restart re-org

windows/security/threat-protection/TOC.md

@@ -0,0 +1,321 @@
+# [Threat protection](index.md)
+
+
+## [The Windows Defender Security Center app](windows-defender-security-center\windows-defender-security-center.md)
+### [Customize the Windows Defender Security Center app for your organization](windows-defender-security-center\wdsc-customize-contact-information.md)
+### [Hide Windows Defender Security Center app notifications](windows-defender-security-center\wdsc-hide-notifications.md)
+### [Virus and threat protection](windows-defender-security-center\wdsc-virus-threat-protection.md)
+### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
+### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
+### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
+### [Family options](windows-defender-security-center\wdsc-family-options.md)
+
+
+
+
+
+
+## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
+### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
+### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
+### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
+### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
+### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+##### [Configure endpoints using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
+##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
+#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
+### [Use the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Security analytics dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+#### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
+#### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
+##### [Alert process tree](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
+##### [Incident graph](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph)
+##### [Alert timeline](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline)
+#### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md)
+#### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md)
+#### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
+#### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
+#### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
+##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+###### [Search for specific events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+#### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
+#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
+#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
+##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+###### [Release machine from isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+###### [Remove file from quarantine](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+###### [Block files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+###### [Remove file from blocked list](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+###### [Check activity details in Action center](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+###### [Deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
+#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+#### [Configure Splunk to pull alerts](windows-defender-atp\configure-splunk-windows-defender-advanced-threat-protection.md)
+#### [Configure HP ArcSight to pull alerts](windows-defender-atp\configure-arcsight-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP alert API fields](windows-defender-atp\api-portal-mapping-windows-defender-advanced-threat-protection.md)
+#### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+#### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md)
+#### [PowerShell code examples](windows-defender-atp\powershell-example-code-windows-defender-advanced-threat-protection.md)
+#### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
+#### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
+#### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
+##### Actor
+###### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
+###### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+##### Alerts
+###### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+##### Domain
+######  [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+##### File
+###### [Block file API](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md)
+###### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
+###### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
+###### [Get FileActions collection API](windows-defender-atp\get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Unblock file API](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md)
+
+##### IP
+###### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+##### Machines
+###### [Collect investigation package API](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md)
+###### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineAction object API](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineActions collection API](windows-defender-atp\get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+###### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get MachineAction object API](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get MachineActions collection API](windows-defender-atp\get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get package SAS URI API](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+###### [Isolate machine API](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Release machine from isolation API](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Remove app restriction API](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Request sample API](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md)
+###### [Restrict app execution API](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Run antivirus scan API](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine file API](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+
+
+##### User
+###### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+###### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
+###### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
+#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+### [Configure Windows Defender ATP preferences settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+#### [Update general settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md)
+#### [Turn on advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+#### [Turn on preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md)
+#### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
+#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+#### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
+
+### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
+### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
+### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
+### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
+##	[Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
+
+### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+
+### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+#### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+
+
+### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+
+
+### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
+#### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
+##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
+#### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
+##### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
+#### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
+##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
+##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
+##### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
+##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
+##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+
+### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
+#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
+##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
+##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
+##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
+##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
+#### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
+##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
+##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
+##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
+
+
+### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
+#### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
+##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
+##### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+##### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
+#### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
+#### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
+#### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
+#### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
+#### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
+#### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+
+
+### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+
+
+
+### [Reference topics for management and configuration tools](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
+#### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
+#### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
+#### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
+#### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
+#### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+
+
+
+## [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
+### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
+#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
+
+### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
+#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
+#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
+#### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
+#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
+##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md)
+### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
+#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
+#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
+#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
+### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
+#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
+#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
+#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
+### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
+#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
+#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
+#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+
+
+## [Windows Defender Application Control](windows-defender-application-control.md)
+
+
+## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)
+### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
+### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)
+
+##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md)
+###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md)
+###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md)
+###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md)
+###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md)
+###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md)
+
+## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
+### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
+#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
+##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md)
+##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
+#### [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
+##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
+##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
+#### [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md)
+### [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
+#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
+### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
+### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md)
+### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md)
+### [Testing scenarios for Windows Information Protection (WIP)](windows-information-protection\testing-scenarios-for-wip.md)
+### [Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md)
+### [How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md)
+### [General guidance and best practices for Windows Information Protection (WIP)](windows-information-protection\guidance-and-best-practices-wip.md)
+#### [Enlightened apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)
+#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md)
+#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md)
+#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
+
+## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
+
+## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
+
+## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
+
+## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
+
+## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
+
+## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
+
+## [Change history for Threat Protection](change-history-for-threat-protection.md)

windows/security/threat-protection/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md

@@ -0,0 +1,25 @@
+---
+title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10)
+description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
+ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Add rules for packaged apps to existing AppLocker rule-set
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
+
+You can create packaged app rules for the computers running Windows Server 2012 or Windows 8 and later in your domain by updating your existing AppLocker rule set. All you need is a computer running at least Windows 8. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center.
+
+RSAT comes with the Group Policy Management Console which allows you to edit the GPO or GPOs where your existing AppLocker policy are authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8.
+ 
+ 

windows/security/threat-protection/applocker/administer-applocker.md

@@ -0,0 +1,69 @@
+---
+title: Administer AppLocker (Windows 10)
+description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
+ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Administer AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
+
+AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can:
+
+-   Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
+-   Assign a rule to a security group or an individual user.
+-   Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe).
+-   Use audit-only mode to deploy the policy and understand its impact before enforcing it.
+-   Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten.
+-   Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets.
+> **Note**  For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
+ 
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. |
+| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. |
+| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. |
+| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. |
+| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. |
+| [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) | This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. |
+| [Optimize AppLocker performance](optimize-applocker-performance.md) | This topic for IT professionals describes how to optimize AppLocker policy enforcement. |
+| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. |
+| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. |
+| [Working with AppLocker rules](working-with-applocker-rules.md) | This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. |
+| [Working with AppLocker policies](working-with-applocker-policies.md) | This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. |
+
+## <a href="" id="bkmk-using-snapins"></a>Using the MMC snap-ins to administer AppLocker
+
+You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc).
+
+### Administer Applocker using Group Policy
+
+You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.
+
+1.  Open the Group Policy Management Console (GPMC).
+2.  Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click **Edit**.
+3.  In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for.
+
+### Administer AppLocker on the local PC
+
+1.  Click **Start**, type **local security policy**, and then click **Local Security Policy**.
+2.  If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+3.  In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for.
+
+## Using Windows PowerShell to administer AppLocker
+
+For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](http://technet.microsoft.com/library/hh847210.aspx).
+ 
+ 

windows/security/threat-protection/applocker/applocker-architecture-and-components.md

@@ -0,0 +1,41 @@
+---
+title: AppLocker architecture and components (Windows 10)
+description: This topic for IT professional describes AppLocker’s basic architecture and its major components.
+ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# AppLocker architecture and components
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professional describes AppLocker’s basic architecture and its major components.
+
+AppLocker relies on the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions.
+
+AppLocker provides three ways to intercept and validate if a file is allowed to execute according to an AppLocker policy.
+
+**A new process is created**
+
+When a new process is created, such as an executable file or a Universal Windows app is run, AppLocker invokes the Application Identity component to calculate the attributes of the main executable file used to create a new process. It then updates the new process's token with these attributes and checks the AppLocker policy to verify that the executable file is allowed to run.
+
+**A DLL is loaded**
+
+When a new DLL loads, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces those Application Identity attributes in the duplicated token with attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process.
+
+**A script is run**
+
+Before a script file is run, the script host (for example. for .ps1 files the script host is PowerShell) invokes AppLocker to verify the script. AppLocker invokes the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it is allowed to run. In each case, the actions taken by AppLocker are written to the event log.
+
+## Related topics
+
+- [AppLocker technical reference](applocker-technical-reference.md)
+ 
+ 

windows/security/threat-protection/applocker/applocker-functions.md

@@ -0,0 +1,52 @@
+---
+title: AppLocker functions (Windows 10)
+description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
+ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# AppLocker functions
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
+
+## Functions
+
+The following list includes the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2 and links to current documentation on MSDN:
+
+-   [SaferGetPolicyInformation Function](https://go.microsoft.com/fwlink/p/?LinkId=159781)
+-   [SaferCreateLevel Function](https://go.microsoft.com/fwlink/p/?LinkId=159782)
+-   [SaferCloseLevel Function](https://go.microsoft.com/fwlink/p/?LinkId=159783)
+-   [SaferIdentifyLevel Function](https://go.microsoft.com/fwlink/p/?LinkId=159784)
+-   [SaferComputeTokenFromLevel Function](https://go.microsoft.com/fwlink/p/?LinkId=159785)
+-   [SaferGetLevelInformation Function](https://go.microsoft.com/fwlink/p/?LinkId=159787)
+-   [SaferRecordEventLogEntry Function](https://go.microsoft.com/fwlink/p/?LinkId=159789)
+-   [SaferiIsExecutableFileType Function](https://go.microsoft.com/fwlink/p/?LinkId=159790)
+
+## Security level ID
+
+AppLocker and SRP use the security level IDs to stipulate the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker.
+
+| Security level ID | SRP | AppLocker |
+| - | - | - |
+| SAFER_LEVELID_FULLYTRUSTED | Supported | Supported | 
+| SAFER_LEVELID_NORMALUSER | Supported | Not supported |
+| SAFER_LEVELID_CONSTRAINED | Supported | Not supported |
+| SAFER_LEVELID_UNTRUSTED | Supported | Not supported |
+| SAFER_LEVELID_DISALLOWED | Supported | Supported | 
+ 
+In addition, URL zone ID is not supported in AppLocker.
+
+## Related topics
+
+- [AppLocker technical reference](applocker-technical-reference.md)
+ 
+ 

windows/security/threat-protection/applocker/applocker-overview.md

@@ -0,0 +1,138 @@
+---
+title: AppLocker (Windows 10)
+description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
+ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: brianlic-msft
+ms.date: 10/16/2017
+---
+
+# AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
+
+AppLocker can help you:
+
+-   Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
+-   Assign a rule to a security group or an individual user.
+-   Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe).
+-   Use audit-only mode to deploy the policy and understand its impact before enforcing it.
+-   Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
+-   Simplify creating and managing AppLocker rules by using Windows PowerShell.
+
+AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. AppLocker addresses the following app security scenarios:
+
+-   **Application inventory**
+
+    AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
+
+-   **Protection against unwanted software**
+
+    AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that are not included in the allowed rules are blocked from running.
+
+-   **Licensing conformance**
+
+    AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.
+
+-   **Software standardization**
+
+    AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment.
+
+-   **Manageability improvement**
+
+    AppLocker includes a number of improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
+
+
+## When to use AppLocker
+
+In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.
+
+However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run.
+Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, AppLocker helps prevent such per-user apps from running. Because AppLocker can control DLLs, it is also useful to control who can install and run ActiveX controls.
+
+AppLocker is ideal for organizations that currently use Group Policy to manage their PCs.
+
+The following are examples of scenarios in which AppLocker can be used:
+
+-   Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
+-   An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
+-   The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
+-   The license to an app has been revoked or it is expired in your organization, so you need to prevent it from being used by everyone.
+-   A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
+-   Specific software tools are not allowed within the organization, or only specific users should have access to those tools.
+-   A single user or small group of users needs to use a specific app that is denied for all others.
+-   Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
+-   In addition to other measures, you need to control the access to sensitive data through app usage.
+
+AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
+
+## System requirements
+
+AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. Group Policy is required to distribute Group Policy Objects that contain AppLocker policies. For more info, see [Requirements to Use AppLocker](requirements-to-use-applocker.md).
+
+AppLocker rules can be created on domain controllers.
+
+## Installing AppLocker
+
+AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
+
+> **Note:**  The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
+ 
+### Using AppLocker on Server Core
+
+AppLocker on Server Core installations is not supported.
+
+### Virtualization considerations
+
+You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you do risk losing the policies that you created and maintain if the virtualized instance is removed or fails.
+
+### Security considerations
+
+Application control policies specify which apps are allowed to run on the local computer.
+
+The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
+
+The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers.
+
+A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
+
+For additional information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md).
+
+When you use AppLocker to create application control policies, you should be aware of the following security considerations:
+
+-   Who has the rights to set AppLocker policies?
+-   How do you validate that the policies are enforced?
+-   What events should you audit?
+
+For reference in your security planning, the following table identifies the baseline settings for a PC with AppLocker installed:
+
+| Setting | Default value |
+| - | - |
+| Accounts created | None |
+| Authentication method | Not applicable | 
+| Management interfaces | AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell |
+| Ports opened | None | 
+| Minimum privileges required | Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects. |
+| Protocols used | Not applicable | 
+| Scheduled Tasks | Appidpolicyconverter.exe is put in a scheduled task to be run on demand. |
+| Security Policies | None required. AppLocker creates security policies. | 
+| System Services required |Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. |
+| Storage of credentials | None | 
+ 
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Administer AppLocker](administer-applocker.md) | This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. |
+| [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
+| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
+| [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. |
+

windows/security/threat-protection/applocker/applocker-policies-deployment-guide.md

@@ -0,0 +1,55 @@
+---
+title: AppLocker deployment guide (Windows 10)
+description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
+ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+
+# AppLocker deployment guide
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
+
+This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change.
+
+This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see [Using Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) in this guide. To understand if AppLocker is the correct application control solution for you, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
+
+## Prerequisites to deploying AppLocker policies
+
+The following are prerequisites or recommendations to deploying policies:
+
+-   Understand the capabilities of AppLocker:
+    -   [AppLocker](applocker-overview.md)
+-   Document your application control policy deployment plan by addressing these tasks:
+    -   [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
+    -   [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
+    -   [Determine your application control objectives](determine-your-application-control-objectives.md)
+    -   [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+    -   [Select types of rules to create](select-types-of-rules-to-create.md)
+    -   [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+    -   [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+    -   [Create your AppLocker planning document](create-your-applocker-planning-document.md)
+
+## Contents of this guide
+
+This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running any of the supported versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) | This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. |
+| [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) | This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. |
+| [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) | This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. |
+| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. |
+| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. |
+

windows/security/threat-protection/applocker/applocker-policies-design-guide.md

@@ -0,0 +1,39 @@
+---
+title: AppLocker design guide (Windows 10)
+description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
+ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# AppLocker design guide
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
+
+This guide provides important designing and planning information for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group.
+
+This guide does not cover the deployment of application control policies by using Software Restriction Policies (SRP). However, SRP is discussed as a deployment option in conjunction with AppLocker policies. For info about these options, see [Determine your application control objectives](determine-your-application-control-objectives.md).
+
+To understand if AppLocker is the correct application control solution for your organization, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. |
+| [Determine your application control objectives](determine-your-application-control-objectives.md) | This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. |
+| [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. |
+| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using AppLocker. |
+| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you are planning to deploy AppLocker rules. |
+| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |
+| [Create your AppLocker planning document](create-your-applocker-planning-document.md) | This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. | 
+ 
+After careful design and detailed planning, the next step is to deploy AppLocker policies. [AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
+ 

windows/security/threat-protection/applocker/applocker-policy-use-scenarios.md

@@ -0,0 +1,64 @@
+---
+title: AppLocker policy use scenarios (Windows 10)
+description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
+ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# AppLocker policy use scenarios
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
+
+AppLocker can help you improve the management of application control and the maintenance of application control policies. Application control scenarios addressed by AppLocker can be categorized as follows:
+
+1.  **App inventory**
+
+    AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is collected in event logs for further analysis. Windows PowerShell cmdlets are also available to help you understand app usage and access.
+
+2.  **Protection against unwanted software**
+
+    AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app is not specifically identified by its publisher, installation path, or file hash, the attempt to run the application fails.
+
+3.  **Licensing conformance**
+
+    AppLocker can provide an inventory of software usage within your organization, so you can identify the software that corresponds to your software licensing agreements and restrict application usage based on licensing agreements.
+
+4.  **Software standardization**
+
+    AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment.
+
+5.  **Manageability improvement**
+
+    AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use 
+    the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers.
+
+### Use scenarios
+
+The following are examples of scenarios in which AppLocker can be used:
+
+-   Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage.
+-   The security policy for application usage has changed, and you need to evaluate where and when those deployed apps are being accessed.
+-   Your organization's security policy dictates the use of only licensed software, so you need to determine which apps are not licensed or prevent unauthorized users from running licensed software.
+-   An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
+-   Your organization needs to restrict the use of Universal Windows apps to just those your organization approves of or develops.
+-   The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
+-   The license to an app has been revoked or is expired in your organization, so you need to prevent it from being used by everyone.
+-   A new app or a new version of an app is deployed, and you need to allow certain groups to use it.
+-   Specific software tools are not allowed within the organization, or only specific users have access to those tools.
+-   A single user or small group of users needs to use a specific app that is denied for all others.
+-   Some computers in your organization are shared by people who have different software usage needs.
+-   In addition to other measures, you need to control the access to sensitive data through app usage.
+
+## Related topics
+- [AppLocker technical reference](applocker-technical-reference.md)
+ 
+ 

windows/security/threat-protection/applocker/applocker-processes-and-interactions.md

@@ -0,0 +1,100 @@
+---
+title: AppLocker processes and interactions (Windows 10)
+description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
+ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# AppLocker processes and interactions
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
+
+## How policies are implemented by AppLocker
+
+AppLocker policies are collections of AppLocker rules that might contain any one of the enforcement settings configured. When applied, each rule is evaluated within the policy and the collection of rules is applied according to the enforcement setting and according to your Group Policy structure.
+
+The AppLocker policy is enforced on a computer through the Application Identity service, which is the engine that evaluates the policies. If the service is not running, policies will not be enforced. The Application Identity service returns the information from the binary—even if product or binary names are empty—to the results pane of the Local Security Policy snap-in.
+
+AppLocker policies are stored in a security descriptor format according to Application Identity service requirements. It uses file path, hash, or fully qualified binary name attributes to form allow or deny actions on a rule. Each rule is stored as an access control entry (ACE) in the security descriptor and contains the following information:
+
+-   Either an allow or a deny ACE ("XA" or "XD" in security descriptor definition language (SDDL) form).
+-   The user security identifier (SID) that this rule is applicable to. (The default is the authenticated user SID, or "AU" in SDDL.)
+-   The rule condition containing the **appid** attributes.
+
+For example, an SDDL for a rule that allows all files in the %windir% directory to run uses the following format: XA;;FX;;;AU;(APPID://PATH == "%windir%\\\*").
+
+An AppLocker policy for DLLs and executable files is read and cached by kernel mode code, which is part of appid.sys. Whenever a new policy is applied, appid.sys is notified by a policy converter task. For other file types, the AppLocker policy is read every time a **SaferIdentifyLevel** call is made.
+
+### Understanding AppLocker rules
+
+An AppLocker rule is a control placed on a file to govern whether or not it is allowed to run for a specific user or group. Rules apply to five different types, or collections, of files:
+
+-   An executable rule controls whether a user or group can run an executable file. Executable files most often have the .exe or .com file name extensions and apply to applications.
+-   A script rule controls whether a user or group can run scripts with a file name extension of .ps1, .bat, .cmd, .vbs, and .js.
+-   A Windows Installer rule controls whether a user or group can run files with a file name extension of .msi, mst and .msp (Windows Installer patch).
+-   A DLL rule controls whether a user or group can run files with a file name extension of .dll and .ocx.
+-   A packaged app and packaged app installer rule controls whether a user or group can run or install a packaged app. A Packaged app installer has the .appx extension.
+
+There are three different types of conditions that can be applied to rules:
+
+-   A publisher condition on a rule controls whether a user or group can run files from a specific software publisher. The file must be signed.
+-   A path condition on a rule controls whether a user or group can run files from within a specific directory or its subdirectories.
+-   A file hash condition on a rule controls whether a user or group can run files with matching encrypted hashes.
+
+-   [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
+
+    An AppLocker rule collection is a set of rules that apply to one of the following types: executable files, Windows Installer files, scripts, DLLs, and packaged apps.
+
+-   [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
+
+    Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash.
+
+    -   [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
+    -   [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
+    -   [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
+-   [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+
+    AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.
+
+    -   [Executable rules in AppLocker](executable-rules-in-applocker.md)
+    -   [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
+    -   [Script rules in AppLocker](script-rules-in-applocker.md)
+    -   [DLL rules in AppLocker](dll-rules-in-applocker.md)
+    -   [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
+-   [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
+
+    You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow only a subset of a user group to use an application, you can create a special rule for that subset.
+
+-   [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) and [Understanding AppLocker allow and deny actions on Rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
+
+    Each AppLocker rule collection functions as an allowed list of files.
+
+### Understanding AppLocker policies
+
+An AppLocker policy is a set of rule collections and their corresponding configured enforcement settings that have been applied to one or more computers.
+
+-   [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
+
+    Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced.
+
+### Understanding AppLocker and Group Policy
+
+Group Policy can be used to create, modify, and distribute AppLocker policies in separate objects or in combination with other policies.
+
+-   [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
+
+    When Group Policy is used to distribute AppLocker policies, rule collections that are not configured will be enforced. Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules. 
+    AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied.
+
+## Related topics
+
+- [AppLocker technical reference](applocker-technical-reference.md)

windows/security/threat-protection/applocker/applocker-settings.md

@@ -0,0 +1,35 @@
+---
+title: AppLocker settings (Windows 10)
+description: This topic for the IT professional lists the settings used by AppLocker.
+ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# AppLocker settings
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional lists the settings used by AppLocker.
+
+The following table describes the settings and values used by AppLocker.
+
+| Setting | Value |
+| - | - |
+| Registry path | Policies are stored in **HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2** |
+| Firewall ports | Not applicable | 
+| Security policies | Custom created, no default | 
+| Group Policy settings | Custom created, no default |
+| Network ports | Not applicable | 
+| Service accounts | Not applicable | 
+| Performance counters | Not applicable | 
+ 
+## Related topics
+
+- [AppLocker technical reference](applocker-technical-reference.md)

windows/security/threat-protection/applocker/applocker-technical-reference.md

@@ -0,0 +1,35 @@
+---
+title: AppLocker technical reference (Windows 10)
+description: This overview topic for IT professionals provides links to the topics in the technical reference.
+ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# AppLocker technical reference
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This overview topic for IT professionals provides links to the topics in the technical reference.
+AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [What Is AppLocker?](what-is-applocker.md) | This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. |
+| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. |
+| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. |
+| [How AppLocker works](how-applocker-works-techref.md) | This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. |
+| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLocker’s basic architecture and its major components. | 
+| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. | 
+| [AppLocker functions](applocker-functions.md) | This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. | 
+| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. | 
+| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This topic for the IT professional describes the tools available to create and administer AppLocker policies. | 
+| [AppLocker Settings](applocker-settings.md) | This topic for the IT professional lists the settings used by AppLocker. | 

windows/security/threat-protection/applocker/configure-an-applocker-policy-for-audit-only.md

@@ -0,0 +1,34 @@
+---
+title: Configure an AppLocker policy for audit only (Windows 10)
+description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.
+ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Configure an AppLocker policy for audit only
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.
+
+After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**.
+
+When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
+
+>**Note:**  There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).
+ 
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To audit rule collections**
+
+1.  From the AppLocker console, right-click **AppLocker**, and then click **Properties**.
+2.  On the **Enforcement** tab, select the **Configured** check box for the rule collection that you want to enforce, and then verify that **Audit only** is selected in the list for that rule collection.
+3.  Repeat the above step to configure the enforcement setting to **Audit only** for additional rule collections.
+4.  Click **OK**.

windows/security/threat-protection/applocker/configure-an-applocker-policy-for-enforce-rules.md

@@ -0,0 +1,33 @@
+---
+title: Configure an AppLocker policy for enforce rules (Windows 10)
+description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
+ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Configure an AppLocker policy for enforce rules
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
+
+>**Note:**  When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited.
+ 
+For info about how AppLocker policies are applied within a GPO structure, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md).
+
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To enable the Enforce rules enforcement setting**
+
+1.  From the AppLocker console, right-click **AppLocker**, and then click **Properties**.
+2.  On the **Enforcement** tab of the **AppLocker Properties** dialog box, select the **Configured** check box for the rule collection that you are editing, and then verify that **Enforce rules** is selected.
+3.  Click **OK**.
+
+For info about viewing the events generated from rules enforcement, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).

windows/security/threat-protection/applocker/configure-exceptions-for-an-applocker-rule.md

@@ -0,0 +1,37 @@
+---
+title: Add exceptions for an AppLocker rule (Windows 10)
+description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.
+ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Add exceptions for an AppLocker rule
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.
+
+Rule exceptions allow you to specify files or folders to exclude from the rule. For more information about exceptions, see [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md).
+
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To configure exceptions for a rule**
+
+1.  Open the AppLocker console.
+2.  Expand the rule collection, right-click the rule that you want to configure exceptions for, and then click **Properties**.
+3.  Click the **Exceptions** tab.
+4.  In the **Add exception** box, select the rule type that you want to create, and then click **Add**.
+
+    -   For a publisher exception, click **Browse**, select the file that contains the publisher to exclude, and then click **OK**.
+    -   For a path exception, choose the file or folder path to exclude, and then click **OK**.
+    -   For a file hash exception, edit the file hash rule, and click **Remove**.
+    -   For a packaged apps exception, click **Add** to create the exceptions based on reference app and rule scope.
+ 
+ 

windows/security/threat-protection/applocker/configure-the-appLocker-reference-device.md

@@ -0,0 +1,51 @@
+---
+title: Configure the AppLocker reference device (Windows 10)
+description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
+ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Configure the AppLocker reference device
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
+
+An AppLocker reference device that is used for the development and deployment of AppLocker policies should mimic the directory structure and corresponding applications in the organizational unit (OU) or business group for the production environment. On a reference device, you can:
+
+-   Maintain an application list for each business group.
+-   Develop AppLocker policies by creating individual rules or by creating a policy by automatically generating rules.
+-   Create the default rules to allow the Windows system files to run properly.
+-   Run tests and analyze the event logs to determine the affect of the policies that you intend to deploy.
+
+The reference device does not need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
+
+>**Warning:**  Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected.
+ 
+**To configure a reference device**
+
+1.  If the operating system is not already installed, install one of the supported editions of Windows on the device.
+
+    >**Note:**  If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device
+     
+2.  Configure the administrator account.
+
+    To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have been delegated privileges to use Group Policy to update a Group Policy Object (GPO).
+
+3.  Install all apps that run in the targeted business group or OU by using the same directory structure.
+
+    The reference device should be configured to mimic the structure of your production environment. It depends on having the same apps in the same directories to accurately create the rules.
+
+### See also
+
+-   After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this, see [Working with AppLocker rules](working-with-applocker-rules.md).
+-   [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
+ 
+ 

windows/security/threat-protection/applocker/configure-the-application-identity-service.md

@@ -0,0 +1,41 @@
+---
+title: Configure the Application Identity service (Windows 10)
+description: This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.
+ms.assetid: dc469599-37fd-448b-b23e-5b8e4f17e561
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Configure the Application Identity service
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.
+
+The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced.
+
+>**Important:**  When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file.
+ 
+**To start the Application Identity service automatically using Group Policy**
+
+1.  On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC).
+2.  Locate the GPO to edit, right-click the GPO, and then click **Edit**.
+3.  In the console tree under **Computer Configuration\\Windows Settings\\Security Settings**, click **System Services**.
+4.  In the details pane, double-click **Application Identity**.
+5.  In **Application Identity Properties**, configure the service to start automatically.
+
+Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
+
+**To start the Application Identity service manually**
+
+1.  Right-click the taskbar, and click **Task Manager**.
+2.  Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**.
+3.  Verify that the status for the Application Identity service is **Running**.
+
+Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic**. 

windows/security/threat-protection/applocker/create-a-rule-for-packaged-apps.md

@@ -0,0 +1,113 @@
+---
+title: Create a rule for packaged apps (Windows 10)
+description: This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
+ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Create a rule for packaged apps
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
+
+Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it is possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows does not support unsigned packaged apps which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information:
+
+-   Publisher of the package
+-   Package name
+-   Package version
+
+All the files within a package as well as the package installer share these attributes. Therefore, an AppLocker rule for a packaged app controls both the installation as well as the running of the app. Otherwise, the publisher rules for packaged apps are no different than the rest of the rule collections; they support exceptions, can be increased or decreased in scope, and can be assigned to users and groups.
+
+For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).
+
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To create a packaged app rule**
+
+1.  Open the AppLocker console.
+2.  On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**.
+3.  On the **Before You Begin** page, click **Next**.
+4.  On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
+5.  On the **Publisher** page, you can select a specific reference for the packaged app rule and set the scope for the rule. The following table describes the reference options.
+    <table>
+    <colgroup>
+    <col width="33%" />
+    <col width="33%" />
+    <col width="33%" />
+    </colgroup>
+    <thead>
+    <tr class="header">
+    <th align="left">Selection</th>
+    <th align="left">Description</th>
+    <th align="left">Example</th>
+    </tr>
+    </thead>
+    <tbody>
+    <tr class="odd">
+    <td align="left"><p><strong>Use an installed packaged app as a reference</strong></p></td>
+    <td align="left"><p>If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.</p></td>
+    <td align="left"><p>You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.</p></td>
+    </tr>
+    <tr class="even">
+    <td align="left"><p><strong>Use a packaged app installer as a reference</strong></p></td>
+    <td align="left"><p>If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name and package version of the installer to define the rule.</p></td>
+    <td align="left"><p>Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share and choose the installer for the Payroll app as a reference to create your rule.</p></td>
+    </tr>
+    </tbody>
+    </table>
+     
+    The following table describes setting the scope for the packaged app rule.
+    <table>
+    <colgroup>
+    <col width="33%" />
+    <col width="33%" />
+    <col width="33%" />
+    </colgroup>
+    <thead>
+    <tr class="header">
+    <th align="left">Selection</th>
+    <th align="left">Description</th>
+    <th align="left">Example</th>
+    </tr>
+    </thead>
+    <tbody>
+    <tr class="odd">
+    <td align="left"><p>Applies to <strong>Any publisher</strong></p></td>
+    <td align="left"><p>This is the least restrictive scope condition for an <strong>Allow</strong> rule. It permits every packaged app to run or install.</p>
+    <p>Conversely, if this is a <strong>Deny</strong> rule, then this option is the most restrictive because it denies all apps from installing or running.</p></td>
+    <td align="left"><p>You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.</p></td>
+    </tr>
+    <tr class="even">
+    <td align="left"><p>Applies to a specific <strong>Publisher</strong></p></td>
+    <td align="left"><p>This scopes the rule to all apps published by a particular publisher.</p></td>
+    <td align="left"><p>You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.</p></td>
+    </tr>
+    <tr class="odd">
+    <td align="left"><p>Applies to a <strong>Package name</strong></p></td>
+    <td align="left"><p>This scopes the rule to all packages that share the publisher name and package name as the reference file.</p></td>
+    <td align="left"><p>You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.</p></td>
+    </tr>
+    <tr class="even">
+    <td align="left"><p>Applies to a <strong>Package version</strong></p></td>
+    <td align="left"><p>This scopes the rule to a particular version of the package.</p></td>
+    <td align="left"><p>You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.</p></td>
+    </tr>
+    <tr class="odd">
+    <td align="left"><p>Applying custom values to the rule</p></td>
+    <td align="left"><p>Selecting the <strong>Use custom values</strong> check box allows you to adjust the scope fields for your particular circumstance.</p></td>
+    <td align="left"><p>You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the <strong>Use custom values</strong> check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.</p></td>
+    </tr>
+    </tbody>
+    </table>
+     
+6.  Click **Next**.
+7.  (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**.
+8.  On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**.

windows/security/threat-protection/applocker/create-a-rule-that-uses-a-file-hash-condition.md

@@ -0,0 +1,40 @@
+---
+title: Create a rule that uses a file hash condition (Windows 10)
+description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.
+ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Create a rule that uses a file hash condition
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.
+
+File hash rules use a system-computed cryptographic hash of the identified file.
+
+For info about the file hash condition, see [Understanding the File Hash Rule Condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md).
+
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer 
+AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To create a new rule with a file hash condition**
+
+1.  Open the AppLocker console, and then click the rule collection that you want to create the rule for.
+2.  On the **Action** menu, click **Create New Rule**.
+3.  On the **Before You Begin** page, click **Next**.
+4.  On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
+5.  On the **Conditions** page, select the **File hash** rule condition, and then click **Next**.
+6.  **Browse Files** to locate the targeted application file.
+
+    >**Note:**  You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button.
+     
+7.  Click **Next**.
+8.  On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**.

windows/security/threat-protection/applocker/create-a-rule-that-uses-a-path-condition.md

@@ -0,0 +1,42 @@
+---
+title: Create a rule that uses a path condition (Windows 10)
+description: This topic for IT professionals shows how to create an AppLocker rule with a path condition.
+ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Create a rule that uses a path condition
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals shows how to create an AppLocker rule with a path condition.
+
+The path condition identifies an app by its location in the file system of the computer or on the network.
+
+>**Important:**  When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles.
+ 
+For info about the path condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
+
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To create a new rule with a path condition**
+
+1.  Open the AppLocker console, and then click the rule collection that you want to create the rule for.
+2.  On the **Action** menu, click **Create New Rule**.
+3.  On the **Before You Begin** page, click **Next**.
+4.  On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
+5.  On the **Conditions** page, select the **Path** rule condition, and then click **Next**.
+6.  Click **Browse Files** to locate the targeted folder for the app.
+
+    >**Note:**  When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
+     
+7.  Click **Next**.
+8.  (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**.
+9.  On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**.

windows/security/threat-protection/applocker/create-a-rule-that-uses-a-publisher-condition.md

@@ -0,0 +1,39 @@
+---
+title: Create a rule that uses a publisher condition (Windows 10)
+description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.
+ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Create a rule that uses a publisher condition
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.
+
+You can use publisher conditions only for files that are digitally signed; the publisher condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the file is part of and the version number of the application. The publisher may be a software development company, such as Microsoft, or the information technology department of your organization.
+Packaged app rules are by definition rules that use publisher conditions. For info about creating a packaged app rule, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md).
+
+For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).
+
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer 
+AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To create a new rule with a publisher condition**
+
+1.  Open the AppLocker console, and then click the rule collection that you want to create the rule for.
+2.  On the **Action** menu, click **Create New Rule**.
+3.  On the **Before You Begin** page, click **Next**.
+4.  On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
+5.  On the **Conditions** page, select the **Publisher** rule condition, and then click **Next**.
+6.  On the **Publisher** page, click **Browse** to select a signed file, and then use the slider to specify the scope of the rule. To use custom values in any of the fields or to specify a specific file version, select the **Use custom values** check box. For example, you can use the asterisk (\*) wildcard character within a publisher rule to specify that any value should be matched.
+7.  Click **Next**.
+8.  (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**.
+9.  On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**.

windows/security/threat-protection/applocker/create-applocker-default-rules.md

@@ -0,0 +1,35 @@
+---
+title: Create AppLocker default rules (Windows 10)
+description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.
+ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Create AppLocker default rules
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.
+
+AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed to run.
+
+>**Important:**  You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types.
+ 
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To create default rules**
+
+1.  Open the AppLocker console.
+2.  Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules.
+3.  Click **Create Default Rules**.
+
+## Related topics
+
+- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)

windows/security/threat-protection/applocker/create-list-of-applications-deployed-to-each-business-group.md

@@ -0,0 +1,73 @@
+---
+title: Create a list of apps deployed to each business group (Windows 10)
+description: This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.
+ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Create a list of apps deployed to each business group
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.
+
+## Determining app usage
+
+For each business group, determine the following:
+
+-   The complete list of apps used, including different versions of an app
+-   The full installation path of the app
+-   The publisher and signed status of each app
+-   The type of requirement the business groups set for each app, such as business critical, business productivity, optional, or personal. It might also be helpful during this effort to identify which apps are supported or unsupported by your IT department, or supported by others outside your control.
+-   A list of files or apps that require administrative credentials to install or run. If the file requires administrative credentials to install or run, users who cannot provide administrative credentials will be prevented from running the file even if the file is explicitly allowed by an AppLocker policy. Even with AppLocker policies enforced, only members of the Administrators group can install or run files that require administrative credentials.
+
+### How to perform the app usage assessment
+
+Although you might already have a method in place to understand app usage for each business group, you will need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate 
+Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection.
+
+**Application inventory methods**
+
+Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is very useful when creating rules from a reference computer, and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer.
+
+Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules 
+initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully.
+
+>**Tip:**  If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker.
+You can create an inventory of Universal Windows apps on a device by using two methods: the **Get-AppxPackage** Windows PowerShell cmdlet or the AppLocker console.
+ 
+The following topics in the [AppLocker Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=160261) describe how to perform each method:
+
+-   [Automatically generating executable rules from a reference computer](https://go.microsoft.com/fwlink/p/?LinkId=160264)
+-   [Using auditing to track which apps are used](https://go.microsoft.com/fwlink/p/?LinkId=160281)
+
+### Prerequisites to completing the inventory
+
+Identify the business group and each organizational unit (OU) within that group to which you will apply application control policies. In addition, you should have identified whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following topics:
+
+-   [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
+-   [Determine your application control objectives](determine-your-application-control-objectives.md)
+
+## Next steps
+
+Identify and develop the list of apps. Record the name of the app, whether it is signed or not as indicated by the publisher's name, and whether or not it is a mission critical, business productivity, optional, or personal application. Record the installation path of the apps. For info about how to do this, see [Document your app list](document-your-application-list.md).
+
+After you have created the list of apps, the next step is to identify the rule collections, which will become the policies. This information can be added to the table under columns labeled:
+
+-   Use default rule or define new rule condition
+-   Allow or deny
+-   GPO name
+
+To do this, see the following topics:
+
+-   [Select the types of rules to create](select-types-of-rules-to-create.md)
+-   [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+ 
+ 

windows/security/threat-protection/applocker/create-your-applocker-planning-document.md

@@ -0,0 +1,379 @@
+---
+title: Create your AppLocker planning document (Windows 10)
+description: This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document.
+ms.assetid: 41e49644-baf4-4514-b089-88adae2d624e
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Create your AppLocker planning document
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document.
+
+## The AppLocker deployment design
+
+The design process and the planning document help you investigate application usage in your organization and record your findings so you can effectively deploy and maintain application control policies by using AppLocker.
+
+You should have completed these steps in the design and planning process:
+
+1.  [Determine your application control objectives](determine-your-application-control-objectives.md)
+2.  [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+3.  [Select types of rules to create](select-types-of-rules-to-create.md)
+4.  [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+5.  [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+
+### AppLocker planning document contents
+
+Your planning document should contain:
+
+-   A list of business groups that will participate in the application control policy project, their requirements, a description of their business processes, and contact information.
+-   Application control policy project target dates, both for planning and deployment.
+-   A complete list of apps used by each business group (or organizational unit), including version information and installation paths.
+-   What condition to apply to rules governing each application (or whether to use the default set provided by AppLocker).
+-   A strategy for using Group Policy to deploy the AppLocker policies.
+-   A strategy in processing the application usage events generated by AppLocker.
+-   A strategy to maintain and manage AppLocker polices after deployment.
+
+### Sample template for an AppLocker planning document
+
+You can use the following form to construct your own AppLocker planning document.
+
+**Business group**:
+
+**Operating system environment**: (Windows and non-Windows)
+
+<table>
+<colgroup>
+<col width="33%" />
+<col width="33%" />
+<col width="33%" />
+</colgroup>
+<tbody>
+<tr class="odd">
+<td align="left"><p><strong>Contacts</strong></p></td>
+<td align="left"><p>Business contact:</p></td>
+<td align="left"><p>Technical contact:</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><strong>Other departments</strong></p></td>
+<td align="left"><p>In this business group:</p></td>
+<td align="left"><p>Affected by this project:</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p><strong>Security policies</strong></p></td>
+<td align="left"><p>Internal:</p></td>
+<td align="left"><p>Regulatory/compliance:</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><strong>Business goals</strong></p></td>
+<td align="left"><p>Primary:</p></td>
+<td align="left"><p>Secondary:</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p><strong>Project target dates</strong></p></td>
+<td align="left"><p>Design signoff date:</p></td>
+<td align="left"><p>Policy deployment date:</p></td>
+</tr>
+</tbody>
+</table>
+ 
+**Rules**
+
+<table style="width:100%;">
+<colgroup>
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Organizational unit</th>
+<th align="left">Implement AppLocker?</th>
+<th align="left">Apps</th>
+<th align="left">Installation path</th>
+<th align="left">Use default rule or define new rule condition</th>
+<th align="left">Allow or deny</th>
+<th align="left">GPO name</th>
+<th align="left">Support policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p> </p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+</tr>
+</tbody>
+</table>
+ 
+**Event processing**
+
+<table>
+<colgroup>
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">AppLocker event collection location</th>
+<th align="left">Archival policy</th>
+<th align="left">Analyzed?</th>
+<th align="left">Security policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p> </p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+</tr>
+</tbody>
+</table>
+ 
+**Policy maintenance**
+
+<table>
+<colgroup>
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Rule update policy</th>
+<th align="left">App decommission policy</th>
+<th align="left">App version policy</th>
+<th align="left">App deployment policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p> </p></td>
+<td align="left"><p>Planned:</p>
+<p>Emergency:</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+</tr>
+</tbody>
+</table>
+ 
+### Example of an AppLocker planning document
+
+**Rules**
+
+<table style="width:100%;">
+<colgroup>
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Organizational unit</th>
+<th align="left">Implement AppLocker?</th>
+<th align="left">Applications</th>
+<th align="left">Installation path</th>
+<th align="left">Use default rule or define new rule condition</th>
+<th align="left">Allow or deny</th>
+<th align="left">GPO name</th>
+<th align="left">Support policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Teller-East and Teller-West</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Teller Software</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p>Tellers-AppLockerTellerRules</p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p>
+<p></p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Help desk</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>HR-All</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Check Payout</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p>HR-AppLockerHRRules</p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Time Sheet Organizer</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
+<td align="left"><p>File is not signed; create a file hash condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Internet Explorer 7</p></td>
+<td align="left"><p>C:\Program Files\Internet Explorer\</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Deny</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Web help</p>
+<p></p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Use the default rule for the Windows path</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Help desk</p></td>
+</tr>
+</tbody>
+</table>
+ 
+**Event processing**
+
+<table>
+<colgroup>
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">AppLocker event collection location</th>
+<th align="left">Archival policy</th>
+<th align="left">Analyzed?</th>
+<th align="left">Security policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Forwarded to: AppLocker Event Repository on srvBT093</p></td>
+<td align="left"><p>Standard</p></td>
+<td align="left"><p>None</p></td>
+<td align="left"><p>Standard</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>DO NOT FORWARD. srvHR004</p></td>
+<td align="left"><p>60 months</p></td>
+<td align="left"><p>Yes, summary reports monthly to managers</p></td>
+<td align="left"><p>Standard</p></td>
+</tr>
+</tbody>
+</table>
+ 
+**Policy maintenance**
+
+<table>
+<colgroup>
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Rule update policy</th>
+<th align="left">App decommission policy</th>
+<th align="left">App version policy</th>
+<th align="left">App deployment policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Planned: Monthly through business office triage</p>
+<p>Emergency: Request through help desk</p></td>
+<td align="left"><p>Through business office triage</p>
+<p>30-day notice required</p></td>
+<td align="left"><p>General policy: Keep past versions for 12 months</p>
+<p>List policies for each application</p></td>
+<td align="left"><p>Coordinated through business office</p>
+<p>30-day notice required</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>Planned: Monthly through HR triage</p>
+<p>Emergency: Request through help desk</p></td>
+<td align="left"><p>Through HR triage</p>
+<p>30-day notice required</p></td>
+<td align="left"><p>General policy: Keep past versions for 60 months</p>
+<p>List policies for each application</p></td>
+<td align="left"><p>Coordinated through HR</p>
+<p>30-day notice required</p></td>
+</tr>
+</tbody>
+</table>
+ 
+### Additional resources
+
+-   The AppLocker Policies Design Guide is the predecessor to the AppLocker Policies Deployment Guide. When planning is complete, see the [AppLocker policies deployment guide](applocker-policies-deployment-guide.md).
+-   For more general info, see [AppLocker](applocker-overview.md).
+ 
+ 

windows/security/threat-protection/applocker/create-your-applocker-policies.md

@@ -0,0 +1,71 @@
+---
+title: Create Your AppLocker policies (Windows 10)
+description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
+ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Create Your AppLocker policies
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
+
+Creating effective application control policies with AppLocker starts by creating the rules for each app. Rules are grouped into one of five rule collections. The rule collection can be configured to be enforced or to run in **Audit only** mode. An AppLocker policy includes the rules in the five rule collections and the enforcement settings for each rule collection.
+
+## Step 1: Use your plan
+
+You can develop an application control policy plan to guide you in making successful deployment decisions. For more info about how to do this and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group:
+
+1.  [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
+2.  [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
+3.  [Determine your application control objectives](determine-your-application-control-objectives.md)
+4.  [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+5.  [Select the types of rules to create](select-types-of-rules-to-create.md)
+6.  [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+7.  [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+8.  [Create your AppLocker planning document](create-your-applocker-planning-document.md)
+
+## Step 2: Create your rules and rule collections
+
+Each rule applies to one or more apps, and it imposes a specific rule condition on them. Rules can be created individually or they can be generated by the Automatically Generate Rules Wizard. For the steps to create the rules, see [Create Your AppLocker rules](create-your-applocker-rules.md).
+
+## Step 3: Configure the enforcement setting
+
+An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it is set to **Not configured**, all the rules in that 
+policy will be enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
+
+## Step 4: Update the GPO
+
+AppLocker policies can be defined locally on a device or applied through Group Policy. To use Group Policy to apply AppLocker policies, you must create a new Group Policy Object (GPO) or you must update an existing GPO. You can create or modify AppLocker policies by using the Group Policy Management Console (GPMC), or you can import an AppLocker policy into a GPO. For the procedure to do this, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
+
+## Step 5: Test the effect of the policy
+
+In a test environment or with the enforcement setting set at **Audit only**, verify that the results of the policy are what you intended. For info about testing a policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
+
+## Step 6: Implement the policy
+
+Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value—**Enforce rules** or **Audit only**.
+
+## Step 7: Test the effect of the policy and adjust
+Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
+
+## Next steps
+
+Follow the steps described in the following topics to continue the deployment process:
+
+1.  [Create Your AppLocker rules](create-your-applocker-rules.md)
+2.  [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
+3.  [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
+
+## See also
+
+- [AppLocker deployment guide](applocker-policies-deployment-guide.md)
+

windows/security/threat-protection/applocker/create-your-applocker-rules.md

@@ -0,0 +1,76 @@
+---
+title: Create Your AppLocker rules (Windows 10)
+description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
+ms.assetid: b684a3a5-929c-4f70-8742-04088022f232
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Create Your AppLocker rules
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
+
+## Creating AppLocker rules
+
+AppLocker rules apply to the targeted app, and they are the components that make up the AppLocker policy. Depending on your IT environment and the business group that requires application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md).
+
+### Automatically generate your rules
+
+You can use a reference device to automatically create a set of default rules for each of the installed apps, test and modify each rule as necessary, and deploy the policies. Creating most of the rules for all the installed apps gives you a starting point to build and test your policies. For info about performing this task, see the following topics:
+
+-   [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
+-   [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
+-   [Create AppLocker default rules](create-applocker-default-rules.md)
+-   [Edit AppLocker rules](edit-applocker-rules.md)
+-   [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
+
+### Create your rules individually
+
+You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you are targeting a small number of applications within a business group.
+
+>**Note:**  AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md).
+ 
+For information about performing this task, see:
+
+1.  [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+2.  [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+3.  [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+4.  [Edit AppLocker rules](edit-applocker-rules.md)
+5.  [Enforce AppLocker rules](enforce-applocker-rules.md)
+6.  [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
+
+## About selecting rules
+
+AppLocker policies are composed of distinct rules for specific apps. These rules are grouped by collection, and they are implemented through an AppLocker policy definition. AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer.
+
+When you determine what types of rules to create for each of your business groups or organizational units (OUs), you should also determine what enforcement setting to use for each group. Certain rule types are more applicable for some apps, depending on how the apps are deployed in a specific business group.
+
+For info about how to determine and document your AppLocker rules, see [AppLocker Design Guide](applocker-policies-design-guide.md).
+
+For info about AppLocker rules and AppLocker policies, see the following topics:
+
+-   [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
+-   [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
+-   [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
+-   [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
+-   [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
+-   [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+
+## Next steps
+
+1.  [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)
+2.  [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)
+3.  [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
+4.  [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
+
+## Related topics
+
+- [Create Your AppLocker policies](create-your-applocker-policies.md)

windows/security/threat-protection/applocker/delete-an-applocker-rule.md

@@ -0,0 +1,56 @@
+---
+title: Delete an AppLocker rule (Windows 10)
+description: This topic for IT professionals describes the steps to delete an AppLocker rule.
+ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Delete an AppLocker rule
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to delete an AppLocker rule.
+
+As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running.
+
+For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
+
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer 
+AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To delete a rule in an AppLocker policy**
+
+1.  Open the AppLocker console.
+2.  Click the appropriate rule collection for which you want to delete the rule.
+3.  In the details pane, right-click the rule to delete, click **Delete**, and then click **Yes**.
+
+>**Note:**  When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed.
+
+When this procedure is performed on the local device, the AppLocker policy takes effect immediately.
+
+**To clear AppLocker policies on a single system or remote systems**
+Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML file that contains the following contents:
+
+    <AppLockerPolicy Version="1">
+      <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
+      <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
+      <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
+      <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
+    </AppLockerPolicy>
+
+To use the Set-AppLockerPolicy cmdlet, first import the Applocker modules:
+    
+    PS C:\Users\Administrator> import-module AppLocker
+
+We will create a file (for example, clear.xml), place it in the same directory where we are executing our cmdlet, and add the preceding XML contents. Then run the following command:
+    
+    C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml
+
+This will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access.

windows/security/threat-protection/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md

@@ -0,0 +1,56 @@
+---
+title: Deploy AppLocker policies by using the enforce rules setting (Windows 10)
+description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
+ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Deploy AppLocker policies by using the enforce rules setting
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
+
+## Background and prerequisites
+
+These procedures assume that you have already deployed AppLocker policies with the enforcement set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.
+
+For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md).
+
+For info about how to plan an AppLocker policy deployment, see [AppLocker Design Guide](applocker-policies-design-guide.md).
+
+## Step 1: Retrieve the AppLocker policy
+
+Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
+
+## Step 2: Alter the enforcement setting
+
+Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
+
+## Step 3: Update the policy
+
+You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](https://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the 
+Microsoft Desktop Optimization Pack.
+
+>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
+ 
+For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
+
+For the procedures to distribute policies for local PCs by using the Local Security Policy snap-in (secpol.msc), see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
+
+## Step 4: Monitor the effect of the policy
+
+When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's app access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md).
+
+## Additional resources
+
+-   For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
+ 
+ 

windows/security/threat-protection/applocker/deploy-the-applocker-policy-into-production.md

@@ -0,0 +1,48 @@
+---
+title: Deploy the AppLocker policy into production (Windows 10)
+description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
+ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Deploy the AppLocker policy into production
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
+
+After successfully testing and modifying the AppLocker policy for each Group Policy Object (GPO), you are ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement setting from **Audit only** to **Enforce rules**. However, it is important to follow the deployment plan that you created earlier. For more info, see the [AppLocker Design Guide](applocker-policies-design-guide.md). Depending on the needs of different business groups in your organization, you might deploy different enforcement settings for linked GPOs.
+
+### Understand your design decisions
+
+Before you deploy an AppLocker policy, you should determine:
+
+-   For each business group, which applications will be controlled and in what manner. For more info, see [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
+-   How to handle requests for application access. For info about what to consider when developing your support policies, see [Plan for AppLocker policy management](plan-for-applocker-policy-management.md).
+-   How to manage events, including forwarding events. For info about event management in AppLocker, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
+-   Your GPO structure, including how to include policies generated by Software Restriction Policies and AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md).
+
+For info about how AppLocker deployment is dependent on design decisions, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
+
+### AppLocker deployment methods
+
+If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then 
+observe the events that are generated.
+-   [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
+
+    This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means.
+
+-   [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
+
+    This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to **Audit only** or to **Enforce rules**.
+
+## See also
+
+- [AppLocker deployment guide](applocker-policies-deployment-guide.md)

windows/security/threat-protection/applocker/determine-group-policy-structure-and-rule-enforcement.md

@@ -0,0 +1,36 @@
+---
+title: Determine the Group Policy structure and rule enforcement (Windows 10)
+description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules.
+ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Determine the Group Policy structure and rule enforcement
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This overview topic describes the process to follow when you are planning to deploy AppLocker rules.
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) | This topic describes the AppLocker enforcement settings for rule collections. |
+| [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.|
+| [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. |
+ 
+When you are determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following:
+
+-   Whether you are creating new GPOs or using existing GPOs
+-   Whether you are implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO
+-   GPO naming conventions
+-   GPO size limits
+
+>**Note:**  There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB.

windows/security/threat-protection/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md

@@ -0,0 +1,38 @@
+---
+title: Determine which apps are digitally signed on a reference device (Windows 10)
+description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
+ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Determine which apps are digitally signed on a reference device
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
+
+The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device does not need to be joined to the domain.
+
+Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
+
+**To determine which apps are digitally signed on a reference device**
+1.  Run **Get-AppLockerFileInformation** with the appropriate parameters.
+
+    The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.
+
+2.  Analyze the publisher's name and digital signature status from the output of the command.
+
+For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](http://technet.microsoft.com/library/ee460961.aspx).
+
+## Related topics
+
+- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
+ 
+ 

windows/security/threat-protection/applocker/determine-your-application-control-objectives.md

@@ -0,0 +1,160 @@
+---
+title: Determine your application control objectives (Windows 10)
+description: This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
+ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Determine your application control objectives
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
+
+AppLocker is very effective for organizations with app restriction requirements whose environments have a simple topography and the application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the PCs that they manage for a relatively small number of apps.
+
+There are management and maintenance costs associated with a list of allowed apps. In addition, the purpose of application control policies is to allow or prevent employees from using apps that might actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating user support processes and network support processes to keep the organization productive are also concerns.
+
+Use the following table to develop your own objectives and determine which application control feature best addresses those objectives.
+
+<table>
+<colgroup>
+<col width="33%" />
+<col width="33%" />
+<col width="33%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Application control function</th>
+<th align="left">SRP</th>
+<th align="left">AppLocker</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Scope</p></td>
+<td align="left"><p>SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.</p></td>
+<td align="left"><p>AppLocker policies apply only to the support versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Policy creation</p></td>
+<td align="left"><p>SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.</p></td>
+<td align="left"><p>AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.</p>
+<p>AppLocker permits customization of error messages to direct users to a Web page for help.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Policy maintenance</p></td>
+<td align="left"><p>SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).</p></td>
+<td align="left"><p>AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Policy application</p></td>
+<td align="left"><p>SRP policies are distributed through Group Policy.</p></td>
+<td align="left"><p>AppLocker policies are distributed through Group Policy.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Enforcement mode</p></td>
+<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.</p>
+<p>SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
+<td align="left"><p>AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>File types that can be controlled</p></td>
+<td align="left"><p>SRP can control the following file types:</p>
+<ul>
+<li><p>Executables</p></li>
+<li><p>Dlls</p></li>
+<li><p>Scripts</p></li>
+<li><p>Windows Installers</p></li>
+</ul>
+<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.</p></td>
+<td align="left"><p>AppLocker can control the following file types:</p>
+<ul>
+<li><p>Executables</p></li>
+<li><p>Dlls</p></li>
+<li><p>Scripts</p></li>
+<li><p>Windows Installers</p></li>
+<li><p>Packaged apps and installers</p></li>
+</ul>
+<p>AppLocker maintains a separate rule collection for each of the five file types.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Designated file types</p></td>
+<td align="left"><p>SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.</p></td>
+<td align="left"><p>AppLocker does not support this. AppLocker currently supports the following file extensions:</p>
+<ul>
+<li><p>Executables (.exe, .com)</p></li>
+<li><p>Dlls (.ocx, .dll)</p></li>
+<li><p>Scripts (.vbs, .js, .ps1, .cmd, .bat)</p></li>
+<li><p>Windows Installers (.msi, .mst, .msp)</p></li>
+<li><p>Packaged app installers (.appx)</p></li>
+</ul></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Rule types</p></td>
+<td align="left"><p>SRP supports four types of rules:</p>
+<ul>
+<li><p>Hash</p></li>
+<li><p>Path</p></li>
+<li><p>Signature</p></li>
+<li><p>Internet zone</p></li>
+</ul></td>
+<td align="left"><p>AppLocker supports three types of rules:</p>
+<ul>
+<li><p>Hash</p></li>
+<li><p>Path</p></li>
+<li><p>Publisher</p></li>
+</ul></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Editing the hash value</p></td>
+<td align="left"><p>SRP allows you to select a file to hash.</p></td>
+<td align="left"><p>AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (Exe and Dll) and Windows Installers and a SHA2 flat file hash for the rest.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Support for different security levels</p></td>
+<td align="left"><p>With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that notepad always runs with restricted permissions and never with administrative privileges.</p>
+<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).</p></td>
+<td align="left"><p>AppLocker does not support security levels.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Manage Packaged apps and Packaged app installers.</p></td>
+<td align="left"><p>Unable</p></td>
+<td align="left"><p>.appx is a valid file type which AppLocker can manage.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Targeting a rule to a user or a group of users</p></td>
+<td align="left"><p>SRP rules apply to all users on a particular computer.</p></td>
+<td align="left"><p>AppLocker rules can be targeted to a specific user or a group of users.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Support for rule exceptions</p></td>
+<td align="left"><p>SRP does not support rule exceptions</p></td>
+<td align="left"><p>AppLocker rules can have exceptions which allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Support for audit mode</p></td>
+<td align="left"><p>SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.</p></td>
+<td align="left"><p>AppLocker supports audit mode which allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Support for exporting and importing policies</p></td>
+<td align="left"><p>SRP does not support policy import/export.</p></td>
+<td align="left"><p>AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Rule enforcement</p></td>
+<td align="left"><p>Internally, SRP rules enforcement happens in the user-mode which is less secure.</p></td>
+<td align="left"><p>Internally, AppLocker rules for exes and dlls are enforced in the kernel-mode which is more secure than enforcing them in the user-mode.</p></td>
+</tr>
+</tbody>
+</table>
+ 
+For more general info, see [AppLocker](applocker-overview.md).

windows/security/threat-protection/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md

@@ -0,0 +1,33 @@
+---
+title: Display a custom URL message when users try to run a blocked app (Windows 10)
+description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
+ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Display a custom URL message when users try to run a blocked app
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
+
+Using Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you do not display a custom message when an apps is blocked, the default access denied message is displayed.
+
+To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+
+**To display a custom URL message when users try to run a blocked app**
+
+1.  On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC).
+2.  Navigate to the Group Policy Object (GPO) that you want to edit.
+3.  Right-click the GPO, and then click **Edit**.
+4.  In the console tree under **Policies\\Administrative Templates\\Windows Components**, click **File Explorer**.
+5.  In the details pane, double-click **Set a support web page link**.
+6.  Click **Enabled**, and then type the URL of the custom Web page in the **Support Web page URL** box.
+7.  Click **OK** to apply the setting.

windows/security/threat-protection/applocker/dll-rules-in-applocker.md

@@ -0,0 +1,43 @@
+---
+title: DLL rules in AppLocker (Windows 10)
+description: This topic describes the file formats and available default rules for the DLL rule collection.
+ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# DLL rules in AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic describes the file formats and available default rules for the DLL rule collection.
+
+AppLocker defines DLL rules to include only the following file formats:
+
+-   .dll
+-   .ocx
+
+The following table lists the default rules that are available for the DLL rule collection.
+
+| Purpose | Name | User | Rule condition type |
+| - | - | - | - |
+| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs| 
+| BUILTIN\Administrators | Path: *| 
+| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs | 
+| Everyone | Path: %windir%\*| 
+| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| 
+| Everyone | Path: %programfiles%\*| 
+ 
+>**Important:**  If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps
+ 
+>**Caution:**  When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used.
+ 
+## Related topics
+
+- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)

windows/security/threat-protection/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md

@@ -0,0 +1,129 @@
+---
+title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10)
+description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
+ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: brianlic-msft
+ms.pagetype: security
+ms.date: 09/21/2017
+---
+
+# Document the Group Policy structure and AppLocker rule enforcement
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
+
+## Record your findings
+
+To complete this AppLocker planning document, you should first complete the following steps:
+
+1.  [Determine your application control objectives](determine-your-application-control-objectives.md)
+2.  [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+3.  [Select the types of rules to create](select-types-of-rules-to-create.md)
+4.  [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+
+After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column.
+
+The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies.
+<table>
+<colgroup>
+<col width="12%" />
+<col width="12%" />
+<col width="12%" />
+<col width="12%" />
+<col width="12%" />
+<col width="12%" />
+<col width="12%" />
+<col width="12%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Organizational unit</th>
+<th align="left">Implement AppLocker?</th>
+<th align="left">Apps</th>
+<th align="left">Installation path</th>
+<th align="left">Use default rule or define new rule condition</th>
+<th align="left">Allow or deny</th>
+<th align="left">GPO name</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Teller-East and Teller-West</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Teller Software</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p>Tellers-AppLockerTellerRules</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>HR-All</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Check Payout</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p>HR-AppLockerHRRules</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Time Sheet Organizer</p>
+<p></p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p>
+<p></p></td>
+<td align="left"><p>File is not signed; create a file hash condition</p>
+<p></p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Internet Explorer 7</p></td>
+<td align="left"><p>C:\Program Files\Internet Explorer\</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Deny</p></td>
+<td align="left"><p></p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Use a default rule for the Windows path</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+</tr>
+</tbody>
+</table>
+ 
+## Next steps
+
+After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain:
+-   [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+-   [Create your AppLocker planning document](create-your-applocker-planning-document.md)
+ 
+ 

windows/security/threat-protection/applocker/document-your-application-control-management-processes.md

@@ -0,0 +1,236 @@
+---
+title: Document your application control management processes (Windows 10)
+description: This planning topic describes the AppLocker policy maintenance information to record for your design document.
+ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Document your application control management processes
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This planning topic describes the AppLocker policy maintenance information to record for your design document.
+
+## Record your findings
+
+To complete this AppLocker planning document, you should first complete the following steps:
+
+1.  [Determine your application control objectives](determine-your-application-control-objectives.md)
+2.  [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+3.  [Select the types of rules to create](select-types-of-rules-to-create.md)
+4.  [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+5.  [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+
+The three key areas to determine for AppLocker policy management are:
+
+1.  Support policy
+
+    Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy.
+
+2.  Event processing
+
+    Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis.
+
+3.  Policy maintenance
+
+    Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added.
+
+The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies.
+
+<table style="width:100%;">
+<colgroup>
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Organizational unit</th>
+<th align="left">Implement AppLocker?</th>
+<th align="left">Apps</th>
+<th align="left">Installation path</th>
+<th align="left">Use default rule or define new rule condition</th>
+<th align="left">Allow or deny</th>
+<th align="left">GPO name</th>
+<th align="left">Support policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Teller-East and Teller-West</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Teller Software</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p>Tellers-AppLockerTellerRules</p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p>
+<p></p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Help desk</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>HR-All</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Check Payout</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p>HR-AppLockerHRRules</p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Time Sheet Organizer</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
+<td align="left"><p>File is not signed; create a file hash condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Internet Explorer 7</p></td>
+<td align="left"><p>C:\Program Files\Internet Explorer\</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Deny</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Web help</p>
+<p></p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Use the default rule for the Windows path</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Help desk</p></td>
+</tr>
+</tbody>
+</table>
+ 
+The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies.
+
+**Event processing policy**
+
+One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events.
+
+The following table is an example of what to consider and record.
+
+<table>
+<colgroup>
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">AppLocker event collection location</th>
+<th align="left">Archival policy</th>
+<th align="left">Analyzed?</th>
+<th align="left">Security policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Forwarded to: AppLocker Event Repository on srvBT093</p></td>
+<td align="left"><p>Standard</p></td>
+<td align="left"><p>None</p></td>
+<td align="left"><p>Standard</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>DO NOT FORWARD. srvHR004</p></td>
+<td align="left"><p>60 months</p></td>
+<td align="left"><p>Yes, summary reports monthly to managers</p></td>
+<td align="left"><p>Standard</p></td>
+</tr>
+</tbody>
+</table>
+ 
+**Policy maintenance policy**
+When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies.
+The following table is an example of what to consider and record.
+<table>
+<colgroup>
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Rule update policy</th>
+<th align="left">Application decommission policy</th>
+<th align="left">Application version policy</th>
+<th align="left">Application deployment policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Planned: Monthly through business office triage</p>
+<p>Emergency: Request through help desk</p></td>
+<td align="left"><p>Through business office triage</p>
+<p>30-day notice required</p></td>
+<td align="left"><p>General policy: Keep past versions for 12 months</p>
+<p>List policies for each application</p></td>
+<td align="left"><p>Coordinated through business office</p>
+<p>30-day notice required</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>Planned: Monthly through HR triage</p>
+<p>Emergency: Request through help desk</p></td>
+<td align="left"><p>Through HR triage</p>
+<p>30-day notice required</p></td>
+<td align="left"><p>General policy: Keep past versions for 60 months</p>
+<p>List policies for each application</p></td>
+<td align="left"><p>Coordinated through HR</p>
+<p>30-day notice required</p></td>
+</tr>
+</tbody>
+</table>
+ 
+## Next steps
+
+After you have determined your application control management strategy for each of the business group's applications, the following task remains:
+-   [Create your AppLocker planning document](create-your-applocker-planning-document.md)

windows/security/threat-protection/applocker/document-your-application-list.md

@@ -0,0 +1,127 @@
+---
+title: Document your app list (Windows 10)
+description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
+ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Document your app list
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
+
+## Record your findings
+
+**Apps**
+
+Record the name of the app, whether it is signed as indicated by the publisher's name, and whether it is a mission critical, business productivity, optional, or personal app. Later, as you manage your rules, AppLocker displays this information in the format shown in the following example: *MICROSOFT OFFICE INFOPATH signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US*.
+
+**Installation path**
+
+Record the installation path of the apps. For example, Microsoft Office 2016 installs files to *%programfiles%\\Microsoft Office\\Office16\\*, which is *C:\\Program Files\\Microsoft Office\\Office16\\* on most devices.
+
+The following table provides an example of how to list applications for each business group at the early stage of designing your application control policies. Eventually, as more planning information is added to the list, the information can be used to build AppLocker rules.
+<table>
+<colgroup>
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Organizational unit</th>
+<th align="left">Implement AppLocker?</th>
+<th align="left">Apps</th>
+<th align="left">Installation path</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Teller-East and Teller-West</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Teller Software</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p></td>
+<td align="left"><p>C:\Windows</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>HR-All</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Check Payout</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Time Sheet Organizer</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Internet Explorer 7</p></td>
+<td align="left"><p>C:\Program Files\Internet Explorer\</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p></td>
+<td align="left"><p>C:\Windows</p></td>
+</tr>
+</tbody>
+</table>
+ 
+>**Note:**  AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
+ 
+**Event processing**
+
+As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record:
+
+-   Will event forwarding be implemented for AppLocker events?
+-   What is the location of the AppLocker event collection?
+-   Should an event archival policy be implemented?
+-   Will the events be analyzed and how often?
+-   Should a security policy be in place for event collection?
+
+**Policy maintenance**
+
+As you create your list of apps, you need to consider how to manage and maintain the policies that you will eventually create. The following list is an example of what to consider and what to record:
+
+-   How will rules be updated for emergency app access and permanent access?
+-   How will apps be removed?
+-   How many older versions of the same app will be maintained?
+-   How will new apps be introduced?
+
+## Next steps
+
+After you have created the list of applications, the next step is to identify the rule collections, which will become the application control policies. This information can be added to the table under the following columns:
+
+-   Use default rule or define new rule condition
+-   Allow or deny
+-   GPO name
+
+To identify the rule collections, see the following topics:
+
+-   [Select the types of rules to create](select-types-of-rules-to-create.md)
+-   [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)

windows/security/threat-protection/applocker/document-your-applocker-rules.md

@@ -0,0 +1,121 @@
+---
+title: Document your AppLocker rules (Windows 10)
+description: This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded.
+ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Document your AppLocker rules
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded.
+
+## Record your findings
+
+To complete this AppLocker planning document, you should first complete the following steps:
+
+1.  [Determine your application control objectives](determine-your-application-control-objectives.md)
+2.  [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+3.  [Select the types of rules to create](select-types-of-rules-to-create.md)
+
+Document the following items for each business group or organizational unit:
+
+-   Whether your organization will use the built-in default AppLocker rules to allow system files to run.
+-   The types of rule conditions that you will use to create rules, stated in order of preference.
+
+The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md).
+
+<table style="width:100%;">
+<colgroup>
+<col width="14%" />
+<col width="14%" />
+<col width="14%" />
+<col width="14%" />
+<col width="14%" />
+<col width="14%" />
+<col width="14%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Organizational unit</th>
+<th align="left">Implement AppLocker?</th>
+<th align="left">Applications</th>
+<th align="left">Installation path</th>
+<th align="left">Use default rule or define new rule condition</th>
+<th align="left">Allow or deny</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Teller-East and Teller-West</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Teller Software</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p></p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
+<td align="left"><p></p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>HR-All</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Check Payout</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p></p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Time Sheet Organizer</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
+<td align="left"><p>File is not signed; create a file hash condition</p></td>
+<td align="left"><p></p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Internet Explorer 7</p></td>
+<td align="left"><p>C:\Program Files\Internet Explorer\</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p></p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Use the default rule for the Windows path</p></td>
+<td align="left"><p></p></td>
+</tr>
+</tbody>
+</table>
+ 
+## Next steps
+
+For each rule, determine whether to use the allow or deny option. Then, three tasks remain:
+
+-   [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+-   [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+-   [Create your AppLocker planning document](create-your-applocker-planning-document.md)

windows/security/threat-protection/applocker/edit-an-applocker-policy.md

@@ -0,0 +1,102 @@
+---
+title: Edit an AppLocker policy (Windows 10)
+description: This topic for IT professionals describes the steps required to modify an AppLocker policy.
+ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Edit an AppLocker policy
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps required to modify an AppLocker policy.
+
+You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot create a new version of the policy by importing additional rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
+
+There are two methods you can use to edit an AppLocker policy:
+
+-   [Editing an AppLocker policy by using Group Policy](#bkmk-editapppolingpo)
+-   [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo)
+
+## <a href="" id="bkmk-editapppolingpo"></a>Editing an AppLocker policy by using Group Policy
+
+The steps to edit an AppLocker policy distributed by Group Policy include the following:
+
+### Step 1: Use Group Policy management software to export the AppLocker policy from the GPO
+
+AppLocker provides a feature to export and import AppLocker policies as an XML file. This allows you to modify an AppLocker policy outside your production environment. Because updating an AppLocker policy in a deployed GPO could have unintended consequences, you should first export the AppLocker 
+policy to an XML file. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md).
+
+### Step 2: Import the AppLocker policy into the AppLocker reference PC or the PC you use for policy maintenance
+
+After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
+
+>**Caution:**  Importing a policy onto another PC will overwrite the existing policy on that PC.
+ 
+### Step 3: Use AppLocker to modify and test the rule
+
+AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection.
+
+-   For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md).
+-   For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md).
+-   For procedures to create rules, see:
+
+    -   [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+    -   [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+    -   [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+    -   [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
+
+-   For steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
+-   For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
+
+### Step 4: Use AppLocker and Group Policy to import the AppLocker policy back into the GPO
+
+For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
+
+>**Caution:**  You should never edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed run, making changes to a live policy can create unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
+ 
+>**Note:**  If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy.
+ 
+## <a href="" id="bkmk-editapplolnotingpo"></a>Editing an AppLocker policy by using the Local Security Policy snap-in
+
+The steps to edit an AppLocker policy distributed by using the Local Security Policy snap-in (secpol.msc) include the following tasks.
+
+### Step 1: Import the AppLocker policy
+
+On the PC where you maintain policies, open the AppLocker snap-in from the Local Security Policy snap-in (secpol.msc). If you exported the AppLocker policy from another PC, use AppLocker to import it onto the PC.
+
+After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
+
+>**Caution:**  Importing a policy onto another PC will overwrite the existing policy on that PC.
+ 
+### Step 2: Identify and modify the rule to change, delete, or add
+
+AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection.
+
+-   For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md).
+-   For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md).
+-   For procedures to create rules, see:
+
+    -   [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+    -   [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+    -   [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+    -   [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
+
+### Step 3: Test the effect of the policy
+
+For steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
+
+### Step 4: Export the policy to an XML file and propagate it to all targeted computers
+
+For procedures to export the updated policy from the reference computer to targeted computers, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
+
+## Additional resources
+
+-   For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).

windows/security/threat-protection/applocker/edit-applocker-rules.md

@@ -0,0 +1,58 @@
+---
+title: Edit AppLocker rules (Windows 10)
+description: This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
+ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Edit AppLocker rules
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
+
+For more info about these rule types, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
+
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To edit a publisher rule**
+
+1.  Open the AppLocker console, and then click the appropriate rule collection.
+2.  In the **Action** pane, right-click the publisher rule, and then click **Properties**.
+3.  Click the appropriate tab to edit the rule properties.
+
+    -   Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group for which this rule should apply.
+    -   Click the **Publisher** tab to configure the certificate's common name, the product name, the file name, or file version of the publisher.
+    -   Click the **Exceptions** tab to create or edit exceptions.
+    -   When you finish updating the rule, click **OK**.
+
+**To edit a file hash rule**
+
+1.  Open the AppLocker console, and then click the appropriate rule collection.
+2.  Choose the appropriate rule collection.
+3.  In the **Action** pane, right-click the file hash rule, and then click **Properties**.
+4.  Click the appropriate tab to edit the rule properties.
+
+    -   Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply.
+    -   Click the **File Hash** tab to configure the files that should be used to enforce the rule. You can click **Browse Files** to add a specific file or click **Browse Folders** to add all files in a specified folder. To remove hashes individually, click **Remove**.
+    -   When you finish updating the rule, click **OK**.
+
+**To edit a path rule**
+
+1.  Open the AppLocker console, and then click the appropriate rule collection.
+2.  Choose the appropriate rule collection.
+3.  In the **Action** pane, right-click the path rule, and then click **Properties**.
+4.  Click the appropriate tab to edit the rule properties.
+
+    -   Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply.
+    -   Click the **Path** tab to configure the path on the computer in which the rule should be enforced.
+    -   Click the **Exceptions** tab to create exceptions for specific files in a folder.
+    -   When you finish updating the rule, click **OK**.
+    

windows/security/threat-protection/applocker/enable-the-dll-rule-collection.md

@@ -0,0 +1,32 @@
+---
+title: Enable the DLL rule collection (Windows 10)
+description: This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
+ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Enable the DLL rule collection
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
+
+The DLL rule collection includes the .dll and .ocx file formats.
+
+For info about these rules, see [DLL rules in AppLocker](dll-rules-in-applocker.md).
+
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer 
+AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To enable the DLL rule collection**
+1.  From the AppLocker console, right-click **AppLocker**, and then click **Properties.**
+2.  Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**.
+
+    >**Important:**  Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.

windows/security/threat-protection/applocker/enforce-applocker-rules.md

@@ -0,0 +1,32 @@
+---
+title: Enforce AppLocker rules (Windows 10)
+description: This topic for IT professionals describes how to enforce application control rules by using AppLocker.
+ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Enforce AppLocker rules
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes how to enforce application control rules by using AppLocker.
+
+After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only** on the rule collection.
+
+When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
+
+There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production.
+
+To enforce AppLocker rules by configuring an AppLocker policy to **Enforce rules**, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
+
+>**Caution:**  AppLocker rules will be enforced immediately on the local device or when the Group Policy object (GPO) is updated by performing this procedure. If you want to see the effect of applying an AppLocker policy before setting the enforcement setting to **Enforce rules**, configure the policy to **Audit only**. For info about how to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)or [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
+ 
+ 
+ 

windows/security/threat-protection/applocker/executable-rules-in-applocker.md

@@ -0,0 +1,31 @@
+---
+title: Executable rules in AppLocker (Windows 10)
+description: This topic describes the file formats and available default rules for the executable rule collection.
+ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Executable rules in AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic describes the file formats and available default rules for the executable rule collection.
+
+AppLocker defines executable rules as any files with the .exe and .com extensions that are associated with an app. Because all of the default rules for the executable rule collection are based on folder paths, all files under those paths will be allowed. The following table lists the default rules that are available for the executable rule collection.
+
+| Purpose | Name | User | Rule condition type |
+| - | - | - | - |
+| Allow members of the local Administrators group access to run all executable files | (Default Rule) All files| BUILTIN\Administrators | Path: * |
+| Allow all users to run executable files in the Windows folder| (Default Rule) All files located in the Windows folder| Everyone| Path: %windir%\*| 
+| Allow all users to run executable files in the Program Files folder | (Default Rule) All files located in the Program Files folder| Everyone | Path: %programfiles%\*| 
+ 
+## Related topics
+
+- [Understanding AppLocker Default Rules](understanding-applocker-default-rules.md)

windows/security/threat-protection/applocker/export-an-applocker-policy-from-a-gpo.md

@@ -0,0 +1,31 @@
+---
+title: Export an AppLocker policy from a GPO (Windows 10)
+description: This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
+ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Export an AppLocker policy from a GPO
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
+
+Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference device.
+
+To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+
+**Export the policy from the GPO**
+
+1.  In the Group Policy Management Console (GPMC), open the GPO that you want to edit.
+2.  In the console tree under **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Application Control Policies**, click **AppLocker**.
+3.  Right-click **AppLocker**, and then click **Export Policy**.
+4.  In the **Export Policy** dialog box, type a name for the exported policy (for example, the name of the GPO), select a location to save the policy, and then click **Save**.
+5.  The **AppLocker** dialog box will notify you of how many rules were exported. Click **OK**.

windows/security/threat-protection/applocker/export-an-applocker-policy-to-an-xml-file.md

@@ -0,0 +1,26 @@
+---
+title: Export an AppLocker policy to an XML file (Windows 10)
+description: This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.
+ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Export an AppLocker policy to an XML file
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.
+Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
+
+**To export an AppLocker policy to an XML file**
+
+1.  From the AppLocker console, right-click **AppLocker**, and then click **Export Policy**.
+2.  Browse to the location where you want to save the XML file.
+3.  In the **File name** box, type a file name for the XML file, and then click **Save**.

windows/security/threat-protection/applocker/how-applocker-works-techref.md

@@ -0,0 +1,50 @@
+---
+title: How AppLocker works (Windows 10)
+description: This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.
+ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# How AppLocker works
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.
+
+The following topics explain how AppLocker policies for each of the rule condition types are evaluated:
+
+-   [AppLocker architecture and components](applocker-architecture-and-components.md)
+-   [AppLocker processes and interactions](applocker-processes-and-interactions.md)
+
+The following topics explain how AppLocker rules and policies work:
+
+-   [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
+-   [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
+-   [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
+-   [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
+-   [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
+
+    -   [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
+    -   [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
+    -   [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
+
+-   [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+
+    -   [Executable rules in AppLocker](executable-rules-in-applocker.md)
+    -   [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
+    -   [Script rules in AppLocker](script-rules-in-applocker.md)
+    -   [DLL rules in AppLocker](dll-rules-in-applocker.md)
+    -   [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
+
+## Additional resources
+
+-   [AppLocker Design Guide](applocker-policies-design-guide.md)
+-   [AppLocker deployment guide](applocker-policies-deployment-guide.md)
+-   [Administer AppLocker](administer-applocker.md)

windows/security/threat-protection/applocker/import-an-applocker-policy-from-another-computer.md

@@ -0,0 +1,32 @@
+---
+title: Import an AppLocker policy from another computer (Windows 10)
+description: This topic for IT professionals describes how to import an AppLocker policy.
+ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Import an AppLocker policy from another computer
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes how to import an AppLocker policy.
+
+Before completing this procedure, you should have exported an AppLocker policy. For more information, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md).
+
+Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
+
+>**Caution:**  Importing a policy will overwrite the existing policy on that computer.
+ 
+**To import an AppLocker policy**
+
+1.  From the AppLocker console, right-click **AppLocker**, and then click **Import Policy**.
+2.  In the **Import Policy** dialog box, locate the file that you exported, and then click **Open**.
+3.  The **Import Policy** dialog box will warn you that importing a policy will overwrite the existing rules and enforcement settings. If acceptable, click **OK** to import and overwrite the policy.
+4.  The **AppLocker** dialog box will notify you of how many rules were overwritten and imported. Click **OK**.

windows/security/threat-protection/applocker/import-an-applocker-policy-into-a-gpo.md

@@ -0,0 +1,32 @@
+---
+title: Import an AppLocker policy into a GPO (Windows 10)
+description: This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).
+ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Import an AppLocker policy into a GPO
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).
+AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md).
+
+>**Important:**  Follow your organization's standard procedures for updating GPOs. For info about specific steps to follow for AppLocker policies, see [Maintain AppLocker policies](maintain-applocker-policies.md).
+ 
+To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+
+**To import an AppLocker policy into a GPO**
+
+1.  In the Group Policy Management Console (GPMC), open the GPO that you want to edit.
+2.  In the console tree under **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Application Control Policies**, click **AppLocker**.
+3.  Right-click **AppLocker**, and then click **Import Policy**.
+4.  In the **Import Policy** dialog box, locate the XML policy file, and click **Open**.
+5.  The **AppLocker** dialog box will notify you of how many rules were imported. Click **OK**.

windows/security/threat-protection/applocker/maintain-applocker-policies.md

@@ -0,0 +1,103 @@
+---
+title: Maintain AppLocker policies (Windows 10)
+description: This topic describes how to maintain rules within AppLocker policies.
+ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Maintain AppLocker policies
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic describes how to maintain rules within AppLocker policies.
+
+Common AppLocker maintenance scenarios include:
+
+-   A new app is deployed, and you need to update an AppLocker policy.
+-   A new version of an app is deployed, and you need to either update an AppLocker policy or create a new rule to update the policy.
+-   An app is no longer supported by your organization, so you need to prevent it from being used.
+-   An app appears to be blocked but should be allowed.
+-   An app appears to be allowed but should be blocked.
+-   A single user or small subset of users needs to use a specific app that is blocked.
+
+There are two methods you can use to maintain AppLocker policies:
+
+-   [Maintaining AppLocker policies by using Group Policy](#bkmk-applkr-use-gp)
+-   [Maintaining AppLocker policies on the local computer](#bkmk-applkr-use-locsnapin)
+
+As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current.
+
+You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create 
+versions of GPOs.
+
+>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
+ 
+## <a href="" id="bkmk-applkr-use-gp"></a>Maintaining AppLocker policies by using Group Policy
+
+For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks.
+
+### Step 1: Understand the current behavior of the policy
+
+Before modifying a policy, evaluate how the policy is currently implemented. For example, if a new version of the application is deployed, you can use **Test-AppLockerPolicy** to verify the effectiveness of your current policy for that app.
+
+### Step 2: Export the AppLocker policy from the GPO
+
+Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference or test computer. To prepare an AppLocker policy for modification, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md).
+
+### Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule
+
+After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required.
+
+To modify AppLocker rules, see the following:
+
+-   [Edit AppLocker rules](edit-applocker-rules.md)
+-   [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) or [Merge AppLocker policies manually](merge-applocker-policies-manually.md)
+-   [Delete an AppLocker rule](delete-an-applocker-rule.md)
+-   [Enforce AppLocker rules](enforce-applocker-rules.md)
+
+### Step 4: Test the AppLocker policy
+
+You should test each collection of rules to ensure that the rules perform as intended. (Because AppLocker rules are inherited from linked GPOs, you should deploy all rules for simultaneous testing in all test GPOs.) For steps to perform this testing, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
+
+### Step 5: Import the AppLocker policy into the GPO
+
+After testing, import the AppLocker policy back into the GPO for implementation. To update the GPO with a modified AppLocker policy, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
+
+### Step 6: Monitor the resulting policy behavior
+After deploying a policy, evaluate the policy's effectiveness.
+
+## <a href="" id="bkmk-applkr-use-locsnapin"></a>Maintaining AppLocker policies by using the Local Security Policy snap-in
+For every scenario, the steps to maintain an AppLocker policy by using the Local Group Policy Editor or the Local Security Policy snap-in include the following tasks.
+
+### Step 1: Understand the current behavior of the policy
+
+Before modifying a policy, evaluate how the policy is currently implemented.
+
+### Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule
+
+Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed.
+
+To modify AppLocker rules, see the appropriate topic listed on [Administer AppLocker](administer-applocker.md).
+
+### Step 3: Test the AppLocker policy
+
+You should test each collection of rules to ensure that the rules perform as intended. For steps to perform this testing, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
+
+### Step 4: Deploy the policy with the modified rule
+
+You can export and then import AppLocker policies to deploy the policy to other computers running Windows 8 or later. To perform this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
+
+### Step 5: Monitor the resulting policy behavior
+
+After deploying a policy, evaluate the policy's effectiveness.
+
+## Additional resources
+
+-   For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).

windows/security/threat-protection/applocker/manage-packaged-apps-with-applocker.md

@@ -0,0 +1,74 @@
+---
+title: Manage packaged apps with AppLocker (Windows 10)
+description: This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.
+ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Manage packaged apps with AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.
+
+## Understanding Packaged apps and Packaged app installers for AppLocker
+
+Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. 
+With packaged apps, it is possible to control the entire app by using a single AppLocker rule.
+
+>**Note:**  AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps.
+ 
+Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, not all these components always share common attributes such as the software’s publisher name, product name, and product version. Therefore, AppLocker controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule.
+
+### <a href="" id="bkmk-compareclassicmetro"></a>Comparing classic Windows apps and packaged apps
+
+AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server 
+2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include:
+
+-   **Installing the apps**   All packaged apps can be installed by a standard user, whereas a number of classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps.
+-   **Changing the system state**   Classic Windows apps can be written to change the system state if they are run with administrative privileges. Most packaged apps cannot change the system state because they run with limited privileges. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes.
+-   **Acquiring the apps**   Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means.
+
+AppLocker uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both.
+
+For info about controlling classic Windows apps, see [Administer AppLocker](administer-applocker.md).
+
+For more info about packaged apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
+
+## Design and deployment decisions
+
+You can use two methods to create an inventory of packaged apps on a computer: the AppLocker console or the **Get-AppxPackage** Windows PowerShell cmdlet.
+
+>**Note:**  Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
+ 
+For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx).
+
+For info about creating rules for Packaged apps, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md).
+
+Consider the following info when you are designing and deploying apps:
+
+-   Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps is not necessary.
+-   You cannot create hash- or path-based rules for packaged apps because all packaged apps and packaged app installers are signed by the software publisher of the package. Classic Windows apps were not always consistently signed; therefore, AppLocker has to support hash- or path-based rules.
+-   By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or 
+Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app. This might be contrary to your design.
+
+    To prevent all packaged apps from running on a newly domain-joined computer, by default AppLocker blocks all packaged apps on a computer running at least Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the exe rule collection. You must take explicit action to allow packaged apps in your enterprise. You can allow only a select set of packaged apps. Or if you want to allow all packaged apps, you can create a default rule for the packaged apps collection.
+
+## Using AppLocker to manage packaged apps
+
+Just as there are differences in managing each rule collection, you need to manage the packaged apps with the following strategy:
+
+1.  Gather information about which Packaged apps are running in your environment. For information about how to do this, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
+
+2.  Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Packaged Apps Default Rules in AppLocker](http://technet.microsoft.com/library/ee460941(WS.10).aspx).
+
+3.  Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md).
+
+4.  Continue to monitor your environment to verify the effectiveness of the rules that are deployed in AppLocker policies. To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).

windows/security/threat-protection/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md

@@ -0,0 +1,39 @@
+---
+title: Merge AppLocker policies by using Set-ApplockerPolicy (Windows 10)
+description: This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
+ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Merge AppLocker policies by using Set-ApplockerPolicy
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
+
+The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy.
+
+For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx).
+
+For info about using Windows PowerShell for AppLocker, including how to import the AppLocker cmdlets into Windows PowerShell, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md).
+
+You can also manually merge AppLocker policies. For the procedure to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md).
+
+**To merge a local AppLocker policy with another AppLocker policy by using LDAP paths**
+1.  Open the PowerShell command window. For info about performing Windows PowerShell commands for AppLocker, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md).
+2.  At the command prompt, type **C:\\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP: //***<string>***"** **-Merge** where *<string>* specifies the LDAP path of the unique GPO.
+
+## Example
+
+Gets the local AppLocker policy, and then merges the policy with the existing AppLocker policy in the GPO specified in the LDAP path.
+
+``` syntax
+C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C044FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge
+```

windows/security/threat-protection/applocker/merge-applocker-policies-manually.md

@@ -0,0 +1,53 @@
+---
+title: Merge AppLocker policies manually (Windows 10)
+description: This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).
+ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Merge AppLocker policies manually
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).
+
+If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker console. You must create one rule collection from two or more policies. For info about merging policies by using the cmdlet, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
+
+The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. Rule collections are specified within the **RuleCollection Type** element. The XML schema includes five attributes for the different rule collections, as shown in the following table:
+
+| Rule collection | RuleCollection Type element |
+| - | - |
+| Executable rules| Exe| 
+| Windows Installer rules| Msi| 
+| Script rules | Script| 
+| DLL rules | Dll| 
+| Packaged apps and packaged app installers|Appx| 
+ 
+Rule enforcement is specified with the **EnforcementMode** element. The three enforcement modes in the XML correspond to the three enforcement modes in the AppLocker console, as shown in the following table:
+
+| XML enforcement mode |Enforcement mode in Group Policy |
+| - | - |
+| NotConfigured | Not configured (rules are enforced)| 
+| AuditOnly | Audit only| 
+| Enabled | Enforce rules| 
+ 
+Each of the three condition types use specific elements. For XML examples of the different rule types, see Merge AppLocker policies manually.
+
+Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
+
+**To merge two or more AppLocker policies**
+
+1.  Open an XML policy file in a text editor or XML editor, such as Notepad.
+2.  Select the rule collection where you want to copy rules from.
+3.  Select the rules that you want to add to another policy file, and then copy the text.
+4.  Open the policy where you want to add the copied rules.
+5.  Select and expand the rule collection where you want to add the rules.
+6.  At the bottom of the rule list for the collection, after the closing element, paste the rules that you copied from the first policy file. Verify that the opening and closing elements are intact, and then save the policy.
+7.  Upload the policy to a reference computer to ensure that it is functioning properly within the GPO.

windows/security/threat-protection/applocker/monitor-application-usage-with-applocker.md

@@ -0,0 +1,86 @@
+---
+title: Monitor app usage with AppLocker (Windows 10)
+description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.
+ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Monitor app usage with AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.
+
+Once you set rules and deploy the AppLocker policies, it is good practice to determine if the policy implementation is what you expected.
+
+### <a href="" id="bkmk-applkr-disc-effect-pol"></a>Discover the effect of an AppLocker policy
+
+You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. For information about creating this document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md). You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules.
+
+-   **Analyze the AppLocker logs in Event Viewer**
+
+    When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are not enforced but are still evaluated to generate audit event data that is written to the AppLocker logs.
+
+    For the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log).
+
+-   **Enable the Audit only AppLocker enforcement setting**
+
+    By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules are properly configured for your organization. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
+
+    For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
+
+-   **Review AppLocker events with Get-AppLockerFileInformation**
+
+    For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you are using the audit-only enforcement mode) and how many times the event has occurred for each file.
+
+    For the procedure to do this, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events).
+
+-   **Review AppLocker events with Test-AppLockerPolicy**
+
+    You can use the **Test-AppLockerPolicy** Windows PowerShell cmdlet to determine whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies.
+
+    For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
+
+### <a href="" id="bkmk-applkr-review-events"></a>Review AppLocker events with Get-AppLockerFileInformation
+
+For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if the **Audit only** enforcement setting is applied) and how many times the event has occurred for each file.
+
+Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
+
+>**Note:**  If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file.
+ 
+**To review AppLocker events with Get-AppLockerFileInformation**
+
+1.  At the command prompt, type **PowerShell**, and then press ENTER.
+2.  Run the following command to review how many times a file would have been blocked from running if rules were enforced:
+
+    `Get-AppLockerFileInformation –EventLog –EventType Audited –Statistics`
+
+3.  Run the following command to review how many times a file has been allowed to run or prevented from running:
+
+    `Get-AppLockerFileInformation –EventLog –EventType Allowed –Statistics`
+
+### <a href="" id="bkmk-applkr-view-log"></a>View the AppLocker Log in Event Viewer
+
+When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
+
+Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
+
+**To view events in the AppLocker log by using Event Viewer**
+
+1.  Open Event Viewer. To do this, click **Start**, type **eventvwr.msc**, and then press ENTER.
+2.  In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**.
+
+AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file 
+formats for further analysis.
+
+## Related topics
+
+- [AppLocker](applocker-overview.md)

windows/security/threat-protection/applocker/optimize-applocker-performance.md

@@ -0,0 +1,34 @@
+---
+title: Optimize AppLocker performance (Windows 10)
+description: This topic for IT professionals describes how to optimize AppLocker policy enforcement.
+ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Optimize AppLocker performance
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes how to optimize AppLocker policy enforcement.
+
+## Optimization of Group Policy
+
+AppLocker policies can be implemented by organization unit (OU) using Group Policy. If so, your Group Policy infrastructure should be optimized and retested for performance when AppLocker policies are added to existing Group Policy Objects (GPOs) or new GPOs are created, as you do with adding any policies to your GPOs.
+
+For more info, see the [Optimizing Group Policy Performance](https://go.microsoft.com/fwlink/p/?LinkId=163238) article in TechNet Magazine.
+
+### AppLocker rule limitations
+
+The more rules per GPO, the longer AppLocker requires for evaluation. There is no set limitation on the number of rules per GPO, but the number of rules that can fit into a 100 MB GPO varies based on the complexity of the rule, such as the number of file hashes included in a single file hash 
+condition.
+
+### Using the DLL rule collection
+
+When the DLL rule collection is enabled, AppLocker must check each DLL that an application loads. The more DLLs, the longer AppLocker requires to complete the evaluation.

windows/security/threat-protection/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md

@@ -0,0 +1,35 @@
+---
+title: Packaged apps and packaged app installer rules in AppLocker (Windows 10)
+description: This topic explains the AppLocker rule collection for packaged app installers and packaged apps.
+ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 10/13/2017
+---
+
+# Packaged apps and packaged app installer rules in AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic explains the AppLocker rule collection for packaged app installers and packaged apps.
+
+Universal Windows apps can be installed through the Microsoft Store or can be sideloaded using the Windows PowerShell cmdlets. Universal Windows apps can be installed by a standard user unlike some Classic Windows applications that sometimes require administrative privileges for installation.
+Typically, an app consists of multiple components – the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections – exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It is therefore possible to control an entire app with a single rule.
+
+AppLocker enforces rules for Universal Windows apps separately from Classic Windows applications. A single AppLocker rule for a Universal Windows app can control both the installation and the running of an app. Because all Universal Windows apps are signed, AppLocker supports only publisher rules for Universal Windows apps. A publisher rule for a Universal Windows app is based on the following attributes of the app:
+
+-   Publisher name
+-   Package name
+-   Package version
+
+In summary, including AppLocker rules for Universal Windows apps in your policy design provides:
+
+-   The ability to control the installation and running of the app
+-   The ability to control all the components of the app with a single rule rather than controlling individual binaries within the app
+-   The ability to create application control policies that survive app updates
+-   Management of Universal Windows apps through Group Policy.

windows/security/threat-protection/applocker/plan-for-applocker-policy-management.md

@@ -0,0 +1,115 @@
+---
+title: Plan for AppLocker policy management (Windows 10)
+description: This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.
+ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Plan for AppLocker policy management
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.
+
+## Policy management
+
+Before you begin the deployment process, consider how the AppLocker rules will be managed. Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization.
+
+### Application and user support policy
+
+Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization. Considerations include:
+
+-   What type of end-user support is provided for blocked applications?
+-   How are new rules added to the policy?
+-   How are existing rules updated?
+-   Are events forwarded for review?
+
+**Help desk support**
+
+If your organization has an established help desk support department in place, consider the following when deploying AppLocker policies:
+
+-   What documentation does your support department require for new policy deployments?
+-   What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload?
+-   Who are the contacts in the support department?
+-   How will the support department resolve application control issues between the end user and those who maintain the AppLocker rules?
+
+**End-user support**
+
+Because AppLocker is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include:
+
+-   Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app?
+-   How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app?
+
+**Using an intranet site**
+
+AppLocker can be configured to display the default message but with a custom URL. You can use this URL to redirect users to a support site that contains information about why the user received the error and which applications are allowed. If you do not display a custom URL for the message when an app is blocked, the default URL is used.
+
+The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link.
+
+![applocker blocked application error message](images/blockedappmsg.gif)
+
+For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md).
+
+**AppLocker event management**
+
+Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. The event details which file tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The 
+AppLocker event log is located in the following path: **Applications and Services Logs\\Microsoft\\Windows\\AppLocker**. The AppLocker log includes three logs:
+
+1.  **EXE and DLL**. Contains events for all files affected by the executable and DLL rule collections (.exe, .com, .dll, and .ocx).
+2.  **MSI and Script**. Contains events for all files affected by the Windows Installer and script rule collections (.msi, .msp, .ps1, .bat, .cmd, .vbs, and .js).
+3.  **Packaged app-Deployment** or **Packaged app-Execution**, contains events for all Universal Windows apps affected by the packaged app and packed app installer rule collection (.appx).
+
+Collecting these events in a central location can help you maintain your AppLocker policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](https://go.microsoft.com/fwlink/p/?LinkId=145012).
+
+### Policy maintenance
+
+As new apps are deployed or existing apps are updated by the software publisher, you will need to make revisions to your rule collections to ensure that the policy is current.
+
+You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](https://go.microsoft.com/fwlink/p/?LinkId=145013) (https://go.microsoft.com/fwlink/p/?LinkId=145013).
+
+>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
+ 
+**New version of a supported app**
+
+When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you are using publisher conditions and the version is not specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app has not altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied.
+
+To determine whether a file has been modified during an app update, review the publisher's release details provided with the update package. You can also review the publisher's web page to retrieve this information. Each file can also be inspected to determine the version.
+
+For files that are allowed or denied with file hash conditions, you must retrieve the new file hash. To add support for a new version and maintain support for the older version, you can either create a new file hash rule for the new version or edit the existing rule and add the new file hash to the list of conditions.
+
+For files with path conditions, you should verify that the installation path has not changed from what is stated in the rule. If the path has changed, you need to update the rule before installing the new version of the app
+
+**Recently deployed app**
+
+To support a new app, you must add one or more rules to the existing AppLocker policy.
+
+**App is no longer supported**
+
+If your organization has determined that it will no longer support an application that has AppLocker rules associated with it, the easiest way to prevent users from running the app is to delete these rules.
+
+**App is blocked but should be allowed**
+
+A file could be blocked for three reasons:
+
+-   The most common reason is that no rule exists to allow the app to run.
+-   There may be an existing rule that was created for the file that is too restrictive.
+-   A deny rule, which cannot be overridden, is explicitly blocking the file.
+
+Before editing the rule collection, first determine what rule is preventing the file from running. You can troubleshoot the problem by using the **Test-AppLockerPolicy** Windows PowerShell cmdlet. For more info about troubleshooting an AppLocker policy, see [Testing and Updating an AppLocker Policy](https://go.microsoft.com/fwlink/p/?LinkId=160269) (https://go.microsoft.com/fwlink/p/?LinkId=160269).
+
+## Next steps
+
+After deciding how your organization will manage your AppLocker policy, record your findings.
+
+-   **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the AppLocker policy, if necessary.
+-   **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis.
+-   **Policy maintenance.** Detail how rules will be added to the policy and in which GPO the rules are defined.
+
+For information and steps how to document your processes, see [Document your application control management processes](document-your-application-control-management-processes.md).

windows/security/threat-protection/applocker/refresh-an-applocker-policy.md

@@ -0,0 +1,58 @@
+---
+title: Refresh an AppLocker policy (Windows 10)
+description: This topic for IT professionals describes the steps to force an update for an AppLocker policy.
+ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Refresh an AppLocker policy
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to force an update for an AppLocker policy.
+
+If you update the rule collection on a local computer by using the Local Security Policy snap-in, the policy will take effect immediately. If Group Policy is used to distribute the AppLocker policy and you want to immediately implement the policy, you must manually refresh the policy. The Group Policy refresh might take several minutes, depending upon the number of policies within the Group Policy Object (GPO) and the number of target computers.
+
+To use Group Policy to distribute the AppLocker policy change, you need to retrieve the deployed AppLocker policy first. To prepare for the update and subsequent refresh, see [Edit an AppLocker policy](edit-an-applocker-policy.md)
+
+[Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md).
+
+To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+
+**To manually refresh the AppLocker policy by using Group Policy**
+
+1.  From a command prompt, type **gpupdate /force**, and then press ENTER.
+2.  When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this by checking the AppLocker event logs for events that include "policy applied."
+
+To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information 
+about creating a new rule for an existing policy, see:
+-   [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+-   [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+-   [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+
+Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
+
+**To refresh the AppLocker policy on the local computer**
+
+-   Update the rule collection by using the Local Security Policy console with one of the following procedures:
+
+    -   [Edit AppLocker rules](edit-applocker-rules.md)
+    -   [Delete an AppLocker rule](delete-an-applocker-rule.md)
+    -   [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
+
+When finished, the policy is in effect.
+
+To make the same change on another device, you can use any of the following methods:
+
+-   From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do this, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer.
+
+    >**Caution:**  When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.
+     
+-   Merge AppLocker policies. For procedures to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).

windows/security/threat-protection/applocker/requirements-for-deploying-applocker-policies.md

@@ -0,0 +1,224 @@
+---
+title: Requirements for deploying AppLocker policies (Windows 10)
+description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
+ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Requirements for deploying AppLocker policies
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
+
+The following requirements must be met or addressed before you deploy your AppLocker policies:
+-   [Deployment plan](#bkmk-reqdepplan)
+-   [Supported operating systems](#bkmk-reqsupportedos)
+-   [Policy distribution mechanism](#bkmk-reqpolicydistmech)
+-   [Event collection and analysis system](#bkmk-reqeventcollectionsystem)
+
+### <a href="" id="bkmk-reqdepplan"></a>Deployment plan
+
+An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)).
+
+<table style="width:100%;">
+<colgroup>
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Organizational unit</th>
+<th align="left">Implement AppLocker?</th>
+<th align="left">Apps</th>
+<th align="left">Installation path</th>
+<th align="left">Use default rule or define new rule condition</th>
+<th align="left">Allow or deny</th>
+<th align="left">GPO name</th>
+<th align="left">Support policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Teller-East and Teller-West</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Teller software</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p>Tellers</p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p>
+<p></p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Help Desk</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Time Sheet Organizer</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
+<td align="left"><p>File is not signed; create a file hash condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>HR-All</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Check Payout</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p>HR</p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Internet Explorer 7</p></td>
+<td align="left"><p>C:\Program Files\Internet Explorer\</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Deny</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Help Desk</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Use the default rule for the Windows path</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Help Desk</p></td>
+</tr>
+</tbody>
+</table>
+ 
+**Event processing policy**
+
+<table>
+<colgroup>
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">AppLocker event collection location</th>
+<th align="left">Archival policy</th>
+<th align="left">Analyzed?</th>
+<th align="left">Security policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Forwarded to: srvBT093</p></td>
+<td align="left"><p>Standard</p></td>
+<td align="left"><p>None</p></td>
+<td align="left"><p>Standard</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>Do not forward</p>
+<p></p></td>
+<td align="left"><p>60 months</p></td>
+<td align="left"><p>Yes; summary reports monthly to managers</p></td>
+<td align="left"><p>Standard</p></td>
+</tr>
+</tbody>
+</table>
+ 
+**Policy maintenance policy**
+
+<table>
+<colgroup>
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Rule update policy</th>
+<th align="left">App decommission policy</th>
+<th align="left">App version policy</th>
+<th align="left">App deployment policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Planned: Monthly through business office triage</p>
+<p>Emergency: Request through Help Desk</p></td>
+<td align="left"><p>Through business office triage; 30-day notice required</p></td>
+<td align="left"><p>General policy: Keep past versions for 12 months</p>
+<p>List policies for each application</p></td>
+<td align="left"><p>Coordinated through business office; 30-day notice required</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>Planned: Through HR triage</p>
+<p>Emergency: Request through Help Desk</p></td>
+<td align="left"><p>Through HR triage; 30-day notice required</p>
+<p></p></td>
+<td align="left"><p>General policy: Keep past versions for 60 months</p>
+<p>List policies for each application</p></td>
+<td align="left"><p>Coordinated through HR; 30-day notice required</p></td>
+</tr>
+</tbody>
+</table>
+ 
+### <a href="" id="bkmk-reqsupportedos"></a>Supported operating systems
+
+AppLocker is supported only on certain operating systems. Some features are not available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
+
+### <a href="" id="bkmk-reqpolicydistmech"></a>Policy distribution mechanism
+
+You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in.
+
+### <a href="" id="bkmk-reqeventcollectionsystem"></a>Event collection and analysis system
+
+Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see:
+-   [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
+-   [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
+-   [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
+
+## See also
+
+- [AppLocker deployment guide](applocker-policies-deployment-guide.md)

windows/security/threat-protection/applocker/requirements-to-use-applocker.md

@@ -0,0 +1,63 @@
+---
+title: Requirements to use AppLocker (Windows 10)
+description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
+ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Requirements to use AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
+
+## General requirements
+
+To use AppLocker, you need:
+
+-   A device running a supported operating system to create the rules. The computer can be a domain controller.
+-   For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
+-   Devices running a supported operating system to enforce the AppLocker rules that you create.
+
+>**Note:**  You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).
+ 
+## Operating system requirements
+
+The following table show the on which operating systems AppLocker features are supported.
+
+| Version | Can be configured | Can be enforced | Available rules | Notes |
+| - | - | - | - | - |
+| Windows 10| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
+| Windows Server 2016<br/>Windows Server 2012 R2<br/>Windows Server 2012| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| | 
+| Windows 8.1 Pro| Yes| No| N/A||
+| Windows 8.1 Enterprise| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| | 
+| Windows RT 8.1| No| No| N/A||  
+| Windows 8 Pro| Yes| No| N/A||
+| Windows 8 Enterprise| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL||  
+| Windows RT| No| No| N/A| |  
+| Windows Server 2008 R2 Standard| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
+| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
+| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.| 
+| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.| 
+| Windows 7 Ultimate| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
+| Windows 7 Enterprise| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.| 
+| Windows 7 Professional| Yes| No| Executable<br/>Windows Installer<br/>Script<br/>DLL| No AppLocker rules are enforced.| 
+ 
+
+AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems.
+
+## See also
+- [Administer AppLocker](administer-applocker.md)
+- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
+- [Optimize AppLocker performance](optimize-applocker-performance.md)
+- [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)
+- [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)
+- [AppLocker Design Guide](applocker-policies-design-guide.md)

windows/security/threat-protection/applocker/run-the-automatically-generate-rules-wizard.md

@@ -0,0 +1,43 @@
+---
+title: Run the Automatically Generate Rules wizard (Windows 10)
+description: This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
+ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Run the Automatically Generate Rules wizard
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
+
+AppLocker allows you to automatically generate rules for all files within a folder. It will scan the specified folder and create the condition types that you choose for each file in that folder.
+
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local device or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+
+**To automatically generate rules**
+
+1.  Open the AppLocker console.
+2.  Right-click the appropriate rule type for which you want to automatically generate rules. You can automatically generate rules for executable, Windows Installer, script and packaged app rules.
+3.  Click **Automatically Generate Rules**.
+4.  On the **Folder and Permissions** page, click **Browse** to choose the folder to be analyzed. By default, this is the Program Files folder.
+5.  Click **Select** to choose the security group in which the default rules should be applied. By default, this is the **Everyone** group.
+6.  The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you have selected. Accept the provided name or type a different name, and then click **Next**.
+7.  On the **Rule Preferences** page, choose the conditions that you want the wizard to use while creating rules, and then click **Next**. For more info about rule conditions, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
+
+    >**Note:**  The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select:
+    
+    -   One publisher condition is created for all files that have the same publisher and product name.
+    -   One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder are not signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**.
+    -   One file hash condition is created that contains all of the file hashes. When rule grouping is disabled, the wizard creates a file hash rule for each file.
+     
+8.  Review the files that were analyzed and the rules that will be automatically created. To make changes, click **Previous** to return to the page where you can change your selections. After reviewing the rules, click **Create**.
+
+>**Note:**  If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules.

windows/security/threat-protection/applocker/script-rules-in-applocker.md

@@ -0,0 +1,38 @@
+---
+title: Script rules in AppLocker (Windows 10)
+description: This topic describes the file formats and available default rules for the script rule collection.
+ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Script rules in AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic describes the file formats and available default rules for the script rule collection.
+
+AppLocker defines script rules to include only the following file formats:
+-   .ps1
+-   .bat
+-   .cmd
+-   .vbs
+-   .js
+
+The following table lists the default rules that are available for the script rule collection.
+
+| Purpose | Name | User | Rule condition type |
+| - | - | - | - |
+| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *|
+| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*| 
+| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*| 
+ 
+## Related topics
+
+- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)

windows/security/threat-protection/applocker/security-considerations-for-applocker.md

@@ -0,0 +1,50 @@
+---
+title: Security considerations for AppLocker (Windows 10)
+description: This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.
+ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Security considerations for AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.
+
+The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for 
+AppLocker:
+
+AppLocker is deployed within an enterprise and administered centrally by those in IT with trusted credentials. This makes its policy creation and deployment conform to similar policy deployment processes and security restrictions.
+
+AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer.
+
+Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/ee460962.aspx).
+
+AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. If the local computer is not joined to a domain and is not administered by Group Policy, a person with administrative credentials can alter the AppLocker policy.
+
+When securing files in a directory with a rule of the path condition type, whether using the allow or deny action on the rule, it is still necessary and good practice to restrict access to those files by setting the access control lists (ACLs) according to your security policy.
+
+AppLocker does not protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe.
+
+You cannot use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem.
+
+AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker cannot control every kind of interpreted code, such as Microsoft Office macros.
+
+>**Important:**  You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded.
+ 
+AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules.
+
+>**Note:**  Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded.
+
+You can block the Windows Subsystem for Linux by blocking LxssManager.dll.
+ 
+## Related topics
+
+- [AppLocker technical reference](applocker-technical-reference.md)

windows/security/threat-protection/applocker/select-types-of-rules-to-create.md

@@ -0,0 +1,74 @@
+---
+title: Select the types of rules to create (Windows 10)
+description: This topic lists resources you can use when selecting your application control policy rules by using AppLocker.
+ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Select the types of rules to create
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic lists resources you can use when selecting your application control policy rules by using AppLocker.
+
+When determining what types of rules to create for each of your groups, you should also determine what enforcement setting to use for each group. Different rule types are more applicable for some apps, depending on the way that the applications are deployed in a specific business group.
+
+The following topics provide additional information about AppLocker rules that can help you decide what rules to use for your applications:
+
+-   [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
+-   [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
+-   [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
+-   [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
+-   [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
+-   [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+
+### Select the rule collection
+
+The rules you create will be in one of the following rule collections:
+
+-   Executable files: .exe and .com
+-   Windows Installer files: .msi, .msp, and .mst
+-   Scripts: .ps1, .bat, .cmd, .vbs, and .js
+-   Packaged apps and packaged app installers: .appx
+-   DLLs: .dll and .ocx
+
+By default, the rules will allow a file to run based upon user or group privilege. If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. The DLL rule collection is not enabled by default.
+
+In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is C:\\Program Files\\Woodgrove\\Teller.exe, and this app needs to be included in a rule. In addition, because this rule is part of a list of allowed applications, all the Windows files under C:\\Windows must be included as well.
+
+### Determine the rule condition
+
+A rule condition is criteria upon which an AppLocker rule is based and can only be one of the rule conditions in the following table.
+
+| Rule condition | Usage scenario | Resources |
+| - | - | - |
+| Publisher | To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released.|For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).
+| Path| Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted).| For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). |
+| File hash | Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version.| For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). |
+ 
+In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is signed and is located at C:\\Program Files\\Woodgrove\\Teller.exe. Therefore, the rule can be defined with a publisher condition. If the rule is defined to a specific version and above (for example, Teller.exe version 8.0 and above), then this will allow any updates to this app to occur without interruption of access to the users if the app's name and signed attributes stay the same.
+
+### Determine how to allow system files to run
+
+Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection.
+
+You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:
+
+-   Traverse Folder/Execute File
+-   Create Files/Write Data
+-   Create Folders/Append Data
+
+These permissions settings are applied to this folder for application compatibility. However, because any user can create files in this location, allowing apps to be run from this location might conflict with your organization's security policy.
+
+## Next steps
+
+After you have selected the types of rules to create, record your findings as explained in [Document your AppLocker rules](document-your-applocker-rules.md).
+
+After recording your findings for the AppLocker rules to create, you will need to consider how to enforce the rules. For info about how to do this, see [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md).

windows/security/threat-protection/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md

@@ -0,0 +1,45 @@
+---
+title: Test an AppLocker policy by using Test-AppLockerPolicy (Windows 10)
+description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
+ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Test an AppLocker policy by using Test-AppLockerPolicy
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
+
+The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collections will be blocked on your reference computer or the computer on which you maintain policies. Perform the following steps on any computer where the AppLocker policies are applied.
+
+Any user account can be used to complete this procedure.
+
+**To test an AppLocker policy by using Test-AppLockerPolicy**
+
+1.  Export the effective AppLocker policy. To do this, you must use the **Get-AppLockerPolicy** Windows PowerShell cmdlet.
+
+    1.  Open a Windows PowerShell command prompt window as an administrator.
+    2.  Use the **Get-AppLockerPolicy** cmdlet to export the effective AppLocker policy to an XML file:
+
+        `Get-AppLockerPolicy –Effective –XML > <PathofFiletoExport.XML>`
+
+2.  Use the **Get-ChildItem** cmdlet to specify the directory that you want to test, specify the **Test-AppLockerPolicy** cmdlet with the XML file from the previous step to test the policy, and use the **Export-CSV** cmdlet to export the results to a file to be analyzed:
+
+    `Get-ChildItem <DirectoryPathtoReview> -Filter <FileExtensionFilter> -Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy <PathToExportedPolicyFile> -User <domain\username> -Filter <TypeofRuletoFilterFor> | Export-CSV <PathToExportResultsTo.CSV>`
+
+The following shows example input for **Test-AppLockerPolicy**:
+
+```syntax
+PS C:\ Get-AppLockerPolicy –Effective –XML > C:\Effective.xml
+PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' –filter *.exe –Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy C:\Effective.xml –User contoso\zwie –Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv
+```
+
+In the example, the effective AppLocker policy is exported to the file C:\\Effective.xml. The **Get-ChildItem** cmdlet is used to recursively gather path names for the .exe files in C:\\Program Files\\Microsoft Office\\. The XMLPolicy parameter specifies that the C:\\Effective.xml file is an XML AppLocker policy file. By specifying the User parameter, you can test the rules for specific users, and the **Export-CSV** cmdlet allows the results to be exported to a comma-separated file. In the example, `-FilterDenied,DeniedByDefault` displays only those files that will be blocked for the user under the policy.

windows/security/threat-protection/applocker/test-and-update-an-applocker-policy.md

@@ -0,0 +1,64 @@
+---
+title: Test and update an AppLocker policy (Windows 10)
+description: This topic discusses the steps required to test an AppLocker policy prior to deployment.
+ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Test and update an AppLocker policy
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic discusses the steps required to test an AppLocker policy prior to deployment.
+
+You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy Object (GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs.
+
+## Step 1: Enable the Audit only enforcement setting
+
+By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
+
+## Step 2: Configure the Application Identity service to start automatically
+
+Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure to do this, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied.
+
+## Step 3: Test the policy
+
+Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PC that are configured to receive your AppLocker policy.
+
+The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
+
+## Step 4: Analyze AppLocker events
+You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis.
+
+**To manually analyze AppLocker events**
+
+You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you have not configured an event subscription, then you will have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md).
+
+**To analyze AppLocker events by using Get-AppLockerFileInformation**
+
+You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem.
+
+For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you are using the **Audit only** enforcement mode) and how many times the event has occurred for each file. For the procedure to do this, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md).
+
+After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this, you can use the Group Policy Results Wizard to view rule names.
+
+## Step 5: Modify the AppLocker policy
+
+After you have identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md).
+
+## Step 6: Repeat policy testing, analysis, and policy modification
+
+Repeat the previous steps 3–5 until all the rules perform as intended before applying enforcement.
+
+## Additional resources
+
+-   For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
+ 
+ 

windows/security/threat-protection/applocker/tools-to-use-with-applocker.md

@@ -0,0 +1,55 @@
+---
+title: Tools to use with AppLocker (Windows 10)
+description: This topic for the IT professional describes the tools available to create and administer AppLocker policies.
+ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Tools to use with AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes the tools available to create and administer AppLocker policies.
+
+The following tools can help you administer the application control policies created by using AppLocker on the local device or by using Group Policy. For info about the basic requirements for using AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
+
+-   **AppLocker Local Security Policy MMC snap-in**
+
+    The AppLocker rules can be maintained by using the Local Security Policy snap-in (secpol.msc) of the Microsoft Management Console (MMC). For procedures to create, modify, and delete AppLocker rules, see [Working with AppLocker rules](working-with-applocker-rules.md).
+
+-   **Generate Default Rules tool**
+
+    AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). For a list of the default rules, see [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules).
+
+-   **Automatically Generate AppLocker Rules wizard**
+
+    By using the Local Security Policy snap-in, you can automatically generate rules for all files within a folder. The wizard will scan the specified folder and create the condition types that you choose for each file in that folder. For info about how to use this wizard, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md).
+
+-   **Group Policy**
+
+    You can edit an AppLocker policy by adding, changing, or removing rules by using the Group Policy Management Console (GPMC).
+
+    If you want additional features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack.
+
+-   **Remote Server Administration Tools (RSAT)**
+
+    You can use a device with a supported operating system that has the Remote Server Administration Tools (RSAT) installed to create and maintain AppLocker policies.
+
+-   **Event Viewer**
+
+    The AppLocker log contains information about applications that are affected by AppLocker rules. For info about using Event Viewer to review the AppLocker logs, see [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md), and [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
+
+-   **AppLocker PowerShell cmdlets**
+
+    The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](https://technet.microsoft.com/itpro/powershell/windows/applocker/applocker).
+
+## Related topics
+
+- [AppLocker technical reference](applocker-technical-reference.md)

windows/security/threat-protection/applocker/understand-applocker-enforcement-settings.md

