From b9c4cd036cc0009537576dfd86d60f83f7ba42bd Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Thu, 9 Sep 2021 17:09:15 +0530 Subject: [PATCH 01/15] Updated as per 5358858 --- .../configure-md-app-guard.md | 3 ++- .../install-md-app-guard.md | 6 ++++-- .../md-app-guard-browser-extension.md | 3 ++- .../md-app-guard-overview.md | 4 +++- .../reqs-md-app-guard.md | 6 ++++-- .../test-scenarios-md-app-guard.md | 3 ++- 6 files changed, 17 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index d2ee8b1f7a..1c874086ab 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 05/24/2021 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 3b18ab25d3..6c2db12e7d 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 10/21/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # Prepare to install Microsoft Defender Application Guard **Applies to:** -- - Windows 10 + +- Windows 10 +- Windows 11 ## Review system requirements diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index d507e47abf..a3a578cd53 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: martyav ms.author: v-maave -ms.date: 06/12/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 [Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 4ad66674a9..010f230e70 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 01/27/2021 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # Microsoft Defender Application Guard overview **Applies to** + - Windows 10 +- Windows 11 Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index fb162b5632..b429e0e44f 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 07/01/2021 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # System requirements for Microsoft Defender Application Guard **Applies to** + - Windows 10 +- Windows 11 The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. @@ -43,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions.
Windows 11 | | Browser | Microsoft Edge | | Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. | diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index d8ff39f397..3e07e70fdc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -10,7 +10,7 @@ author: denisebmsft ms.author: deniseb ms.reviewer: manager: dansimp -ms.date: 09/14/2020 +ms.date: 09/09/2021 ms.custom: asr ms.technology: mde --- @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. From 6b0c08eb894bb6adc41e3800dc12a48711d40b8d Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 20 Sep 2021 14:22:46 +0530 Subject: [PATCH 02/15] Added Windows 11 to the table as per the comment in the description --- .../configure-md-app-guard.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index a8c72499c0..1bfbbc69ae 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -53,13 +53,13 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| -|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| -|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher

Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| |Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

**Disabled or not configured.** event logs aren't collected from your Application Guard container.| From e0fc4abc99e7c8959f8ee3ed6ac4633fc9c01728 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 20 Sep 2021 14:24:01 +0530 Subject: [PATCH 03/15] updated --- .../configure-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 1bfbbc69ae..593010cfed 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -62,4 +62,4 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| |Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| -|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

**Disabled or not configured.** event logs aren't collected from your Application Guard container.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

**Disabled or not configured.** event logs aren't collected from your Application Guard container.| From 030b57d0a4fc7af404973668d0ee84d13280ebd3 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 20 Sep 2021 14:28:59 +0530 Subject: [PATCH 04/15] Added Windows 11 whereever applicable. These were missed out --- .../install-md-app-guard.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 6c2db12e7d..f4f8a176f7 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -36,6 +36,7 @@ Before you can install and use Microsoft Defender Application Guard, you must de Applies to: - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Pro edition, version 1803 +- Windows 11 Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario. @@ -43,6 +44,7 @@ Employees can use hardware-isolated browsing sessions without any administrator Applies to: - Windows 10 Enterprise edition, version 1709 or higher +- Windows 11 You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container. @@ -68,7 +70,7 @@ Application Guard functionality is turned off by default. However, you can quick >[!NOTE] >Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only. -1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. +1. Click the **Search** or **Cortana** icon in the Windows 10 or Windows 11 taskbar and type **PowerShell**. 2. Right-click **Windows PowerShell**, and then click **Run as administrator**. @@ -122,4 +124,4 @@ Application Guard functionality is turned off by default. However, you can quick 1. Click **Save**. -After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. \ No newline at end of file +After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. From 5f9f95715d66acba5f6457d3063d1231e4acbbae Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 20 Sep 2021 15:00:13 +0530 Subject: [PATCH 05/15] Updated --- .../md-app-guard-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 010f230e70..640f7eae00 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -1,5 +1,5 @@ --- -title: Microsoft Defender Application Guard (Windows 10) +title: Microsoft Defender Application Guard (Windows 10 or Windows 11) description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. ms.prod: m365-security ms.mktglfcycl: manage @@ -56,4 +56,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| -|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| \ No newline at end of file +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| From 54672073b30c07dd4456d012bfb8f9181561bf1e Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 20 Sep 2021 17:55:46 +0530 Subject: [PATCH 06/15] Updated for 5358858 --- .../configure-md-app-guard.md | 4 ++-- .../install-md-app-guard.md | 2 +- .../md-app-guard-browser-extension.md | 3 ++- .../test-scenarios-md-app-guard.md | 11 +++++++---- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 593010cfed..d3480738e7 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10) +title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows) description: Learn about the available Group Policy settings for Microsoft Defender Application Guard. ms.prod: m365-security ms.mktglfcycl: manage @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 09/16/2021 +ms.date: 09/20/2021 ms.reviewer: manager: dansimp ms.custom: asr diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index f4f8a176f7..c16ce0700e 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Enable hardware-based isolation for Microsoft Edge (Windows 10) +title: Enable hardware-based isolation for Microsoft Edge (Windows) description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise. ms.prod: m365-security ms.mktglfcycl: manage diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index a3a578cd53..90f1d07fca 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -24,7 +24,7 @@ ms.technology: mde [Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). -[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. +[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. > [!TIP] > Application Guard, by default, offers [native support](/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them. @@ -38,6 +38,7 @@ Microsoft Defender Application Guard Extension works with the following editions - Windows 10 Professional - Windows 10 Enterprise - Windows 10 Education +- Windows 11 Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index 3e07e70fdc..292813b7c0 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Testing scenarios with Microsoft Defender Application Guard (Windows 10) +title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11) description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. ms.prod: m365-security ms.mktglfcycl: manage @@ -51,7 +51,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise- ### Install, set up, and turn on Application Guard -Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. +Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings. 1. [Install Application Guard](./install-md-app-guard.md#install-application-guard). @@ -112,6 +112,7 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 +- Windows 11 #### Copy and paste options @@ -170,7 +171,7 @@ You have the option to change each of these settings to work with your enterpris The previously added site should still appear in your **Favorites** list. > [!NOTE] - > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10. + > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11. > > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. > @@ -180,6 +181,7 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 +- Windows 11 #### Download options @@ -211,12 +213,13 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 +- Windows 11 #### File trust options 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting. -2. Click **Enabled**, set **Options** to 2, and click **OK**. +2. Click **Enabled**, set **Options** to **2**, and click **OK**. ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) From ce00ae09a30c7b1c278409058bdd21339b2d7333 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 09:21:35 -0700 Subject: [PATCH 07/15] xml now has parity with the current release of the vulnerable blocklist policy --- ...icrosoft-recommended-driver-block-rules.md | 652 ++++++++++++++---- 1 file changed, 500 insertions(+), 152 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 21119863f7..c749cb9925 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -59,6 +59,46 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -128,40 +168,148 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -174,22 +322,22 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - + + + + + + + - + - - - - - + @@ -225,7 +373,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -247,17 +395,26 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - + @@ -288,6 +445,42 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -304,10 +497,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -315,118 +508,273 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - @@ -441,7 +789,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - 10.0.19565.0 + 10.0.22417.0 From 8fc109633f3cd9c169ce109940b520df8101632c Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 09:39:22 -0700 Subject: [PATCH 08/15] Microsoft criteria for driver blocks have been updated. WDSI driver submission page is now linked too. --- .../microsoft-recommended-driver-block-rules.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index c749cb9925..f99fbc4154 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -33,10 +33,15 @@ Microsoft has strict requirements for code running in kernel. So, malicious acto - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +The vulnerable driver blocklist is designed to harden systems against 3rd party-developed drivers across the Windows ecosystem with any of the following: -> [!Note] -> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It's recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. +- Known security vulnerabilities which can be exploited by attackers to elevate privileges in the Windows kernel +- Malicious behaviors (i.e. malware) or certificates used to sign malware +- Behaviors which are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel + +Drivers can be submitted by IHVs, OEMs and Windows customers to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/wdsi/driversubmission). + +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. ```xml From 88ae0df07a1411380e2ccbaa3cac9b949b9a790d Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 10:00:45 -0700 Subject: [PATCH 09/15] Fixed broken link by hardcoding locale --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index f99fbc4154..f88525d4c9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -39,7 +39,7 @@ The vulnerable driver blocklist is designed to harden systems against 3rd party- - Malicious behaviors (i.e. malware) or certificates used to sign malware - Behaviors which are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel -Drivers can be submitted by IHVs, OEMs and Windows customers to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/wdsi/driversubmission). +Drivers can be submitted by IHVs, OEMs and Windows customers to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. From 230d4b44eb56335887421d9e12b684638e3de12f Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 10:45:11 -0700 Subject: [PATCH 10/15] Added info about disputing blocks and addressed Acrolinx issues --- .../microsoft-recommended-driver-block-rules.