From 6ad2b380099407d9b8c0a0cc981e7c6dbaf0f347 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 11:20:55 -0700 Subject: [PATCH 01/13] Added formatting to the file. --- .../.vscode/settings.json | 8 ++ .../understanding-wdac-policy-settings.md | 76 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json create mode 100644 windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md diff --git a/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json b/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json new file mode 100644 index 0000000000..ed9462b7e6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json @@ -0,0 +1,8 @@ +{ + "markdownlint.config": { + "MD028": false, + "MD025": { + "front_matter_title": "" + } + } +} \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md new file mode 100644 index 0000000000..e966d5669a --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md 
@@ -0,0 +1,76 @@ +--- +title: Understanding WDAC secure settings. +description: Learn about secure settings in Windows Defender Application Control. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: creator of the word doc +ms.reviewer: jogeurte +ms.author: dansimp +manager: dansimp +ms.date: 10/11/2021 +ms.technology: mde +--- + +# Understanding WDAC Policy Settings +Windows Defender Application Control (WDAC) Policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, and ValueName, as well as a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using [WldpQuerySecurityPolicy].
+ +An example settings section of a WDAC Policy: +```xml + + + + true + + + +``` + +### Example Scenario +An application that may want to restrict its capabilities, when used on a system with an active WDAC policy. Application authors can define a WDAC policy, setting their application queries, in order to disable certain features. For example, if Contoso’s Foo Application wants to disable a risky feature, such as macro execution, they can define a WDAC policy setting, and query for it at runtime. Contoso can then instruct IT administrators to configure the setting in their WDAC policy, if they don’t want Foo Application to execute macros on a system with a WDAC policy.
+ + +### WldpQuerySecurityPolicy +API that queries the secure settings of a WDAC policy. + +#### Syntax +``` C++ +HRESULT WINAPI WldpQuerySecurityPolicy( + _In_ const UNICODE_STRING * Provider, + _In_ const UNICODE_STRING * Key, + _In_ const UNICODE_STRING * ValueName, + _Out_ PWLDP_SECURE_SETTING_VALUE_TYPE ValueType, + _Out_writes_bytes_opt_(*ValueSize) PVOID Value, + _Inout_ PULONG ValueSize) +``` + +#### Parameters +Provider [in] +Setting Provider name. + +Key [in] +Key name of the Key-Value pair under Setting Provider "Provider". + +ValueName [in] +The value name of the "Key-Value" pair. + +ValueType [in, out] +Pointer to receive the value type. + +Value [in, out] +Pointer to a buffer to receive the value. The buffer should be of size “ValueSize”. If this value is NULL, this function will return the required buffer size for Value. + +ValueSize [in, out] +On input, it indicates the buffer size of "Value". On successful return, it indicates the size of data written to Value buffer. + +#### Return Value +This method returns S_OK if successful or a failure code otherwise. + +#### Remarks +See [WDAC Policy Settings] for more information on WDAC policy settings. From 371c645f32e0abf8712d513e98504e14c724c195 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 11:30:01 -0700 Subject: [PATCH 02/13] added new file to index and toc --- .../windows-defender-application-control/TOC.yml | 2 ++ .../windows-defender-application-control/index.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 6e2bbdd64b..47bc7d1ad7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml 
@@ -22,6 +22,8 @@ href: understand-windows-defender-application-control-policy-design-decisions.md - name: Understand WDAC policy rules and file rules href: select-types-of-rules-to-create.md + - name: Understand WDAC secure settings + href: understand-wdac-policy-settings.md items: - name: Allow apps installed by a managed installer href: configure-authorized-apps-deployed-with-a-managed-installer.md diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index ef5892459f..152d5cb75f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -69,6 +69,8 @@ landingContent: links: - text: Understanding policy and file rules url: select-types-of-rules-to-create.md + - text: Understanding WDAC secure settings + url: understanding-wdac-policy-settings.md - linkListType: how-to-guide links: - text: Allow managed installer and configure managed installer rules From 0ff09040b4199de166bd4486c7a9d05545432945 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 12:19:12 -0700 Subject: [PATCH 03/13] removed brackets in wldpquerysecuritypolicy --- .../understanding-wdac-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index e966d5669a..6f583d977a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md 
@@ -19,7 +19,7 @@ ms.technology: mde --- # Understanding WDAC Policy Settings -Windows Defender Application Control (WDAC) Policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, and ValueName, as well as a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using [WldpQuerySecurityPolicy].
+Windows Defender Application Control (WDAC) Policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, and ValueName, as well as a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using WldpQuerySecurityPolicy.
An example settings section of a WDAC Policy: ```xml From 80c417c09fe88702e1623c22c5a1b7ad7468123b Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 13:19:02 -0700 Subject: [PATCH 04/13] updated the author --- .../understanding-wdac-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index 6f583d977a..530c147315 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: creator of the word doc +author: Robert Wait ms.reviewer: jogeurte ms.author: dansimp manager: dansimp From 000a26dc6eabada6db05cb2334017c03caa8c551 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 13:20:20 -0700 Subject: [PATCH 05/13] corrected the md file name --- .../windows-defender-application-control/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 47bc7d1ad7..9cfa2e9982 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml 
@@ -23,7 +23,7 @@ - name: Understand WDAC policy rules and file rules href: select-types-of-rules-to-create.md - name: Understand WDAC secure settings - href: understand-wdac-policy-settings.md + href: understanding-wdac-policy-settings.md items: - name: Allow apps installed by a managed installer href: configure-authorized-apps-deployed-with-a-managed-installer.md From e1834ca4c51520b046f39208eb864de39340bb5d Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 13:24:33 -0700 Subject: [PATCH 06/13] Update understanding-wdac-policy-settings.md --- .../understanding-wdac-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index 530c147315..28eb21e297 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: Robert Wait +author: Robert Waite ms.reviewer: jogeurte ms.author: dansimp manager: dansimp From 59eed88aea573972a8ddd291da37330535aad2e0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 1 Nov 2021 11:58:16 -0700 Subject: [PATCH 07/13] added headers for each parameter section Also removed Robert Waite as author since GitHub doesn't have him listed as an approved author. --- .../understanding-wdac-policy-settings.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index 28eb21e297..9a9fe9f38b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -10,7 +10,6 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: Robert Waite ms.reviewer: jogeurte ms.author: dansimp manager: dansimp @@ -39,7 +38,7 @@ An application that may want to restrict its capabilities, when used on a system ### WldpQuerySecurityPolicy API that queries the secure settings of a WDAC policy. -#### Syntax +### Syntax ``` C++ HRESULT WINAPI WldpQuerySecurityPolicy( _In_ const UNICODE_STRING * Provider, @@ -50,23 +49,23 @@ HRESULT WINAPI WldpQuerySecurityPolicy( _Inout_ PULONG ValueSize) ``` -#### Parameters +### Parameters Provider [in] Setting Provider name. -Key [in] +#### Key [in] Key name of the Key-Value pair under Setting Provider "Provider". -ValueName [in] +#### ValueName [in] The value name of the "Key-Value" pair. -ValueType [in, out] +#### ValueType [in, out] Pointer to receive the value type. -Value [in, out] +#### Value [in, out] Pointer to a buffer to receive the value. The buffer should be of size “ValueSize”. If this value is NULL, this function will return the required buffer size for Value. -ValueSize [in, out] +#### ValueSize [in, out] On input, it indicates the buffer size of "Value". On successful return, it indicates the size of data written to Value buffer. #### Return Value From d40a2d17978763a90dad4e3692e0e9c201fc9186 Mon Sep 17 00:00:00 2001 
From: Kim Klein Date: Mon, 8 Nov 2021 12:21:00 -0800 Subject: [PATCH 08/13] added settings.json to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 9841e0daea..3a642828d6 100644 --- a/.gitignore +++ b/.gitignore @@ -13,6 +13,7 @@ common/ .openpublishing.build.mdproj .openpublishing.buildcore.ps1 packages.config +settings.json # User-specific files .vs/ From 89d1befa026685fa1423ad6f39b1794dd044c12d Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 8 Nov 2021 12:23:08 -0800 Subject: [PATCH 09/13] Deleted settings.json from .vscode --- .../.vscode/settings.json | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json diff --git a/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json b/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json deleted file mode 100644 index ed9462b7e6..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "markdownlint.config": { - "MD028": false, - "MD025": { - "front_matter_title": "" - } - } -} \ No newline at end of file From 305a3a0479a7b601a621f64b5138eddfc2c1c13a Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 9 Nov 2021 12:49:43 -0800 Subject: [PATCH 10/13] Listed jogeurte as the author --- .../understanding-wdac-policy-settings.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index 9a9fe9f38b..d54ed1b819 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance +author: jogeurte ms.reviewer: jogeurte ms.author: dansimp manager: dansimp From cc9e3d5a617417f2fc5ddb8dabbb7499f73c5a7a Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 9 Nov 2021 12:57:38 -0800 Subject: [PATCH 11/13] corrected Jordan's ID in both the author and ms.reviewer fields. --- .../understanding-wdac-policy-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index d54ed1b819..d68f3d6a3f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -10,8 +10,8 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: jogeurte -ms.reviewer: jogeurte +author: jgeurten +ms.reviewer: jgeurten ms.author: dansimp manager: dansimp ms.date: 10/11/2021 From cb274fe19a032751c11fff88e7c9b14438e3b2e7 Mon Sep 17 00:00:00 2001 
From: v-susne <95305712+v-susne@users.noreply.github.com> Date: Fri, 14 Jan 2022 11:49:40 -0800 Subject: [PATCH 12/13] Add latest completed evaluation to Common Criteria Topics The security evaluation team just completed the latest Common Criteria evaluation against Windows Server + Windows 10. Adding the evaluation to the Common Criteria topic, including links to downloadable evaluation documentation (Security Target, Admin Guide, Validation Report, Assurance Activities Report). Using the same format/approach as the rest of the evaluations listed in this topic. --- .../windows-platform-common-criteria.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index d87f9d1dcc..23ab9c183a 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -9,7 +9,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 3/20/2019 +ms.date: 1/14/2022 ms.reviewer: ms.technology: windows-sec --- 
@@ -22,6 +22,14 @@ Microsoft is committed to optimizing the security of its products and services. The product releases below are currently certified against the cited Protection Profile, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/). The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The Administrative Guide provides guidance on configuring the product to match the evaluated configuration. The Certification Report or Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report providing details on the evaluator's actions. +### Microsoft Windows 10, Windows Server version 2004 (May 2020 Update); Microsoft Windows Server Core Datacenter (Azure Frabic Controller); Microsoft Windows Server Core Datacenter (Azure Stack) +Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. 
+ +- [Security Target](https://download.microsoft.com/download/a/5/6/a5650848-e86a-4554-bb13-1ad6ff2d45d2/Windows%2010%202004%20GP%20OS%20Security%20Target.pdf) +- [Administrative Guide](https://download.microsoft.com/download/4/a/6/4a66a459-3c73-4c34-84bb-92cb20301206/Windows%2010%202004%20GP%20OS%20Administrative%20Guide.pdf) +- [Validation Report](https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf) +- [Assurance Activity Report](https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf) + ### Microsoft Windows Server, Windows 10 version 1909 (November 2019 Update), Microsoft Windows Server 2019 (version 1809) Hyper-V Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization. From 98007ce9eb064c8c6581a27002d0ddde5cad7ae8 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 27 Jan 2022 15:14:19 -0800 Subject: [PATCH 13/13] Update understanding-wdac-policy-settings.md --- .../understanding-wdac-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index d68f3d6a3f..fd7b1f528e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md 
@@ -1,5 +1,5 @@ --- -title: Understanding WDAC secure settings. +title: Understanding Windows Defender Application Control (WDAC) secure settings description: Learn about secure settings in Windows Defender Application Control. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
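Review bot: Patch 01/13, the `.vscode/settings.json` hunk: editor-local configuration should not be committed into the docs tree. The file silently disables markdownlint MD028 and overrides MD025 for anyone who opens that folder, and it lands in the published repository; the series itself reverses this in 08/13 and 09/13, so drop the file from this commit (or squash 01, 08 and 09) and, if the lint overrides are genuinely needed, put them in the repository-level markdownlint configuration where reviewers will see them. The file also lacks a trailing newline (`\ No newline at end of file`).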
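Review bot: Patch 01/13, the `understanding-wdac-policy-settings.md` hunk: the XML example under "An example settings section of a WDAC Policy" contains only the literal `true` inside the fence; the `Settings`/`Setting` elements with the Provider, Key and ValueName attributes that the paragraph above describes are not present, so either the markup was swallowed during authoring or the sample was never filled in. Please restore a complete settings block so readers can see how Provider, Key, ValueName and the typed value map onto the policy XML. Same hunk, further points: `[WldpQuerySecurityPolicy]` and `[WDAC Policy Settings]` are Markdown link syntax with no target and will render as bare brackets (03/13 removes one of them instead of linking it); `author: creator of the word doc` is a placeholder that should be resolved before merge rather than across five later commits; the SAL annotations in Syntax (`_Out_ PWLDP_SECURE_SETTING_VALUE_TYPE ValueType`, `_Out_writes_bytes_opt_(*ValueSize) PVOID Value`) contradict the Parameters section, which labels both `[in, out]`; the Value paragraph says a NULL buffer makes the function "return the required buffer size" but does not say where (presumably in `*ValueSize`) or which HRESULT is returned in that case, and Return Value only says "S_OK or a failure code", so the size-query and buffer-too-small cases are undocumented; no header, import library or minimum Windows version is given for the API; and the sentence "Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled" states a precondition that deserves its own sentence, together with what an application may assume about the setting when the policy is not signed or Secure Boot is off. Style: "An application that may want to restrict its capabilities, when used on a system with an active WDAC policy." is a sentence fragment, and the fence info string "``` C++" carries a leading space that some renderers will not recognise as a language tag.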
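Review bot: Patch 02/13, the `TOC.yml` hunk: `href: understand-wdac-policy-settings.md` does not match the file created in 01/13, `understanding-wdac-policy-settings.md`, so the new TOC entry is a broken link until 05/13 corrects it; fix it here and squash 05/13 away. The `index.yml` hunk in the same patch uses the correct file name but a different label ("Understanding WDAC secure settings" versus "Understand WDAC secure settings" in the TOC); pick one wording for both.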
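Review bot: Patches 04/13, 06/13, 07/13, 10/13 and 11/13 each rewrite the `author:` front-matter field (Robert Wait, Robert Waite, removed, jogeurte, jgeurten) and 07/13 leaves the file with no `author:` at all in between; squash these into one commit that sets the final `author: jgeurten` and `ms.reviewer: jgeurten` so the history records a single decision and every intermediate commit builds.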
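Review bot: Patch 07/13, the `@@ -39,7 +38,7 @@` and `@@ -50,23 +49,23 @@` hunks: the heading levels end up inconsistent. `#### Syntax` and `#### Parameters` are promoted to `###`, which puts them at the same level as the `### WldpQuerySecurityPolicy` section they belong to, while `#### Return Value` and `#### Remarks` stay at level 4 and so read as children of Parameters; and `Provider [in]` is the only parameter that does not receive the new `####` heading the other five get. Suggest keeping `###` for the function, `####` for Syntax, Parameters, Return Value and Remarks, and `#####` (or a definition list) for every parameter including Provider.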
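Review bot: Patch 08/13, the `.gitignore` hunk: the bare pattern `settings.json` is unanchored, so it ignores any file by that name anywhere in the repository, including sample configuration a future doc might legitimately want to check in. Use `.vscode/` (or `**/.vscode/settings.json`) to ignore only the editor directory this patch is actually targeting.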
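Review bot: Patch 12/13, the `@@ -22,6 +22,14 @@` hunk: the new heading contains the typo "Azure Frabic Controller" (should be "Fabric"). Also worth checking before merge that the download links resolve as written: the Validation Report URL ends in `Validation%20Reports.pdf` (plural) and the Assurance Activity Report URL ends in `Report-Public%20.pdf`, with an encoded space before the extension, both of which look like filename slips rather than intent.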