deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 23:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into v-smandalika-5694287-B19

Browse Source
This commit is contained in:
Siddarth Mandalika
2022-07-18 17:15:24 +05:30
committed by GitHub
parent e86df16c5c 00fa1c897f
commit 7302da0dcb
277 changed files with 1034 additions and 1604 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -223,7 +223,7 @@ Value | Description
**4.** | If present, Secure Memory Overwrite is available.
**5.** | If present, NX protections are available.
**6.** | If present, SMM mitigations are available.
**7.** | If present, Mode Based Execution Control is available.
**7.** | If present, MBEC/GMET is available.
**8.** | If present, APIC virtualization is available.
#### InstanceIdentifier
@ -243,7 +243,7 @@ Value | Description
**4.** | If present, Secure Memory Overwrite is needed.
**5.** | If present, NX protections are needed.
**6.** | If present, SMM mitigations are needed.
**7.** | If present, Mode Based Execution Control is needed.
**7.** | If present, MBEC/GMET is needed.
#### SecurityServicesConfigured

3
windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
View File

@ -36,6 +36,9 @@ Microsoft developed this feature to make it easier for users with certain types
A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has.
> [!NOTE]
> When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value needs to be removed as well.
### Possible values
- Enabled

2
windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
View File

@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
The **Log on as a batch job** user right presents a low-risk vulnerability. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default.
The **Log on as a batch job** user right presents a low-risk vulnerability that allows non-administrators to perform administrator-like functions. If not assessed, understood, and restricted accordingly, attackers can easily exploit this potential attack vector to compromise systems, credentials, and data. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default.
### Countermeasure

8
windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
View File

@ -47,9 +47,13 @@ When you enable this audit policy, it functions in the same way as the **Network
The domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**.
- Not defined
- **Enable for domain servers**
This is the same as **Disable** and results in no auditing of NTLM traffic.
The domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain servers**.
- **Enable all**
The domain controller on which this policy is set will log all events for incoming NTLM traffic.
### Best practices

6
windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.date: 06/15/2022
ms.technology: windows-sec
---
@ -25,6 +25,10 @@ ms.technology: windows-sec
Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting.
> [!NOTE]
> For more information about configuring a server to be accessed remotely, see [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access).
## Reference
The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system.

3
windows/security/threat-protection/security-policy-settings/security-policy-settings.md
View File

@ -23,6 +23,7 @@ ms.technology: windows-sec
**Applies to**
- Windows 10
- Windows 11
This reference topic describes the common scenarios, architecture, and processes for security settings.
@ -404,4 +405,4 @@ To ensure that data is copied correctly, you can use Group Policy Management Con
| - | - |
| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.|
| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.|
| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|
| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|

2
windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
View File

@ -38,7 +38,7 @@ Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagg
## Deploy AppId Tagging Policies with MDM
Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
## Deploy AppId Tagging Policies with Configuration Manager

8
windows/security/threat-protection/windows-defender-application-control/TOC.yml
View File

@ -73,13 +73,13 @@
href: windows-defender-application-control-deployment-guide.md
items:
- name: Deploy WDAC policies with MDM
href: deploy-windows-defender-application-control-policies-using-intune.md
- name: Deploy WDAC policies with MEMCM
href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- name: Deploy WDAC policies with Configuration Manager
href: deployment/deploy-wdac-policies-with-memcm.md
- name: Deploy WDAC policies with script
href: deployment/deploy-wdac-policies-with-script.md
- name: Deploy WDAC policies with Group Policy
href: deploy-windows-defender-application-control-policies-using-group-policy.md
- name: Deploy WDAC policies with group policy
href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
- name: Audit WDAC policies
href: audit-windows-defender-application-control-policies.md
- name: Merge WDAC policies

9
windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
View File

@ -40,12 +40,9 @@ The following table lists the default rules that are available for the DLL rule
| Purpose | Name | User | Rule condition type |
| - | - | - | - |
| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs|
| BUILTIN\Administrators | Path: *|
| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs |
| Everyone | Path: %windir%\*|
| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder|
| Everyone | Path: %programfiles%\*|
| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs| BUILTIN\Administrators | Path: *|
| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs | Everyone | Path: %windir%\*|
| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| Everyone | Path: %programfiles%\*|
> [!IMPORTANT]
> If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps

2
windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
View File

@ -40,7 +40,9 @@ There are three methods you can use to edit an AppLocker policy:
- [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo)
## <a href="" id="bkmk-editapppolinmdm"></a>Editing an AppLocker policy by using Mobile Device Management (MDM)
If you deployed the AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of the policy node.
For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
## <a href="" id="bkmk-editapppolingpo"></a>Editing an AppLocker policy by using Group Policy