@@ -0,0 +1,31 @@
+---
+title: Understand AppLocker enforcement settings (Windows 10)
+description: This topic describes the AppLocker enforcement settings for rule collections.
+ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understand AppLocker enforcement settings
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic describes the AppLocker enforcement settings for rule collections.
+
+Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. For more info about rule collections, see [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md). By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. The following table details the three AppLocker rule enforcement settings in Group Policy for each rule collection.
+
+| Enforcement setting | Description |
+| - | - |
+| Not configured | By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the **Not configured** value.| 
+| Enforce rules | Rules are enforced for the rule collection, and all rule events are audited.| 
+| Audit only | Rule events are audited only. Use this value when planning and testing AppLocker rules.| 
+ 
+For the AppLocker policy to be enforced on a device, the Application Identity service must be running. For more info about the Application Identity service, see [Configure the Application Identity service](configure-the-application-identity-service.md).
+
+When AppLocker policies from various GPOs are merged, the enforcement modes are merged by using the standard Group Policy order of inheritance, which is local, domain, site, and organizational unit (OU). The Group Policy setting that was last written or applied by order of inheritance is used for the enforcement mode, and all rules from linked GPOs are applied.

windows/security/threat-protection/applocker/understand-applocker-policy-design-decisions.md

@@ -0,0 +1,230 @@
+---
+title: Understand AppLocker policy design decisions (Windows 10)
+description: This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment.
+ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 10/13/2017
+---
+
+# Understand AppLocker policy design decisions
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment.
+
+When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance.
+
+You should consider using AppLocker as part of your organization's application control policies if all the following are true:
+
+-   You have deployed or plan to deploy the supported versions of Windows in your organization. For specific operating system version requirements, see [Requirements to Use AppLocker](requirements-to-use-applocker.md).
+-   You need improved control over the access to your organization's applications and the data your users access.
+-   The number of applications in your organization is known and manageable.
+-   You have resources to test policies against the organization's requirements.
+-   You have resources to involve Help Desk or to build a self-help process for end-user application access issues.
+-   The group's requirements for productivity, manageability, and security can be controlled by restrictive policies.
+
+The following questions are not in priority or sequential order. They should be considered when you deploy application control policies (as appropriate for your targeted environment).
+
+### Which apps do you need to control in your organization?
+
+You might need to control a limited number of apps because they access sensitive data, or you might have to exclude all applications except those that are sanctioned for business purposes. There might be certain business groups that require strict control, and others that promote independent application usage.
+
+| Possible answers | Design considerations|
+| - | - |
+| Control all apps | AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).|
+| Control specific apps | When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).|
+|Control only Classic Windows applications, only Universal Windows apps, or both| AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Microsoft Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.<br/>For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.|
+| Control apps by business group and user | AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.|
+| Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.|
+|Understand app usage, but there is no need to control any apps yet | AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.|
+ 
+>**Important:**  The following list contains files or types of files that cannot be managed by AppLocker:
+
+-   AppLocker does not protect against running 16-bit DOS binaries in a NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe.
+
+-   You cannot use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem.
+
+-   AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To use AppLocker to control interpreted code, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision that is returned by AppLocker. Not all host processes call into AppLocker. Therefore, AppLocker cannot control every kind of interpreted code, for example Microsoft Office macros.
+
+    >**Important:**  You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded.
+     
+-   AppLocker rules allow or prevent an app from launching. AppLocker does not control the behavior of apps after they are launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded. In practice, an app that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must follow a process that best suits your needs to thoroughly vet each app before allowing them to run using AppLocker rules.
+    
+    For more info, see [Security considerations for AppLocker](security-considerations-for-applocker.md).
+ 
+### <a href="" id="bkmk-compareclassicmetro"></a>Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions
+
+AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Microsoft Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. The differences you should consider for Universal Windows apps are:
+
+-   All Universal Windows apps can be installed by a standard user, whereas a number of Classic Windows applications require administrative credentials to install. So in an environment where most of the users are standard users, you might not need numerous exe rules, but you might want more explicit policies for packaged apps.
+-   Classic Windows applications can be written to change the system state if they run with administrative credentials. Most Universal Windows apps cannot change the system state because they run with limited permissions. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes.
+-   Universal Windows apps can be acquired through the Store, or they can be side-loaded by using Windows PowerShell cmdlets. If you use Windows PowerShell cmdlets, a special Enterprise license is required to acquire Universal Windows apps. Classic Windows applications can be acquired through traditional means, such as through software vendors or retail distribution.
+
+AppLocker controls Universal Windows apps and Classic Windows applications by using different rule collections. You have the choice to control Universal Windows apps, Classic Windows applications, or both.
+
+For more info, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
+
+### How do you currently control app usage in your organization?
+
+Most organizations have evolved app control policies and methods over time. With heightened security concerns and an emphasis on tighter IT control over desktop use, your organization might decide to consolidate app control practices or design a comprehensive application control scheme. AppLocker includes improvements over SRP in the architecture and management of application control policies.
+
+| Possible answers | Design considerations |
+| - | - |
+| Security polices (locally set or through Group Policy) | Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method.| 
+| Non-Microsoft app control software | Using AppLocker requires a complete app control policy evaluation and implementation.| 
+| Managed usage by group or OU | Using AppLocker requires a complete app control policy evaluation and implementation.| 
+| Authorization Manager or other role-based access technologies | Using AppLocker requires a complete app control policy evaluation and implementation.| 
+| Other | Using AppLocker requires a complete app control policy evaluation and implementation.| 
+ 
+### Which Windows desktop and server operating systems are running in your organization?
+
+If your organization supports multiple Windows operating systems, app control policy planning becomes more complex. Your initial design decisions should consider the security and management priorities of applications that are installed on each version of the operating system.
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Possible answers</th>
+<th align="left">Design considerations</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Your organization's computers are running a combination of the following operating systems:</p>
+<ul>
+<li><p>Windows 10</p></li>
+<li><p>Windows 8</p></li>
+<li><p>Windows 7</p></li>
+<li><p>Windows Vista</p></li>
+<li><p>Windows XP</p></li>
+<li><p>Windows Server 2012</p></li>
+<li><p>Windows Server 2008 R2</p></li>
+<li><p>Windows Server 2008</p></li>
+<li><p>Windows Server 2003</p></li>
+</ul></td>
+<td align="left"><p>AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).</p>
+<div class="alert">
+<strong>Note</strong>  
+<p>If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.</p>
+</div>
+<div>
+ 
+</div>
+<p>AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Your organization's computers are running only the following operating systems:</p>
+<ul>
+<li><p>Windows 10</p></li>
+<li><p>Windows 8.1</p></li>
+<li><p>Windows 8</p></li>
+<li><p>Windows 7</p></li>
+<li><p>Windows Server 2012 R2</p></li>
+<li><p>Windows Server 2012</p></li>
+<li><p>Windows Server 2008 R2</p></li>
+</ul></td>
+<td align="left"><p>Use AppLocker to create your application control policies.</p></td>
+</tr>
+</tbody>
+</table>
+ 
+### Are there specific groups in your organization that need customized application control policies?
+
+Most business groups or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization.
+
+| Possible answers | Design considerations |
+| - | - |
+| Yes | For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.<br/>If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.|
+| No | AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.|
+ 
+### Does your IT department have resources to analyze application usage, and to design and manage the policies?
+
+The time and resources that are available to you to perform the research and analysis can affect the detail of your plan and processes for continuing policy management and maintenance.
+
+| Possible answers | Design considerations |
+| - | - |
+| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.|
+| No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. |
+ 
+### Does your organization have Help Desk support?
+
+Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered.
+
+| Possible answers | Design considerations |
+| - | - |
+| Yes | Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications. |
+| No | Invest time in developing online support processes and documentation before deployment. |
+
+ 
+### Do you know what applications require restrictive policies?
+Any successful application control policy implementation is based on your knowledge and understanding of app usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the apps that access that data.
+
+| Possible answers | Design considerations |
+| - | - |
+| Yes | You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. |
+| No | You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in **Audit only** mode, and tools to view the event logs.|
+ 
+### How do you deploy or sanction applications (upgraded or new) in your organization?
+
+Implementing a successful application control policy is based on your knowledge and understanding of application usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the applications that access that data. Understanding the upgrade and deployment policy will help shape the construction of the application control policies.
+
+| Possible answers | Design considerations |
+| - | - |
+| Ad hoc | You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls.| 
+|  Strict written policy or guidelines to follow | You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules. |
+| No process in place | You need to determine if you have the resources to develop an application control policy, and for which groups. |
+
+ 
+### Does your organization already have SRP deployed?
+
+Although SRP and AppLocker have the same goal, AppLocker is a major revision of SRP.
+
+| Possible answers | Design considerations |
+| - | - |
+| Yes | You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.<br/><br/>**Note:** If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems.|
+| No | Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems. |
+ 
+### What are your organization's priorities when implementing application control policies?
+
+Some organizations will benefit from application control policies as shown by an increase in productivity or conformance, while others will be hindered in performing their duties. Prioritize these aspects for each group to allow you to evaluate the effectiveness of AppLocker.
+
+| Possible answers | Design considerations |
+| - | - |
+| Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. |
+| Management: The organization is aware of and controls the apps it supports. | In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps|
+| Security: The organization must protect data in part by ensuring that only approved apps are used. | AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.|
+ 
+### How are apps currently accessed in your organization?
+
+AppLocker is very effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a small number of rules.
+
+| Possible answers | Design considerations |
+| - | - |
+| Users run without administrative rights. | Apps are installed by using an installation deployment technology.|
+| AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.<br/>**Note: **AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.| Users must be able to install applications as needed. 
+| Users currently have administrator access, and it would be difficult to change this.|Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the **Audit only** enforcement setting through AppLocker.|
+ 
+### Is the structure in Active Directory Domain Services based on the organization's hierarchy?
+
+Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. 
+Because the effectiveness of application control policies is dependent on the ability to update policies, consider what organizational work needs to be accomplished before deployment begins.
+
+| Possible answers | Design considerations |
+| - | - |
+| Yes | AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure.|
+| No | The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.|
+ 
+## Record your findings
+
+The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, tyou can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document.
+
+-   For info about setting your policy goals, see [Determine your application control objectives](determine-your-application-control-objectives.md).
+-   For info about creating your planning document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md).

windows/security/threat-protection/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md

@@ -0,0 +1,46 @@
+---
+title: Understand AppLocker rules and enforcement setting inheritance in Group Policy (Windows 10)
+description: This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
+ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understand AppLocker rules and enforcement setting inheritance in Group Policy
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
+
+Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into the following collections: executable files, Windows Installer files, scripts, packaged apps and packaged app installers, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy.
+
+Group Policy merges AppLocker policy in two ways:
+
+-   **Rules.** Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO). For example, if the current GPO has 12 rules and a linked GPO has 50 rules, 62 rules are applied to all computers that receive the AppLocker policy.
+    >**Important:**  When determining whether a file is permitted to run, AppLocker processes rules in the following order:
+
+    1.  **Explicit deny.** An administrator created a rule to deny a file.
+    2.  **Explicit allow.** An administrator created a rule to allow a file.
+    3.  **Implicit deny.** This is also called the default deny because all files that are not affected by an allow rule are automatically blocked.
+     
+-   **Enforcement settings.** The last write to the policy is applied. For example, if a higher-level GPO has the enforcement setting configured to **Enforce rules** and the closest GPO has the setting configured to **Audit only**, **Audit only** is enforced. If enforcement is not configured on the closest GPO, the setting from the closest linked GPO will be enforced.
+Because a computer's effective policy includes rules from each linked GPO, duplicate rules or conflicting rules could be enforced on a user's computer. Therefore, you should carefully plan your deployment to ensure that only rules that are necessary are present in a GPO.
+
+The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs.
+
+![applocker rule enforcement inheritance chart](images/applocker-plan-inheritance.gif)
+
+In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced.
+
+When constructing the Group Policy architecture for applying AppLocker policies, it is important to remember:
+
+-   Rule collections that are not configured will be enforced.
+-   Group Policy does not overwrite or replace rules that are already present in a linked GPO.
+-   AppLocker processes the explicit deny rule configuration before the allow rule configuration.
+-   For rule enforcement, the last write to the GPO is applied.

windows/security/threat-protection/applocker/understand-the-applocker-policy-deployment-process.md

@@ -0,0 +1,36 @@
+---
+title: Understand the AppLocker policy deployment process (Windows 10)
+description: This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.
+ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understand the AppLocker policy deployment process
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.
+
+To successfully deploy AppLocker policies, you need to identify your application control objectives and construct the policies for those objectives. The key to the process is taking an accurate inventory of your organization's applications, which requires investigation of all the targeted business groups. With an accurate inventory, you can create rules and set enforcement criteria that will allow the organization to use the required applications and allow the IT department to manage a controlled set of applications.
+
+The following diagram shows the main points in the design, planning, and deployment process for AppLocker.
+
+![applocker quick reference guide](images/applocker-plandeploy-quickreference.gif)
+
+## Resources to support the deployment process
+
+The following topics contain information about designing, planning, deploying, and maintaining AppLocker policies:
+
+-   For info about the AppLocker policy design and planning requirements and process, see [AppLocker Design Guide](applocker-policies-design-guide.md).
+-   For info about the AppLocker policy deployment requirements and process, see [AppLocker deployment guide](applocker-policies-deployment-guide.md).
+-   For info about AppLocker policy maintenance and monitoring, see [Administer AppLocker](administer-applocker.md).
+-   For info about AppLocker policy architecture, components, and processing, see [AppLocker technical reference](applocker-technical-reference.md).
+ 
+ 

windows/security/threat-protection/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md

@@ -0,0 +1,41 @@
+---
+title: Understanding AppLocker allow and deny actions on rules (Windows 10)
+description: This topic explains the differences between allow and deny actions on AppLocker rules.
+ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understanding AppLocker allow and deny actions on rules
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic explains the differences between allow and deny actions on AppLocker rules.
+
+## Allow action versus deny action on rules
+
+Unlike Software Restriction Policies (SRP), each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This configuration makes it easier to determine what will occur when an AppLocker rule is applied.
+
+You can also create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file.
+
+### Deny rule considerations
+
+Although you can use AppLocker to create a rule to allow all files to run and then use rules to deny specific files, this configuration is not recommended. The deny action is generally less secure than the allow action because a malicious user could modify the file to invalidate the rule. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path. The following table details security concerns for different rule conditions with deny actions.
+
+| Rule condition | Security concern with deny action |
+| - | - |
+| Publisher | A user could modify the properties of a file (for example, re-signing the file with a different certificate).|
+| File hash | A user could modify the hash for a file.|
+| Path | A user could move the denied file to a different location and run it from there.|
+ 
+>**Important:**  If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running.
+ 
+## Related topics
+
+- [How AppLocker works](how-applocker-works-techref.md)

windows/security/threat-protection/applocker/understanding-applocker-default-rules.md

@@ -0,0 +1,47 @@
+---
+title: Understanding AppLocker default rules (Windows 10)
+description: This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied.
+ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understanding AppLocker default rules
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied.
+
+AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.
+
+>**Important:**  You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run.
+ 
+If you require additional app security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. 
+The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:
+
+-   Traverse Folder/Execute File
+-   Create Files/Write Data
+-   Create Folders/Append Data
+
+These permissions settings are applied to this folder for app compatibility. However, because any user can create files in this location, allowing applications to be run from this location might conflict with your organization's security policy.
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Executable rules in AppLocker](executable-rules-in-applocker.md) | This topic describes the file formats and available default rules for the executable rule collection. |
+| [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) | This topic describes the file formats and available default rules for the Windows Installer rule collection.|
+| [Script rules in AppLocker](script-rules-in-applocker.md) | This topic describes the file formats and available default rules for the script rule collection.| 
+| [DLL rules in AppLocker](dll-rules-in-applocker.md) | This topic describes the file formats and available default rules for the DLL rule collection.| 
+| [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) | This topic explains the AppLocker rule collection for packaged app installers and packaged apps.| 
+ 
+## Related topics
+
+- [How AppLocker works](how-applocker-works-techref.md)
+- [Create AppLocker default rules](create-applocker-default-rules.md)

windows/security/threat-protection/applocker/understanding-applocker-rule-behavior.md

@@ -0,0 +1,32 @@
+---
+title: Understanding AppLocker rule behavior (Windows 10)
+description: This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
+ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understanding AppLocker rule behavior
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
+
+If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run.
+
+A rule can be configured to use either an allow or deny action:
+
+-   **Allow**. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+-   **Deny**. You can specify which files are not allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+
+>**Important:**  You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.
+ 
+## Related topics
+
+- [How AppLocker works](how-applocker-works-techref.md)

windows/security/threat-protection/applocker/understanding-applocker-rule-collections.md

@@ -0,0 +1,39 @@
+---
+title: Understanding AppLocker rule collections (Windows 10)
+description: This topic explains the five different types of AppLocker rules used to enforce AppLocker policies.
+ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understanding AppLocker rule collections
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic explains the five different types of AppLocker rules used to enforce AppLocker policies.
+
+An AppLocker rule collection is a set of rules that apply to one of five types:
+
+-   Executable files: .exe and .com
+-   Windows Installer files: .msi, mst, and .msp
+-   Scripts: .ps1, .bat, .cmd, .vbs, and .js
+-   DLLs: .dll and .ocx
+-   Packaged apps and packaged app installers: .appx
+
+If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps.
+
+>**Important:**  Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default.
+ 
+For info about how to enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).
+
+## Related topics
+
+- [How AppLocker works](how-applocker-works-techref.md)
+- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+

windows/security/threat-protection/applocker/understanding-applocker-rule-condition-types.md

@@ -0,0 +1,58 @@
+---
+title: Understanding AppLocker rule condition types (Windows 10)
+description: This topic for the IT professional describes the three types of AppLocker rule conditions.
+ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understanding AppLocker rule condition types
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes the three types of AppLocker rule conditions.
+
+Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash.
+
+**Publisher**
+
+To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released. For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).
+
+**Path**
+
+Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted). For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
+
+**File hash**
+
+Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is unique to that the version of the file. For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md).
+
+### Considerations
+
+Selecting the appropriate condition for each rule depends on the overall application control policy goals of the organization, the AppLocker rule maintenance goals, and the condition of the existing (or planned) application deployment. The following questions can help you decide which rule condition to use.
+
+1.  Is the file digitally signed by a software publisher?
+
+    If the file is signed by a software publisher, we recommend that you create rules with publisher conditions. You may still create file hash and path conditions for signed files. However, if the file is not digitally signed by a software publisher, you can:
+
+    -   Sign the file by using an internal certificate.
+    -   Create a rule by using a file hash condition.
+    -   Create a rule by using a path condition.
+    
+        >**Note:**  To determine how many applications on a reference computer are digitally signed, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet for a directory of files. For example, 
+        `Get-AppLockerFileInformation –Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory.
+         
+2.  What rule condition type does your organization prefer?
+    
+    If your organization is already using Software Restriction Policies (SRP) to restrict what files users can run, rules using file hash or path conditions are probably already in place.
+    
+    >**Note:**  For a list of supported operating system versions and editions to which SRP and AppLocker rules can be applied, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
+     
+## Related topics
+
+- [How AppLocker works](how-applocker-works-techref.md)

windows/security/threat-protection/applocker/understanding-applocker-rule-exceptions.md

@@ -0,0 +1,29 @@
+---
+title: Understanding AppLocker rule exceptions (Windows 10)
+description: This topic describes the result of applying AppLocker rule exceptions to rule collections.
+ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understanding AppLocker rule exceptions
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic describes the result of applying AppLocker rule exceptions to rule collections.
+
+You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset.
+
+For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but does not allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception of the rule).  
+The effect of this rule would prevent users such as Helpdesk personnel from running the Registry Editor, a program that is necessary for their support tasks.  
+To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor" and add %WINDIR%\regedit.exe as an allowed path. If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor.
+
+## Related topics
+
+- [How AppLocker works](how-applocker-works-techref.md)

windows/security/threat-protection/applocker/understanding-the-file-hash-rule-condition-in-applocker.md

@@ -0,0 +1,31 @@
+---
+title: Understanding the file hash rule condition in AppLocker (Windows 10)
+description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied.
+ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understanding the file hash rule condition in AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied.
+
+File hash rules use a system-computed cryptographic hash of the identified file. For files that are not digitally signed, file hash rules are more secure than path rules. The following table describes the advantages and disadvantages of the file hash condition.
+
+| File hash condition advantages | File hash condition disadvantages |
+| - | - |
+| Because each file has a unique hash, a file hash condition applies to only one file. | Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules.|
+ 
+For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
+
+## Related topics
+
+- [How AppLocker works](how-applocker-works-techref.md)

windows/security/threat-protection/applocker/understanding-the-path-rule-condition-in-applocker.md

@@ -0,0 +1,69 @@
+---
+title: Understanding the path rule condition in AppLocker (Windows 10)
+description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied.
+ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understanding the path rule condition in AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied.
+
+The path condition identifies an application by its location in the file system of the computer or on the network.
+
+When creating a rule that uses a deny action, path conditions are less secure than publisher and file hash conditions for preventing access to a file because a user could easily copy the file to a different location than the location specified in the rule. Because path rules specify locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file under that location will be allowed to run, including within users' profiles. The following table describes the advantages and disadvantages of the path condition.
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Path condition advantages</th>
+<th align="left">Path condition disadvantages</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><ul>
+<li><p>You can easily control many folders or a single file.</p></li>
+<li><p>You can use the asterisk (*) as a wildcard character within path rules.</p></li>
+</ul></td>
+<td align="left"><ul>
+<li><p>It might be less secure if a rule that is configured to use a folder path contains subfolders that are writable by non-administrators.</p></li>
+<li><p>You must specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.</p></li>
+</ul></td>
+</tr>
+</tbody>
+</table>
+ 
+AppLocker does not enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.
+
+The asterisk (\*) wildcard character can be used within **Path** field. The asterisk (\*) character used by itself represents any path. When combined with any string value, the rule is limited to the path of the file and all the files under that path. For example, %ProgramFiles%\\Internet Explorer\\\* indicates that all files and subfolders within the Internet Explorer folder will be affected by the rule.
+
+AppLocker uses path variables for well-known directories in Windows. Path variables are not environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables.
+
+| Windows directory or drive | AppLocker path variable | Windows environment variable |
+| - | - | - |
+| Windows | %WINDIR% | %SystemRoot% | 
+| System32 | %SYSTEM32%| %SystemDirectory%| 
+| Windows installation directory | %OSDRIVE%|%SystemDrive%| 
+| Program Files | %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)%| 
+| Removable media (for example, CD or DVD) | %REMOVABLE%| |
+| Removable storage device (for example, USB flash drive)| %HOT%|||  
+ 
+For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
+
+## Related topics
+
+- [How AppLocker works](how-applocker-works-techref.md)

windows/security/threat-protection/applocker/understanding-the-publisher-rule-condition-in-applocker.md

@@ -0,0 +1,91 @@
+---
+title: Understanding the publisher rule condition in AppLocker (Windows 10)
+description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied.
+ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Understanding the publisher rule condition in AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied.
+
+Publisher conditions can be made only for files that are digitally signed; this condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the app is part of and the version number of the app. The publisher may be a software development company, such as Microsoft, or the Information Technology department of your organization.
+Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages 
+of the publisher condition.
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Publisher condition advantages</th>
+<th align="left">Publisher condition disadvantages</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><ul>
+<li><p>Frequent updating is not required.</p></li>
+<li><p>You can apply different values within a certificate.</p></li>
+<li><p>A single rule can be used to allow an entire product suite.</p></li>
+<li><p>You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.</p></li>
+</ul></td>
+<td align="left"><ul>
+<li><p>The file must be signed.</p></li>
+<li><p>Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.</p></li>
+</ul></td>
+</tr>
+</tbody>
+</table>
+ 
+Wildcard characters can be used as values in the publisher rule fields according to the following specifications:
+
+-   **Publisher**
+
+    The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name “\*x\*”. A question mark (?) is not a valid wildcard character in this field.
+
+-   **Product name**
+
+    The asterisk (\*) character used by itself represents any product name. When combined with any string value, the rule is limited to the product of the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. A question mark (?) is not a valid wildcard character in this field.
+
+-   **File name**
+
+    Either the asterisk (\*) or question mark (?) characters used by themselves represent any and all file names. When combined with any string value, the string is matched with any file name containing that string.
+
+-   **File version**
+
+    The asterisk (\*) character used by itself represents any file version. If you want to limit the file version to a specific version or as a starting point, you can state the file version and then use the following options to apply limits:
+
+    -   **Exactly**. The rule applies only to this version of the app
+    -   **And above**. The rule applies to this version and all later versions.
+    -   **And Below**. The rule applies to this version and all earlier versions.
+
+The following table describes how a publisher condition is applied.
+
+| Option | The publisher condition allows or denies…|
+| - | - |
+| **All signed files** | All files that are signed by a publisher.| 
+| **Publisher only** | All files that are signed by the named publisher.| 
+| **Publisher and product name** | All files for the specified product that are signed by the named publisher.| 
+| **Publisher, product name, and file name** | Any version of the named file for the named product that is signed by the publisher.| 
+| **Publisher, product name, file name, and file version** | **Exactly**<br/>The specified version of the named file for the named product that is signed by the publisher.| 
+| **Publisher, product name, file name, and file version** | **And above**<br/>The specified version of the named file and any new releases for the product that are signed by the publisher.| 
+| **Publisher, product name, file name, and file version**| **And below**<br/>The specified version of the named file and any older versions for the product that are signed by the publisher.| 
+| **Custom** | You can edit the **Publisher**, **Product name**, **File name**, and **Version** fields to create a custom rule.| 
+ 
+For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
+
+## Related topics
+
+- [How AppLocker works](how-applocker-works-techref.md)

windows/security/threat-protection/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md

@@ -0,0 +1,86 @@
+
+---
+title: Use a reference device to create and maintain AppLocker policies (Windows 10)
+description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
+ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Use a reference device to create and maintain AppLocker policies
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
+
+## Background and prerequisites
+
+An AppLocker reference device is a baseline device you can use to configure policies and can subsequently be used to maintain AppLocker policies. For the procedure to configure a reference device, see [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md).
+
+An AppLocker reference device that is used to create and maintain AppLocker policies should contain the corresponding apps for each organizational unit (OU) to mimic your production environment.
+
+>**Important:**  The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
+ 
+You can perform AppLocker policy testing on the reference device by using the **Audit only** enforcement setting or Windows PowerShell cmdlets. You can also use the reference device as part of a testing configuration that includes policies that are created by using Software Restriction Policies.
+
+## Step 1: Automatically generate rules on the reference device
+
+With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For the procedure to do this, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md).
+
+>**Note:**  If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules.
+ 
+## Step 2: Create the default rules on the reference device
+
+AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You must run the default rules for each rule collection. For info about default rules and considerations for using them, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md). For the procedure to create default rules, see [Create AppLocker default rules](create-applocker-default-rules.md).
+
+>**Important:**  You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.
+ 
+## Step 3: Modify rules and the rule collection on the reference device
+
+If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). If no AppLocker policies have been deployed, create the rules and develop the policies by using the following procedures:
+
+-   [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+-   [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+-   [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+-   [Edit AppLocker rules](edit-applocker-rules.md)
+-   [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
+-   [Delete an AppLocker rule](delete-an-applocker-rule.md)
+-   [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
+-   [Enforce AppLocker rules](enforce-applocker-rules.md)
+
+## Step 4: Test and update AppLocker policy on the reference device
+
+You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step:
+
+-   [Test an AppLocker Policy with Test-AppLockerPolicy](http://technet.microsoft.com/library/ee791772(WS.10).aspx)
+-   [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx)
+
+>**Caution:**  If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect.
+ 
+## Step 5: Export and import the policy into production
+
+When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that are not managed by Group Policy) and checked for its intended effectiveness. To do this, perform the following procedures:
+
+-   [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)
+-   [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or
+-   [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx)
+
+If the AppLocker policy enforcement setting is **Audit only** and you are satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
+
+## Step 6: Monitor the effect of the policy in production
+
+If additional refinements or updates are necessary after a policy is deployed, use the appropriate following procedures to monitor and update the policy:
+
+-   [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
+-   [Edit an AppLocker policy](edit-an-applocker-policy.md)
+-   [Refresh an AppLocker policy](refresh-an-applocker-policy.md)
+
+## See also
+
+- [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)

windows/security/threat-protection/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md

