mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'WDAC-Docs' of https://github.com/jsuther1974/windows-docs-pr into WDAC-Docs
commit
6302f965dd
@ -2,7 +2,7 @@
title: App Control and AppLocker Overview
description: Compare Windows application control technologies.
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.date: 01/28/2025
ms.topic: conceptual
---
@ -18,21 +18,21 @@ App Control was introduced with Windows 10 and allows organizations to control w
App Control policies apply to the managed computer as a whole and affects all users of the device. App Control rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the codesigning certificate used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md)
- The identity of the process that initiated the installation of the app and its binaries ([managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md))
- The [path from which the app or file is launched](design/select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
- The [path where the app or file exists on disk](design/select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
- The process that launched the app or binary
> [!NOTE]
> App Control was originally released as part of Device Guard and called configurable code integrity. Device Guard and configurable code integrity are no longer used except to find where to deploy App Control policy via Group Policy.
> App Control for Business was originally released as part of Device Guard and called configurable code integrity. The terms "Device Guard" and "configurable code integrity" are no longer used with App Control except when deploying policies through Group Policy.
### App Control System Requirements
App Control policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. App Control policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy App Control policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019.
For more information on which individual App Control features are available on specific App Control builds, see [App Control feature availability](feature-availability.md).
For more information on which individual App Control features are available on your version of Windows, see [App Control feature availability](feature-availability.md).
## AppLocker
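Review bot: subject-verb agreement slip in the unchanged context line "App Control policies apply to the managed computer as a whole and affects all users of the device": the subject is "policies", so it should read "affect all users"; since this hunk already rewrites the bullets directly below that line, fix it here. One smaller wording point: replacing "codesigning certificate(s)" with "codesigning certificate" reads cleaner but drops the hint that an app and its binaries can carry more than one signing certificate; if that nuance is wanted, "certificate or certificates" keeps it without the parenthesis.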
@ -40,9 +40,9 @@ AppLocker was introduced with Windows 7, and allows organizations to control whi
AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries.
- Attributes of the codesigning certificate used to sign an app and its binaries.
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file.
- The path from which the app or file is launched.
- The path where the app or file exists on disk.
AppLocker is also used by some features of App Control, including [managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md) and the [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md).
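Review bot: punctuation is inconsistent between this AppLocker rule list, whose bullets all end with a period, and the App Control rule list changed earlier in this commit, whose bullets have none; since both lists are being edited to use the same wording ("codesigning certificate", "the path where the app or file exists on disk"), align the terminal punctuation as well so the two sections read as a matched pair.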
@ -4,7 +4,7 @@ description: Application Control restricts which applications users are allowed
ms.localizationpriority: medium
ms.collection:
- tier3
ms.date: 10/25/2024
ms.date: 01/28/2025
ms.topic: overview
---
@ -19,7 +19,7 @@ Application control works alongside your AV solution to help mitigate these type
It moves you from a trust model where all code runs unless your AV solution confidently predicts it's bad, to one where apps run only if your policy says so. Government and security organizations, like the Australian Signals Directorate, frequently cite application control as one of the most effective ways to address the threat of executable file-based malware (.exe, .dll, etc.).
> [!NOTE]
> Although application control can significantly harden your computers against malicious code, it is not a replacement for antivirus. You should continue to maintain your active antivirus solution alongside App Control for a well-rounded enterprise security portfolio.
> Although application control can significantly harden your computers against malicious code, it's not a replacement for antivirus. You should continue to maintain your active antivirus solution alongside App Control for a well-rounded enterprise security portfolio.
Windows 10 and Windows 11 include two application control technologies that your organization can use depending on your specific scenarios and requirements:
@ -28,9 +28,9 @@ Windows 10 and Windows 11 include two application control technologies that your
## App Control and Smart App Control
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs as well as code predicted to be safe by our intelligent cloud-powered security service. When code is unsigned and the service is unable to predict with confidence that it is safe to run, it is blocked but can develop positive reputation over time as new signals are processed by the service. Meanwhile, code determined to be unsafe is always blocked.
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) brings robust application control to consumers and to some small businesses with simpler app portfolios. Smart App Control ensures only signed code runs as well as code predicted to be safe by our intelligent cloud-powered security service. When code is unsigned and the service is unable to predict with confidence that it is safe to run, it is blocked but can develop better reputation over time as new signals are processed by the service. Meanwhile, code determined to be unsafe is always blocked.
While Smart App Control is designed for consumers, we believe it's the ideal starting point for most organizations. And since it's built entirely upon App Control for Business, you can create a policy with the same security and compatibility as Smart App Control but which also trusts the line-of-business (LOB) apps that your organization depends on. The service providing Smart App Control's intelligence to predict what code is safe to run is also available in App Control for Business, where its called the Intelligent Security Graph (ISG).
While Smart App Control is designed for consumers, we believe it's the ideal starting point for most organizations. And since it's built entirely upon App Control for Business, you can create a policy with the same security and compatibility as Smart App Control but which also trusts the line-of-business (LOB) apps that your organization depends on. The service providing Smart App Control's intelligence to predict what code is safe to run is also available in App Control for Business, where it's called the Intelligent Security Graph (ISG).
Smart App Control starts in evaluation mode and will switch itself off within 48 hours for enterprise managed devices unless the user has turned it on first. If you want to proactively turn off Smart App Control across your organization's endpoints, set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must run [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
@ -43,7 +43,7 @@ Smart App Control starts in evaluation mode and will switch itself off within 48
> [!IMPORTANT]
> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml*. To use this example policy as a starting point for your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it is ready for use as an App Control for Business policy.
The App Control policy used for Smart App Control comes bundled with the [App Control Wizard](design/appcontrol-wizard.md) policy authoring tool and is also found as an [example policy](design/example-appcontrol-base-policies.md) at *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml*. To use this example policy as a starting point for your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). When using the Smart App Control example policy as the basis for your own custom policy, you must remove the option **Enabled:Conditional Windows Lockdown Policy** so it is ready for use as an App Control for Business policy.
[!INCLUDE [windows-defender-application-control-wdac](../../../../../includes/licensing/windows-defender-application-control-wdac.md)]
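Review bot: the example-policy path *%windir%/schemas/CodeIntegrity/ExamplePolicies/SmartAppControl.xml* uses forward slashes while the registry path in the same region, `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy`, uses backslashes; a Windows file path should use backslashes for consistency and so that it can be pasted as-is. The change from "can develop positive reputation over time" to "can develop better reputation over time" also loses some meaning: the sentence is explaining that unsigned code which is blocked today can later be allowed once the service has enough signals, and "positive" states that it can cross into being trusted whereas "better" only says it improves; consider keeping "positive" or rewording to say the code can become allowed. The added space before "When using the Smart App Control example policy" is a good catch.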
@ -2,7 +2,7 @@
title: Allow COM object registration in an App Control policy
description: You can allow COM object registration in an App Control for Business policy.
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.date: 02/01/2025
ms.topic: how-to
---
@ -14,13 +14,12 @@ The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-
## COM object configurability in App Control policy
App Control for Business enforces a built-in allowlist for COM object registration. While this list works for most common application usage scenarios, you may need to allow more COM objects to support the apps used in your organization. You can specify allowed COM objects via their GUID in your App Control policy as described in this article.
App Control for Business enforces a built-in allowlist for COM object registration. While this list works for most common application usage scenarios, you might need to allow more COM objects to support the apps used in your organization. You can specify allowed COM objects via their GUID in your App Control policy as described in this article.
> [!NOTE]
> To add this functionality to other versions of Windows 10, you can install the following or later updates.
- [Windows 10, 1809 June 18, 2019-KB4501371 (OS Build 17763.592)](https://support.microsoft.com/help/4501371/windows-10-update-kb4501371)
- [Windows 10, 1607 June 18, 2019-KB4503294 (OS Build 14393.3053)](https://support.microsoft.com/help/4503294/windows-10-update-kb4503294)
> [!IMPORTANT]
> When any App Control for Business policy with option **0 - Enabled:UMCI** is enforced on a device, .NET adds an extra validation check before running COM objects. The check verifies the COM object's system registration matches the code being run. If there is a mismatch between the GUID calculated by .NET and the GUID stored in the COM registration, .NET won't load the object and the user sees a general error dialog informing them about the failure. This mitigates certain COM-based attacks which could otherwise be used to run an attacker's own malicious or vulnerable payload.
>
> The COM allow list mechanism described in this article **doesn't affect .NET's GUID validation check for COM objects**. Any .NET app attempting to run a COM object with a mismatched GUID are thus incompatible with App Control at this time. There are no policy control options to manage the GUID verification check, meaning the check is always performed. If you see COM object failures after an App Control policy is deployed, contact the software developer or the Independent Software Vendor (ISV) who produces the app to request a fix for the issue.
### Get COM object GUID
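Review bot: grammar slip in the second paragraph of the IMPORTANT note, "Any .NET app attempting to run a COM object with a mismatched GUID are thus incompatible with App Control at this time": the subject is singular, so it should be "is thus incompatible" (or "Any .NET apps ... are"); since this hunk already touches the paragraph above it, fix it here. Two smaller points in the same region: the first paragraph writes "allowlist" while the IMPORTANT note writes "allow list", and one spelling should be used throughout; and the hunk header (-14,13 +14,12) shows one line removed, which from the surrounding context is the blank line between the last KB bullet and the `> [!IMPORTANT]` block, so confirm the alert still renders as its own block rather than as a continuation of the list item.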