mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 22:37:22 +00:00
Task ID 33324832 continued
These are the other files that were updated for this task.
This commit is contained in:
Kim Klein
parent
092c6bfb6c
commit
a85b27f4bf
@ -21,9 +21,9 @@
|
||||
href: select-types-of-rules-to-create.md
|
||||
items:
|
||||
- name: Allow apps installed by a managed installer
|
||||
href: use-windows-defender-application-control-with-managed-installer.md
|
||||
href: configure-authorized-apps-deployed-with-a-managed-installer.md
|
||||
- name: Configure managed installer rules
|
||||
href: configure-wdac-managed-installer.md
|
||||
href: configure-authorized-apps-deployed-with-a-managed-installer.md
|
||||
- name: Allow reputable apps with Intelligent Security Graph (ISG)
|
||||
href: use-windows-defender-application-control-with-intelligent-security-graph.md
|
||||
- name: Allow COM object registration
|
||||
|
||||
@ -149,7 +149,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra
|
||||
Possible mitigations:
|
||||
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
|
||||
- **Managed installer**<br>
|
||||
See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
|
||||
See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
|
||||
|
||||
Existing mitigations applied:
|
||||
- Limit who can elevate to administrator on the device.
|
||||
|
||||
@ -155,7 +155,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m
|
||||
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
|
||||
- Limit who can elevate to administrator on the device.
|
||||
- **Managed installer**<br>
|
||||
See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
|
||||
See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
|
||||
|
||||
Possible mitigations:
|
||||
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
|
||||
|
||||
@ -34,7 +34,7 @@ ms.technology: mde
|
||||
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
|
||||
| Kernel mode policies | Available on all Windows 10 versions | Not available |
|
||||
| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
|
||||
| Managed Installer (MI) | [Available on 1703+](./use-windows-defender-application-control-with-managed-installer.md) | Not available |
|
||||
| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available |
|
||||
| Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available |
|
||||
| Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available |
|
||||
| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
|
||||
|
||||
@ -59,7 +59,7 @@ In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/con
|
||||
|
||||
### Policy rule updates
|
||||
|
||||
As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](use-windows-defender-application-control-with-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates.
|
||||
As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates.
|
||||
|
||||
## WDAC event management
|
||||
|
||||
|
||||
@ -63,7 +63,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
|
||||
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
|
||||
| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. |
|
||||
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. |
|
||||
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md) |
|
||||
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) |
|
||||
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
|
||||
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
|
||||
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.|
|
||||
|
||||
@ -58,7 +58,7 @@ Organizations with well-defined, centrally-managed app management and deployment
|
||||
|
||||
| Possible answers | Design considerations|
|
||||
| - | - |
|
||||
| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](use-windows-defender-application-control-with-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
|
||||
| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
|
||||
| Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. |
|
||||
| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
|
||||
| Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.|
|
||||
|
||||
@ -37,7 +37,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of
|
||||
- Attributes of the codesigning certificate(s) used to sign an app and its binaries
|
||||
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
|
||||
- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md)
|
||||
- The identity of the process that initiated the installation of the app and its binaries ([managed installer](use-windows-defender-application-control-with-managed-installer.md))
|
||||
- The identity of the process that initiated the installation of the app and its binaries ([managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md))
|
||||
- The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
|
||||
- The process that launched the app or binary
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user