From 6ad42996cea451a6a91dbee709f54812de4d5d57 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Fri, 16 Dec 2022 14:32:08 -0500 Subject: [PATCH] clarified WDAC evaluation of COM objects with multipolicy --- ...stration-in-windows-defender-application-control-policy.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index 21694d67d5..b3e65b47bf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -70,6 +70,10 @@ One attribute: - The setting needs to be placed in the order of ASCII values (first by Provider, then Key, then ValueName) +### Multiple policy considerations + +Similar to executable files, COM objects must pass each policy on the system to be allowed by WDAC. For example, if the COM object under evaluation passes most but not all of your WDAC policies, the COM object will not be allowed. If you are using a combination of base and supplemental policies, the COM object just needs to be allowlisted in either the base policy or one of the supplemental policies. + ### Examples Example 1: Allows registration of all COM object GUIDs in any provider