@@ -0,0 +1,163 @@
+---
+title: Use AppLocker and Software Restriction Policies in the same domain (Windows 10)
+description: This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
+ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Use AppLocker and Software Restriction Policies in the same domain
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
+
+## Using AppLocker and Software Restriction Policies in the same domain
+
+AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running 
+Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, 
+Windows 7 and later, the SRP policies are ignored.
+
+The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker.
+<table>
+<colgroup>
+<col width="33%" />
+<col width="33%" />
+<col width="33%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Application control function</th>
+<th align="left">SRP</th>
+<th align="left">AppLocker</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Scope</p></td>
+<td align="left"><p>SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.</p></td>
+<td align="left"><p>AppLocker policies apply only to Windows Server 2008 R2, Windows 7, and later.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Policy creation</p></td>
+<td align="left"><p>SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.</p></td>
+<td align="left"><p>AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.</p>
+<p>AppLocker permits customization of error messages to direct users to a Web page for help.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Policy maintenance</p></td>
+<td align="left"><p>SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).</p></td>
+<td align="left"><p>AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Policy application</p></td>
+<td align="left"><p>SRP policies are distributed through Group Policy.</p></td>
+<td align="left"><p>AppLocker policies are distributed through Group Policy.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Enforcement mode</p></td>
+<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.</p>
+<p>SRP can also be configured in the “allow list mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
+<td align="left"><p>AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>File types that can be controlled</p></td>
+<td align="left"><p>SRP can control the following file types:</p>
+<ul>
+<li><p>Executables</p></li>
+<li><p>Dlls</p></li>
+<li><p>Scripts</p></li>
+<li><p>Windows Installers</p></li>
+</ul>
+<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.</p></td>
+<td align="left"><p>AppLocker can control the following file types:</p>
+<ul>
+<li><p>Executables</p></li>
+<li><p>Dlls</p></li>
+<li><p>Scripts</p></li>
+<li><p>Windows Installers</p></li>
+<li><p>Packaged apps and installers</p></li>
+</ul>
+<p>AppLocker maintains a separate rule collection for each of the five file types.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Designated file types</p></td>
+<td align="left"><p>SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.</p></td>
+<td align="left"><p>AppLocker currently supports the following file extensions:</p>
+<ul>
+<li><p>Executables (.exe, .com)</p></li>
+<li><p>Dlls (.ocx, .dll)</p></li>
+<li><p>Scripts (.vbs, .js, .ps1, .cmd, .bat)</p></li>
+<li><p>Windows Installers (.msi, .mst, .msp)</p></li>
+<li><p>Packaged app installers (.appx)</p></li>
+</ul></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Rule types</p></td>
+<td align="left"><p>SRP supports four types of rules:</p>
+<ul>
+<li><p>Hash</p></li>
+<li><p>Path</p></li>
+<li><p>Signature</p></li>
+<li><p>Internet zone</p></li>
+</ul></td>
+<td align="left"><p>AppLocker supports three types of rules:</p>
+<ul>
+<li><p>File hash</p></li>
+<li><p>Path</p></li>
+<li><p>Publisher</p></li>
+</ul></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Editing the hash value</p></td>
+<td align="left"><p>In Windows XP, you could use SRP to provide custom hash values.</p>
+<p>Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, not provide the hash value.</p></td>
+<td align="left"><p>AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and a SHA2 flat file hash for the rest.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Support for different security levels</p></td>
+<td align="left"><p>With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.</p>
+<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).</p></td>
+<td align="left"><p>AppLocker does not support security levels.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Manage Packaged apps and Packaged app installers.</p></td>
+<td align="left"><p>Not supported</p></td>
+<td align="left"><p>.appx is a valid file type which AppLocker can manage.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Targeting a rule to a user or a group of users</p></td>
+<td align="left"><p>SRP rules apply to all users on a particular computer.</p></td>
+<td align="left"><p>AppLocker rules can be targeted to a specific user or a group of users.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Support for rule exceptions</p></td>
+<td align="left"><p>SRP does not support rule exceptions.</p></td>
+<td align="left"><p>AppLocker rules can have exceptions which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Support for audit mode</p></td>
+<td align="left"><p>SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.</p></td>
+<td align="left"><p>AppLocker supports audit mode which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Support for exporting and importing policies</p></td>
+<td align="left"><p>SRP does not support policy import/export.</p></td>
+<td align="left"><p>AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Rule enforcement</p></td>
+<td align="left"><p>Internally, SRP rules enforcement happens in the user-mode which is less secure.</p></td>
+<td align="left"><p>Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode which is more secure than enforcing them in the user-mode.</p></td>
+</tr>
+</tbody>
+</table>
+ 
+ 
+ 

windows/security/threat-protection/applocker/use-the-applocker-windows-powershell-cmdlets.md

@@ -0,0 +1,54 @@
+---
+title: Use the AppLocker Windows PowerShell cmdlets (Windows 10)
+description: This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
+ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Use the AppLocker Windows PowerShell cmdlets
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
+
+## AppLocker Windows PowerShell cmdlets
+
+The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the 
+Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console.
+
+To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the 
+Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer.
+
+### Retrieve application information
+
+The [Get-AppLockerFileInformation](http://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. 
+
+File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.
+
+### Set AppLocker policy
+
+The [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx) cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default.
+
+### Retrieve an AppLocker policy
+
+The [Get-AppLockerPolicy](http://technet.microsoft.com/library/hh847214.aspx) cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the device. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string.
+
+### Generate rules for a given user or group
+
+The [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the 
+list of file information.
+
+### Test the AppLocker Policy against a file set
+
+The [Test-AppLockerPolicy](http://technet.microsoft.com/library/hh847213.aspx) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user.
+
+## Additional resources
+
+-   For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).

windows/security/threat-protection/applocker/using-event-viewer-with-applocker.md

@@ -0,0 +1,64 @@
+---
+title: Using Event Viewer with AppLocker (Windows 10)
+description: This topic lists AppLocker events and describes how to use Event Viewer with AppLocker.
+ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Using Event Viewer with AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic lists AppLocker events and describes how to use Event Viewer with AppLocker.
+
+The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about:
+
+-   Which file is affected and the path of that file
+-   Which packaged app is affected and the package identifier of the app
+-   Whether the file or packaged app is allowed or blocked
+-   The rule type (path, file hash, or publisher)
+-   The rule name
+-   The security identifier (SID) for the user or group identified in the rule
+
+Review the entries in the Event Viewer to determine if any applications are not included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%).
+
+For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
+
+**To review the AppLocker log in Event Viewer**
+
+1.  Open Event Viewer.
+2.  In the console tree under **Application and Services Logs\\Microsoft\\Windows**, click **AppLocker**.
+
+The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules.
+
+| Event ID | Level | Event message | Description |
+| - | - | - | - |
+| 8000 | Error| Application Identity Policy conversion failed. Status  *<%1> *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.| 
+| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| 
+| 8002 | Information|  *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| 
+| 8003 | Warning|  *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the  **Audit only ** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the  **Enforce rules ** enforcement mode were enabled. |
+| 8004 | Error|  *<File name> * was not allowed to run.| Access to  *<file name> * is restricted by the administrator. Applied only when the  **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.| 
+| 8005| Information|  *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| 
+| 8006 | Warning|  *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the  **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the  **Enforce rules ** enforcement mode were enabled. |
+| 8007 | Error|  *<File name> * was not allowed to run.| Access to  *<file name> * is restricted by the administrator. Applied only when the  **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.| 
+| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| 
+| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| 
+| 8021|  Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| 
+| 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.| 
+| 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.|
+| 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| 
+| 8025 | Warning| Packaged app installation disabled.| Added in Windows Server 2012 and Windows 8.| 
+| 8027 | Warning| No Packaged app rule configured.| Added in Windows Server 2012 and Windows 8.| 
+ 
+## Related topics
+
+- [Tools to use with AppLocker](tools-to-use-with-applocker.md)
+ 
+ 

windows/security/threat-protection/applocker/using-software-restriction-policies-and-applocker-policies.md

@@ -0,0 +1,63 @@
+---
+title: Use Software Restriction Policies and AppLocker policies (Windows 10)
+description: This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.
+ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Use Software Restriction Policies and AppLocker policies
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.
+
+## Understand the difference between SRP and AppLocker
+
+You might want to deploy application control policies in Windows operating systems earlier than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the supported versions and editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). However, you can use SRP on those supported editions of Windows plus Windows Server 2003 and Windows XP. To compare features and functions in SRP and AppLocker so that you can determine when to use each technology to meet your application control objectives, see [Determine your application control objectives](determine-your-application-control-objectives.md).
+
+## Use SRP and AppLocker in the same domain
+
+SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they are applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md).
+
+>**Important:**  As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO.
+ 
+The following scenario provides an example of how each type of policy would affect a bank teller software app, where the app is deployed on different Windows desktop operating systems and managed by the Tellers GPO.
+
+| Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP | Tellers GPO with AppLocker policy and SRP |
+| - | - | - | - |
+| Windows 10, Windows 8.1, Windows 8,and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.| 
+| Windows Vista| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| 
+| Windows XP| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| 
+ 
+>**Note:**  For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
+ 
+## Test and validate SRPs and AppLocker policies that are deployed in the same environment
+
+Because SRPs and AppLocker policies function differently, they should not be implemented in the same GPO. This makes testing the result of the policy straightforward, which is critical to successfully controlling application usage in the organization. Configuring a testing and policy distribution system can help you understand the result of a policy. The effects of policies generated by SRP and AppLocker policies need to be tested separately and by using different tools.
+
+### Step 1: Test the effect of SRPs
+
+You can use the Group Policy Management Console (GPMC) or the Resultant Set of Policy (RSoP) snap-in to determine the effect of applying SRPs by using GPOs.
+
+### Step 2: Test the effect of AppLocker policies
+
+You can test AppLocker policies by using Windows PowerShell cmdlets. For info about investigating the result of a policy, see:
+
+-   [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md)
+-   [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
+
+Another method to use when determining the result of a policy is to set the enforcement mode to **Audit only**. When the policy is deployed, events will be written to the AppLocker logs as if the policy was enforced. For info about using the **Audit only** mode, see:
+
+- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
+- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
+
+## See also
+
+- [AppLocker deployment guide](applocker-policies-deployment-guide.md)

windows/security/threat-protection/applocker/what-is-applocker.md

@@ -0,0 +1,188 @@
+---
+title: What Is AppLocker (Windows 10)
+description: This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.
+ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# What Is AppLocker?
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.
+
+AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.
+
+Using AppLocker, you can:
+
+-   Control the following types of apps: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.mst, .msi and .msp), and DLL files (.dll and .ocx), and packaged apps and packaged app installers (appx).
+-   Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
+-   Assign a rule to a security group or an individual user.
+-   Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).
+-   Use audit-only mode to deploy the policy and understand its impact before enforcing it.
+-   Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten.
+-   Streamline creating and managing AppLocker rules by using Windows PowerShell cmdlets.
+
+AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved apps
+
+For information about the application control scenarios that AppLocker addresses, see [AppLocker policy use scenarios](applocker-policy-use-scenarios.md).
+
+## What features are different between Software Restriction Policies and AppLocker?
+
+**Feature differences**
+
+The following table compares AppLocker to Software Restriction Policies.
+
+<table>
+<colgroup>
+<col width="33%" />
+<col width="33%" />
+<col width="33%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Feature</th>
+<th align="left">Software Restriction Policies</th>
+<th align="left">AppLocker</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Rule scope</p></td>
+<td align="left"><p>All users</p></td>
+<td align="left"><p>Specific user or group</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Rule conditions provided</p></td>
+<td align="left"><p>File hash, path, certificate, registry path, and Internet zone</p></td>
+<td align="left"><p>File hash, path, and publisher</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Rule types provided</p></td>
+<td align="left"><p>Defined by the security levels:</p>
+<ul>
+<li><p>Disallowed</p></li>
+<li><p>Basic User</p></li>
+<li><p>Unrestricted</p></li>
+</ul></td>
+<td align="left"><p>Allow and deny</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Default rule action</p></td>
+<td align="left"><p>Unrestricted</p></td>
+<td align="left"><p>Implicit deny</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Audit-only mode</p></td>
+<td align="left"><p>No</p></td>
+<td align="left"><p>Yes</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Wizard to create multiple rules at one time</p></td>
+<td align="left"><p>No</p></td>
+<td align="left"><p>Yes</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Policy import or export</p></td>
+<td align="left"><p>No</p></td>
+<td align="left"><p>Yes</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Rule collection</p></td>
+<td align="left"><p>No</p></td>
+<td align="left"><p>Yes</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Windows PowerShell support</p></td>
+<td align="left"><p>No</p></td>
+<td align="left"><p>Yes</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Custom error messages</p></td>
+<td align="left"><p>No</p></td>
+<td align="left"><p>Yes</p></td>
+</tr>
+</tbody>
+</table>
+ 
+**Application control function differences**
+
+The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker.
+<table>
+<colgroup>
+<col width="33%" />
+<col width="33%" />
+<col width="33%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Application control function</th>
+<th align="left">SRP</th>
+<th align="left">AppLocker</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Operating system scope</p></td>
+<td align="left"><p>SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.</p></td>
+<td align="left"><p>AppLocker policies apply only to those supported operating system versions and editions listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). But these systems can also use SRP.</p>
+<div class="alert">
+<strong>Note</strong>  
+<p>Use different GPOs for SRP and AppLocker rules.</p>
+</div>
+<div>
+ 
+</div></td>
+</tr>
+<tr class="even">
+<td align="left"><p>User support</p></td>
+<td align="left"><p>SRP allows users to install applications as an administrator.</p></td>
+<td align="left"><p>AppLocker policies are maintained through Group Policy, and only the administrator of the device can update an AppLocker policy.</p>
+<p>AppLocker permits customization of error messages to direct users to a Web page for help.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Policy maintenance</p></td>
+<td align="left"><p>SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).</p></td>
+<td align="left"><p>AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.</p>
+<p>AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Policy management infrastructure</p></td>
+<td align="left"><p>To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.</p></td>
+<td align="left"><p>To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Block malicious scripts</p></td>
+<td align="left"><p>Rules for blocking malicious scripts prevents all scripts associated with the Windows Script Host from running, except those that are digitally signed by your organization.</p></td>
+<td align="left"><p>AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Manage software installation</p></td>
+<td align="left"><p>SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.</p></td>
+<td align="left"><p>The Windows Installer rule collection is a set of rules created for Windows Installer file types (.mst, .msi and .msp) to allow you to control the installation of files on client computers and servers.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Manage all software on the computer</p></td>
+<td align="left"><p>All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders.</p></td>
+<td align="left"><p>Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Different policies for different users</p></td>
+<td align="left"><p>Rules are applied uniformly to all users on a particular device.</p></td>
+<td align="left"><p>On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. Using AppLocker, an administrator can specify the user to whom a specific rule should apply.</p></td>
+</tr>
+</tbody>
+</table>
+ 
+## Related topics
+
+- [AppLocker technical reference](applocker-technical-reference.md)
+ 
+ 

windows/security/threat-protection/applocker/windows-installer-rules-in-applocker.md

@@ -0,0 +1,39 @@
+---
+title: Windows Installer rules in AppLocker (Windows 10)
+description: This topic describes the file formats and available default rules for the Windows Installer rule collection.
+ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Windows Installer rules in AppLocker
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic describes the file formats and available default rules for the Windows Installer rule collection.
+
+AppLocker defines Windows Installer rules to include only the following file formats:
+
+-   .msi
+-   .msp
+-   .mst
+
+The purpose of this collection is to allow you to control the installation of files on client computers and servers through Group Policy or the Local Security Policy snap-in. The following table lists the default rules that are available for the Windows Installer rule collection.
+
+| Purpose | Name | User | Rule condition type |
+| - | - | - | - |
+| Allow members of the local Administrators group to run all Windows Installer files| (Default Rule) All Windows Installer files| BUILTIN\Administrators| Path: *| 
+| Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files| Everyone| Publisher: * (all signed files)| 
+| Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer| Everyone| Path: %windir%\Installer\*| 
+ 
+## Related topics
+
+- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+ 
+ 

windows/security/threat-protection/applocker/working-with-applocker-policies.md

@@ -0,0 +1,38 @@
+---
+title: Working with AppLocker policies (Windows 10)
+description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.
+ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Working with AppLocker policies
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.| 
+| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to  **Audit only ** within your IT environment by using AppLocker.| 
+| [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.| 
+| [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.| 
+| [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.| 
+| [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) | This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.| 
+| [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) | This topic for IT professionals describes how to import an AppLocker policy.| 
+| [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) | This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).| 
+| [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md) | This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).| 
+| [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) | This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.| 
+| [Merge AppLocker policies manually](merge-applocker-policies-manually.md) | This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).| 
+| [Refresh an AppLocker policy](refresh-an-applocker-policy.md) | This topic for IT professionals describes the steps to force an update for an AppLocker policy.| 
+| [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) | This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.| 
+

windows/security/threat-protection/applocker/working-with-applocker-rules.md

@@ -0,0 +1,215 @@
+---
+title: Working with AppLocker rules (Windows 10)
+description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
+ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 09/21/2017
+---
+
+# Working with AppLocker rules
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.| 
+| [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a path condition.| 
+| [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.| 
+| [Create AppLocker default rules](create-applocker-default-rules.md) | This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.| 
+| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.| 
+| [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.| 
+| [Delete an AppLocker rule](delete-an-applocker-rule.md) | This topic for IT professionals describes the steps to delete an AppLocker rule.| 
+| [Edit AppLocker rules](edit-applocker-rules.md) | This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.| 
+| [Enable the DLL rule collection](enable-the-dll-rule-collection.md) | This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.| 
+| [Enforce AppLocker rules](enforce-applocker-rules.md) | This topic for IT professionals describes how to enforce application control rules by using AppLocker.| 
+| [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) | This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.| 
+ 
+The three AppLocker enforcement modes are described in the following table. The enforcement mode setting defined here can be overwritten by the setting derived from a linked Group Policy Object (GPO) with a higher precedence.
+
+| Enforcement mode | Description |
+| - | - |
+| **Not configured** | This is the default setting which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.| 
+| **Enforce rules** | Rules are enforced.| 
+| **Audit only** | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to **Audit only**, rules for that rule collection are not enforced| 
+
+When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged and the enforcement mode setting of the winning GPO is applied.
+## Rule collections
+
+The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection.
+
+| Rule collection | Associated file formats |
+| - | - |
+| Executable files | .exe<br/>.com| 
+| Scripts| .ps1<br/>.bat<br/>.cmd<br/>.vbs<br/>.js| 
+| Windows Installer files | .msi<br/>.msp<br/>.mst| 
+| Packaged apps and packaged app installers | .appx| 
+| DLL files | .dll<br/>.ocx| 
+ 
+>**Important:**  If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps.
+
+When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used.
+
+The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections).
+ 
+## Rule conditions
+
+Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash.
+
+-   [Publisher](#bkmk-publisher): Identifies an app based on its digital signature
+-   [Path](#bkmk-path): Identifies an app by its location in the file system of the computer or on the network
+-   [File hash](#bkmk-filehash): Represents the system computed cryptographic hash of the identified file
+
+### <a href="" id="bkmk-publisher"></a>Publisher
+
+This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. In case of executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. In case of packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package.
+
+>**Note:**  Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers.
+ 
+>**Note:**  Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files.
+ 
+When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving the slider up or by using a wildcard character (\*) in the product, file name, or version number fields.
+
+>**Note:**  To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider.
+ 
+The **File version** and **Package version** control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options:
+
+-   **Exactly.** The rule applies only to this version of the app
+-   **And above.** The rule applies to this version and all later versions.
+-   **And below.** The rule applies to this version and all earlier versions.
+
+The following table describes how a publisher condition is applied.
+
+
+| Option | The publisher condition allows or denies… |
+|---|---|
+| **All signed files** | All files that are signed by any publisher.| 
+| **Publisher only**| All files that are signed by the named publisher.| 
+| **Publisher and product name**| All files for the specified product that are signed by the named publisher.| 
+| **Publisher and product name, and file name**| Any version of the named file or package for the named product that are signed by the publisher.| 
+| **Publisher, product name, file name, and file version**| **Exactly**<br/>The specified version of the named file or package for the named product that are signed by the publisher.| 
+| **Publisher, product name, file name, and file version**| **And above**<br/>The specified version of the named file or package and any new releases for the product that are signed by the publisher.| 
+| **Publisher, product name, file name, and file version**| **And below**<br/>The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.| 
+| **Custom**| You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule.| 
+
+### <a href="" id="bkmk-path"></a>Path
+
+This rule condition identifies an application by its location in the file system of the computer or on the network.
+
+AppLocker uses custom path variables for well-known paths, such as Program Files and Windows.
+
+The following table details these path variables.
+
+| Windows directory or disk | AppLocker path variable | Windows environment variable |
+| - | - | - |
+| Windows| %WINDIR%| %SystemRoot%| 
+| System32| %SYSTEM32%| %SystemDirectory%| 
+| Windows installation directory| %OSDRIVE%| %SystemDrive%| 
+| Program Files| %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)% | 
+| Removable media (for example, a CD or DVD)| %REMOVABLE%| |
+| Removable storage device (for example, a USB flash drive)| %HOT% | |
+ 
+>**Important:**  Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile.
+ 
+### <a href="" id="bkmk-filehash"></a>File hash
+
+When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules.
+
+## AppLocker default rules
+
+AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md).
+
+Executable default rule types include:
+
+-   Allow members of the local **Administrators** group to run all apps.
+-   Allow members of the **Everyone** group to run apps that are located in the Windows folder.
+-   Allow members of the **Everyone** group to run apps that are located in the Program Files folder.
+
+Script default rule types include:
+
+-   Allow members of the local **Administrators** group to run all scripts.
+-   Allow members of the **Everyone** group to run scripts that are located in the Program Files folder.
+-   Allow members of the **Everyone** group to run scripts that are located in the Windows folder.
+
+Windows Installer default rule types include:
+
+-   Allow members of the local **Administrators** group to run all Windows Installer files.
+-   Allow members of the **Everyone** group to run all digitally signed Windows Installer files.
+-   Allow members of the **Everyone** group to run all Windows Installer files that are located in the Windows\\Installer folder.
+
+DLL default rule types:
+
+-   Allow members of the local **Administrators** group to run all DLLs.
+-   Allow members of the **Everyone** group to run DLLs that are located in the Program Files folder.
+-   Allow members of the **Everyone** group to run DLLs that are located in the Windows folder.
+
+Packaged apps default rule types:
+
+-   Allow members of the **Everyone** group to install and run all signed packaged apps and packaged app installers.
+
+## AppLocker rule behavior
+
+If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run.
+
+A rule can be configured to use allow or deny actions:
+
+-   **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+-   **Deny.** You can specify which files are *not* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+
+>**Important:**  For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented.
+ 
+>**Important:**  If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection.
+ 
+## Rule exceptions
+
+You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it does not allow anyone to run Registry Editor.
+
+The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor.
+
+## <a href="" id="bkmk-dllrulecollections"></a>DLL rule collection
+
+Because the DLL rule collection is not enabled by default, you must perform the following procedure before you can create and enforce DLL rules.
+
+Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
+
+**To enable the DLL rule collection**
+
+1.  Click **Start**, type **secpol.msc**, and then press ENTER.
+2.  If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+3.  In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then click **Properties**.
+4.  Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**.
+
+    >**Important:**  Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.
+     
+## AppLocker wizards
+
+You can create rules by using two AppLocker wizards:
+
+1.  The Create Rules Wizard enables you to create one rule at a time.
+2.  The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or in case of packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only.
+
+## Additional considerations
+
+-   By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications.
+-   There are two types of AppLocker conditions that do not persist following an update of an app:
+
+    -   **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released.
+
+    -   **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule cannot persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific.
+
+-   If an app is not digitally signed, you cannot use a publisher rule condition for that app.
+-   AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.
+-   The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8.
+-   When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection does not contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection.
+-   When an AppLocker rule collection is set to **Audit only**, the rules are not enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log.
+-   A custom configured URL can be included in the message that is displayed when an app is blocked.
+-   Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they cannot run apps that are not allowed.

windows/security/threat-protection/change-history-for-device-security.md

@@ -0,0 +1,52 @@
+---
+title: Change history for device security (Windows 10)
+description: This topic lists new and updated topics in the Windows 10 device security documentation for Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 11/27/2017
+---
+
+# Change history for device security
+This topic lists new and updated topics in the [Device security](index.md) documentation.
+
+## November 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [How to enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)| New. Explains how to enable HVCI.  |
+
+## October 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [TPM fundamentals](tpm/tpm-fundamentals.md)<br>[BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Explained the change to allow reducing the maximum PIN length from 6 characters to 4. |
+| [Windows security baselines](windows-security-baselines.md) | New. Security baselines added for Windows 10, versions 1703 and 1709. |
+| [Security Compliance Toolkit](security-compliance-toolkit-10.md) | New. Includes a link to tools for managing security baselines. |
+| [Get support for security baselines](get-support-for-security-baselines.md) | New. Explains supported versions for security baselines and other support questions.  |
+
+
+
+## August 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
+| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description |
+
+
+## July 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
+
+
+## May 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Changed startup PIN minimun length from 4 to 6. |
+| [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) | New security policy setting. |
+
+## March 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[Requirements and deployment planning guidelines for Device Guard](device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md) | Updated to include additional security qualifications starting with Windows 10, version 1703.|

windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md

@@ -0,0 +1,72 @@
+---
+title: Enable virtualization-based protection of code integrity 
+description: This article explains the steps to opt in to using HVCI on Windows devices. 
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.author: justinha
+author: brianlic-msft
+ms.date: 11/28/2017
+---
+
+# Enable virtualization-based protection of code integrity 
+
+**Applies to**  
+
+- Windows 10
+- Windows Server 2016 
+
+Virtualization-based protection of code integrity (herein referred to as Hypervisor-protected Code Integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. 
+Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.  
+
+Some applications, including device drivers, may be incompatible with HVCI. 
+This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. 
+If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. 
+
+## How to turn on virtualization-based protection of code integrity on the Windows 10 Fall Creators Update (version 1709) 
+
+These steps apply to Windows 10 S, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. 
+
+The following instructions are intended for Windows 10 client systems running the Fall Creators Update (version 1709) that have hypervisor support and that are not already using a [Windows Defender Application Control (WDAC)](https://blogs.technet.microsoft.com/mmpc/2017/10/23/introducing-windows-defender-application-control/) policy. 
+If your device already has a WDAC policy (SIPolicy.p7b), please contact your IT administrator to request HVCI. 
+
+> [!NOTE]
+> You must be an administrator to perform this procedure. 
+
+1. Download the [Enable HVCI cabinet file](http://download.microsoft.com/download/7/A/F/7AFBCDD1-578B-49B0-9B27-988EAEA89A8B/EnableHVCI.cab).
+
+2. Open the cabinet file.
+
+3. Right-click the SIPolicy.p7b file and extract it. Then move it to the following location: 
+
+   C:\Windows\System32\CodeIntegrity
+
+   > [!NOTE]
+   > Do not perform this step if a SIPolicy.p7b file is already in this location.
+
+4. Turn on the hypervisor:
+
+   a. Click Start, type **Turn Windows Features on or off** and press ENTER. 
+
+   b. Select **Hyper-V** > **Hyper-V Platform** > **Hyper-V Hypervisor** and click **OK**.  
+
+      ![Turn Windows features on or off](images\turn-windows-features-on-or-off.png)
+
+   c. After the installation completes, restart your computer. 
+
+5. To confirm HVCI was successfully enabled, open **System Information** and check **Virtualization-based security Services Running**, which should now display **Hypervisor enforced Code Integrity**.      
+
+
+## Troubleshooting
+
+A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
+
+B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
+
+C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
+
+## How to turn off HVCI on the Windows 10 Fall Creators Update
+
+1.	Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
+2.	Restart the device.
+3.	To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.

