mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
endpoint manager rebrand
This commit is contained in:
MandiOhlinger
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Microsoft Defender Application Guard (Windows 10 or Windows 11)
|
||||
description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
|
||||
description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
|
||||
ms.prod: windows-client
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
@ -39,13 +39,13 @@ For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoin
|
||||
|
||||
Application Guard has been created to target several types of devices:
|
||||
|
||||
- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
|
||||
- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
|
||||
|
||||
- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
|
||||
- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
|
||||
|
||||
- **Bring your own device (BYOD) mobile laptops**. These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
|
||||
- **Bring your own device (BYOD) mobile laptops**. These personally owned laptops aren't domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
|
||||
|
||||
- **Personal devices**. These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
|
||||
- **Personal devices**. These personally owned desktops or mobile laptops aren't domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
|
||||
|
||||
## Related articles
|
||||
|
||||
|
||||
@ -48,7 +48,7 @@ Multiple WDAC policies can be managed from an MDM server through ApplicationCont
|
||||
|
||||
However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
|
||||
|
||||
For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Endpoint Manager Intune's Custom OMA-URI capability.
|
||||
For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Intune's Custom OMA-URI capability.
|
||||
|
||||
> [!NOTE]
|
||||
> WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format Windows Defender Application Control policies.
|
||||
|
||||
@ -127,7 +127,7 @@ The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdl
|
||||
</RuleCollection>
|
||||
```
|
||||
|
||||
4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Configuration Manager and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This condition-based inclusion ensures the policy will merge successfully on devices that may already have an AppLocker policy in place.
|
||||
4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Configuration Manager and Microsoft Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This condition-based inclusion ensures the policy will merge successfully on devices that may already have an AppLocker policy in place.
|
||||
|
||||
```xml
|
||||
<AppLockerPolicy Version="1">
|
||||
|
||||
@ -30,7 +30,7 @@ ms.technology: itpro-security
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
|
||||
|
||||
This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
|
||||
This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Intune. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
|
||||
|
||||
> [!NOTE]
|
||||
> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
|
||||
@ -46,7 +46,7 @@ Alice previously created a policy for the organization's lightly managed devices
|
||||
Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed devices:
|
||||
|
||||
- All clients are running Windows 10 version 1903 or above or Windows 11;
|
||||
- All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune;
|
||||
- All clients are managed by Configuration Manager or with Intune;
|
||||
- Most, but not all, apps are deployed using Configuration Manager;
|
||||
- Sometimes, IT staff install apps directly to these devices without using Configuration Manager;
|
||||
- All users except IT are standard users on these devices.
|
||||
|
||||
@ -37,7 +37,7 @@ This section outlines the process to create a Windows Defender Application Contr
|
||||
|
||||
As in the [previous article](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
|
||||
|
||||
**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing that Lamna currently has loose application usage policies and a culture of maximum app flexibility for users, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads.
|
||||
**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads.
|
||||
|
||||
For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value.
|
||||
|
||||
@ -46,7 +46,7 @@ For most users and devices, Alice wants to create an initial policy that is as r
|
||||
Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly managed devices, which currently include most end-user devices:
|
||||
|
||||
- All clients are running Windows 10 version 1903 and above, or Windows 11;
|
||||
- All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune.
|
||||
- All clients are managed by Configuration Manager or with Intune.
|
||||
- Some, but not all, apps are deployed using Configuration Manager;
|
||||
- Most users are local administrators on their devices;
|
||||
- Some teams may need more rules to authorize specific apps that don't apply generally to all other users.
|
||||
@ -154,7 +154,7 @@ Alice follows these steps to complete this task:
|
||||
ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
|
||||
```
|
||||
|
||||
1. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
|
||||
1. Upload your base policy XML and the associated binary to a source control solution, such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
|
||||
|
||||
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
|
||||
|
||||
@ -164,12 +164,12 @@ In order to minimize user productivity impact, Alice has defined a policy that m
|
||||
|
||||
- **Users with administrative access**
|
||||
|
||||
This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
|
||||
This trade-off is the most impactful security trade-off. It allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
|
||||
|
||||
Possible mitigations:
|
||||
|
||||
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
|
||||
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
|
||||
- To remove the requirement for managed installer, create and deploy signed catalog files as part of the app deployment process.
|
||||
- Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
|
||||
|
||||
- **Unsigned policies**
|
||||
@ -187,7 +187,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m
|
||||
|
||||
Possible mitigations:
|
||||
|
||||
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
|
||||
- To remove the requirement for managed installer, create and deploy signed catalog files as part of the app deployment process.
|
||||
- Limit who can elevate to administrator on the device.
|
||||
|
||||
- **Intelligent Security Graph (ISG)**
|
||||
@ -196,7 +196,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m
|
||||
|
||||
Possible mitigations:
|
||||
|
||||
- Implement policies requiring that apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
|
||||
- Implement policies that require apps be managed by IT. Audit existing app usage and deploy authorized apps using a software distribution solution, like Microsoft Intune. Move from ISG to managed installer or signature-based rules.
|
||||
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
|
||||
|
||||
- **Supplemental policies**
|
||||
@ -219,7 +219,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m
|
||||
|
||||
- **Signed files**
|
||||
|
||||
Although files that are code-signed verify the author's identity and ensures that the code has not been altered by anyone other than the author, it does not guarantee that the signed code is safe.
|
||||
Although files that are code-signed verify the author's identity and ensures that the code hasn't been altered by anyone other than the author, it doesn't guarantee that the signed code is safe.
|
||||
|
||||
Possible mitigations:
|
||||
|
||||
|
||||
@ -88,7 +88,7 @@ When you're merging policies, the policy type and ID of the leftmost/first polic
|
||||
|
||||
## Deploying multiple policies
|
||||
|
||||
In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by Microsoft Endpoint Manager Intune's Custom OMA-URI feature.
|
||||
In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by Microsoft Intune's custom OMA-URI feature.
|
||||
|
||||
### Deploying multiple policies locally
|
||||
|
||||
@ -106,7 +106,7 @@ Multiple Windows Defender Application Control policies can be managed from an MD
|
||||
|
||||
However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
|
||||
|
||||
For more information on deploying multiple policies, optionally using Microsoft Endpoint Manager Intune's Custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp).
|
||||
For more information on deploying multiple policies, optionally using Microsoft Intune's custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp).
|
||||
|
||||
> [!NOTE]
|
||||
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies.
|
||||
|
||||
@ -82,7 +82,7 @@ You should now have one or more WDAC policies converted into binary form. If not
|
||||
|
||||
## Deploying signed policies
|
||||
|
||||
If you are using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the steps outlined above. Unsigned WDAC policies do not need to be present in the EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically.
|
||||
If you are using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the steps outlined above. Unsigned WDAC policies do not need to be present in the EFI partition. Deploying your policy via [Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically.
|
||||
|
||||
1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt:
|
||||
|
||||
|
||||
@ -24,7 +24,7 @@ ms.topic: how-to
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
|
||||
|
||||
You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
|
||||
You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
|
||||
|
||||
## Use Intune's built-in policies
|
||||
|
||||
|
||||
@ -36,7 +36,7 @@ When you create policies for use with Windows Defender Application Control (WDAC
|
||||
|
||||
| **Example Base Policy** | **Description** | **Where it can be found** |
|
||||
|----------------------------|---------------------------------------------------------------|--------|
|
||||
| **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
|
||||
| **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
|
||||
| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
|
||||
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
|
||||
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
|
||||
|
||||
@ -42,11 +42,11 @@ Typically, deployment of Windows Defender Application Control (WDAC) happens bes
|
||||
|
||||
## An introduction to Lamna Healthcare Company
|
||||
|
||||
In the next set of topics, we'll explore each of the above scenarios using a fictional organization called Lamna Healthcare Company.
|
||||
In the next set of articles, we'll explore each of the above scenarios using a fictional organization called Lamna Healthcare Company.
|
||||
|
||||
Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
|
||||
|
||||
Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) in hybrid mode with both Configuration Manager and Intune. Although they use Microsoft Endpoint Manager to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
|
||||
Lamna uses [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) in hybrid mode with both Configuration Manager and Intune. Although they use Microsoft Intune to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
|
||||
|
||||
Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized many new security IT responses, including tightening policies for application use and introducing application control.
