functions and security levels for AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# AppLocker functions # AppLocker functions

10
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md
View File

@ -1,23 +1,23 @@
--- ---
title: AppLocker title: AppLocker
description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker policies.
ms.collection: ms.collection:
- tier3 - tier3
- must-keep - must-keep
ms.topic: conceptual ms.topic: conceptual
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 01/03/2024 ms.date: 09/11/2024
--- ---
# AppLocker # AppLocker
This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of Windows Defender Application Control. This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of App Control for Business.
> [!NOTE] > [!NOTE]
> AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. > AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [App Control for Business](../appcontrol-and-applocker-overview.md) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
> [!NOTE] > [!NOTE]
> By default, AppLocker policy only applies to code launched in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to non-user processes, including those running as SYSTEM. For more information, see [AppLocker rule collection extensions](/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions#services-enforcement). > By default, AppLocker policy only applies to code launched in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to non-user processes, including those running as SYSTEM. For more information, see [AppLocker rule collection extensions](rule-collection-extensions.md#services-enforcement).
AppLocker can help you: AppLocker can help you:

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-deployment-guide.md
View File

@ -3,7 +3,7 @@ title: AppLocker deployment guide
description: This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. description: This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# AppLocker deployment guide # AppLocker deployment guide

6
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md
View File

@ -3,7 +3,7 @@ title: AppLocker design guide
description: This article for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. description: This article for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# AppLocker design guide # AppLocker design guide
@ -12,14 +12,14 @@ This article for the IT professional introduces the design and planning steps re
This guide provides important designing and planning information for deploying application control policies by using AppLocker. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that addresses your specific application control requirements by department, organizational unit, or business group. This guide provides important designing and planning information for deploying application control policies by using AppLocker. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that addresses your specific application control requirements by department, organizational unit, or business group.
To understand if AppLocker is the correct application control solution for your organization, see [Windows Defender Application Control and AppLocker overview](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview). To understand if AppLocker is the correct application control solution for your organization, see [App Control for Business and AppLocker overview](../appcontrol-and-applocker-overview.md).
## In this section ## In this section
| Article | Description | | Article | Description |
| --- | --- | | --- | --- |
| [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This article describes AppLocker design questions, possible answers, and other considerations when you plan a deployment of application control policies by using AppLocker. | | [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This article describes AppLocker design questions, possible answers, and other considerations when you plan a deployment of application control policies by using AppLocker. |
| [Determine your application control objectives](determine-your-application-control-objectives.md) | This article helps you with the decisions you need to make to determine what applications to control and how to control them using AppLocker. | | [Determine your application control objectives](../appcontrol-and-applocker-overview.md) | This article helps you with the decisions you need to make to determine what applications to control and how to control them using AppLocker. |
| [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This article describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. | | [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This article describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. |
| [Select the types of rules to create](select-types-of-rules-to-create.md) | This article lists resources you can use when selecting your application control policy rules by using AppLocker. | | [Select the types of rules to create](select-types-of-rules-to-create.md) | This article lists resources you can use when selecting your application control policy rules by using AppLocker. |
| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview article describes the process to follow when you're planning to deploy AppLocker rules. | | [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview article describes the process to follow when you're planning to deploy AppLocker rules. |

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policy-use-scenarios.md
View File

@ -3,7 +3,7 @@ title: AppLocker policy use scenarios
description: This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. description: This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# AppLocker policy use scenarios # AppLocker policy use scenarios

7
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md
View File

@ -3,13 +3,12 @@ title: AppLocker processes and interactions
description: This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. description: This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# AppLocker processes and interactions # AppLocker processes and interactions
> [!NOTE] [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
@ -77,7 +76,7 @@ There are three different types of conditions that can be applied to rules:
An AppLocker policy is a set of rule collections and their corresponding configured enforcement mode settings applied to one or more computers. An AppLocker policy is a set of rule collections and their corresponding configured enforcement mode settings applied to one or more computers.
- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) - [Understand AppLocker enforcement settings](working-with-applocker-rules.md#enforcement-modes)
Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced. Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced.

