diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 04826145f2..595710639b 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -19564,6 +19564,16 @@
"source_path": "education/windows/get-minecraft-device-promotion.md",
"redirect_url": "/education/windows/get-minecraft-for-education",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md",
+ "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md",
+ "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune",
+ "redirect_document_id": false
}
]
}
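Review bot: Both added entries set "redirect_document_id": false even though each is a one-to-one move of the same article into deployment/. If the moved pages are meant to keep the identity of the originals, set the flag to true; if false is deliberate, say so in the commit message. The two redirect_url values do match the deployment/ hrefs used in TOC.yml, so the targets themselves look right.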
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index 5d7d191d40..a7d64bd225 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -74,11 +74,11 @@
items:
- name: Deploy WDAC policies with MDM
href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- - name: Deploy WDAC policies with MEMCM
+ - name: Deploy WDAC policies with Configuration Manager
href: deployment/deploy-wdac-policies-with-memcm.md
- name: Deploy WDAC policies with script
href: deployment/deploy-wdac-policies-with-script.md
- - name: Deploy WDAC policies with Group Policy
+ - name: Deploy WDAC policies with group policy
href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
- name: Audit WDAC policies
href: audit-windows-defender-application-control-policies.md
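Review bot: The entry renamed to "Deploy WDAC policies with Configuration Manager" still has href deployment/deploy-wdac-policies-with-memcm.md, so the retired acronym survives in the URL. Keeping the file name avoids another redirect, which is a fair trade, but state that choice in the change description. Also check that the lowercased "group policy" in the other renamed entry matches the casing used in the target article's own title.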
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
index d562ed260f..2efe41d1ae 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
@@ -1,22 +1,19 @@
---
-title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows)
-description: You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
-keywords: security, malware
+title: Deploy Windows Defender Application Control policies with Configuration Manager
+description: You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
ms.prod: m365-security
-audience: ITPro
-ms.collection: M365-security-compliance
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: jogeurte
-ms.manager: jsuther
-manager: dansimp
-ms.date: 06/27/2022
ms.technology: windows-sec
-ms.topic: article
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: aaroncz
+ms.author: jogeurte
+manager: jsuther
+ms.date: 06/27/2022
+ms.topic: how-to
ms.localizationpriority: medium
---
-# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager (MEMCM)
+# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager
**Applies to:**
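Review bot: The new front-matter title and the new H1 disagree. The title reads "Deploy Windows Defender Application Control policies with Configuration Manager", while the heading reads "Deploy WDAC policies by using Microsoft Endpoint Configuration Manager", and the description still uses the long product name. Pick one form, preferably the "with Configuration Manager" wording that TOC.yml now uses, and apply it to all three.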
@@ -24,14 +21,14 @@ ms.localizationpriority: medium
- Windows 11
- Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC) on client machines.
## Use Configuration Manager's built-in policies
-Microsoft Endpoint Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
+Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
- Windows components
- Microsoft Store apps
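Review bot: The NOTE link now uses the relative path ../feature-availability.md, which resolves only while this file sits exactly one level below feature-availability.md. That holds for the current deployment/ location shown in the diff header, but the redirects added in this same change show that articles in this folder do get moved, so confirm the build's link validation covers this path. Separately, the rewritten sentence keeps "a policy that will only allow"; present tense ("that only allows") would match the contraction cleanup done elsewhere in the file.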
@@ -39,60 +36,58 @@ Microsoft Endpoint Configuration Manager includes native support for WDAC, which
- (Optional) Reputable apps as defined by the Intelligent Security Graph (ISG)
- (Optional) Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints.
-Note that Configuration Manager does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
+Configuration Manager doesn't remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
### Create a WDAC Policy in Configuration Manager
1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy**
-
+ 
2. Enter the name of the policy > **Next**
3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes**
-4. Select the mode which you want the policy to run (Enforcement enabled / Audit Only)
-5. Click **Next**
+4. Select the mode that you want the policy to run (Enforcement enabled / Audit Only)
+5. Select **Next**
-
+ 
6. Select **Add** to begin creating rules for trusted software
-
+ 
7. Select **File** or **Folder** to create a path rule > **Browse**
-
+ 
8. Select the executable or folder for your path rule > **OK**
-
+ 
9. Select **OK** to add the rule to the table of trusted files or folder
10. Select **Next** to navigate to the summary page > **Close**
-
+ 
-### Deploy the WDAC Policy in Configuration Manager
+### Deploy the WDAC policy in Configuration Manager
1. Right-click the newly created policy > **Deploy Application Control Policy**
-
+ 
2. Select **Browse**
-
+ 
3. Select the Device Collection you created earlier > **OK**
-
+ 
4. Change the schedule > **OK**
-
+ 
For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
-The entire WDAC in Configuration Manager Lab Paper is available for download [here](/pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf).
-
## Deploy custom WDAC policies using Packages/Programs or Task Sequences
Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. To define your own circle-of-trust, you can use Configuration Manager to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.
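Review bot: The rewritten paragraph beginning "Configuration Manager doesn't remove policies once deployed" keeps the claim that switching to audit mode "will produce the same effect", which is ambiguous for a security control: the next sentence says audit mode is still WDAC being active, so the policy stays loaded and only blocking stops. Reword to say that audit mode stops blocking but leaves the policy in place, and that full removal needs the delete-and-reboot step. That step says to "delete the policy file from disk" without naming the file or linking to removal guidance, so point to the relevant article. Two smaller items in the step lists: the alt text "Create a WDAC policy in Configuration Manager." is reused for create-wdac-policy-memcm-1, -2 and -3, and "Select a file or folder." for -4 and -5, so screen-reader users cannot tell the screenshots apart; and step 4 should read "the mode that you want the policy to run in".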
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index d398ed16cb..4edab9bde3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -1,31 +1,26 @@
---
-title: Windows Defender Application Control Feature Availability
+title: Windows Defender Application Control feature availability
description: Compare Windows Defender Application Control (WDAC) and AppLocker feature availability.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.technology: windows-sec
ms.localizationpriority: medium
-audience: ITPro
ms.collection: M365-security-compliance
-author: denisebmsft
-ms.reviewer: jgeurten
-ms.author: deniseb
-manager: dansimp
+author: jgeurten
+ms.reviewer: aaroncz
+ms.author: jogeurte
+manager: jsuther
ms.date: 06/27/2022
ms.custom: asr
-ms.technology: windows-sec
+ms.topic: overview
---
# Windows Defender Application Control and AppLocker feature availability
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more.
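Review bot: The three "Applies to" bullets are removed and re-added with no visible text change, so this looks like whitespace-only churn. If the intent was to fix list indentation or trailing spaces, fine, but confirm it is deliberate because it adds noise to the history of a metadata cleanup. In the front matter, ms.technology is moved and ms.topic: overview is added, which is consistent with the sibling article. The NOTE's "See below to learn more" left as context could name the table it refers to.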
@@ -34,7 +29,7 @@ ms.technology: windows-sec
|-------------|------|-------------|
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later |
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. |
-| Management solutions |