30
windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
ms.date: 06/15/2022
ms.technology: windows-sec
---
@ -26,26 +26,30 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic describes the file formats and available default rules for the script rule collection.
This article describes the file formats and available default rules for the script rule collection.
AppLocker defines script rules to include only the following file formats:
- .ps1
- .bat
- .cmd
- .vbs
- .js
- `.ps1`
- `.bat`
- `.cmd`
- `.vbs`
- `.js`
The following table lists the default rules that are available for the script rule collection.
| Purpose | Name | User | Rule condition type |
| - | - | - | - |
| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *|
| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*|
| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*|
| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` |
| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` |
| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`|
## Related topics
> [!NOTE]
> Windows Defender Application Control cannot be used to block PowerShell scripts. AppLocker just forces PowerShell scripts to be run in Constrained Language mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs.
## Related articles
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)

4
windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
View File

@ -155,10 +155,10 @@ Merge-CIPolicy -PolicyPaths $DenyPolicy, $AllowAllPolicy -OutputFilePath $DenyPo
Policies should be thoroughly evaluated and first rolled out in audit mode before strict enforcement. Policies can be deployed via multiple options:
1. Mobile Device Management (MDM): [Deploy Windows Defender Application Control (WDAC) policies using Mobile Device Management (MDM) (Windows)](deploy-windows-defender-application-control-policies-using-intune.md)
1. Mobile Device Management (MDM): [Deploy WDAC policies using Mobile Device Management (MDM)](deployment/deploy-windows-defender-application-control-policies-using-intune.md)
2. Configuration Manager: [Deploy Windows Defender Application Control (WDAC) policies by using Configuration Manager (Windows)](deployment/deploy-wdac-policies-with-memcm.md)
3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md)
4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deploy-windows-defender-application-control-policies-using-group-policy.md)
4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)

7
windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
View File

@ -113,3 +113,10 @@ See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-c
> [!NOTE]
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies.
### Known Issues in Multiple Policy Format
* If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b.
* If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit.
* This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot.

85
windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
View File

@ -1,22 +1,19 @@
---
title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows)
description: You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
keywords: security, malware
title: Deploy Windows Defender Application Control policies with Configuration Manager
description: You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
ms.prod: m365-security
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: dansimp
ms.date: 07/19/2021
ms.technology: windows-sec
ms.topic: article
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: aaroncz
ms.author: jogeurte
manager: jsuther
ms.date: 06/27/2022
ms.topic: how-to
ms.localizationpriority: medium
---
# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager (MEMCM)
# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager
**Applies to:**
@ -24,22 +21,70 @@ ms.localizationpriority: medium
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC) on client machines.
## Use MEMCM's built-in policies
## Use Configuration Manager's built-in policies
Microsoft Endpoint Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
- Windows components
- Microsoft Store apps
- Apps installed by Configuration Manager (Configuration Manager self-configured as a managed installer)
- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
- [Optional] Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints.
- (Optional) Reputable apps as defined by the Intelligent Security Graph (ISG)
- (Optional) Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints.
Note that Configuration Manager does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
Configuration Manager doesn't remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
### Create a WDAC Policy in Configuration Manager
1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy**
![Create a WDAC policy in Configuration Manager.](../images/memcm/memcm-create-wdac-policy.jpg)
2. Enter the name of the policy > **Next**
3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes**
4. Select the mode that you want the policy to run (Enforcement enabled / Audit Only)
5. Select **Next**
![Create an enforced WDAC policy in Configuration Manager.](../images/memcm/memcm-create-wdac-policy-2.jpg)
6. Select **Add** to begin creating rules for trusted software
![Create a WDAC path rule in Configuration Manager.](../images/memcm/memcm-create-wdac-rule.jpg)
7. Select **File** or **Folder** to create a path rule > **Browse**
![Select a file or folder to create a path rule.](../images/memcm/memcm-create-wdac-rule-2.jpg)
8. Select the executable or folder for your path rule > **OK**
![Select the executable file or folder.](../images/memcm/memcm-create-wdac-rule-3.jpg)
9. Select **OK** to add the rule to the table of trusted files or folder
10. Select **Next** to navigate to the summary page > **Close**
![Confirm the WDAC path rule in Configuration Manager.](../images/memcm/memcm-confirm-wdac-rule.jpg)
### Deploy the WDAC policy in Configuration Manager
1. Right-click the newly created policy > **Deploy Application Control Policy**
![Deploy WDAC via Configuration Manager.](../images/memcm/memcm-deploy-wdac.jpg)
2. Select **Browse**
![Select Browse.](../images/memcm/memcm-deploy-wdac-2.jpg)
3. Select the Device Collection you created earlier > **OK**
![Select the device collection.](../images/memcm/memcm-deploy-wdac-3.jpg)
4. Change the schedule > **OK**
![Change the WDAC deployment schedule.](../images/memcm/memcm-deploy-wdac-4.jpg)
For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).