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-technical-reference.md
View File

@ -3,7 +3,7 @@ title: AppLocker technical reference
description: This overview article for IT professionals provides links to the articles in the technical reference. description: This overview article for IT professionals provides links to the articles in the technical reference.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# AppLocker technical reference # AppLocker technical reference

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md → windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md
View File

@ -3,7 +3,7 @@ title: Configure an AppLocker policy for audit only
description: This article for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker. description: This article for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Configure an AppLocker policy for audit only # Configure an AppLocker policy for audit only

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md
View File

@ -3,7 +3,7 @@ title: Configure an AppLocker policy for enforce rules
description: This article for IT professionals describes the steps to enable the AppLocker policy enforcement setting. description: This article for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Configure an AppLocker policy for enforce rules # Configure an AppLocker policy for enforce rules

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md → windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md
View File

@ -3,7 +3,7 @@ title: Add exceptions for an AppLocker rule
description: This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule. description: This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Add exceptions for an AppLocker rule # Add exceptions for an AppLocker rule

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md → windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md
View File

@ -3,7 +3,7 @@ title: Configure the AppLocker reference device
description: This article for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. description: This article for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# Configure the AppLocker reference device # Configure the AppLocker reference device

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service.md → windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md
View File

@ -3,7 +3,7 @@ title: Configure the Application Identity service
description: This article for IT professionals shows how to configure the Application Identity service to start automatically or manually. description: This article for IT professionals shows how to configure the Application Identity service to start automatically or manually.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Configure the Application Identity service # Configure the Application Identity service

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md
View File

@ -3,7 +3,7 @@ title: Create a rule for packaged apps
description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Create a rule for packaged apps # Create a rule for packaged apps

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md
View File

@ -3,7 +3,7 @@ title: Create a rule that uses a file hash condition
description: This article for IT professionals shows how to create an AppLocker rule with a file hash condition. description: This article for IT professionals shows how to create an AppLocker rule with a file hash condition.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Create a rule that uses a file hash condition # Create a rule that uses a file hash condition

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md
View File

@ -3,7 +3,7 @@ title: Create a rule that uses a path condition
description: This article for IT professionals shows how to create an AppLocker rule with a path condition. description: This article for IT professionals shows how to create an AppLocker rule with a path condition.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Create a rule that uses a path condition # Create a rule that uses a path condition

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md
View File

@ -3,7 +3,7 @@ title: Create a rule that uses a publisher condition
description: This article for IT professionals shows how to create an AppLocker rule with a publisher condition. description: This article for IT professionals shows how to create an AppLocker rule with a publisher condition.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Create a rule that uses a publisher condition # Create a rule that uses a publisher condition

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-applocker-default-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md
View File

@ -3,7 +3,7 @@ title: Create AppLocker default rules
description: This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run. description: This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Create AppLocker default rules # Create AppLocker default rules

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-list-of-applications-deployed-to-each-business-group.md
View File

@ -3,7 +3,7 @@ title: Create a list of apps deployed to each business group
description: This article describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker. description: This article describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Gathering app usage requirements # Gathering app usage requirements
@ -44,7 +44,7 @@ The following articles describe how to perform each method:
Identify the business group and each organizational unit (OU) within that group for application control policies. In addition, you should identify whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following articles: Identify the business group and each organizational unit (OU) within that group for application control policies. In addition, you should identify whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following articles:
- [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) - [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
- [Determine your application control objectives](determine-your-application-control-objectives.md) - [Determine your application control objectives](../appcontrol-and-applocker-overview.md)
## Next steps ## Next steps

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md
View File

@ -3,7 +3,7 @@ title: Create Your AppLocker policies
description: This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. description: This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Create Your AppLocker policies # Create Your AppLocker policies
@ -18,7 +18,7 @@ You can develop an application control policy plan to guide you in making succes
1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) 1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) 2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
3. [Determine your application control objectives](determine-your-application-control-objectives.md) 3. [Determine your application control objectives](../appcontrol-and-applocker-overview.md)
4. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 4. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
5. [Select the types of rules to create](select-types-of-rules-to-create.md) 5. [Select the types of rules to create](select-types-of-rules-to-create.md)
6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md
View File