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index f88525d4c9..2339453f16 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -28,20 +28,20 @@ ms.date: >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: +Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -The vulnerable driver blocklist is designed to harden systems against 3rd party-developed drivers across the Windows ecosystem with any of the following: +The vulnerable driver blocklist is designed to harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: -- Known security vulnerabilities which can be exploited by attackers to elevate privileges in the Windows kernel -- Malicious behaviors (i.e. malware) or certificates used to sign malware -- Behaviors which are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel +- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel +- Malicious behaviors (malware) or certificates used to sign malware +- Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel -Drivers can be submitted by IHVs, OEMs and Windows customers to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). +Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To dispute a block or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/en-us/wdsi) or submit feedback on this article. -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. ```xml From d8ec34075d74d4890aaa77e848304ba61d9f5c7b Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 10:50:33 -0700 Subject: [PATCH 11/15] Update microsoft-recommended-driver-block-rules.md --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 2339453f16..886064a829 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -39,7 +39,7 @@ The vulnerable driver blocklist is designed to harden systems against third part - Malicious behaviors (malware) or certificates used to sign malware - Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel -Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To dispute a block or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/en-us/wdsi) or submit feedback on this article. +Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/en-us/wdsi) or submit feedback on this article. Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. From e760c0de5198708ca8b71ac48619505e25e41549 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 10:55:11 -0700 Subject: [PATCH 12/15] removed en-us locale from wdsi link --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 886064a829..3d1e37428f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -39,7 +39,7 @@ The vulnerable driver blocklist is designed to harden systems against third part - Malicious behaviors (malware) or certificates used to sign malware - Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel -Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/en-us/wdsi) or submit feedback on this article. +Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. From fc5a66769dab066abc546662636d99cedc4ba497 Mon Sep 17 00:00:00 2001 From: David Bradette <87823519+DavidBradette@users.noreply.github.com> Date: Thu, 30 Sep 2021 15:33:53 -0600 Subject: [PATCH 13/15] Update windows-11.md Update to document to reflect the October 5th, 2021 release date. --- windows/whats-new/windows-11.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md index 77e2fa58a9..5780f4ac8f 100644 --- a/windows/whats-new/windows-11.md +++ b/windows/whats-new/windows-11.md @@ -37,7 +37,7 @@ Windows 11 is built on the same foundation as Windows 10, so the investments you ## How to get Windows 11 -Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows 11 will also be available on eligible new devices. +Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning on October 5th, 2021. Windows 11 will also be available on eligible new devices. For administrators managing devices on behalf of their organization, Windows 11 will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows 11](windows-11-plan.md). From ed5fbc90447f8c980e12e70b50138548d6bd64e3 Mon Sep 17 00:00:00 2001 From: David Bradette <87823519+DavidBradette@users.noreply.github.com> Date: Fri, 1 Oct 2021 06:44:33 -0600 Subject: [PATCH 14/15] Update windows/whats-new/windows-11.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/whats-new/windows-11.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md index 5780f4ac8f..e41a2d7303 100644 --- a/windows/whats-new/windows-11.md +++ b/windows/whats-new/windows-11.md @@ -37,7 +37,7 @@ Windows 11 is built on the same foundation as Windows 10, so the investments you ## How to get Windows 11 -Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning on October 5th, 2021. Windows 11 will also be available on eligible new devices. +Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning on October 5, 2021. Windows 11 will also be available on eligible new devices. For administrators managing devices on behalf of their organization, Windows 11 will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows 11](windows-11-plan.md). From 62161ac658eed9a50b620d38f4ab29922ef73c69 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Fri, 1 Oct 2021 10:42:43 -0700 Subject: [PATCH 15/15] Added "help" harden systems --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 3d1e37428f..4e5251d27d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -33,7 +33,7 @@ Microsoft has strict requirements for code running in kernel. So, malicious acto - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -The vulnerable driver blocklist is designed to harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: +The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: - Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel - Malicious behaviors (malware) or certificates used to sign malware