windows/security/threat-protection/get-support-for-security-baselines.md

@@ -0,0 +1,97 @@
+---
+title: Get support
+description: This article, and the articles it links to, answers frequently asked question on how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.author: sagaudre
+author: brianlic-msft
+ms.date: 10/23/2017
+---
+
+# Get Support
+
+**What is the Microsoft Security Compliance Manager (SCM)?**
+
+The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
+
+More information about this change can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/).
+
+**Where can I get an older version of a Windows baseline?**
+
+Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
+
+-   [SCM 4.0 Download](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+-   [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
+-   [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
+-   [SCM Baseline Download Help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
+
+**What file formats are supported by the new SCT?**
+
+The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported.
+
+**Does SCT support Desired State Configuration (DSC) file format?**
+
+Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.
+
+**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?**
+
+No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
+
+**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?**
+
+No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support.
+
+<br />
+
+## Version Matrix
+
+**Client Versions**
+
+| Name | Build | Baseline Release Date | Security Tools |
+|---|---|---|---|
+|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) <p> [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) <p>[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) <p>[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) <p>[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Vista |[6002 (SP2)](https://technet.microsoft.com/library/dd450978.aspx)| January 2007| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Windows XP |[2600 (SP3)](https://technet.microsoft.com/library/cc163061.aspx)| October 2001| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+
+<br />
+
+**Server Versions**
+
+| Name | Build | Baseline Release Date | Security Tools |
+|---|---|---|---|
+|Windows Server 2016 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+|Windows Server 2012 R2|[SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
+|Windows Server 2012|[Technet](https://technet.microsoft.com/library/jj898542.aspx) |2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.aspx)|2009 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Windows Server 2008 |[SP2](https://technet.microsoft.com/library/cc514539.aspx)| 2008 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+|Windows Server 2003 R2|[Technet](https://technet.microsoft.com/library/cc163140.aspx)| 2003 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Windows Server 2003|[Technet](https://technet.microsoft.com/library/cc163140.aspx)|2003|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+
+<br />
+
+**Microsoft Products**
+
+| Name | Details | Security Tools |
+|---|---|---|
+Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Internet Explorer 10|[Technet](https://technet.microsoft.com/library/jj898540.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+|Internet Explorer 9|[Technet](https://technet.microsoft.com/library/hh539027.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Internet Explorer 8|[Technet](https://technet.microsoft.com/library/ee712766.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Exchange Server 2010|[Technet](https://technet.microsoft.com/library/hh913521.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Exchange Server 2007|[Technet](https://technet.microsoft.com/library/hh913520.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Microsoft Office 2010|[Technet](https://technet.microsoft.com/library/gg288965.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Microsoft Office 2007 SP2|[Technet](https://technet.microsoft.com/library/cc500475.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+
+<br />
+
+> [!NOTE]
+> Browser baselines are built-in to new OS versions starting with Windows 10
+
+## See also
+
+[Windows Security Baselines](windows-security-baselines.md)

windows/security/threat-protection/index.md

@@ -0,0 +1,29 @@
+---
+title: Threat Protection (Windows 10)
+description: Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 08/11/2017
+---
+
+# Threat Protection
+
+Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
+
+| Section | Description |
+|-|-|
+|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.|
+|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
+|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
+|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
+|[Windows Defender Smart​Screen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
+|[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
+|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
+|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.|
+|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) |Learn about how hardware-based containers can isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.|
+|[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) |Learn about the Windows 10 security features that help to protect your PC from malware, including rootkits and other applications.|
+|[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) |Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
+|[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |Provides info about how to help protect your company from attacks which may originate from untrusted or attacker controlled font files. |

windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md

@@ -0,0 +1,824 @@
+---
+title: Control the health of Windows 10-based devices (Windows 10)
+description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.
+ms.assetid: 45DB1C41-C35D-43C9-A274-3AD5F31FE873
+keywords: security, BYOD, malware, device health attestation, mobile
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security, devices
+author: arnaudjumelet
+
+ms.date: 10/13/2017
+---
+
+# Control the health of Windows 10-based devices
+
+**Applies to**
+
+-   Windows 10
+
+This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.
+
+## Introduction
+
+In Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-related resources and their personal data. Users want to use the device of their choice to access the organization’s applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is also known as the consumerization of IT.
+
+Users want to have the best productivity experience when accessing corporate applications and working on organization data from their devices. That means they will not tolerate being prompted to enter their work credentials each time they access an application or a file server. From a security perspective, it also means that users will manipulate corporate credentials and corporate data on unmanaged devices.
+
+With the increased use of BYOD, there will be more unmanaged and potentially unhealthy systems accessing corporate services, internal resources, and cloud apps.
+
+Even managed devices can be compromised and become harmful. Organizations need to detect when security has been breached and react as early as possible in order to protect high-value assets.
+
+As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and also on detection and response capabilities.
+
+Windows 10 is an important component of an end-to-end security solution that focuses not only on the implementation of security preventive defenses, but adds device health attestation capabilities to the overall security strategy.
+
+## Description of a robust end-to-end security solution
+
+Today’s computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there is no doubt that malware now targets both consumers and professionals in all industries.
+
+During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs). The term APT is commonly used to describe any attack that seems to target individual organizations on an on-going basis. In fact, this type of attack typically involves determined adversaries who may use any methods or techniques necessary.
+
+With the BYOD phenomena, a poorly maintained device represents a target of choice. For an attacker, it’s an easy way to breach the security network perimeter, gain access to, and then steal high-value assets.
+
+The attackers target individuals, not specifically because of who they are, but because of who they work for. An infected device will bring malware into an organization, even if the organization has hardened the perimeter of networks or has invested in its defensive posture. A defensive strategy is not sufficient against these threats.
+
+### A different approach
+
+Rather than the traditional focus on the prevention of compromise, an effective security strategy assumes that determined adversaries will successfully breach any defenses. It means that it’s necessary to shift focus away from preventative security controls to detection of, and response to, security issues. The implementation of the risk management strategy, therefore, balances investment in prevention, detection, and response.
+
+Because mobile devices are increasingly being used to access corporate information, some way to evaluate device security or health is required. This section describes how to provision device health assessment in such a way that high-value assets can be protected from unhealthy devices.
+
+Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset.
+
+![figure 1](images/hva-fig1-endtoend1.png)
+
+A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure.
+
+The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it.
+
+![figure 2](images/hva-fig2-assessfromcloud2.png)
+
+Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot.
+
+Secure Boot is a firmware validation process that helps prevent rootkit attacks; it is part of the UEFI specification. The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware, which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven BIOS systems.
+
+A device health attestation module can communicate measured boot data that is protected by a Trusted Platform Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication channel.
+
+Remote health attestation service performs a series of checks on the measurements. It validates security related data points, including boot state (Secure Boot, Debug Mode, and so on), and the state of components that manage security (BitLocker, Device Guard, and so on). It then conveys the health state of the device by sending a health encrypted blob back to the device.
+
+An MDM solution typically applies configuration policies and deploys software to devices. MDM defines the security baseline and knows the level of compliance of the device with regular checks to see what software is installed and what configuration is enforced, as well as determining the health status of the device.
+
+An MDM solution asks the device to send device health information and forward the health encrypted blob to the remote health attestation service. The remote health attestation service verifies device health data, checks that MDM is communicating to the same device, and then issues a device health report back to the MDM solution.
+
+An MDM solution evaluates the health assertions and, depending on the health rules belonging to the organization, can decide if the device is healthy. If the device is healthy and compliant, MDM passes that information to the identity provider so the organization’s access control policy can be invoked to grant access.
+
+Access to content is then authorized to the appropriate level of trust for whatever the health status and other conditional elements indicate.
+
+Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional security authentication may need to be established by querying the user to answer a phone call before access is granted.
+
+### <a href="" id="microsoft-s-security-investments-in-windows-10"></a>Microsoft’s security investments in Windows 10
+
+In Windows 10, there are three pillars of investments:
+
+-   **Secure identities.** Microsoft is part of the FIDO Alliance which aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system as well as for services like on-premises resources and cloud resources.
+-   **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data.
+-   **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware.
+
+### Protect, control, and report on the security status of Windows 10-based devices
+
+This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware.
+
+![figure 3](images/hva-fig3-endtoendoverview3.png)
+
+| Number | Part of the solution | Description |
+| - | - | - |
+| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
+| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
+| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.<br/>MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.|
+| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.<br/>Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).|
+| **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.<br/>For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.|
+ 
+The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end-solution that provides validation of health and compliance of devices that access high-value assets.
+
+## Protect devices and enterprise credentials against threats
+
+This section describes what Windows 10 offers in terms of security defenses and what control can be measured and reported to.
+
+### Windows 10 hardware-based security defenses
+
+The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start.
+Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section.
+
+![figure 4](images/hva-fig4-hardware.png)
+
+Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process:
+
+-   **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
+
+    Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
+
+    A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other:
+
+    -   The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
+    -   The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
+
+    Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
+
+    Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. 
+
+    TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
+
+    -   Update crypto strength to meet modern security needs
+
+        -   Support for SHA-256 for PCRs
+        -   Support for HMAC command
+
+    -   Cryptographic algorithms flexibility to support government needs
+
+        -   TPM 1.2 is severely restricted in terms of what algorithms it can support
+        -   TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
+
+    -   Consistency across implementations
+
+        -   The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
+        -   TPM 2.0 standardizes much of this behavior
+
+-   **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot does not require a TPM.
+
+    The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program.
+
+    Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE).
+    Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity did not compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded.
+
+    >**Note:**  Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over.
+     
+-   **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration.
+
+    Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) cannot be enabled. This ensures that the binaries and configuration of the computer can be trusted after the boot process has completed.
+    Secure Boot configuration policy does this with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot.
+
+    The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr.
+
+    The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted.
+
+-   **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
+
+    Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run very early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded.
+
+    ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it.
+
+    >**Note:**  Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before shutdown or reboot.
+     
+    The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code.
+
+    The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1).
+-   **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a completely new enforced security boundary that allows you to protect critical parts of Windows 10.
+
+    Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, refer to the [Virtualization-based security](#virtual) section.
+
+-   **Hypervisor-protected Code Integrity (HVCI).** Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run.
+
+    When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup.
+
+    HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified.
+
+    >**Note:**  Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=691612) blog post.
+     
+    The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the Windows kernel and what applications are approved to run in user mode. It’s configurable by using a policy.
+    Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy.
+
+-   **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation.
+
+    In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack.
+
+    This is accomplished by leveraging Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. That means that even if the Windows kernel is compromised an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory.
+
+-   **Health attestation.** The device’s firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device’s health.
+
+    Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they are taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset.
+
+    For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](https://go.microsoft.com/fwlink/p/?LinkId=733950).
+
+    During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For additional security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device.
+
+    Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not work. But with conditional access control, health attestation will help to prevent access to high-value assets.
+
+### <a href="" id="virtual"></a>Virtualization-based security
+
+Virtualization-based security provides a new trust boundary for Windows 10. leverages Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data.
+
+Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator privileges. Note that virtualization-based security is not trying to protect against a physical attacker.
+
+The following Windows 10 services are protected with virtualization-based security:
+
+-   **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory
+-   **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
+-   **Other isolated services**: for example, on Windows Server 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.
+
+>**Note:**  Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.
+ 
+
+The schema below is a high-level view of Windows 10 with virtualization-based security.
+
+![figure 5](images/hva-fig5-virtualbasedsecurity.png)
+
+### Credential Guard
+
+In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This helps ensure that protected data is not stolen and reused on 
+remote machines, which mitigates many PtH-style attacks.
+
+Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key:
+
+-   **The per-boot key** is used for any in-memory credentials that do not require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key.
+-   **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key.
+Credential Guard is activated by a registry key and then enabled by using an UEFI variable. This is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that 
+credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins.
+
+### Device Guard
+
+Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those that are trusted by the organization.
+
+The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based security, a Hyper-V protected container that runs alongside regular Windows.
+
+Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed.
+
+>**Note:**  Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](https://go.microsoft.com/fwlink/p/?LinkId=691613). Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate.
+ 
+With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines what is trusted to run. These include drivers and system files, as well as traditional desktop applications and scripts. The system is then locked down to only run applications that the organization trusts.
+
+Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny:
+
+-   **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else.
+-   **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application.
+
+At the time of this writing, and according to Microsoft’s latest research, more than 90 percent of malware is unsigned completely. So implementing a basic Device Guard policy can simply and effectively help block the vast majority of malware. In fact, Device Guard has the potential to go further, and can also help block signed malware.
+
+Device Guard needs to be planned and configured to be truly effective. It is not just a protection that is enabled or disabled. Device Guard is a combination of hardware security features and software security features that, when configured together, can lock down a computer to help ensure the most secure and resistant system possible.
+
+There are three different parts that make up the Device Guard solution in Windows 10:
+
+-   The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start.
+-   After the hardware security feature, there is the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security.
+-   The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs).
+
+For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
+
+### Device Guard scenarios
+
+As previously described, Device Guard is a powerful way to lock down systems. Device Guard is not intended to be used broadly and it may not always be applicable, but there are some high-interest scenarios.
+
+Device Guard is useful and applicable on fixed workloads systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well managed desktops. Device Guard is highly relevant on systems that have very well-defined software that are expected to run and don’t change too frequently. 
+It could also help protect Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications is not going to change on a daily basis.
+
+SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs can’t be considered a “silver bullet” security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth approach to security.
+
+To protect high-value assets, SAWs are used to make secure connections to those assets.
+
+Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like System Center Configuration Manager, Intune, or any third-party device management, then Device Guard is very applicable. In that type of scenario, the organization has a good idea of the software that an average user is running.
+
+It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run.
+
+Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device.
+
+>**Note:**  Device Guard policy can be signed in Windows 10, which adds additional protection against administrative users changing or removing this policy.
+ 
+Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat Device Guard.
+
+When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or from a signer specified as part of the 
+Device Guard policy into the UpdateSigner section.
+
+### The importance of signing applications
+
+On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows 10.
+
+With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal 
+Windows apps and Classic Windows apps. All apps downloaded from the Microsoft Store are signed.
+
+In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best practice, a lot of internal applications are not signed.
+
+Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create additional signatures that can be distributed along with existing applications.
+
+### Why are antimalware and device management solutions still necessary?
+
+Although allow-list mechanisms are extremely efficient at ensuring that only trusted applications can be run, they cannot prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn’t protect against user mode malicious code run by exploiting vulnerabilities.
+
+Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by causing it to run malicious code without the user’s knowledge.
+
+It’s common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the operating system and kernel mode drivers that host them.
+
+To combat these threats, patching is the single most effective control, with antimalware software forming complementary layers of defense.
+
+Most application software has no facility for updating itself, so even if the software vendor publishes an update that fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities.
+
+MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends the management capabilities that have become available for MDMs. One key feature Microsoft has added to Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered devices.
+
+### Device health attestation
+
+Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device.
+
+For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy.
+
+For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section.
+
+### <a href="" id="hardware-req"></a>Hardware requirements
+
+The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](https://go.microsoft.com/fwlink/p/?LinkId=733951).
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Hardware</th>
+<th align="left">Motivation</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>UEFI 2.3.1 or later firmware with Secure Boot enabled</p></td>
+<td align="left"><p>Required to support UEFI Secure Boot.</p>
+<p>UEFI Secure Boot ensures that the device boots only authorized code.</p>
+<p>Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled</p></td>
+<td align="left"><p>Required to support virtualization-based security.</p>
+<div class="alert">
+<strong>Note</strong>  
+<p>Device Guard can be enabled without using virtualization-based security.</p>
+</div>
+<div>
+ 
+</div></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>X64 processor</p></td>
+<td align="left"><p>Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).</p>
+<p>Direct Memory Access (DMA) protection can be enabled to provide additional memory protection but requires processors to include DMA protection technologies.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>IOMMU, such as Intel VT-d, AMD-Vi</p></td>
+<td align="left"><p>Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Trusted Platform Module (TPM) </p></td>
+<td align="left"><p>Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported; TPM 1.2 is also supported beginnning with Windows 10, version 1703.</p></td>
+</tr>
+</tbody>
+</table>
+ 
+This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them.
+
+## <a href="" id="detect-unhealthy"></a>Detect an unhealthy Windows 10-based device
+
+As of today, many organizations only consider devices to be compliant with company policy after they’ve passed a variety of checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today’s systems, this form of reporting is not entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools.
+
+The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running.
+
+As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware.
+
+By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data.
+
+### What is the concept of device health?
+
+To understand the concept of device health, it’s important to know traditional measures that IT pros have taken to prevent the breach of malware. Malware control technologies are highly focused on the prevention of installation and distribution.
+
+However, the use of traditional malware prevention technologies like antimalware or patching solutions brings a new set of issues for IT pros: the ability to monitor and control the compliance of devices accessing organization’s resources.
+
+The definition of device compliance will vary based on an organization’s installed antimalware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy.
+
+The health of the device is not binary and depends on the organization’s security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by leveraging trustworthy hardware TPM.
+
+But health attestation only provides information, which is why an MDM solution is needed to take and enforce a decision.
+
+### Remote device health attestation
+
+In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft.
+
+This is the most secure approach available for Windows 10-based devices to detect when security defenses are down. During the boot process, the TCG log and PCRs values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device.
+
+A relying party like an MDM can inspect the report generated by the remote health attestation service.
+
+>**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM. There is no restriction on any particular edition of Windows 10.
+ 
+Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent.
+
+Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the current security status and detecting any changes, without having to trust the software running on the system.
+
+In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code running early in the startup sequence. That's why it's important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence.
+
+The antimalware software can search to determine whether the boot sequence contains any signs of malware, such as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation between the measurement component and the verification component.
+
+Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process.
+
+![figure 6](images/hva-fig6-logs.png)
+
+When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
+
+![figure 7](images/hva-fig7-measurement.png)
+
+The health attestation process works as follows:
+
+1.  Hardware boot components are measured.
+2.  Operating system boot components are measured.
+3.  If Device Guard is enabled, current Device Guard policy is measured.
+4.  Windows kernel is measured.
+5.  Antivirus software is started as the first kernel mode driver.
+6.  Boot start drivers are measured.
+7.  MDM server through the MDM agent issues a health check command by leveraging the Health Attestation CSP.
+8.  Boot measurements are validated by the Health Attestation Service
+
+>**Note:**  By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder.
+The number of retained logs may be set with the registry **REG\_DWORD** value **PlatformLogRetention** under the **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM** key. A value of **0** will turn off log archival and a value of **0xffffffff** will keep all logs.
+ 
+The following process describes how health boot measurements are sent to the health attestation service:
+
+1.  The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
+2.  The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
+3.  The remote device heath attestation service then:
+
+    1.  Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked.
+    2.  Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
+    3.  Parses the properties in the TCG log.
+    4.  Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service.
+
+4.  The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
+
+![figure 8](images/hva-fig8a-healthattest8a.png)
+
+### Device health attestation components
+
+The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section.
+
+### <a href="" id="trusted-platform-module-"></a>Trusted Platform Module
+
+This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
+
+In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device.
+
+A TPM incorporates in a single component:
+
+-   A RSA 2048-bit key generator
+-   A random number generator
+-   Nonvolatile memory for storing EK, SRK, and AIK keys
+-   A cryptographic engine to encrypt, decrypt, and sign
+-   Volatile memory for storing the PCRs and RSA keys
+
+### Endorsement key
+
+The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits).
+
+The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs.
+
+The endorsement key acts as an identity card for the TPM. For more information, see [Understand the TPM endorsement key](https://go.microsoft.com/fwlink/p/?LinkId=733952).
+
+The endorsement key is often accompanied by one or two digital certificates:
+
+-   One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it’s a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
+-   The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
+For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
+
+>**Note:**  Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs:
+
+-   For Intel firmware TPM: **https://ekop.intel.com/ekcertservice**
+-   For Qualcomm firmware TPM: **https://ekcert.spserv.microsoft.com/**
+ 
+### Attestation Identity Keys
+
+Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
+
+>**Note:**  Before the device can report its health using the TPM attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
+ 
+The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
+
+Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft 
+Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device.
+
+Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
+
+In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate.
+
+### Storage root key
+
+The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
+
+### Platform Configuration Registers
+
+The TPM contains a set of registers that are designed to provide a cryptographic representation of the software and state of the system that booted. These registers are called Platform Configuration Registers (PCRs).
+
+The measurement of the boot sequence is based on the PCR and TCG log. To establish a static root of trust, when the device is starting, the device must be able to measure the firmware code before execution. In this case, the Core Root of Trust for Measurement (CRTM) is executed from the boot, calculates the hash of the firmware, then stores it by expanding the register PCR\[0\] and transfers execution to the firmware.
+
+PCRs are set to zero when the platform is booted, and it is the job of the firmware that boots the platform to measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components take the hash of the next component that is to be run and record the measurements in the PCRs. The initial component that starts the measurement chain is implicitly trusted. This is the CRTM. Platform manufacturers are required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative hash of the components that have been measured.
+
+The value of a PCR on its own is hard to interpret (it is just a hash value), but platforms typically keep a log with details of what has been measured, and the PCRs merely ensure that the log has not been tampered with. The logs are referred as a TCG log. Each time a register PCR is extended, an entry is added to the TCG log. Thus, throughout the boot process, a trace of the executable code and configuration data is created in the TCG log.
+
+### TPM provisioning
+
+For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs somewhat based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry.
+
+When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement**
+
+During the provisioning process, the device may need to be restarted.
+
+Note that the **Get-TpmEndorsementKeyInfo PowerShell** cmdlet can be used with administrative privilege to get information about the endorsement key and certificates of the TPM.
+
+If the TPM ownership is not known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: 
+**HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub**
+
+As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub**
+
+>**Note:**  For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: **https://\*.microsoftaik.azure.net**
+ 
+### Windows 10 Health Attestation CSP
+
+Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as “get”, “set”, “delete”, and so on.
+
+The following is a list of functions performed by the Windows 10 Health Attestation CSP:
+
+-   Collects data that is used to verify a device’s health status
+-   Forwards the data to the Health Attestation Service
+-   Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
+-   Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
+
+During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs values that are measured during the boot, by using a secure communication channel to the Health Attestation Service.
+
+When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of statements and claims about how that device booted, with the assurance that the device did not reboot between the time that it attested its health and the time that the MDM server validated it.
+
+### Windows Health Attestation Service
+
+The role of Windows Health Attestation Service is essentially to evaluate a set of health data (TCG log and PCR values), make a series of detections (based on available health data) and generate encrypted health blob or produce report to MDM servers.
+
+>**Note:**  Both device and MDM servers must have access to **has.spserv.microsoft.com** using the TCP protocol on port 443 (HTTPS).
+ 
+Checking that a TPM attestation and the associated log are valid takes several steps:
+
+1.  First, the server must check that the reports are signed by **trustworthy AIKs**. This might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
+2.  After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it is a **valid signature over PCR values**.
+3.  Next the logs should be checked to ensure that they match the PCR values reported.
+4.  Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.
+
+The Health Attestation Service provides the following information to an MDM solution about the health of the device:
+
+-   Secure Boot enablement
+-   Boot and kernel debug enablement
+-   BitLocker enablement
+-   VSM enabled
+-   Signed or unsigned Device Guard Code Integrity policy measurement
+-   ELAM loaded
+-   Safe Mode boot, DEP enablement, test signing enablement
+-   Device TPM has been provisioned with a trusted endorsement certificate
+
+For completeness of the measurements, see [Health Attestation CSP](https://go.microsoft.com/fwlink/p/?LinkId=733949).
+
+The following table presents some key items that can be reported back to MDM depending on the type of Windows 10-based device.
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">OS type</th>
+<th align="left">Key items that can be reported</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Windows 10 Mobile</p></td>
+<td align="left"><ul>
+<li><p>PCR0 measurement</p></li>
+<li><p>Secure Boot enabled</p></li>
+<li><p>Secure Boot db is default</p></li>
+<li><p>Secure Boot dbx is up to date</p></li>
+<li><p>Secure Boot policy GUID is default</p></li>
+<li><p>Device Encryption enabled</p></li>
+<li><p>Code Integrity revocation list timestamp/version is up to date</p></li>
+</ul></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Windows 10 for desktop editions</p></td>
+<td align="left"><ul>
+<li><p>PCR0 measurement</p></li>
+<li><p>Secure Boot Enabled</p></li>
+<li><p>Secure Boot db matches Expected</p></li>
+<li><p>Secure Boot dbx is up to date</p></li>
+<li><p>Secure Boot policy GUID matches Expected</p></li>
+<li><p>BitLocker enabled</p></li>
+<li><p>Virtualization-based security enabled</p></li>
+<li><p>ELAM was loaded</p></li>
+<li><p>Code Integrity version is up to date</p></li>
+<li><p>Code Integrity policy hash matches Expected</p></li>
+</ul></td>
+</tr>
+</tbody>
+</table>
+ 
+### Leverage MDM and the Health Attestation Service
+
+To make device health relevant, the MDM solution evaluates the device health report and is configured to the organization’s device health requirements.
+
+A solution that leverages MDM and the Health Attestation Service consists of three main parts:
+
+1.  A device with health attestation enabled. This will usually be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
+2.  After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
+3.  At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested.
+
+![figure 9](images/hva-fig8-evaldevicehealth8.png)
+
+Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows:
+
+1.  The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
+2.  The MDM server specifies a nonce along with the request.
+3.  The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
+4.  The MDM server:
+
+    1.  Verifies that the nonce is as expected.
+    2.  Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
+
+5.  The Health Attestation Service:
+
+    1.  Decrypts the health blob.
+    2.  Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob.
+    3.  Verifies that the nonce matches in the quote and the one that is passed from MDM.
+    4.  Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
+    5.  Sends data back to the MDM server including health parameters, freshness, and so on.
+
+>**Note:**  The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.
+ 
+Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution.
+
+Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. 
+That is the purpose of conditional access control, which is detailed in the next section.
+
+## Control the security of a Windows 10-based device before access is granted
+
+Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization’s IT staff and systems know very little about. Perhaps there is some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware?
+
+The remote device health attestation process uses measured boot data to verify the health status of the device. The health of the device is then available for an MDM solution like Intune.
+
+>**Note:**  For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](https://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733956).
+ 
+The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service.
+
+![figure 10](images/hva-fig9-intune.png)
+
+An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the 
+firewall is running, and the devices patch state is compliant.
+
+Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This feature is much needed for BYOD devices that need to access organizational resources.
+
+### Built-in support of MDM in Windows 10
+
+Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage Windows 10-based devices without requiring a separate agent.
+
+### Third-party MDM server support
+
+Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For additional information, see [Azure Active Directory integration with MDM](https://go.microsoft.com/fwlink/p/?LinkId=733954).
+
+>**Note:**  MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=733955).
+ 
+The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users.
+
+### <a href="" id="management-of-windows-defender-by-third-party-mdm-"></a>Management of Windows Defender by third-party MDM
+
+This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms.
+
+For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=733953).
+
+### Conditional access control
+
+On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365 compatible workload.
+
+If the device is not registered, the user will get a message with instructions on how to register (also known as enrolling). If the device is not compliant, the user will get a different message that redirects them to the MDM web portal where they can get more information on the compliance problem and how to resolve it.
+
+**Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way.
+
+![figure 11](images/hva-fig10-conditionalaccesscontrol.png)
+
+### <a href="" id="office-365-conditional-access-control-"></a>Office 365 conditional access control
+
+Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional 
+target groups.
+
+When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that do not have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services.
+
+When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune.
+
+>**Note**  Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://go.microsoft.com/fwlink/p/?LinkId=691615) blog post.
+ 
+When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access.
+
+The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the compliance policy is not met at the time of request for renewal.
+
+Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar.
+
+![figure 12](images/hva-fig11-office365.png)
+
+Clients that attempt to access Office 365 will be evaluated for the following properties:
+
+-   Is the device managed by an MDM?
+-   Is the device registered with Azure AD?
+-   Is the device compliant?
+
+To get to a compliant state, the Windows 10-based device needs to:
+
+-   Enroll with an MDM solution.
+-   Register with Azure AD.
+-   Be compliant with the device policies set by the MDM solution.
+
+>**Note:**  At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://go.microsoft.com/fwlink/p/?LinkId=691616) blog post.
+ 
+### <a href="" id="cloud-and-on-premises-apps-conditional-access-control-"></a>Cloud and on-premises apps conditional access control
+
+Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's logon to make real-time decisions about which applications they should be allowed to access.
+
+IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. Access rules in Azure AD leverage the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access.
+
+For more information about conditional access, see [Azure Conditional Access Preview for SaaS Apps.](https://go.microsoft.com/fwlink/p/?LinkId=524807)
+
+>**Note:**  Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](https://go.microsoft.com/fwlink/p/?LinkId=691617) site.
+ 
+For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
+
+-   For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](https://go.microsoft.com/fwlink/p/?LinkId=691618) blog post.
+-   Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
+
+![figure 13](images/hva-fig12-conditionalaccess12.png)
+
+The following process describes how Azure AD conditional access works:
+
+1.  User has already enrolled with MDM through Workplace Access/Azure AD join which registers device with Azure AD.
+2.  When the device boots or resumes from hibernate, a task “Tpm-HASCertRetr” is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
+3.  Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
+4.  User logs on and the MDM agent contacts the Intune/MDM server.
+5.  MDM server pushes down new policies if available and queries health blob state and other inventory state.
+6.  Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
+7.  Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
+8.  Health Attestation Service validates that the device which sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
+9.  Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
+10. Intune/MDM server updates compliance state against device object in Azure AD.
+11. User opens app, attempts to access a corporate managed asset.
+12. Access gated by compliance claim in Azure AD.
+13. If the device is compliant and the user is authorized, an access token is generated.
+14. User can access the corporate managed asset.
+
+For more information about Azure AD join, see the [Azure AD & Windows 10: Better Together for Work or School](https://go.microsoft.com/fwlink/p/?LinkId=691619) white paper.
+
+Conditional access control is a topic that many organizations and IT pros may not know as well as they should. The different attributes that describe a user, a device, compliance, and context of access are very powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment.
+
+## Takeaways and summary
+
+The following list contains high-level key take-aways to improve the security posture of any organization. However, the few take-aways presented in this section should not be interpreted as an exhaustive list of security best practices.
+
+-   **Understand that no solution is 100 percent secure**
+
+    If determined adversaries with malicious intent gain physical access to the device, they could eventually break through its security layers and control it.
+
+-   **Use health attestation with an MDM solution**
+
+    Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and noncompliant devices can be detected, reported, and eventually blocked.
+
+-   **Use Credential Guard**
+
+    Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash attacks.
+
+-   **Use Device Guard**
+
+    Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization).
+
+-   **Sign Device Guard policy**
+
+    Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard subsequently is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy.
+
+-   **Use virtualization-based security**
+
+    When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers.
+
+-   **Start to deploy Device Guard with Audit mode**
+
+    Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity event log that indicates a program or a driver would have been blocked if Device Guard was configured in Enforcement mode. Adjust Device Guard rules until a high level of confidence has been reached. After the testing phase has been completed, Device Guard policy can be switched to Enforcement mode.
+
+-   **Build an isolated reference machine when deploying Device Guard**
+
+    Because the corporate network can contain malware, you should start to configure a reference environment that is isolated from your main corporate network. After that, you can create a code integrity policy that includes the trusted applications you want to run on your protected devices.
+
+-   **Use AppLocker when it makes sense**
+
+    Although AppLocker is not considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows apps for a specific user or a group of users.
+
+-   **Lock down firmware and configuration**
+
+    After Windows 10 is installed, lock down firmware boot options access. This prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool.
+
+Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device’s identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution.
+
+## Related topics
+
+- [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
+- [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
+- [Trusted Platform Module technology overview](https://go.microsoft.com/fwlink/p/?LinkId=733957)

windows/security/threat-protection/security-compliance-toolkit-10.md

@@ -0,0 +1,62 @@
+---
+title: Microsoft Security Compliance Toolkit 1.0
+description: This article describes how to use the Security Compliance Toolkit in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.author: sagaudre
+author: brianlic-msft
+ms.date: 10/16/2017
+---
+
+# Microsoft Security Compliance Toolkit 1.0
+
+## What is the Security Compliance Toolkit (SCT)?
+
+The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
+
+The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
+<p></p>
+
+The Security Compliance Toolkit consists of:
+
+-   Windows 10 Security Baselines
+    -   Windows 10 Version 1709 (Fall Creators Update)
+    -    Windows 10 Version 1703 (Creators Update)
+    -   Windows 10 Version 1607 (Anniversary Update)
+    -   Windows 10 Version 1511 (November Update)
+    -   Windows 10 Version 1507
+
+-   Windows Server Security Baselines
+    -   Windows Server 2016
+    -   Windows Server 2012 R2
+
+-   Tools
+    -   Policy Analyzer tool
+    -   Local Group Policy Object (LGPO) tool
+
+
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions.
+
+## What is the Policy Analyzer tool?
+
+The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
+-   Highlight when a set of Group Policies has redundant settings or internal inconsistencies
+-   Highlight the differences between versions or sets of Group Policies
+-   Compare GPOs against current local policy and local registry settings
+-   Export results to a Microsoft Excel spreadsheet
+
+Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. 
+
+More information on the Policy Analyzer tool can be found on the [Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## What is the Local Group Policy Object (LGPO) tool?
+
+LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. 
+Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. 
+LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files. 
+It can export local policy to a GPO backup. 
+It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
+
+Documentation for the LGPO tool can be found on the [Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).