@ -3,7 +3,7 @@ title: Create Your AppLocker rules
description: This article for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. description: This article for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Create Your AppLocker rules # Create Your AppLocker rules

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/delete-an-applocker-rule.md → windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md
View File

@ -3,7 +3,7 @@ title: Delete an AppLocker rule
description: This article for IT professionals describes the steps to delete an AppLocker rule. description: This article for IT professionals describes the steps to delete an AppLocker rule.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Delete an AppLocker rule # Delete an AppLocker rule

6
windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md → windows/security/application-security/application-control/app-control-for-business/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
View File

@ -3,7 +3,7 @@ title: Deploy AppLocker policies by using the enforce rules setting
description: This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. description: This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 01/03/2024 ms.date: 09/11/2024
--- ---
# Deploy AppLocker policies by using the enforce rules setting # Deploy AppLocker policies by using the enforce rules setting
@ -14,7 +14,7 @@ This article for IT professionals describes the steps to deploy AppLocker polici
These procedures assume that your AppLocker policies are deployed with the enforcement mode set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design. These procedures assume that your AppLocker policies are deployed with the enforcement mode set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.
For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md). For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](working-with-applocker-rules.md#enforcement-modes).
For info about how to plan an AppLocker policy deployment, see [AppLocker Design Guide](applocker-policies-design-guide.md). For info about how to plan an AppLocker policy deployment, see [AppLocker Design Guide](applocker-policies-design-guide.md).
@ -24,7 +24,7 @@ Updating an AppLocker policy that is currently enforced in your production envir
## Step 2: Alter the enforcement setting ## Step 2: Alter the enforcement setting
Rule enforcement is applied to all rules within a rule collection, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. For information about the enforcement mode setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement mode setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). Rule enforcement is applied to all rules within a rule collection, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. For information about the enforcement mode setting, see [Understand AppLocker Enforcement Settings](working-with-applocker-rules.md#enforcement-modes). For the procedure to alter the enforcement mode setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
## Step 3: Update the policy ## Step 3: Update the policy

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md → windows/security/application-security/application-control/app-control-for-business/applocker/deploy-the-applocker-policy-into-production.md
View File

@ -3,7 +3,7 @@ title: Deploy the AppLocker policy into production
description: This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. description: This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Deploy the AppLocker policy into production # Deploy the AppLocker policy into production

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md → windows/security/application-security/application-control/app-control-for-business/applocker/determine-group-policy-structure-and-rule-enforcement.md
View File

@ -3,7 +3,7 @@ title: Determine the Group Policy structure and rule enforcement
description: This overview article describes the process to follow when you're planning to deploy AppLocker rules. description: This overview article describes the process to follow when you're planning to deploy AppLocker rules.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Determine the Group Policy structure and rule enforcement # Determine the Group Policy structure and rule enforcement
@ -14,7 +14,7 @@ This overview article describes the process to follow when you're planning to de
| Article | Description | | Article | Description |
| --- | --- | | --- | --- |
| [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) | This article describes the AppLocker enforcement settings for rule collections. | | [Understand AppLocker enforcement settings](working-with-applocker-rules.md#enforcement-modes) | This article describes the AppLocker enforcement settings for rule collections. |
| [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.| | [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.|
| [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning article describes what you need to investigate, determine, and document for your policy plan when you use AppLocker. | | [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning article describes what you need to investigate, determine, and document for your policy plan when you use AppLocker. |

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md → windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
View File

@ -3,7 +3,7 @@ title: Find digitally signed apps on a reference device
description: This article for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. description: This article for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# Determine which apps are digitally signed on a reference device # Determine which apps are digitally signed on a reference device

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md → windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
View File

@ -3,7 +3,7 @@ title: Display a custom URL message when users try to run a blocked app
description: This article for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy blocks an app. description: This article for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy blocks an app.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Display a custom URL message when users try to run a blocked app # Display a custom URL message when users try to run a blocked app

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/dll-rules-in-applocker.md
View File

