Merge branch 'main' into repo_sync_working_branch

windows/deployment/update/waas-overview.md

@@ -110,7 +110,7 @@ Specialized systems—such as devices that control medical equipment, point-of-s
 >
 > The Long-term Servicing channel is not intended for deployment on most or all the devices in an organization; it should be used only for special-purpose devices. As a general guideline, a device with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the General Availability channel.
 
-Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSC. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
+Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSC. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a the product lifecycle. Always check your individual LTSC release to verify its servicing lifecycle. For more information, see [release information](/windows/release-health/release-information), or perform a search on the [product lifecycle information](/lifecycle/products/) page.
 
 > [!NOTE]
 > LTSC releases will support the currently released processors and chipsets at the time of release of the LTSC. As future CPU generations are released, support will be created through future LTSC releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](/lifecycle/faq/windows).

windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md

@@ -14,20 +14,49 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 12/06/2018
+ms.date: 03/01/2022
 ms.technology: windows-sec
 ---
 
 # Querying Application Control events centrally using Advanced hunting  
 
-A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. 
+A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode.
-While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. 
+While Event Viewer helps to see the impact on a single system, IT Pros want to gauge it across many systems.
 
-In November 2018, we added functionality in Microsoft Defender for Endpoint that makes it easy to view WDAC events centrally from all systems that are connected to Defender for Endpoint. 
+In November 2018, we added functionality in Microsoft Defender for Endpoint that makes it easy to view WDAC events centrally from all connected systems.
 
-Advanced hunting in Microsoft Defender for Endpoint allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. 
+Advanced hunting in Microsoft Defender for Endpoint allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”.
 This capability is supported beginning with Windows version 1607.
 
+## Action Types
+
+| ActionType Name | ETW Source Event ID | Description |
+| - | - | - |
+| AppControlCodeIntegrityDriverRevoked | 3023 | The driver file under validation didn't meet the requirements to pass the application control policy. |
+| AppControlCodeIntegrityImageRevoked | 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
+| AppControlCodeIntegrityPolicyAudited | 3076 | This event is the main WDAC block event for audit mode policies. It indicates the file would have been blocked if the WDAC policy was enforced. |
+| AppControlCodeIntegrityPolicyBlocked | 3077 | This event is the main WDAC block event for enforced policies. It indicates the file didn't pass your WDAC policy and was blocked. |
+| AppControlExecutableAudited | 8003 | Applied only when the Audit only enforcement mode is enabled. Specifies the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled. |
+| AppControlExecutableBlocked | 8004 | The .exe or .dll file can't run. |
+| AppControlPackagedAppAudited | 8021 | Applied only when the Audit only enforcement mode is enabled. Specifies the packaged app would be blocked if the Enforce rules enforcement mode were enabled. |
+| AppControlPackagedAppBlocked | 8022 | The packaged app was blocked by the policy. |
+| AppControlScriptAudited | 8006 | Applied only when the Audit only enforcement mode is enabled. Specifies the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled. |
+| AppControlScriptBlocked | 8007 | Access to file name is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run. |
+| AppControlCIScriptAudited | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. |
+| AppControlCIScriptBlocked | 8029 | Block script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. |
+| AppControlCodeIntegrityOriginAllowed | 3090 | File was allowed due to good reputation (ISG) or installation source (managed installer). |
+| AppControlCodeIntegrityOriginAudited | 3091 | Reputation (ISG) and installation source (managed installer) information for an audited file. |
+| AppControlCodeIntegrityOriginBlocked | 3092 | Reputation (ISG) and installation source (managed installer) information for a blocked file. |
+| AppControlCodeIntegrityPolicyLoaded | 3099 | Indicates a policy has been successfully loaded. |
+| AppControlCodeIntegritySigningInformation | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. |
+| AppControlPolicyApplied | 8001 | Indicates the AppLocker policy was successfully applied to the computer. |
+
+Learn more about the [Understanding Application Control event IDs (Windows)](event-id-explanations.md)
+
+## Example Advanced Hunting Application Control Queries
+
+Query Example 1: Query the application control action types summarized by type for past seven days
+
 Here's a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint:
 
 ```
@@ -40,7 +69,29 @@ ActionType startswith "AppControl"
 
 The query results can be used for several important functions related to managing WDAC including:
 
-- Assessing the impact of deploying policies in audit mode 
+- Assessing the impact of deploying policies in audit mode
-  Since applications still run in audit mode, it's an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real-world usage. This audit mode data will help streamline the transition to using policies in enforced mode.
+  Since applications still run in audit mode, it's an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced Hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would influence those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode.
 - Monitoring blocks from policies in enforced mode
-  Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation. 
+  Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation.
+
+
+Query Example #2: Query to determine audit blocks in the past seven days
+
+```
+DeviceEvents 
+| where ActionType startswith "AppControlExecutableAudited"
+| where Timestamp > ago(7d)
+|project DeviceId,                               // the device ID where the audit block happened
+FileName,                                        // The audit blocked app's filename
+FolderPath,                                      // The audit blocked app's system path without the FileName
+InitiatingProcessFileName,                       // The file name of the parent process loading the executable
+InitiatingProcessVersionInfoCompanyName,         // The company name of the parent process loading the executable
+InitiatingProcessVersionInfoOriginalFileName,    // The original file name of the parent process loading the executable
+InitiatingProcessVersionInfoProductName,         // The product name of the parent process loading the executable
+InitiatingProcessSHA256,                         // The SHA256 flat hash of the parent process loading the executable
+Timestamp,                                       // The event creation timestamp
+ReportId,                                        // The report ID - randomly generated by MDE AH
+InitiatingProcessVersionInfoProductVersion,      // The product version of the parent process loading the executable
+InitiatingProcessVersionInfoFileDescription,     // The file description of the parent process loading the executable
+AdditionalFields                                 // Additional fields contains FQBN for signed binaries.  These contain the CN of the leaf certificate, product name, original filename and version of the audited binary
+```

windows/whats-new/ltsc/index.md

@@ -42,7 +42,7 @@ The following table summarizes equivalent feature update versions of Windows 10
 > [!NOTE]
 > The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.
 
-With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. 
+With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades, or even skip releases. Microsoft is committed to providing bug fixes and security patches for each LTSC release during the extended LTSC servicing lifecycle. Always check your individual LTSC release to verify its servicing lifecycle. For more information, see [release information](/windows/release-health/release-information), or perform a search on the [product lifecycle information](/lifecycle/products/) page.
 
 > [!IMPORTANT]
 > The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).