|
||||
|
||||
|
||||
@ -29,7 +29,7 @@ ms.technology: itpro-security
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
|
||||
|
||||
This topic is for the IT professional. It lists the design questions, possible answers, and ramifications for decisions made, when planning application control policies deployment using Windows Defender Application Control (WDAC), within a Windows operating system environment.
|
||||
This article is for the IT professional. It lists the design questions, possible answers, and ramifications for decisions made, when planning application control policies deployment using Windows Defender Application Control (WDAC), within a Windows operating system environment.
|
||||
|
||||
When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance.
|
||||
|
||||
@ -62,7 +62,7 @@ Organizations with well-defined, centrally managed app management and deployment
|
||||
|
||||
| Possible answers | Design considerations|
|
||||
| - | - |
|
||||
| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. Windows Defender Application Control options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
|
||||
| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. Windows Defender Application Control options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
|
||||
| Some apps are centrally managed and deployed, but teams can install other apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide Windows Defender Application Control policy. Alternatively, teams can use managed installers to install their team-specific apps, or admin-only file path rules can be used to allow apps installed by admin users. |
|
||||
| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | Windows Defender Application Control can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
|
||||
| Users and teams are free to download and install apps without restriction. | Windows Defender Application Control policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.|
|
||||
@ -74,7 +74,7 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p
|
||||
| Possible answers | Design considerations |
|
||||
| - | - |
|
||||
| All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. Windows Defender Application Control rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). |
|
||||
| Apps used in your organization don't need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. |
|
||||
| Apps used in your organization don't need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Intune offer multiple ways to distribute signed App Catalogs. |
|
||||
|
||||
### Are there specific groups in your organization that need customized application control policies?
|
||||
|
||||
|
||||
@ -111,4 +111,4 @@ Packaged apps aren't supported with the ISG and will need to be separately autho
|
||||
The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
|
||||
|
||||
> [!NOTE]
|
||||
> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
|
||||
> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
|
||||
|
||||
@ -26,7 +26,7 @@ appliesto:
|
||||
|
||||
To get started, Open the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type.
|
||||
Select Windows Defender Firewall.
|
||||
:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Endpoint Manager.":::
|
||||
:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Endpoint Manager admin center.":::
|
||||
|
||||
>[!IMPORTANT]
|
||||
>A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get support for security baselines
|
||||
description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related topics.
|
||||
description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related articles.
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
ms.author: vinpa
|
||||
@ -32,13 +32,13 @@ Any version of Windows baseline before Windows 10 1703 can still be downloaded u
|
||||
|
||||
**What file formats are supported by the new SCT?**
|
||||
|
||||
The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' .cab files are no longer supported.
|
||||
The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' .cab files are no longer supported.
|
||||
|
||||
**Does SCT support Desired State Configuration (DSC) file format?**
|
||||
|
||||
No. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration.
|
||||
|
||||
**Does SCT support the creation of Microsoft Endpoint Manager DCM packs?**
|
||||
**Does SCT support the creation of Microsoft Configuration Manager DCM packs?**
|
||||
|
||||
No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO Backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
|
||||
|
||||
|
||||
@ -66,7 +66,7 @@ There are several ways to get and use security baselines:
|
||||
|
||||
2. [Mobile device management (MDM) security baselines](/windows/client-management/mdm/#mdm-security-baseline) function like the Microsoft group policy-based security baselines and can easily integrate these baselines into an existing MDM management tool.
|
||||
|
||||
3. MDM security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
|
||||
3. MDM security baselines can easily be configures in Microsoft Intune on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
|
||||
|
||||
## Community
|
||||
|
||||
|
||||
@ -60,7 +60,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side
|
||||
|
||||
6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service.
|
||||
|
||||
7. The device then sends the report to the Microsoft Endpoint Manager cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
|
||||
7. The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
|
||||
|
||||
8. Conditional access, along with device-compliance state then decides to allow or deny access.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user