@ -3,7 +3,7 @@ title: DLL rules in AppLocker
description: This article describes the file formats and available default rules for the DLL rule collection. description: This article describes the file formats and available default rules for the DLL rule collection.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# DLL rules in AppLocker # DLL rules in AppLocker

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md → windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
View File

@ -3,7 +3,7 @@ title: Document Group Policy structure & AppLocker rule enforcement
description: This planning article describes what you need to include in your plan when you use AppLocker. description: This planning article describes what you need to include in your plan when you use AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Document the Group Policy structure and AppLocker rule enforcement # Document the Group Policy structure and AppLocker rule enforcement
@ -14,7 +14,7 @@ This planning article describes what you should include in your plan when you us
To complete this AppLocker planning document, you should first complete the following steps: To complete this AppLocker planning document, you should first complete the following steps:
1. [Determine your application control objectives](determine-your-application-control-objectives.md) 1. [Determine your application control objectives](../appcontrol-and-applocker-overview.md)
2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
3. [Select the types of rules to create](select-types-of-rules-to-create.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md)
4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-application-list.md → windows/security/application-security/application-control/app-control-for-business/applocker/document-your-application-list.md
View File

@ -3,7 +3,7 @@ title: Document your app list
description: This planning article describes the app information that you should document when you create a list of apps for AppLocker policies. description: This planning article describes the app information that you should document when you create a list of apps for AppLocker policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Document your app list # Document your app list

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md
View File

@ -3,7 +3,7 @@ title: Document your AppLocker rules
description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation. description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Document your AppLocker rules # Document your AppLocker rules

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md → windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md
View File

@ -3,7 +3,7 @@ title: Edit an AppLocker policy
description: This article for IT professionals describes the steps required to modify an AppLocker policy. description: This article for IT professionals describes the steps required to modify an AppLocker policy.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 01/03/2024 ms.date: 09/11/2024
--- ---
# Edit an AppLocker policy # Edit an AppLocker policy

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-applocker-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md
View File

@ -3,7 +3,7 @@ title: Edit AppLocker rules
description: This article for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. description: This article for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Edit AppLocker rules # Edit AppLocker rules

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md → windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md
View File

@ -3,7 +3,7 @@ title: Enable the DLL rule collection
description: This article for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. description: This article for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Enable the DLL rule collection # Enable the DLL rule collection

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/enforce-applocker-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/enforce-applocker-rules.md
View File

@ -3,7 +3,7 @@ title: Enforce AppLocker rules
description: This article for IT professionals describes how to enforce application control rules by using AppLocker. description: This article for IT professionals describes how to enforce application control rules by using AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Enforce AppLocker rules # Enforce AppLocker rules

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/executable-rules-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/executable-rules-in-applocker.md
View File

@ -3,7 +3,7 @@ title: Executable rules in AppLocker
description: This article describes the file formats and available default rules for the executable rule collection. description: This article describes the file formats and available default rules for the executable rule collection.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# Executable rules in AppLocker # Executable rules in AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md → windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md
View File

@ -3,7 +3,7 @@ title: Export an AppLocker policy from a GPO
description: This article for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. description: This article for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Export an AppLocker policy from a GPO # Export an AppLocker policy from a GPO

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md → windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md
View File

@ -3,7 +3,7 @@ title: Export an AppLocker policy to an XML file
description: This article for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. description: This article for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Export an AppLocker policy to an XML file # Export an AppLocker policy to an XML file

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/how-applocker-works-techref.md → windows/security/application-security/application-control/app-control-for-business/applocker/how-applocker-works-techref.md
View File

@ -3,7 +3,7 @@ title: How AppLocker works
description: This article for the IT professional provides links to articles about AppLocker architecture and components, processes and interactions, rules and policies. description: This article for the IT professional provides links to articles about AppLocker architecture and components, processes and interactions, rules and policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# How AppLocker works # How AppLocker works

0
windows/security/application-security/application-control/windows-defender-application-control/applocker/images/applocker-plan-inheritance.gif → windows/security/application-security/application-control/app-control-for-business/applocker/images/applocker-plan-inheritance.gif
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 22 KiB