21
windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md → windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
View File

@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 02/28/2018
ms.date: 06/27/2022
ms.technology: windows-sec
---
@ -22,14 +22,13 @@ ms.technology: windows-sec
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
- Windows 10
- Windows 11
- Windows Server 2016 and above
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
>
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
@ -41,9 +40,9 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**.
> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md).
![Group Policy Management, create a GPO.](images/dg-fig24-creategpo.png)
![Group Policy Management, create a GPO.](../images/dg-fig24-creategpo.png)
3. Name the new GPO. You can choose any name.
@ -51,7 +50,7 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
![Edit the Group Policy for Windows Defender Application Control.](images/wdac-edit-gp.png)
![Edit the Group Policy for Windows Defender Application Control.](../images/wdac-edit-gp.png)
6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
@ -60,7 +59,7 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
> [!NOTE]
> This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
![Group Policy called Deploy Windows Defender Application Control.](images/dg-fig26-enablecode.png)
![Group Policy called Deploy Windows Defender Application Control.](../images/dg-fig26-enablecode.png)
> [!NOTE]
> You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.

16
windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md → windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
View File

@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 04/29/2020
ms.date: 06/27/2022
ms.technology: windows-sec
---
@ -22,12 +22,12 @@ ms.technology: windows-sec
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
@ -51,7 +51,7 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo
## Deploy WDAC policies with custom OMA-URI
> [!NOTE]
> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
### Deploy custom WDAC policies on Windows 10 1903+
@ -71,7 +71,7 @@ The steps to use Intune's custom OMA-URI functionality are:
- **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"]
> ![Configure custom WDAC.](images/wdac-intune-custom-oma-uri.png)
> ![Configure custom WDAC.](../images/wdac-intune-custom-oma-uri.png)
> [!NOTE]
> For the _Policy GUID_ value, do not include the curly brackets.

37
windows/security/threat-protection/windows-defender-application-control/feature-availability.md
View File

@ -1,40 +1,35 @@
---
title: Windows Defender Application Control Feature Availability
title: Windows Defender Application Control feature availability
description: Compare Windows Defender Application Control (WDAC) and AppLocker feature availability.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: denisebmsft
ms.reviewer: jgeurten
ms.author: deniseb
manager: dansimp
ms.date: 05/09/2022
ms.custom: asr
ms.technology: windows-sec
ms.localizationpriority: medium
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: aaroncz
ms.author: jogeurte
manager: jsuther
ms.date: 06/27/2022
ms.custom: asr
ms.topic: overview
---
# Windows Defender Application Control and AppLocker feature availability
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more.
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more.
| Capability | Windows Defender Application Control | AppLocker |
|-------------|------|-------------|
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later |
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs. |
| Management solutions | <ul><li>[Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via Software Distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
| Management solutions | <ul><li>[Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)</li><li>[Group policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via software distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
| Kernel mode policies | Available on all Windows 10 versions and Windows 11 | Not available |
| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |

BIN
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-confirm-wdac-rule.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy-2.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 152 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 149 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-2.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 270 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-3.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 119 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 61 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-2.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-3.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-4.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 114 KiB

8
windows/security/threat-protection/windows-defender-application-control/index.yml
View File

@ -99,13 +99,13 @@ landingContent:
- linkListType: tutorial
links:
- text: Deployment with MDM
url: deploy-windows-defender-application-control-policies-using-intune.md
- text: Deployment with MEMCM
url: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- text: Deployment with Configuration Manager
url: deployment/deploy-wdac-policies-with-memcm.md
- text: Deployment with script and refresh policy
url: deployment/deploy-wdac-policies-with-script.md
- text: Deployment with Group Policy
url: deploy-windows-defender-application-control-policies-using-group-policy.md
- text: Deployment with group policy
url: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
# Card
- title: Learn how to monitor WDAC events
linkLists:

12
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -162,7 +162,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_INSTALLUTIL" FriendlyName="Microsoft InstallUtil" FileName="InstallUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_INSTALLUTIL" FriendlyName="Microsoft InstallUtil" FileName="InstallUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KD_KMCI" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
@ -877,7 +877,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
<FileRuleRef RuleID="ID_DENY_FSI" />
<FileRuleRef RuleID="ID_DENY_FSI_ANYCPU" />
<FileRuleRef RuleID="ID_DENY_INFINSTALL" />
<FileRuleRef RuleID="ID_DENY_INSTALLUTIL" />
<FileRuleRef RuleID="ID_DENY_INSTALLUTIL" />
<FileRuleRef RuleID="ID_DENY_KD" />
<FileRuleRef RuleID="ID_DENY_KILL" />
<FileRuleRef RuleID="ID_DENY_LXSS" />
@ -905,10 +905,10 @@ Select the correct version of each .dll for the Windows release you plan to supp
<FileRuleRef RuleID="ID_DENY_WSLCONFIG" />
<FileRuleRef RuleID="ID_DENY_WSLHOST" />
<!-- uncomment the relevant line(s) below if you have uncommented them in the rule definitions above
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
-->
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
-->
<FileRuleRef RuleID="ID_DENY_D_1" />
<FileRuleRef RuleID="ID_DENY_D_2" />
<FileRuleRef RuleID="ID_DENY_D_3" />

16
windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
View File

@ -10,7 +10,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: dansimp
ms.date: 04/14/2021
ms.date: 07/01/2022
ms.technology: windows-sec
ms.topic: article
ms.localizationpriority: medium
@ -25,19 +25,23 @@ ms.localizationpriority: medium
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic covers tips and tricks for admins as well as known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
## Managed Installer and ISG will cause garrulous events
When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. Beginning with the September 2022 C release, these events will be moved to the verbose channel since the events don't indicate an issue with the policy.
## .NET native images may generate false positive block events
In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fallback to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fall back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
## MSI Installations launched directly from the internet are blocked by WDAC
Installing .msi files directly from the internet to a computer protected by WDAC will fail.
For example, this command will not work:
For example, this command won't work:
```console
msiexec i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi

2
windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
View File

@ -108,7 +108,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
> [!NOTE]
> The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md).
> [!NOTE]
> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.

7
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
View File

@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 09/23/2021
ms.date: 06/15/2022
ms.technology: windows-sec
---
@ -24,7 +24,8 @@ Historically, Windows Defender Application Control (WDAC) has restricted the set
Security researchers have found that some .NET applications may be used to circumvent those controls by using .NETs capabilities to load libraries from external sources or generate new code on the fly.
Beginning with Windows 10, version 1803, or Windows 11, Windows Defender Application Control features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime.
When the Dynamic Code Security option is enabled, Windows Defender Application Control policy is applied to libraries that .NET loads from external sources.
When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any non-local sources, such as the internet or a network share.
Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with.
Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries.
@ -39,4 +40,4 @@ To enable Dynamic Code Security, add the following option to the `<Rules>` secti
<Rule>
<Option>Enabled:Dynamic Code Security</Option>
</Rule>
```
```

4
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
View File

@ -129,5 +129,5 @@ Packaged apps are not supported with the Microsoft Intelligent Security Graph he
The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
>[!NOTE]
> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
> [!NOTE]
> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).

31
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
View File

@ -1,21 +1,16 @@
---
title: Deploying Windows Defender Application Control (WDAC) policies (Windows)
title: Deploying Windows Defender Application Control (WDAC) policies
description: Learn how to plan and implement a WDAC deployment.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 05/16/2018
ms.technology: windows-sec
ms.localizationpriority: medium
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: aaroncz
ms.author: jogeurte
manager: jsuther
ms.date: 06/27/2022
ms.topic: overview
---
# Deploying Windows Defender Application Control (WDAC) policies
@ -41,7 +36,7 @@ All Windows Defender Application Control policy changes should be deployed in au
There are several options to deploy Windows Defender Application Control policies to managed endpoints, including:
1. [Deploy using a Mobile Device Management (MDM) solution](deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
2. [Deploy using Microsoft Endpoint Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md)
3. [Deploy via script](deployment/deploy-wdac-policies-with-script.md)
4. [Deploy via Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
- [Deploy using a Mobile Device Management (MDM) solution](deployment/deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
- [Deploy using Microsoft Endpoint Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md)
- [Deploy via script](deployment/deploy-wdac-policies-with-script.md)
- [Deploy via group policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)

2
windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
View File

@ -48,7 +48,7 @@ The blocking filters can be categorized under these filter origins:
g. Windows Service Hardening (WSH) default
The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in Iron release.
The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in the Windows Server 2022 and Windows 11 releases.
## Improved firewall audit

2
windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
View File

@ -112,7 +112,7 @@ An array of folders, each representing a location on the host machine that will
### Logon command
Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account.
Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. The container user account should be an administrator account.
```xml
<LogonCommand>