windows/security/threat-protection/windows-10-mobile-security-guide.md

@@ -0,0 +1,368 @@
+---
+title: Windows 10 Mobile security guide (Windows 10)
+description: This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.
+ms.assetid: D51EF508-699E-4A68-A7CD-91D821A97205
+keywords: data protection, encryption, malware resistance, smartphone, device, Microsoft Store
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security, mobile
+ms.localizationpriority: high
+author: AMeeus
+ms.date: 10/13/2017
+---
+# Windows 10 Mobile security guide
+
+*Applies to Windows 10 Mobile, version 1511 and Windows Mobile, version 1607*
+
+>This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.
+
+Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the user’s personal apps and data. 
+Windows 10 Mobile addresses these security concerns directly, whether workers are using personal or corporate-owned devices. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors. These technologies include:
+-	**Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods. 
+-	**Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps.
+-	**Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices. 
+
+This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware. 
+
+**In this article:**
+-	Windows Hello for Business
+-	Windows Information Protection
+-	Malware resistance
+
+## Windows Hello
+
+Windows 10 Mobile includes Windows Hello, a simple, yet powerful, multifactor authentication solution that confirms a user’s identity before allowing access to corporate confidential information and resources. Multifactor authentication is a more secure alternative to password-based device security. Users dislike having to enter long, complex passwords – particularly on a mobile device touch screen – that corporate policy requires they change frequently. This leads to poor security practices like password reuse, written down passwords, or weak password creation. 
+
+Windows Hello offers a simple, cost-effective way to deploy multifactor authentication across your organization. Unlike smart cards, it does not require public key infrastructure or the implementation of additional hardware. Workers use a PIN, a companion device (like Microsoft Band), or biometrics to validate their identity for accessing corporate resources on their Azure Active Directory (Azure AD) registered Windows 10 Mobile device. 
+
+Because Windows Hello is supported across all Windows 10 devices, organizations can uniformly implement multifactor authentication across their environment. Deploying Windows Hello on Windows 10 Mobile devices does require Azure AD (sold separately), but you can use Azure AD Connect to synchronize with your on-premises Active Directory services.
+
+Windows Hello supports iris scan, fingerprint, and facial recognition-based authentication for devices that have biometric sensors. 
+
+>**Note:** When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. 
+
+### <a href="" id="secured-credentials"></a>Secured credentials
+
+Windows Hello eliminates the use of passwords for login, reducing the risk that an attacker will steal and reuse a user’s credentials. Windows 10 Mobile devices are required to have a Trusted Platform Module (TPM), a microchip that enables advanced security features. The TPM creates encryption keys that are “wrapped” with the TPM’s own storage root key, which is itself stored within the TPM to prevent credentials from being compromised. Encryption keys created by the TPM can only be decrypted by the same TPM, which protects the key material from attackers who want to capture and reuse it. 
+
+To compromise Windows Hello credentials, an attacker would need access to the physical device, and then find a way to spoof the user’s biometric identity or guess his or her PIN. All of this would have to be accomplished before TPM brute-force resistance capabilities lock the mobile device, the theft-protection mechanism kicks in, or the user or corporate administrator remotely wipes the device. With TPM-based protection, an attacker’s window of opportunity for compromising a user’s credentials is greatly reduced.
+
+### <a href="" id="support-for-biometrics"></a>Support for biometrics
+
+Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them – there is nothing to forget, lose, or leave behind. Attackers would need to have both access to the user’s device and be able to impersonate the user’s biometric identity to gain access to corporate resources, which is far more difficult than stealing a password.  
+
+Windows Hello supports three biometric sensor scenarios:
+-	**Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology.
+-	**Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello.
+-	**Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology.
+
+>Users must create an unlock PIN while they enroll a biometric gesture. The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture.
+
+All three of these biometric factors – face, finger, and iris – are unique to an individual. To capture enough data to uniquely identify an individual, a biometric scanner might initially capture images in multiple conditions or with additional details. For example, an iris scanner will capture images of both eyes or both eyes with and without eyeglasses or contact lenses.
+
+Spoofing biometric data is often a big concern in enterprise environments. Microsoft employs several anti-spoofing techniques in Windows 10 Mobile that verify the trustworthiness of the biometric device, as well as guard against intentional collision with stored biometric measurements. These techniques help improve the false-acceptance rate (the rate at which spoofed biometric data is accepted as authentic) while maintaining the overall usability and manageability of MFA.
+
+The biometric image collected at enrollment is converted into an algorithmic form that cannot be converted back into the original image. Only the algorithmic form is kept; the actual biometric image is removed from the device after conversion. Windows 10 Mobile devices both encrypt the algorithmic form of the biometric data and bind the encrypted data to the device, both of which help prevent someone from removing the data from the phone. As a result, the biometric information that Windows Hello uses is a local gesture and doesn’t roam among the user’s devices.
+
+### <a href="" id="companion-devices"></a>Companion devices
+
+A Windows Hello companion device enables a physical device, like a wearable, to serve as a factor for validating the user’s identity before granting them access to their credentials. For instance, when the user has physical possession of a companion device they can easily, possibly even automatically, unlock their PC and authenticate with apps and websites. This type of device can be useful for smartphones or tablets that don’t have integrated biometric sensors or for industries where users need a faster, more convenient sign-in experience, such as retail.
+
+In some cases, the companion device for Windows Hello enables a physical device, like a phone, wearable, or other types of device to store all of the user’s credentials. Storage of the credentials on a mobile device makes it possible to use them on any supporting device, like a kiosk or family PC, and eliminates the need to enroll Windows Hello on each device. Companion devices also help enable organizations to meet regulatory requirements, such as Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS 140-2).
+
+### <a href="" id="standards-based-approach"></a>Standards-based approach 
+
+The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms. 
+
+In 2014, Microsoft joined the board of the FIDO Alliance. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards. Microsoft has contributed Windows Hello technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for both enterprises and consumers.
+
+## Windows Information Protection
+
+Enterprises have seen huge growth in the convergence of personal and corporate data storage. Personal data is frequently stored on corporate devices and vice versa. This fluidity increases the potential for sensitive corporate data to be accidentally compromised.
+
+Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. It’s easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity. 
+
+Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data secure and personal data private. Because corporate data is always protected, users cannot inadvertently copy it or share it with unauthorized users or apps. Key features include:
+-	Automatically tag personal and corporate data.
+-	Protect data while it’s at rest on local or removable storage.
+-	Control which apps can access corporate data.
+-	Control which apps can access a virtual private network (VPN) connection.
+-	Prevent users from copying corporate data to public locations.
+-	Help ensure business data is inaccessible when the device is in a locked state. 
+
+### <a href="" id="enlightened-apps"></a>Enlightened apps
+
+Third-party data loss protection solutions usually require developers to wrap their apps. However, Windows Information Protection builds this intelligence right into Windows 10 Mobile so most apps require nothing extra to prevent inappropriate corporate data sharing.
+
+Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default. 
+
+When you do not want all data encrypted by default – because it would create a poor user experience – developers should consider enlightening apps by adding code and compiling them using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
+-	Don’t use common controls for saving files.
+-	Don’t use common controls for text boxes.
+-	Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance).
+
+In many cases, most apps don’t require enlightenment for them to use Windows Information Protection. Simply adding them to the allow list is the only step you need to take. Line-of-Business (LOB) apps are a good example of where this works well because they only handle corporate data.
+
+**When is app enlightenment required?** 
+-	**Required** 
+    -	App needs to work with both personal and enterprise data.
+-	**Recommended** 
+    -	App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldn’t be able to properly revoke these apps.
+    -	App needs to access enterprise data, while protection under lock is activated.
+-	**Not required**
+    -	App handles only corporate data 
+    -	App handles only personal data
+
+### <a href="" id="companion-devices"></a>Data leakage control
+
+To configure Windows Information Protection in a Mobile Device Management (MDM) solution that supports it, simply add authorized apps to the allow list. When a device running Windows 10 Mobile enrolls in the MDM solution, unauthorized apps will not have access to enterprise data.
+
+Windows Information Protection works seamlessly until users try to access enterprise data with or paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but Window Information Protection can block users from copying enterprise data from an authorized app to an unauthorized app. Likewise, it will block users from using an unauthorized app to open a file that contains enterprise data.
+
+The extent to which users will be prevented from copying and pasting data from authorized apps to unauthorized apps or locations on the web depends on which protection level is set:
+-	**Block.** Windows Information Protection blocks users from completing the operation.
+-	**Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log.
+-	**Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log.
+-	**Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log.
+
+### <a href="" id="companion-devices"></a>Data separation
+
+Most third-party solutions require an app wrapper that directs enterprise data into a password-protected container and keeps personal data outside the container. Depending on the implementation, this may require two different versions of the same apps to be running on the device: one for personal data and another for enterprise data.
+
+Windows Information Protection provides data separation without requiring a container or special version of an app to access business or personal data. There is no separate login required to see your corporate data or open your corporate applications. Windows Information Protection identifies enterprise data and encrypts it to only enterprise use. Data separation is automatic and seamless. 
+
+### <a href="" id="companion-devices"></a>Encryption
+
+Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating systems and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored – even if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device.
+
+You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. The list below shows the policies you can change to customize device encryption on Windows 10 Mobile devices.
+-	Cryptography 
+    -	Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled.
+    -	TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections.
+-	BitLocker 
+    -	Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one.
+
+To help make the device even more secured against outside interference, Windows 10 Mobile also now includes protection-under-lock. That means that encryption keys are removed from memory whenever a device is locked. Apps are unable to access sensitive data while the device is in a locked state, so hackers and malware have no way to find and co-opt keys. Everything is locked up tight with the TPM until the user unlocks the device with Windows Hello.
+
+### <a href="" id="companion-devices"></a>Government Certifications
+
+Windows 10 Mobile supports both [FIPS 140 standards](http://csrc.nist.gov/groups/STM/cavp/validation.html) for cryptography and [Common Criteria](https://www.niap-ccevs.org/Product/Compliant.cfm?pid=10694) The FIPS 140 certification validates the effectiveness of the cryptographic algorithms used in Windows 10 Mobile. Microsoft has also received Common Criteria certification for Windows 10 Mobile running on Lumia 950, 950 XL, 550, 635, as well as Surface Pro 4, giving customers assurance that securety functionality is implemented properly.
+
+## Malware resistance
+
+The best way to fight malware is prevention. Windows 10 Mobile provides strong malware resistance through secured hardware, startup process defenses, core operating system architecture, and application-level protections.
+The table below outlines how Windows 10 Mobile mitigates specific malware threats.
+
+<table>
+<colgroup>
+<col width="40%" />
+<col width="60%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Threat</th>
+<th align="left">Windows 10 Mobile mitigation</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Firmware bootkits replace the firmware with malware.</p></td>
+<td align="left"><p>All certified devices include Unified Extensible Firmware (UEFI) with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Bootkits start malware before Windows starts.</p></td>
+<td align="left"><p>UEFI with Secure Boot verifies Windows bootloader integrity to help ensure that no malicious operating system can start before Windows.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>System or driver rootkits (typically malicious software that hides from the operating system) start kernel- level malware while Windows is starting, before antimalware solutions can start.</p></td>
+<td align="left"><p>Windows Trusted Boot verifies Windows boot components, including Microsoft drivers. Measured Boot runs in parallel with Trusted Boot and can provide information to a remote server that verifies the boot state of the device to help ensure that Trusted Boot and other boot components successfully checked the system.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>An app infects other apps or the operating system with malware.</p></td>
+<td align="left"><p>All Windows 10 Mobile apps run inside an AppContainer that isolates them from all other processes and sensitive operating system components. Apps cannot access any resources outside their AppContainer.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>An unauthorized app or malware attempts to start on the device.</p></td>
+<td align="left"><p>All Windows 10 Mobile apps must come from Microsoft Store or Microsoft Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>User-level malware exploits a vulnerability in the system or an application and owns the device.</p></td>
+<td align="left"><p>Improvements to address space layout randomization (ASLR), Data Execution Prevention (DEP), the heap architecture, and memory-management algorithms reduce the likelihood that vulnerabilities can enable successful exploits.</p>
+<p>Protected Processes isolates non-trusted processes from each other and from sensitive operating system components.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Users access a dangerous website without knowledge of the risk.</p></td>
+<td align="left"><p>The SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Malware exploits a vulnerability in a browser add-on.</p></td>
+<td align="left"><p>Microsoft Edge is an app built on the Universal Windows Platform (UWP) that does not run legacy binary extensions, including Microsoft ActiveX and browser helper objects frequently used for toolbars, which eliminates these risks.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>A website that includes malicious code exploits a vulnerability in the web browser to run malware on the client device.</p></td>
+<td align="left"><p>Microsoft Edge includes Enhanced Protected Mode, which uses AppContainer-based sandboxing to help protect the system against vulnerabilities that at attacker may discover in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.</p></td>
+</tr>
+</tbody>
+</table>
+
+>**Note:** The Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [www.uefi.org/specs]( http://www.uefi.org/specs). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed.
+
+### <a href="" id="companion-devices"></a>UEFI with Secure Boot
+
+When a Windows 10 Mobile device starts, it begins the process of loading the operating system by locating the bootloader in the device’s storage system. Without safeguards in place, the phone might simply hand control over to the bootloader without even determining whether it’s a trusted operating system or malware.
+
+UEFI is a standards-based solution that offers a modern-day replacement for the BIOS. In fact, it provides the same functionality as BIOS while adding security features and other advanced capabilities. Like BIOS, UEFI initializes devices, but UEFI components with the Secure Boot feature (version 2.3.1 or later) also helps to ensure that only trusted firmware in Option ROMs, UEFI apps, and operating system bootloaders can start on the mobile phone.
+
+UEFI can run internal integrity checks that verify the firmware’s digital signature before running it. Because only the mobile phone’s manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI has protection against firmware-based malware that loads before Windows 10 Mobile and to try and hide its malicious behavior from the operating system. Firmware-based malware of this nature is typically called bootkits.
+
+When a mobile device with UEFI and Secure Boot starts, the UEFI firmware verifies the bootloader’s digital signature to verify that no one has modified it after it was digitally signed. The firmware also verifies that a trusted authority issued the bootloader’s digital signature. This check helps to ensure that the system starts only after checking that the bootloader is both trusted and unmodified since signing.
+
+All Windows 10 Mobile devices always have Secure Boot enabled. In addition, they trust only the Windows operating system signature. Neither Windows 10 Mobile, apps, or even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx)
+
+### <a href="" id="companion-devices"></a>Trusted Platform Module
+
+A Trusted Platform Module (TPM) is a tamper-resistant cryptographic module that enhances the security and privacy of computing platforms. The TPM is incorporated as a component in a trusted computing platform like a PC, tablet, or smartphone. A trusted computing platform is specially designed to work with the TPM to support privacy and security scenarios that software alone cannot achieve. A TPM is required to receive Windows 10 Mobile device hardware certification.
+
+A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, if you create a key in a TPM with the property that no one can export that key from the TPM, the key absolutely cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling a reliable report of the software used to start a platform.
+
+The following list describes key functionality that a TPM provides in Windows 10 Mobile:
+-	**Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys.
+-	**Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component – from firmware up through the drivers – and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device.
+-	**Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM.
+
+Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard. The TPM 2.0 standard includes several improvements that make it superior to the 1.2 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. When the TPM 1.2 standard appeared in the early 2000s, the security community considered these algorithms cryptographically strong. Since then, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection, as well as the ability to plug-in algorithms that certain geographies or industries may prefer. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.
+
+Many assume that original equipment manufacturers (OEMs) must implant a TPM in hardware on a motherboard as a discrete module, but TPM can also be effective when implemented in firmware. Windows 10 Mobile supports only firmware TPM that complies with the 2.0 standard. Windows does not differentiate between discrete and firmware-based solutions because both must meet the same implementation and security requirements. Therefore, any Windows 10 feature that can take advantage of TPM can be used with Windows 10 Mobile.
+
+>Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [minimum hardware requirements](https://technet.microsoft.com/library/dn915086.aspx)
+
+Several Windows 10 Mobile security features require TPM:
+-	Virtual smart cards
+-	Measured Boot
+-	Health attestation (requires TPM 2.0 or later)
+
+Still other features will use the TPM if it is available. For example, Windows Hello does not require TPM but uses it if it’s available. Organizations can configure policy to require TPM for Windows Hello.
+
+### <a href="" id="companion-devices"></a>Biometrics
+
+Windows 10 Mobile makes biometrics a core security feature. Microsoft has fully integrated biometrics into the Windows 10 Mobile security components, not just tacked it on top of the platform (as was the case in previous versions of Windows). This is a big change. Earlier biometric implementations were largely front-end methods that simplified authentication. Under the hood, the system used biometrics to access a password, which it then used for authentication behind the scenes. Biometrics may have provided convenience, but not necessarily enterprise-grade authentication.
+
+Microsoft has been evangelizing the importance of enterprise-grade biometric sensors to the OEMs that create Windows 10 Mobile devices. These facial-recognition and iris-scanning sensors are fully supported by Windows Hello.
+
+In the future, Microsoft expects OEMs to produce even more advanced enterprise-grade biometric sensors and to continue integrating them into mobile devices. As a result, biometrics will become a commonplace authentication method as part of an MFA system.
+
+### <a href="" id="trusted-boot"></a>Trusted Boot
+
+UEFI with Secure Boot uses hardware technologies to help protect users from bootkits. Secure Boot can validate the integrity of the device, firmware, and bootloader. After the bootloader launches, users must rely on the operating system to protect the integrity of the remainder of the system.
+
+When UEFI with Secure Boot verifies that it trusts the bootloader and starts Windows 10 Mobile, the Windows Trusted Boot feature protects the rest of the startup process by verifying that all Windows startup components are trustworthy (e.g., signed by a trusted source) and have integrity. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, and startup files.
+
+### <a href="" id="measured-boot"></a>Measured Boot
+
+In earlier versions of Windows, the biggest challenge with rootkits and bootkits was that they could frequently be undetectable to the client. Because they often started before Windows defenses and the antimalware solution – and they had system-level privileges – rootkits and bootkits could completely disguise themselves while continuing to access system resources. Although UEFI with Secure Boot and Trusted Boot could prevent most rootkits and bootkits, intruders could still potentially exploit a few attack vectors (e.g., if someone compromised the signature used to sign a boot component, such as a non-Microsoft driver, and used it to sign a malicious one).
+
+Windows 10 Mobile implements the Measured Boot feature, which uses the TPM hardware component to record a series of measurements for critical startup-related components, including firmware, Windows boot components, and drivers. Because Measured Boot uses the hardware-based security capabilities of TPM, which isolates and protects the measurement data against malware attacks, the log data is well protected against even sophisticated attacks.
+
+Measured Boot focuses on acquiring the measurement data and protecting it against tampering. To provide more complete security, it must be coupled with a service that can analyze the data to determine device health. 
+
+### <a href="" id="device-health-attestation"></a>Device Health Attestation
+
+Device Health Attestation (DHA) is a new feature in Windows 10 Mobile that helps prevent low-level malware infections. DHA uses a device’s TPM and firmware to measure the critical security properties of the device’s BIOS and Windows startup processes. These measurements are made in such a way that even on a system infected with kernel-level malware or a rootkit, an attacker is unlikely to spoof the properties.
+
+You can use DHA with Microsoft Intune (sold separately) or a third-party MDM solution to combine hardware-measured security properties with other device properties and gain an overall view of the device’s health and compliance state. This integration can be useful in a variety of scenarios, including detecting jailbroken devices, monitoring device compliance, generating compliance reports, alerting users or administrators, initiating corrective action on the device, and managing conditional access to resources such as Office 365.
+
+The example that follows shows how Windows 10 protective measures integrate and work with Intune and third-party MDM solutions. It demonstrates how the phone security architecture in Windows 10 Mobile can help you monitor and verify compliance and how the security and trust rooted in the device hardware can protect end-to-end corporate resources.
+
+When a user turns a phone on:
+1.	The Secure Boot feature in Windows 10 Mobile helps protect the startup sequence, allows the device to boot into a defined and trusted configuration, and loads a factory-trusted boot loader.
+2.	Windows 10 Mobile Trusted Boot takes control when the Secure Boot process is complete, verifying the digital signature of the Windows kernel and the components that are loaded and executed during the startup process.
+3.	In parallel to steps 1 and 2, the phone’s TPM runs independently in a hardware-protected security zone (isolated from the boot execution path, which monitors boot activities). It creates a protected, tamper-evident audit trail, signed with a secret that only the TPM can access.
+4.	Devices that are DHA-enabled send a copy of this audit trail to the Microsoft Health Attestation service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel.
+5.	HAS reviews the audit trails, issues an encrypted and signed report, and forwards it to the device.
+6.	From your DHA-enabled MDM solution, you can review the report in a protected, tamper-resistant, and tamper-evident communication channel to assess whether the device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with the organization’s security needs and policies.
+Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider implementing a DHA-enabled MDM system like Intune. It can take advantage of the Windows 10 Mobile cloud-based health attestation server feature to detect and block devices infected with advanced malware.
+
+### <a href="" id="device-guard"></a>Device Guard
+
+Device Guard is a feature set that consists of both hardware and software system integrity–hardening features. These features revolutionize Windows operating system security by moving the entire operating system to a trust-nothing model.
+
+All apps on Windows 10 Mobile must be digitally signed and come from Microsoft Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Microsoft Store. You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app does not have a digital signature, is prevented by policy, or does not come from a trusted store, it will not run on Windows 10 Mobile.
+
+Advanced hardware features, described above, drive these security offerings. By integrating these hardware features further into the core operating system, Windows 10 Mobile can use them in new ways. To deliver this additional security, Device Guard requires UEFI with Secure Boot.
+
+### <a href="" id="address-space-layout-randomaization"></a>Address Space Layout Randomization
+
+One of the most common techniques used by attackers to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data reside, and overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations.
+
+Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. The below diagram illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts.
+
+![figure 3](images/mobile-security-guide-figure3.png)
+
+Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, applying it across the entire system rather than only in specific apps. With 64bit system and application processes that can take advantage of a vastly increased memory space, it is even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization becomes increasingly unique across devices, adding additional degrees of difficulty for repurposing successful exploits to another system.
+
+### <a href="" id="data-execution-prevention"></a>Data Execution Prevention
+
+Malware depends on its ability to insert a malicious payload into memory with the hope that an unsuspecting user will execute it later. While ASLR makes that more difficult, Windows 10 Mobile extends that protection to prevent malware from running if written to an area that you have allocated solely for the storage of information. Data Execution Prevention (DEP) substantially reduces the range of memory that malicious code can use for its benefit. DEP uses the **No execute** bit on modern CPUs to mark blocks of memory as read-only so that malware can’t use those blocks to execute malicious code. All Windows 10 and Windows 10 Mobile devices support DEP.
+
+### <a href="" id="companion-devices"></a>Windows heap
+
+The heap is a location in memory that Windows uses to store dynamic application data. Microsoft continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that an attacker could use.
+Windows 10 Mobile has made several important improvements to the security of the heap over previous versions of Windows:
+-	Internal data structures that the heap uses are better protected against memory corruption.
+-	Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable.
+-	Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app.
+
+### <a href="" id="memeory-reservation"></a>Memory reservations
+
+Microsoft reserves the lowest 64 KB of process memory for the operating system. Apps are no longer allowed to allocate that portion of the memory, making it more difficult for malware to overwrite critical system data structures in memory.
+
+### <a href="" id="control-flow-guard"></a>Control Flow Guard
+
+When Windows loads applications into memory, it allocates space to those applications based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships among the code locations are well known – they are written in the code itself. However, until Windows 10 Mobile, the operating system didn’t enforce the flow among these locations, giving attackers the opportunity to change the flow to meet their needs. In other words, an application exploit takes advantage of this behavior by running code that the application may not typically run.
+
+Windows 10 Mobile mitigates this kind of threat through Control Flow Guard (CFG). When a trusted application that its creator compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If CFG doesn’t trust the location, it immediately terminates the application as a potential security risk.
+
+You cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when he or she compiles the application. Because browsers are a key entry point for attacks, Microsoft Edge takes full advantage of CFG.
+
+### <a href="" id="protected-processes"></a>Protected Processes
+
+Unfortunately, no device is immune to malware. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, additional malware controls are required. 
+If malware is running on a system, you need to limit what it can do Protected Processes prevents untrusted processes from tampering with those that have been specially signed. Protected Processes defines levels of trust for processes: it prevents less trusted processes from interacting with and therefore attacking more trusted processes. Windows 10 Mobile uses Protected Processes broadly throughout the operating system.
+
+### <a href="" id="appcontainer"></a>AppContainer
+
+The Windows 10 Mobile security model is based on the principle of least privilege and uses isolation to achieve it. Every app and even portions of the operating system itself run inside their own isolated sandbox called an AppContainer – a secured isolation boundary within which an app and its processes can run. Each AppContainer is defined and implemented through a security policy.
+
+The security policy of a specific AppContainer defines the operating system capabilities that apps have access to from within the AppContainer, such as geographical location information, camera, microphone, networking, or sensors.
+
+A set of default permissions are granted to all AppContainers, including access to a unique, isolated storage location. Access to other capabilities can be declared within the app code itself. Unlike traditional desktop applications, access to additional capabilities and privileges cannot be requested at run time.
+
+The AppContainer concept is advantageous because it provides:
+-	**Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions.
+-	**User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent.
+-	**App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types.
+
+Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Microsoft Store displays the permissions that the app requires along with the app’s age rating and publisher.
+
+The combination of Device Guard and AppContainer help to prevent unauthorized apps from running. In the event malware slips into the app ecosystem, the AppContainer helps to constrain the app and limit potential damage. The Windows 10 Mobile trust-nothing model doesn’t assume that any component is perfect. However, potential vulnerabilities in apps, AppContainers, and Windows 10 Mobile itself could give an attacker a chance to compromise a system. For this reason, redundant vulnerability mitigations are needed. The next several topics describe some of the redundant mitigations in Windows 10 Mobile.
+
+### <a href="" id="microsoft-edge"></a>Microsoft Edge
+
+The web browser is a critical component of any security strategy. It is the user’s interface to the Internet, an environment teeming with malicious sites and potentially dangerous content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks.
+
+Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways:
+-	**Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability. 
+-	**Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps.
+-	**Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design.
+
+## Summary
+
+Windows 10 Mobile provides security on personal and corporate-owned devices to protect against unauthorized access, data leakage, and malware threats. All of the features covered in this paper – multifactor authentication, data separation, and malware resistance – are seamlessly incorporated into the operating system. This means enterprises are protected without compromising the productivity and ease of use that drives users to bring mobile devices into the workplace. 
+
+## Revision History
+
+November 2015 		Updated for Windows 10 Mobile (version 1511)
+
+July 2016		Updated for Windows 10 Mobile Anniversary Update (version 1607)
+

windows/security/threat-protection/windows-security-baselines.md

@@ -0,0 +1,75 @@
+---
+title: Windows Security Baselines
+description: This article, and the articles it links to, describe how to use Windows Security Baselines in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.author: sagaudre
+author: brianlic-msft
+ms.date: 10/31/2017
+---
+
+# Windows Security Baselines
+
+**Applies to**  
+
+-   Windows 10
+-   Windows Server 2016 
+
+## Using security baselines in your organization 
+
+Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. 
+
+Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.
+
+We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. 
+
+Here is a good blog about [Sticking with Well-Known and Proven Solutions](https://blogs.technet.microsoft.com/fdcc/2010/10/06/sticking-with-well-known-and-proven-solutions/).
+
+## What are security baselines? 
+
+Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. 
+
+A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. 
+
+## Why are security baselines needed? 
+
+Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers. 
+
+For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine  the appropriate value for each setting. 
+
+In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects backups.
+
+## How can you use security baselines? 
+
+You can use security baselines to: 
+-   Ensure that user and device configuration settings are compliant with the baseline. 
+-   Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. 
+
+## Where can I get the security baselines? 
+
+You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing  baselines in addition to the security baselines.
+
+The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. 
+
+[![Security Compliance Toolkit](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) 
+[![Get Support](images/get-support.png)](get-support-for-security-baselines.md) 
+
+## Community
+
+[![Microsoft Security Guidance Blog](images/community.png)](https://blogs.technet.microsoft.com/secguide/) 
+
+## Related Videos
+
+You may also be interested in this msdn channel 9 video: 
+-   [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO)
+
+## See Also
+
+-   [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager)
+-   [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite)
+-   [Configuration Management for Nano Server](https://blogs.technet.microsoft.com/grouppolicy/2016/05/09/configuration-management-on-servers/)
+-   [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/)
+-   [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
+-   [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)