After

Width:  |  Height:  |  Size: 22 KiB

0
windows/security/application-security/application-control/windows-defender-application-control/applocker/images/applocker-plandeploy-quickreference.gif → windows/security/application-security/application-control/app-control-for-business/applocker/images/applocker-plandeploy-quickreference.gif
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 35 KiB

After

Width:  |  Height:  |  Size: 35 KiB

0
windows/security/application-security/application-control/windows-defender-application-control/applocker/images/blockedappmsg.gif → windows/security/application-security/application-control/app-control-for-business/applocker/images/blockedappmsg.gif
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 16 KiB

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md → windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md
View File

@ -3,7 +3,7 @@ title: Import an AppLocker policy from another computer
description: This article for IT professionals describes how to import an AppLocker policy. description: This article for IT professionals describes how to import an AppLocker policy.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Import an AppLocker policy from another computer # Import an AppLocker policy from another computer

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md → windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md
View File

@ -3,7 +3,7 @@ title: Import an AppLocker policy into a GPO
description: This article for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). description: This article for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Import an AppLocker policy into a GPO # Import an AppLocker policy into a GPO

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md → windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md
View File

@ -3,7 +3,7 @@ title: Maintain AppLocker policies
description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies. description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 01/03/2024 ms.date: 09/11/2024
--- ---
# Maintain AppLocker policies # Maintain AppLocker policies

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md
View File

@ -3,7 +3,7 @@ title: Manage packaged apps with AppLocker
description: Learn concepts and lists procedures to help you manage packaged apps with AppLocker as part of your overall application control strategy. description: Learn concepts and lists procedures to help you manage packaged apps with AppLocker as part of your overall application control strategy.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/20/2023 ms.date: 09/11/2024
--- ---
# Manage packaged apps with AppLocker # Manage packaged apps with AppLocker

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md → windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
View File

@ -3,14 +3,14 @@ title: Merge AppLocker policies by using Set-ApplockerPolicy
description: This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. description: This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Merge AppLocker policies by using Set-ApplockerPolicy # Merge AppLocker policies by using Set-ApplockerPolicy
This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local policy is used. When the Merge parameter is used, rules in the specified AppLocker policy are merged with the AppLocker rules in the target GPO specified in the LDAP path. Merging policies removes rules with duplicate rule IDs, and the enforcement mode setting is chosen as described in [Working with AppLocker rules](/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules#enforcement-modes). If the Merge parameter isn't specified, then the new policy overwrites the existing policy. The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local policy is used. When the Merge parameter is used, rules in the specified AppLocker policy are merged with the AppLocker rules in the target GPO specified in the LDAP path. Merging policies removes rules with duplicate rule IDs, and the enforcement mode setting is chosen as described in [Working with AppLocker rules](working-with-applocker-rules.md#enforcement-modes). If the Merge parameter isn't specified, then the new policy overwrites the existing policy.
For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](/powershell/module/applocker/set-applockerpolicy). For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](/powershell/module/applocker/set-applockerpolicy).

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-manually.md → windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md
View File

@ -3,7 +3,7 @@ title: Merge AppLocker policies manually
description: This article for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). description: This article for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Merge AppLocker policies manually # Merge AppLocker policies manually
@ -12,7 +12,7 @@ This article for IT professionals describes the steps to manually merge AppLocke
If you need to merge multiple AppLocker policies into a single one, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker console. For info about merging policies by using Windows PowerShell, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). If you need to merge multiple AppLocker policies into a single one, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker console. For info about merging policies by using Windows PowerShell, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
The AppLocker policy is stored in XML format, and an exported policy can be edited with any text or XML editor. To export an AppLocker policy, see [Export an AppLocker policy to an XML file](/windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file). Before making changes to an AppLocker policy manually, review [Working with AppLocker rules](/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules). The AppLocker policy is stored in XML format, and an exported policy can be edited with any text or XML editor. To export an AppLocker policy, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md). Before making changes to an AppLocker policy manually, review [Working with AppLocker rules](working-with-applocker-rules.md).
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md
View File

@ -3,7 +3,7 @@ title: Monitor app usage with AppLocker
description: This article for IT professionals describes how to monitor app usage when AppLocker policies are applied. description: This article for IT professionals describes how to monitor app usage when AppLocker policies are applied.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/19/2023 ms.date: 09/11/2024
--- ---
# Monitor app usage with AppLocker # Monitor app usage with AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md → windows/security/application-security/application-control/app-control-for-business/applocker/optimize-applocker-performance.md
View File

@ -3,7 +3,7 @@ title: Optimize AppLocker performance
description: This article for IT professionals describes how to optimize AppLocker policy enforcement. description: This article for IT professionals describes how to optimize AppLocker policy enforcement.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 01/03/2024 ms.date: 09/11/2024
--- ---
# Optimize AppLocker performance # Optimize AppLocker performance

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
View File

@ -3,7 +3,7 @@ title: Packaged apps and packaged app installer rules in AppLocker
description: This article explains the AppLocker rule collection for packaged app installers and packaged apps. description: This article explains the AppLocker rule collection for packaged app installers and packaged apps.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# Packaged apps and packaged app installer rules in AppLocker # Packaged apps and packaged app installer rules in AppLocker

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md → windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md
View File

@ -3,7 +3,7 @@ title: Plan for AppLocker policy management
description: This article describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. description: This article describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Plan for AppLocker policy management # Plan for AppLocker policy management
@ -101,7 +101,7 @@ Before editing the rule collection, first determine what rule is preventing the
To complete this AppLocker planning document, you should first complete the following steps: To complete this AppLocker planning document, you should first complete the following steps:
1. [Determine your application control objectives](determine-your-application-control-objectives.md) 1. [Determine your application control objectives](../appcontrol-and-applocker-overview.md)
2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
3. [Select the types of rules to create](select-types-of-rules-to-create.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md)
4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md → windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md
View File

@ -3,7 +3,7 @@ title: Refresh an AppLocker policy
description: This article for IT professionals describes the steps to force an update for an AppLocker policy. description: This article for IT professionals describes the steps to force an update for an AppLocker policy.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Refresh an AppLocker policy # Refresh an AppLocker policy

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md → windows/security/application-security/application-control/app-control-for-business/applocker/requirements-for-deploying-applocker-policies.md
View File

@ -3,7 +3,7 @@ title: Requirements for deploying AppLocker policies
description: This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. description: This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Requirements for deploying AppLocker policies # Requirements for deploying AppLocker policies

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/requirements-to-use-applocker.md
View File

@ -3,7 +3,7 @@ title: Requirements to use AppLocker
description: This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. description: This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# Requirements to use AppLocker # Requirements to use AppLocker

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions.md → windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md
View File

@ -6,7 +6,7 @@ ms.collection:
- must-keep - must-keep
ms.topic: conceptual ms.topic: conceptual
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 06/07/2024 ms.date: 09/11/2024
--- ---
# AppLocker rule collection extensions # AppLocker rule collection extensions
@ -29,7 +29,7 @@ This article describes the rule collection extensions added in Windows 10 and la
## Services enforcement ## Services enforcement
By default, AppLocker policy only applies to code running in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to nonuser processes, including services running as SYSTEM. You must enable services enforcement when using AppLocker with Windows Defender Application Control's (WDAC) [managed installer](/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer) feature. By default, AppLocker policy only applies to code running in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to nonuser processes, including services running as SYSTEM. You must enable services enforcement when using AppLocker with App Control for Business's [managed installer](../design/configure-authorized-apps-deployed-with-a-managed-installer.md) feature.
To apply AppLocker policy to nonuser processes, set ``<Services EnforcementMode="Enabled"/>`` in the ``<ThresholdExtensions>`` section as shown in the preceding XML fragment. To apply AppLocker policy to nonuser processes, set ``<Services EnforcementMode="Enabled"/>`` in the ``<ThresholdExtensions>`` section as shown in the preceding XML fragment.

