Initial commit of AppId Tagging docs

windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md

@@ -0,0 +1,56 @@
+---
+title: Use multiple Windows Defender Application Control Policies  (Windows)
+description: Windows Defender Application Control supports multiple code integrity policies for one device.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: jsuther1974
+ms.author: dansimp
+manager: dansimp
+ms.date: 04/28/2022
+ms.technology: windows-sec
+---
+
+# Testing and Debugging AppId Tagging Policies
+
+**Applies to:**
+
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+
+After deployment of the WDAC AppId Tagging policy, WDAC will fire a 3099 policy deployed event in the [Event Viewer logs](event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event. 
+
+## Verifying Tags on Running Processes
+
+After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have the tag set by the policy, and processes which should not have the tag do not. Note, processes running at the time of policy deployment will need to be restarted since WDAC can only tag processes created after the policy has been deployed. 
+
+1. Download and Install the Windows Debugger 
+
+	[Microsoft's WinDbg Preview application](https://www.microsoft.com/store/productId/9PGJGD53TN86) can be downloaded from the Store and used to verify tags on running processes. 
+
+2. Get the Process ID (PID) of the process under validation
+
+	Using Task Manager, or an equivalent process monitoring tool, locate the PID of the process you wish to inspect. In the example below, I have located the PID for the running process for Microsoft Edge to be 2260. The PID will be used in the next step. 
+
+	![Using Task Manager to locate the process ID - PID.](images/appid-pid-task-mgr.png)
+
+3. Use WinDbg to inspect the process
+
+	After opening WinDbg select File followed by "Attach to Process" and select the process with the PID identified in the step prior. Finally, select **Attach** to connect to the process. 
+
+	![Attach to the process using WinDbg.](images/appid-pid-windbg.png)
+
+	Lastly, in the textbox, type _!token_ and hit enter to dump the security attributes on the process, including the _POLICYAPPID://_ followed by the key you set in the policy, as well as its corresponding value in the Value[0] field.
+
+	![Dump the security attributes on the process using WinDbg.](images/appid-pid-windbg-token.png)

windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md

@@ -0,0 +1,60 @@
+---
+title: DDeploying Windows Defender Application Control AppId Tagging policies (Windows)
+description: How to deploy your WDAC AppId Tagging policies locally and globally within your managed environment
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: jsuther1974
+ms.author: dansimp
+manager: dansimp
+ms.date: 04/27/2022
+ms.technology: windows-sec
+---
+
+# Use multiple Windows Defender Application Control Policies
+
+**Applies to:**
+
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+
+Similar to WDAC Application Control policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you have created your AppId Tagging policy, use one of the following methods to deploy:
+
+1. [Deploy policies with MDM](#Deploy-AppId-Tagging-Policies-with-MDM)
+1. [Deploy policies with MEMCM](#Deploy-AppId-Tagging-Policies-with-MEMCM)
+1. [Deploy policies using scripting](#Deploy-AppId-Tagging-Policies-via-Scripting)
+1. [ApplicationControl CSP](#Deploying-policies-via-ApplicationControl-CSP)
+
+## Deploy AppId Tagging Policies with MDM
+
+While policies cannot be created in MDM, custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). 
+
+## Deploy AppId Tagging Policies with MEMCM
+
+Similar to MDM, policies can only be deployed via MEMCM not created. Using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. 
+
+### Deploy AppId Tagging Policies via Scripting
+
+Scripting hosts can be used to deploy AppId Tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. The [Deploy WDAC policies using script topic](/deployment/deploy-wdac-policies-with-script.md) describes how to deploy WDAC AppId Tagging policies via scripting. Note that only the method for deploying to version 1903 and above is applicable for AppId Tagging policies. 
+
+### Deploying policies via ApplicationControl CSP
+
+Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.<br>
+
+However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
+
+See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
+
+> [!NOTE]
+> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.

windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md

@@ -0,0 +1,126 @@
+---
+title: Use multiple Windows Defender Application Control Policies  (Windows)
+description: Windows Defender Application Control supports multiple code integrity policies for one device.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: jsuther1974
+ms.author: dansimp
+manager: dansimp
+ms.date: 04/27/2022
+ms.technology: windows-sec
+---
+
+# Creating your WDAC AppId Tagging Policies
+
+**Applies to:**
+
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+
+## Create the policy using the WDAC Wizard
+
+Using this method, you will use a hybrid of the WDAC Wizard and the WDAC PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md).
+
+1. Create a new base policy using the templates:
+
+	Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. Our recommendation is to start with [Default Windows Mode](../wdac-wizard-create-base-policy#template-base-policies) and build ontop of these rules. 
+
+	![Configuring the policy base and template.](images/appid-wdac-wizard-1.png)
+
+2. Set the rule-options on the policy: 
+
+	Set the following rule-options using the Wizard toggles:
+
+	![Configuring the policy rule-options.](images/appid-wdac-wizard-2.png)
+
+3. Create custom rules:
+
+	Selecting the `+ Custom Rules` button will open the Custom Rules panel. The Wizard supports 5 types of file rules: 
+
+	- Publisher rules: Create a rule based off the signing certificate heirarchy. Additionally, the original filename and version can be combined with the signing certificate for additional security. 
+	- Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards. 
+	- File attribute rules: Create a rule based off a file's immutable properties like the original filename, file description, product name or internal name.
+	- Package app name rules: Create a rule based off the package family name of an appx/msix.
+	- Hash rules: Create a rule based off the PE Authenticode hash of a file. 
+
+
+	For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](wdac-wizard-create-base-policy.md#creating-custom-file-rules).
+
+4. Convert to AppId Tagging Policy:
+
+	After the Wizard builds the policy file, open the file in a text editor and remove the entire SigningScenario block corresponding to "Value=131" (driver section) so that the only remaining signing scenario is "Value=12" or the usermode/application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario:
+
+	```powershell
+	Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
+	```
+	The policyID GUID will be returned by PowerShell if successful. 
+
+5. Depending on your deployment method, convert the xml to binary: 
+
+	```powershell
+	Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip"
+	```
+
+6. Optionally, deploy it for local testing:
+
+	```powershell
+		copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\
+		./RefreshPolicy.exe
+	```
+
+## Create the policy using PowerShell 
+
+Using this method, you will create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md). In an elevate PowerShell instance:
+
+1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. This is the [SignedVersion Level](../select-types-of-rules-to-create#table-2-windows-defender-application-control-policy---file-rule-levels):
+
+	```powershell
+	$rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath <path_to_application>
+	```
+2. Create the AppId Tagging Policy. Replace the AppIdTagging Key-Value pair for your scenario:
+
+	```powershell
+	New-CIPolicy -rules $rule -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
+	```
+3. Set additional rule-options on the policy:
+
+	```powershell
+	Set-RuleOption -Option 0 .\AppIdPolicy.xml  # Usermode Code Integrity (UMCI)
+	Set-RuleOption -Option 16 .\AppIdPolicy.xml # Refresh Policy no Reboot
+	Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection
+	```
+
+	If you are using filepath rules, you will likely want to set option 18. Otherwise, there is no need. 
+	
+4. Set the name and ID on the policy which is helpful for future debugging:
+
+	```powershell
+	Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId"" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml"
+	```
+	The policyID GUID will be returned by PowerShell if successful. 
+
+5. Depending on your deployment method, convert the xml to binary: 
+
+	```powershell
+	Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip"
+	```
+
+6. Optionally, deploy it for local testing:
+
+	```powershell
+		copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\
+		./RefreshPolicy.exe
+	```
+	RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925).

windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md

@@ -0,0 +1,55 @@
+---
+title: Designing, creating, managing and troubleshooting Windows Defender Application Control AppId Tagging policies (Windows)
+description: How to design, create manage and troubleshoot your WDAC AppId Tagging policies
+keywords: security, malware, firewall
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: jsuther1974
+ms.author: dansimp
+manager: dansimp
+ms.date: 04/27/2022
+ms.technology: windows-sec
+---
+
+# WDAC Application Id (AppId) Tagging guide
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+- Windows Server 2022 and above
+
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+
+After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature.
+
+## AppId Tagging Feature Overview
+
+The Application ID (AppId) Tagging Policy feature, while based off WDAC, is not application control. AppId Tagging policies can be used to tag the processes of the running application with a tag defined in the policy. Application processes which pass the AppId policy will receive the tag while failing applications will not. 
+
+## AppId Tagging Feature Availability
+
+The WDAC AppId Tagging feature is available on the following versions of the Windows platform: 
+
+Client: 
+- Windows 10 20H1, 20H2 and 21H1 versions only
+- Windows 11
+
+Server: 
+- Windows Server 2022
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Designing and Creating AppId Policies](./design-create-appid-tagging-policies.md) | This topic covers how to design and create AppId Tagging policies. |
+| [Deploying AppId Policies](./deploy-appid-tagging-policies.md) | This topic covers how to deploy AppId Tagging policies. |
+| [Debugging AppId Policies](./debugging-operational-guide-appid-tagging-policies.md) | This topic covers how to debug and view events from AppId Tagging policies. |

windows/security/threat-protection/windows-defender-application-control/TOC.yml

@@ -101,7 +101,7 @@
           href: disable-windows-defender-application-control-policies.md
         - name: LOB Win32 Apps on S Mode
           href: LOB-win32-apps-on-s.md
-    - name: Windows Defender Application Control operational guide
+    - name: WDAC operational guide
       href: windows-defender-application-control-operational-guide.md
       items: 
         - name: Understanding Application Control event tags
@@ -114,6 +114,11 @@
           href: operations/known-issues.md
         - name: Managed installer and ISG technical reference and troubleshooting guide
           href: configure-wdac-managed-installer.md
+    - name: WDAC AppId Tagging guide
+      href: windows-defender-application-control-appid-tagging-guide.md
+      items:
+        - name: Understanding Application Control event tags
+          href: event-tag-explanations.md
     - name: AppLocker
       href: applocker\applocker-overview.md
       items: 

windows/security/threat-protection/windows-defender-application-control/feature-availability.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: denisebmsft
-ms.reviewer: isbrahm
+ms.reviewer: jgeurten
 ms.author: deniseb
 manager: dansimp
 ms.date: 07/29/2021
@@ -45,3 +45,4 @@ ms.technology: windows-sec
 | COM object configurability        | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md)  | Not available |
 | Packaged app rules                | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md)  | Available on Windows 8+   |
 | Enforceable file types       | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|
+| Application ID (AppId) Tagging | [Available on 20H1+](./AppIdTagging/windows-defender-application-control-appid-tagging-guide.md)  | Not available |