From 78ea6aa00821ee7b53c750b61ca6e1c7dc91c027 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 13 Mar 2024 13:00:11 -0700 Subject: [PATCH] Updated policy limit information to reflect current state. Fixed acrolinx issues --- .../design/deploy-multiple-wdac-policies.md | 28 ++++++++----------- .../operations/known-issues.md | 23 +++++++-------- 2 files changed, 22 insertions(+), 29 deletions(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md index 1d76e0e5a9..b9655217a3 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md @@ -2,7 +2,7 @@ title: Use multiple Windows Defender Application Control Policies description: Windows Defender Application Control supports multiple code integrity policies for one device. ms.localizationpriority: medium -ms.date: 07/19/2021 +ms.date: 03/13/2024 ms.topic: article --- @@ -11,17 +11,19 @@ ms.topic: article >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). -Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: +Beginning with Windows 10 version 1903 and Windows Server 2022, you can deploy multiple Windows Defender Application Control (WDAC) policies side-by-side on a device. To allow more than 32 active policies, install the Windows security update released on, or after, March 12, 2024 and then restart the device. With these updates, there's no limit for the number of policies you can deploy at once to a given device. Until you install the Windows security update released on or after March 12, 2024, your device is limited to 32 active policies and you must not exceed that number. + +Here are some common scenarios where multiple side-by-side policies are useful: 1. Enforce and Audit Side-by-Side - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy 2. Multiple Base Policies - Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent - - If two base policies exist on a device, an application has to be allowed by both to run + - If two base policies exist on a device, an application must pass both policies for it to run 3. Supplemental Policies - Users can deploy one or more supplemental policies to expand a base policy - A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy - - For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run + - For supplemental policies, applications allowed by either the base policy or its supplemental policy/policies run > [!NOTE] > Pre-1903 systems do not support the use of Multiple Policy Format WDAC policies. @@ -31,11 +33,11 @@ Prior to Windows 10 1903, Windows Defender Application Control only supported a - Multiple base policies: intersection - Only applications allowed by both policies run without generating block events - Base + supplemental policy: union - - Files that are allowed by either the base policy or the supplemental policy aren't blocked + - Files allowed by either the base policy or the supplemental policy run ## Creating WDAC policies in Multiple Policy Format -In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below example describes the process of creating a new policy in the multiple policy format. +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique values generated for the policy ID and 2) the policy type set as a Base policy. The below example describes the process of creating a new policy in the multiple policy format. ```powershell New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash @@ -55,7 +57,7 @@ Add-SignerRule -FilePath ".\policy.xml" -CertificatePath [-K ### Supplemental policy creation -In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format as shown above. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy. +In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format as shown earlier. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy. - "SupplementsBasePolicyID": GUID of base policy that the supplemental policy applies to - "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to @@ -66,11 +68,11 @@ Set-CIPolicyIdInfo -FilePath ".\supplemental_policy.xml" [-SupplementsBasePolicy ### Merging policies -When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \. +When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy is a base policy with ID \. ## Deploying multiple policies -In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by Microsoft Intune's custom OMA-URI feature. +In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP. ### Deploying multiple policies locally @@ -86,15 +88,9 @@ To deploy policies locally using the new multiple policy format, follow these st Multiple Windows Defender Application Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
-However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. +However, when policies are unenrolled from an MDM server, the CSP attempts to remove every policy not actively deployed, not just the policies added by the CSP. This behavior happens because the system doesn't know what deployment methods were used to apply individual policies. For more information on deploying multiple policies, optionally using Microsoft Intune's custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp). > [!NOTE] > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies. - -### Known Issues in Multiple Policy Format - -* If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b. -* If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit. -* This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot. diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md index 91af264958..fbccba4c71 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md @@ -2,7 +2,7 @@ title: WDAC Admin Tips & Known Issues description: WDAC Known Issues ms.manager: jsuther -ms.date: 11/22/2023 +ms.date: 03/13/2024 ms.topic: article ms.localizationpriority: medium --- @@ -43,32 +43,28 @@ When the WDAC engine evaluates files against the active set of policies on the d 4. Lastly, WDAC makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option. -5. If no explicit rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. +5. Any file not allowed by an explicit rule or based on ISG or MI is blocked implicitly. ## Known issues ### Boot stop failure (blue screen) occurs if more than 32 policies are active -If the maximum number of policies is exceeded, the device will bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. +Until you apply the Windows security update released on or after March 12, 2024, your device is limited to 32 active policies. If the maximum number of policies is exceeded, the device bluescreens referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. To remove the maximum policy limit, install the Windows security update released on, or after, March 12, 2024 and then restart the device. Otherwise, reduce the number of policies on the device to remain below 32 policies. ### Audit mode policies can change the behavior for some apps or cause app crashes -Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that includes the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode: +Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that turns on user mode code integrity (UMCI) with the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode: - Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with WDAC](/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement) for information about individual script host behaviors. - Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. See [WDAC and .NET](/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet#wdac-and-net-hardening). -### Managed Installer and ISG may cause excessive events - -When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events were moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy. - ### .NET native images may generate false positive block events In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. ### Signatures using elliptical curve cryptography (ECC) aren't supported -WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23 on the corresponding 3089 signature information events. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. +WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If WDAC blocks a file based on ECC signatures, the corresponding 3089 signature information events show VerificationError = 23. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. ### MSI installers are treated as user writeable on Windows 10 when allowed by FilePath rule @@ -88,18 +84,19 @@ As a workaround, download the MSI file and run it locally: ```console msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi ``` + ### Slow boot and performance with custom policies -WDAC evaluates all processes that run, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies. +WDAC evaluates all processes that run, including inbox Windows processes. You can cause slower boot times, degraded performance, and possibly boot issues if your policies don't build upon the WDAC templates or don't trust the Windows signers. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies. #### AppId Tagging policy considerations -If the AppId Tagging Policy wasn't built off the WDAC base templates or doesn't allow the Windows in-box signers, you'll notice a significant increase in boot times (~2 minutes). +AppId Tagging policies that aren't built upon the WDAC base templates or don't allow the Windows in-box signers might cause a significant increase in boot times (~2 minutes). -If you can't allowlist the Windows signers, or build off the WDAC base templates, it's recommended to add the following rule to your policies to improve the performance: +If you can't allowlist the Windows signers or build off the WDAC base templates, add the following rule to your policies to improve the performance: :::image type="content" source="../images/known-issue-appid-dll-rule.png" alt-text="Allow all dlls in the policy."::: :::image type="content" source="../images/known-issue-appid-dll-rule-xml.png" alt-text="Allow all dll files in the xml policy."::: -Since AppId Tagging policies evaluate but can't tag dll files, this rule will short circuit dll evaluation and improve evaluation performance. +Since AppId Tagging policies evaluate but can't tag dll files, this rule short circuits dll evaluation and improve evaluation performance.