Merge pull request #6245 from MicrosoftDocs/master

Publish 01/28/2022, 10:30 AM
2025-05-27 20:57:23 +00:00 · 2022-01-28 10:39:43 -08:00 · 2022-01-28 10:39:43 -08:00 · 85511758d2
commit 85511758d2
parent f5726d8754 58ea6aaad8
5 changed files with 90 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -14,6 +14,7 @@ common/
 .openpublishing.build.mdproj
 .openpublishing.buildcore.ps1
 packages.config
+settings.json

 # User-specific files
 .vs/
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@ -22,6 +22,8 @@
              href: understand-windows-defender-application-control-policy-design-decisions.md
            - name: Understand WDAC policy rules and file rules
              href: select-types-of-rules-to-create.md
+            - name: Understand WDAC secure settings
+              href: understanding-wdac-policy-settings.md
              items: 
                - name: Allow apps installed by a managed installer
                  href: configure-authorized-apps-deployed-with-a-managed-installer.md
--- a/windows/security/threat-protection/windows-defender-application-control/index.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/index.yml
@ -71,6 +71,8 @@ landingContent:
        links:
          - text: Understanding policy and file rules
            url: select-types-of-rules-to-create.md
+          - text: Understanding WDAC secure settings
+            url: understanding-wdac-policy-settings.md
      - linkListType: how-to-guide
        links:
          - text: Allow managed installer and configure managed installer rules
--- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
@ -0,0 +1,76 @@
+---
+title: Understanding Windows Defender Application Control (WDAC) secure settings
+description: Learn about secure settings in Windows Defender Application Control.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: jgeurten
+ms.author: dansimp
+manager: dansimp
+ms.date: 10/11/2021
+ms.technology: mde
+---
+
+# Understanding WDAC Policy Settings
+Windows Defender Application Control (WDAC) Policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, and ValueName, as well as a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using WldpQuerySecurityPolicy. <br/>
+
+An example settings section of a WDAC Policy:
+```xml
+<Settings>
+  <Setting Provider="Contoso" Key="FooApplication" ValueName="DisableMacroExecution">
+    <Value>
+      <Boolean>true</Boolean>
+    </Value>
+  </Setting>
+</Settings>
+```
+
+### Example Scenario
+An application that may want to restrict its capabilities, when used on a system with an active WDAC policy. Application authors can define a WDAC policy, setting their application queries, in order to disable certain features. For example, if Contoso’s Foo Application wants to disable a risky feature, such as macro execution, they can define a WDAC policy setting, and query for it at runtime. Contoso can then instruct IT administrators to configure the setting in their WDAC policy, if they don’t want Foo Application to execute macros on a system with a WDAC policy.<br/>
+
+
+### WldpQuerySecurityPolicy
+API that queries the secure settings of a WDAC policy.
+
+### Syntax
+``` C++
+HRESULT WINAPI WldpQuerySecurityPolicy(
+    _In_ const UNICODE_STRING * Provider,
+    _In_ const UNICODE_STRING * Key,
+    _In_ const UNICODE_STRING * ValueName,
+    _Out_ PWLDP_SECURE_SETTING_VALUE_TYPE ValueType,
+    _Out_writes_bytes_opt_(*ValueSize) PVOID Value,
+    _Inout_ PULONG ValueSize)
+```
+
+### Parameters
+Provider [in]
+Setting Provider name.
+
+#### Key [in]
+Key name of the Key-Value pair under Setting Provider "Provider".
+
+#### ValueName [in]
+The value name of the "Key-Value" pair.
+
+#### ValueType [in, out]
+Pointer to receive the value type.
+
+#### Value [in, out]
+Pointer to a buffer to receive the value. The buffer should be of size “ValueSize”. If this value is NULL, this function will return the required buffer size for Value.
+
+#### ValueSize [in, out]
+On input, it indicates the buffer size of "Value". On successful return, it indicates the size of data written to Value buffer.
+
+#### Return Value
+This method returns S_OK if successful or a failure code otherwise.
+
+#### Remarks
+See [WDAC Policy Settings] for more information on WDAC policy settings. 
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@ -9,7 +9,7 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 3/20/2019
+ms.date: 1/14/2022
 ms.reviewer: 
 ms.technology: windows-sec
 ---
@ -22,6 +22,14 @@ Microsoft is committed to optimizing the security of its products and services.

 The product releases below are currently certified against the cited Protection Profile, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/).  The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation.  The Administrative Guide provides guidance on configuring the product to match the evaluated configuration.  The Certification Report or Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report providing details on the evaluator's actions.

+### Microsoft Windows 10, Windows Server version 2004 (May 2020 Update); Microsoft Windows Server Core Datacenter (Azure Frabic Controller); Microsoft Windows Server Core Datacenter (Azure Stack)
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.
+
+- [Security Target](https://download.microsoft.com/download/a/5/6/a5650848-e86a-4554-bb13-1ad6ff2d45d2/Windows%2010%202004%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/4/a/6/4a66a459-3c73-4c34-84bb-92cb20301206/Windows%2010%202004%20GP%20OS%20Administrative%20Guide.pdf)
+- [Validation Report](https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf)
+
 ### Microsoft Windows Server, Windows 10 version 1909 (November 2019 Update), Microsoft Windows Server 2019 (version 1809) Hyper-V
 Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization.