Merge pull request #8659 from MicrosoftDocs/main

Publish main to live, Wednesday 10:30 AM PDT, 8/2
2025-06-27 16:23:36 +00:00 · 2023-08-02 13:46:14 -04:00
parent 6ba11dc099 b6b00b1126
commit 82d88a9592
6 changed files with 64 additions and 17 deletions
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@ -80,6 +80,11 @@
      "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines",
      "redirect_document_id": false
    },
+    {
+      "source_path": "windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md",
+      "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
+      "redirect_document_id": false
+    },
    {
      "source_path": "windows/security/apps.md",
      "redirect_url": "/windows/security/application-security",
--- a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
+++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
@ -55,8 +55,8 @@
              href: design/create-wdac-policy-using-reference-computer.md
            - name: Create a WDAC deny list policy
              href: design/create-wdac-deny-policy.md
-            - name: Microsoft recommended block rules
-              href: design/microsoft-recommended-block-rules.md
+            - name: Applications that can bypass WDAC and how to block them
+              href: design/applications-that-can-bypass-wdac.md
            - name: Microsoft recommended driver block rules
              href: design/microsoft-recommended-driver-block-rules.md
        - name: Use the WDAC Wizard tool
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md
@ -1,15 +1,15 @@
 ---
-title: Microsoft recommended block rules
+title: Applications that can bypass WDAC and how to block them
 description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.
 ms.localizationpriority: medium
 ms.date: 06/14/2023
 ms.topic: reference
 ---

-# Microsoft recommended block rules
+# Applications that can bypass WDAC and how to block them

->[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).

 Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass WDAC.

--- a/windows/security/application-security/application-control/windows-defender-application-control/index.yml
+++ b/windows/security/application-security/application-control/windows-defender-application-control/index.yml
@ -33,8 +33,8 @@ landingContent:
        links:
          - text: Using code signing to simplify application control
            url: deployment/use-code-signing-for-better-control-and-protection.md
-          - text: Microsoft's Recommended Blocklist
-            url: design/microsoft-recommended-block-rules.md
+          - text: Applications that can bypass WDAC and how to block them
+            url: design/applications-that-can-bypass-wdac.md
          - text: Microsoft's Recommended Driver Blocklist
            url: design/microsoft-recommended-driver-block-rules.md
          - text: Example WDAC policies
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
@ -47,7 +47,7 @@ Smart App Control is only available on clean installation of Windows 11 version

 ### Smart App Control Enforced Blocks

-Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
+Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:

 - Infdefaultinstall.exe
 - Microsoft.Build.dll
--- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@ -1,19 +1,25 @@
 ---
-title: How to configure Diffie Hellman protocol over IKEv2 VPN connections
-description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 09/23/2021
+title: How to configure cryptographic settings for IKEv2 VPN connections
+description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
+ms.date: 06/28/2023
 ms.topic: how-to
 ---

-# How to configure Diffie Hellman protocol over IKEv2 VPN connections
+# How to configure cryptographic settings for IKEv2 VPN connections

-In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.
+In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are:
+
+- Encryption Algorithm           : DES3  
+- Integrity, Hash Algorithm      : SHA1  
+- Diffie Hellman Group (Key Size): DH2
+
+These settings aren't secure for IKE exchanges.  

 To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.

 ## VPN server

-For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.
+For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. These settings are effective for all IKEv2 VPN connections.

 ```powershell
 Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
@ -30,7 +36,43 @@ Set-VpnServerIPsecConfiguration -CustomPolicy
 For VPN client, you need to configure each VPN connection. 
 For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps&preserve-view=true) and specify the name of the connection:

-
 ```powershell
 Set-VpnConnectionIPsecConfiguration -ConnectionName <String>
 ```
+
+## IKEv2 Crypto Settings Example
+
+The following commands configure the IKEv2 cryptographic settings to:  
+
+- Encryption Algorithm           : AES128  
+- Integrity, Hash Algorithm      : SHA256  
+- Diffie Hellman Group (Key Size): DH14  
+
+### IKEv2 VPN Server  
+
+```powershell
+Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000  
+restart-service RemoteAccess -PassThru
+```
+
+If you need to switch back to the default IKEv2 settings, use this command:
+
+```powershell
+Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault  
+restart-service RemoteAccess -PassThru
+```
+
+### IKEv2 VPN Client  
+
+```powershell
+Set-VpnConnectionIPsecConfiguration -ConnectionName <String - your VPN connection name> -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force
+```
+
+If you need to switch back to the default IKEv2 settings, use this command:
+
+```powershell
+Set-VpnConnectionIPsecConfiguration -ConnectionName <String - your VPN connection name> -RevertToDefault -Force
+```
+
+> [!TIP]  
+> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.