Removed duplicate "new supported scenarios" from multiple policies page

brbrahm
2019-05-15 21:46:34 -07:00
committed by GitHub
parent 0c29692554
commit 81777d6050

@ -20,7 +20,7 @@ ms.date: 05/10/2019
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to light up the following scenarios:
The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
1. Enforce and Audit Side-by-Side
- To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy
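Review bot: In the rewritten intro sentence, "in order to enable the following scenarios" can be tightened to "to enable the following scenarios", and "has felt limiting for customers" reads as opinion for reference documentation; something like "limits customers in situations where multiple policies with different intents would be useful" states the same point directly. The hunk header context still shows "ms.date: 05/10/2019"; if content edits are meant to be reflected in that field, update it in this commit.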
@ -38,19 +38,6 @@ The restriction of only having a single code integrity policy active on a system
- Base + supplemental policy: union
- Files that are allowed by the base policy or the supplemental policy are not blocked
## Newly supported scenarios
With the ability to support multiple CI policies, three new scenarios are supported:
1. Enforce and Audit Side-by-Side (Intersection)
- To validate policy changes before deploying in enforcement mode, deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy
2. Multiple Base Policies (Intersection)
- Enforce two or more base policies simultaneously to allow simpler policy targeting for policies with different scope/intent
- Ex. Base1 is a corporate standard policy that is relatively loose to accommodate all organizations while forcing minimum corp standards (e.g. Windows works + Managed Installer + path rules). Base2 is a team-specific policy that further restricts what is allowed to run (e.g. Windows works + Managed Installer + corporate signed apps only)
3. Supplemental Policies (Union)
- Deploy a supplemental policy (or policies) to expand a base policy
- Ex. The Azure host base policy restricts tightly to just allow Windows and hardware drivers. Can add a supplemental policy to allow just the additional signer rules needed to support signed code from the Exchange team.
## PowerShell parameters
New-CIPolicy
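Review bot: The removed "Newly supported scenarios" section is not a pure duplicate of the list kept above: its headings carry the "(Intersection)" and "(Union)" tags, while the retained heading visible in the first hunk reads only "1. Enforce and Audit Side-by-Side". Those tags tell the reader how each scenario combines policies, which decides whether an added policy narrows or widens what is allowed to run, so consider moving them onto the retained headings. Also confirm that the Base1/Base2 and Azure host examples removed here still appear in the retained list, since the visible context does not show them.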