Merge pull request #3434 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
Gary Moore 2020-08-03 21:55:10 -07:00 committed by GitHub
commit 9739369476
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 13 deletions

View File

@ -41,7 +41,8 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
</array> </array>
<key>RunAtLoad</key> <key>RunAtLoad</key>
<true/> <true/>
<key>StartCalendarInterval</key><dict> <key>StartCalendarInterval</key>
<dict>
<key>Day</key> <key>Day</key>
<integer>3</integer> <integer>3</integer>
<key>Hour</key> <key>Hour</key>
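Review bot: moving `<dict>` onto its own line after `<key>StartCalendarInterval</key>` is a readability-only change, but since it reflows a nested plist block, the full file should be validated (for example with `plutil -lint`) before publishing, because a doubled or unbalanced `<dict>` would stop launchd from loading the job. Separately, the context line `<key>Day</key> <integer>3</integer>` under StartCalendarInterval is a day-of-month value; if the intent described in step 5 of this file (a run every Friday) is correct, the key should be `Weekday`, not `Day`.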
@ -68,8 +69,8 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
4. To load your file into **launchd**, enter the following commands: 4. To load your file into **launchd**, enter the following commands:
```bash ```bash
`$ launchctl load /Library/LaunchDaemons/<your file name.plist>` launchctl load /Library/LaunchDaemons/<your file name.plist>`
`$ launchctl start <your file name>` launchctl start <your file name>`
``` ```
5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every 7 days on a Friday, with the StartInterval using 604800 seconds for one week. 5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every 7 days on a Friday, with the StartInterval using 604800 seconds for one week.
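Review bot: the two command lines drop the `$ ` prompt and the opening backtick but keep the closing one, so the new block renders as `launchctl load /Library/LaunchDaemons/<your file name.plist>\`` and `launchctl start <your file name>\``; remove the trailing backtick from both lines so the fenced bash block contains only the commands. The surrounding text in step 5 still says the schedule uses `StartInterval` with 604800 seconds, while the plist shown earlier in this file uses `StartCalendarInterval`; make the prose match whichever key the example actually uses.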

View File

@ -22,7 +22,7 @@ ms.date: 06/13/2018
**Applies to:** **Applies to:**
- Windows 10 - Windows 10
- Windows Server 2016 and above - Windows Server 2019
Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC). Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC).
This is especially true for enterprises with large, ever changing software catalogs. This is especially true for enterprises with large, ever changing software catalogs.
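Review bot: replacing "Windows Server 2016 and above" with "Windows Server 2019" narrows the Applies to list in two directions at once, dropping Server 2016 and no longer covering releases after 2019, and the commit message gives no reason for either. If managed installer support really begins with Server 2019, "Windows Server 2019 and above" preserves the original open-ended wording; if Server 2016 is still supported, the line should not change.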
@ -36,7 +36,7 @@ A managed installer uses a new rule collection in AppLocker to specify one or mo
Specifying an executable as a managed installer will cause Windows to tag files that are written from the executables process (or processes it launches) as having originated from a trusted installation authority. The Managed Installer rule collection is currently supported for AppLocker rules in Group Policy and in Configuration Manager, but not in the AppLocker CSP for OMA-URI policies. Specifying an executable as a managed installer will cause Windows to tag files that are written from the executables process (or processes it launches) as having originated from a trusted installation authority. The Managed Installer rule collection is currently supported for AppLocker rules in Group Policy and in Configuration Manager, but not in the AppLocker CSP for OMA-URI policies.
Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy.
If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.+ If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.
Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer. Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer.
Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps. Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps.
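Review bot: removing the stray `+` after "origin information." is correct, and the same pass should fix two grammar slips in the unchanged context lines: "Admins needs to ensure" should read "Admins need to ensure", and "written from the executables process" should read "written from the executable's process".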
@ -46,9 +46,9 @@ Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExampleP
Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled. Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled.
There are three primary steps to keep in mind: There are three primary steps to keep in mind:
- Specify managed installers using the Managed Installer rule collection in AppLocker policy - Specify managed installers by using the Managed Installer rule collection in AppLocker policy.
- Enable service enforcement in AppLocker policy - Enable service enforcement in AppLocker policy.
- Enable the managed installer option in a WDAC policy - Enable the managed installer option in a WDAC policy.
### Specify managed installers using the Managed Installer rule collection in AppLocker policy ### Specify managed installers using the Managed Installer rule collection in AppLocker policy
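Review bot: the first bullet now reads "Specify managed installers by using the Managed Installer rule collection", but the heading on the last line of this hunk still reads "Specify managed installers using the Managed Installer rule collection"; keep the two identical so readers can match the step list to its section.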
@ -60,7 +60,7 @@ For more information about creating an AppLocker policy that includes a managed
As mentioned above, the AppLocker CSP for OMA-URI policies does not currently support the Managed Installer rule collection or the Service Enforcement rule extensions mentioned below. As mentioned above, the AppLocker CSP for OMA-URI policies does not currently support the Managed Installer rule collection or the Service Enforcement rule extensions mentioned below.
```code ```xml
<RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly"> <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
<FilePublisherRule Id="6cc9a840-b0fd-4f86-aca7-8424a22b4b93" Name="CMM - CCMEXEC.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <FilePublisherRule Id="6cc9a840-b0fd-4f86-aca7-8424a22b4b93" Name="CMM - CCMEXEC.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions> <Conditions>
@ -82,10 +82,10 @@ As mentioned above, the AppLocker CSP for OMA-URI policies does not currently su
## Enable service enforcement in AppLocker policy ## Enable service enforcement in AppLocker policy
Since many installation processes rely on services, it is typically necessary to enable tracking of services. Since many installation processes rely on services, it is typically necessary to enable tracking of services.
Correct tracking of services requires the presence of at least one rule in the rule collection a simple audit only rule will suffice. Correct tracking of services requires the presence of at least one rule in the rule collection a simple audit only rule will suffice.
For example: For example:
```code ```xml
<RuleCollection Type="Dll" EnforcementMode="AuditOnly" > <RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
<FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions> <Conditions>
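Review bot: changing the fence from `code` to `xml` is right for this content, and the unchanged context line "Correct tracking of services requires the presence of at least one rule in the rule collection a simple audit only rule will suffice." is a run-on that should be split: "requires the presence of at least one rule in the rule collection; a simple audit-only rule will suffice."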
@ -124,7 +124,7 @@ In order to enable trust for the binaries laid down by managed installers, the E
This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption).
An example of the managed installer option being set in policy is shown below. An example of the managed installer option being set in policy is shown below.
```code ```xml
<Rules> <Rules>
<Rule> <Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option> <Option>Enabled:Unsigned System Integrity Policy</Option>
@ -149,7 +149,7 @@ An example of the managed installer option being set in policy is shown below.
To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it. To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it.
Run the following command as an Administrator: Run the following command as an Administrator:
```code ```console
appidtel.exe start [-mionly] appidtel.exe start [-mionly]
``` ```
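Review bot: with the fence now tagged `console`, the line `appidtel.exe start [-mionly]` reads as something to paste verbatim, yet the square brackets are syntax notation for an optional switch and nothing in the visible lines says what `-mionly` does. Either show the plain command and a second line with the switch, or add a sentence after the block explaining when `-mionly` should be used.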