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md → windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md
View File

@ -3,7 +3,7 @@ title: Run the Automatically Generate Rules wizard
description: This article for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. description: This article for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/21/2023 ms.date: 09/11/2024
--- ---
# Run the Automatically Generate Rules wizard # Run the Automatically Generate Rules wizard

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/script-rules-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/script-rules-in-applocker.md
View File

@ -3,7 +3,7 @@ title: Script rules in AppLocker
description: This article describes the file formats and available default rules for the script rule collection. description: This article describes the file formats and available default rules for the script rule collection.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# Script rules in AppLocker # Script rules in AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/security-considerations-for-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/security-considerations-for-applocker.md
View File

@ -3,7 +3,7 @@ title: Security considerations for AppLocker
description: This article for the IT professional describes the security considerations you need to address when implementing AppLocker. description: This article for the IT professional describes the security considerations you need to address when implementing AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# Security considerations for AppLocker # Security considerations for AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/select-types-of-rules-to-create.md → windows/security/application-security/application-control/app-control-for-business/applocker/select-types-of-rules-to-create.md
View File

@ -3,7 +3,7 @@ title: Select the types of rules to create
description: This article lists resources you can use when selecting your application control policy rules by using AppLocker. description: This article lists resources you can use when selecting your application control policy rules by using AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Select the types of rules to create # Select the types of rules to create

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md → windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
View File

@ -3,7 +3,7 @@ title: Test an AppLocker policy by using Test-AppLockerPolicy
description: This article for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. description: This article for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Test an AppLocker policy by using Test-AppLockerPolicy # Test an AppLocker policy by using Test-AppLockerPolicy

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md → windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md
View File

@ -3,7 +3,7 @@ title: Test and update an AppLocker policy
description: This article discusses the steps required to test an AppLocker policy prior to deployment. description: This article discusses the steps required to test an AppLocker policy prior to deployment.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 01/03/2024 ms.date: 09/11/2024
--- ---
# Test and update an AppLocker policy # Test and update an AppLocker policy

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/tools-to-use-with-applocker.md
View File

@ -3,7 +3,7 @@ title: Tools to use with AppLocker
description: This article for the IT professional describes the tools available to create and administer AppLocker policies. description: This article for the IT professional describes the tools available to create and administer AppLocker policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# Tools to use with AppLocker # Tools to use with AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md → windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md
View File

@ -3,7 +3,7 @@ title: Understand AppLocker policy design decisions
description: Review some common considerations while you're planning to use AppLocker to deploy application control policies within a Windows environment. description: Review some common considerations while you're planning to use AppLocker to deploy application control policies within a Windows environment.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Understand AppLocker policy design decisions # Understand AppLocker policy design decisions

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md → windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
View File

@ -3,14 +3,14 @@ title: Understand AppLocker rules and enforcement setting inheritance in Group P
description: This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. description: This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Understand AppLocker rules and enforcement setting inheritance in Group Policy # Understand AppLocker rules and enforcement setting inheritance in Group Policy
This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
Rule enforcement is applied only to collections of rules, not individual rules. For more info on rule collections, see [AppLocker rule collections](/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules#rule-collections). Rule enforcement is applied only to collections of rules, not individual rules. For more info on rule collections, see [AppLocker rule collections](working-with-applocker-rules.md#rule-collections).
Group Policy merges AppLocker policy in two ways: Group Policy merges AppLocker policy in two ways:

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md → windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md
View File

@ -3,7 +3,7 @@ title: Understand the AppLocker policy deployment process
description: This planning and deployment article for the IT professional describes the process for using AppLocker when deploying application control policies. description: This planning and deployment article for the IT professional describes the process for using AppLocker when deploying application control policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/22/2023 ms.date: 09/11/2024
--- ---
# Understand the AppLocker policy deployment process # Understand the AppLocker policy deployment process

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
View File

@ -3,7 +3,7 @@ title: Understanding AppLocker allow and deny actions on rules
description: This article explains the differences between allow and deny actions on AppLocker rules. description: This article explains the differences between allow and deny actions on AppLocker rules.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/23/2023 ms.date: 09/11/2024
--- ---
# Understanding AppLocker allow and deny actions on rules # Understanding AppLocker allow and deny actions on rules

Some files were not shown because too many files have changed in this diff Show More