From 3d59a35fb0b5c20f26c35c67a7454d79eda48ab5 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 7 Jan 2019 16:36:10 -0800 Subject: [PATCH 1/3] added Intune is optional --- .../windows-defender-application-control.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 27e5ec8d90..b5c590602d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jsuther1974 -ms.date: 11/28/2018 +ms.date: 01/08/2019 --- # Windows Defender Application Control @@ -38,7 +38,7 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs ## WDAC System Requirements WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016. -They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune. +They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. Group Policy or Intune can be used to distribute WDAC policies. ## New and changed functionality From dab9730f1148e0a1e17c9528fce7a74f79880b3b Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 7 Jan 2019 17:23:34 -0800 Subject: [PATCH 2/3] added xml example --- .../mdm/policy-csp-deviceinstallation.md | 33 ++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 5d54218565..a696446f77 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 12/14/2018 +ms.date: 01/08/2019 --- # Policy CSP - DeviceInstallation @@ -339,6 +339,37 @@ ADMX Info: +To enable this policy, use the following SyncML. This example prevents Windows from retrieving device metadata. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + + + integer + + + + + + +``` + +To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` +
From 2d25492898cfe8d1b6fbceaac545943ec1096c20 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 7 Jan 2019 17:27:06 -0800 Subject: [PATCH 3/3] edits --- .../mdm/policy-csp-deviceinstallation.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index a696446f77..c59542326a 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -139,7 +139,7 @@ To enable this policy, use the following SyncML. This example allows Windows to ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -256,7 +256,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt @@ -361,7 +361,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -530,7 +530,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -630,7 +630,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check]