From 61270ecfed2161180818a7098aadb9deeb96d670 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 26 Jul 2021 17:40:56 -0700 Subject: [PATCH 1/3] Edited select-type and event-id documents. - select-type-of-rules-to-create: added option 20 to table 1. - event-id-explanations: Added a new System Integrity Policy Options table for event ID 3099. --- .../event-id-explanations.md | 29 +++++++++++++++++++ .../select-types-of-rules-to-create.md | 1 + 2 files changed, 30 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 6ac3422250..2d450b1c94 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -86,6 +86,35 @@ To enable 3090 allow events, and 3091 and 3092 events, you must instead create a reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 ``` +## System Integrity Policy Options +Below are the policy options in event 3099. + +| Bit Address | Policy Rule Option | +|-------|------| +| 2 | Enabled:UMCI | +| 3 | Enabled:Boot Menu Protection | +| 4 | Enabled:Intelligent Security Graph Authorization | +| 5 | Enabled:Invalidate EAs on Reboot | +| 7 |Required:WHQL | +| 8 | Enabled:Developer Dynamic Code Security | +| 9 | Enabled: No Revalidation Upon Refresh | +| 10 | Enabled:Allow Supplemental Policies | +| 11 | Disabled:Runtime FilePath Rule Protection | +| 13 | Enabled: Revoked Expired As Unsigned | +| 16 |Enabled:Audit Mode (Default) | +| 17 | Disabled:Flight Signing | +| 18 | Enabled:Inherit Default Policy | +| 19 | Enabled:Unsigned System Integrity Policy (Default) | +| 20 | Enabled:Dynamic Code Security | +| 21 | Required:EV Signers | +| 22 | Enabled:Boot Audit on Failure | +| 23 | Enabled:Advanced Boot Options Menu | +| 24 | Disabled:Script Enforcement | +| 25 | Required:Enforce Store Applications | +| 26 | Enabled: Host Policy Enforcement | +| 27 |Enabled:Managed Installer | +| 28 |Enabled:Update Policy No Reboot | + ## Appendix A list of other relevant event IDs and their corresponding description. diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 794cefca57..0d7b426112 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No | | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No | +| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with an expired and/or revoked certificates as "Unsigned binaries" for user mode process/components under enterprise signing scenarios. | No | ## Windows Defender Application Control file rule levels From 5a52a3bd439485aaaea3ae0095582ec5d2db1186 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 27 Jul 2021 16:20:28 -0700 Subject: [PATCH 2/3] Added the suggested feedback to select-types-of-rules and event-id-explanations documents. --- .../event-id-explanations.md | 16 ++++++++-------- .../select-types-of-rules-to-create.md | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 2d450b1c94..e3ae7a65ba 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -87,7 +87,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ``` ## System Integrity Policy Options -Below are the policy options in event 3099. +The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options). | Bit Address | Policy Rule Option | |-------|------| @@ -95,13 +95,13 @@ Below are the policy options in event 3099. | 3 | Enabled:Boot Menu Protection | | 4 | Enabled:Intelligent Security Graph Authorization | | 5 | Enabled:Invalidate EAs on Reboot | -| 7 |Required:WHQL | +| 7 | Required:WHQL | | 8 | Enabled:Developer Dynamic Code Security | -| 9 | Enabled: No Revalidation Upon Refresh | +| 9 | Enabled:No Revalidation Upon Refresh | | 10 | Enabled:Allow Supplemental Policies | | 11 | Disabled:Runtime FilePath Rule Protection | -| 13 | Enabled: Revoked Expired As Unsigned | -| 16 |Enabled:Audit Mode (Default) | +| 13 | Enabled:Revoked Expired As Unsigned | +| 16 | Enabled:Audit Mode (Default) | | 17 | Disabled:Flight Signing | | 18 | Enabled:Inherit Default Policy | | 19 | Enabled:Unsigned System Integrity Policy (Default) | @@ -111,9 +111,9 @@ Below are the policy options in event 3099. | 23 | Enabled:Advanced Boot Options Menu | | 24 | Disabled:Script Enforcement | | 25 | Required:Enforce Store Applications | -| 26 | Enabled: Host Policy Enforcement | -| 27 |Enabled:Managed Installer | -| 28 |Enabled:Update Policy No Reboot | +| 26 | Enabled:Host Policy Enforcement | +| 27 | Enabled:Managed Installer | +| 28 | Enabled:Update Policy No Reboot | ## Appendix A list of other relevant event IDs and their corresponding description. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 0d7b426112..8f9b6ac45d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -70,7 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No | | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No | -| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with an expired and/or revoked certificates as "Unsigned binaries" for user mode process/components under enterprise signing scenarios. | No | +| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with expired and/or revoked certificates as "Unsigned binaries" for user-mode process/components under enterprise signing scenarios. | No | ## Windows Defender Application Control file rule levels From 20f3b55c1616b754a0a1fd8620bfd30511831146 Mon Sep 17 00:00:00 2001 
From: Kim Klein Date: Mon, 2 Aug 2021 10:07:49 -0700 Subject: [PATCH 3/3] Updated the last of the suggestions. --- .../event-id-explanations.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index e3ae7a65ba..ff7f78475a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -96,8 +96,6 @@ The WDAC policy rule-option values can be derived from the "Options" field in th | 4 | Enabled:Intelligent Security Graph Authorization | | 5 | Enabled:Invalidate EAs on Reboot | | 7 | Required:WHQL | -| 8 | Enabled:Developer Dynamic Code Security | -| 9 | Enabled:No Revalidation Upon Refresh | | 10 | Enabled:Allow Supplemental Policies | | 11 | Disabled:Runtime FilePath Rule Protection | | 13 | Enabled:Revoked Expired As Unsigned | @@ -111,7 +109,6 @@ The WDAC policy rule-option values can be derived from the "Options" field in th | 23 | Enabled:Advanced Boot Options Menu | | 24 | Disabled:Script Enforcement | | 25 | Required:Enforce Store Applications | -| 26 | Enabled:Host Policy Enforcement | | 27 | Enabled:Managed Installer | | 28 | Enabled:Update Policy No Reboot |
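Review bot: in the new System Integrity Policy Options table (PATCH 1/3, event-id-explanations.md), the bit addresses do not match the rule-option numbers in Table 1 of select-types-of-rules-to-create.md and nothing in the section says so; every option visible in both files carries a different number (Allow Supplemental Policies is option 17 but bit 10, Runtime FilePath Rule Protection is option 18 but bit 11, Dynamic Code Security is option 19 but bit 20, Revoked Expired As Unsigned is option 20 but bit 13). Add a sentence stating that the bit address is the position in the event's Options field rather than the Table 1 option number, say whether bit 0 is the least-significant bit, and say what the unlisted bits (0, 1, 6, 12, 14, 15) mean, otherwise readers will assume the table is incomplete. Cell spacing is also inconsistent (`| 7 |Required:WHQL |`, `| 9 | Enabled: No Revalidation Upon Refresh |`, `| 16 |Enabled:Audit Mode (Default) |`).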
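Review bot: the new row `| **20 Enabled:Revoked Expired As Unsigned** | ... | No |` (PATCH 1/3, select-types-of-rules-to-create.md) is the only row in the visible hunk without a "NOTE: This option is only supported on Windows 10, version ..., and above." clause, and it is still absent after the wording fix in PATCH 2/3; state the minimum supported version so readers know on which builds the option is honoured. "signed with an expired and/or revoked certificates" mixes a singular article with a plural noun (PATCH 2/3 corrects this to "signed with expired and/or revoked certificates").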
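Review bot: the rewritten intro (PATCH 2/3, event-id-explanations.md, `@@ -87,7 +87,7 @@`) tells the reader to convert the hex Options value to binary and look the bits up in the table, but does not say that a set bit means the named option is present in the policy even when the name begins with "Disabled:" (bits 11, 17 and 24), nor which end of the binary string is bit 0. A short worked decode under the table (one Options value, the bits that are set, the rule options they map to) would remove both ambiguities. Minor: "Code integrity 3099 event" should be cased "Code Integrity", the feature name.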
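Review bot: removing bits 8, 9 and 26 (PATCH 3/3, event-id-explanations.md) leaves the table with unexplained gaps at 0, 1, 6, 8, 9, 12, 14, 15 and 26, and neither the page nor the commit message ("Updated the last of the suggestions.") records why those rows were dropped. Add a sentence under the table stating that bits not listed are reserved or not documented, and put the reason for dropping the three rows in the commit message so it is recoverable from history.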