| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | - -> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. - -## Additional qualifications for improved security - -The following tables describe additional hardware and firmware qualifications, and the improved security that is available when these qualifications are met. - - -### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 - -| Protections for Improved Security | Description | Security benefits | -|---------------------------------------------|----------------------------------------------------|------| -| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
| Business group | +Organizational unit | +Implement AppLocker? | +Apps | +Installation path | +Use default rule or define new rule condition | +Allow or deny | +GPO name | +Support policy | +
|---|---|---|---|---|---|---|---|---|
Bank Tellers |
+Teller-East and Teller-West |
+Yes |
+Teller Software |
+C:\Program Files\Woodgrove\Teller.exe |
+File is signed; create a publisher condition |
+Allow |
+Tellers-AppLockerTellerRules |
+Web help |
+
| + | + | + | Windows files + |
+C:\Windows |
+Create a path exception to the default rule to exclude \Windows\Temp |
+Allow |
++ | Help desk |
+
Human Resources |
+HR-All |
+Yes |
+Check Payout |
+C:\Program Files\Woodgrove\HR\Checkcut.exe |
+File is signed; create a publisher condition |
+Allow |
+HR-AppLockerHRRules |
+Web help |
+
| + | + | + | Time Sheet Organizer |
+C:\Program Files\Woodgrove\HR\Timesheet.exe |
+File is not signed; create a file hash condition |
+Allow |
++ | Web help |
+
| + | + | + | Internet Explorer 7 |
+C:\Program Files\Internet Explorer\ |
+File is signed; create a publisher condition |
+Deny |
++ | Web help + |
+
| + | + | + | Windows files |
+C:\Windows |
+Use the default rule for the Windows path |
+Allow |
++ | Help desk |
+
| Business group | +AppLocker event collection location | +Archival policy | +Analyzed? | +Security policy | +
|---|---|---|---|---|
Bank Tellers |
+Forwarded to: AppLocker Event Repository on srvBT093 |
+Standard |
+None |
+Standard |
+
Human Resources |
+DO NOT FORWARD. srvHR004 |
+60 months |
+Yes, summary reports monthly to managers |
+Standard |
+
| Business group | +Rule update policy | +Application decommission policy | +Application version policy | +Application deployment policy | +
|---|---|---|---|---|
Bank Tellers |
+Planned: Monthly through business office triage +Emergency: Request through help desk |
+Through business office triage +30-day notice required |
+General policy: Keep past versions for 12 months +List policies for each application |
+Coordinated through business office +30-day notice required |
+
Human Resources |
+Planned: Monthly through HR triage +Emergency: Request through help desk |
+Through HR triage +30-day notice required |
+General policy: Keep past versions for 60 months +List policies for each application |
+Coordinated through HR +30-day notice required |
+
C:\Program Files\Woodgrove\Teller.exe
File is signed; create a publisher condition
Allow
Tellers-AppLockerTellerRules
Tellers-WDACTellerRules
Web help
C:\Program Files\Woodgrove\HR\Checkcut.exe
File is signed; create a publisher condition
Allow
HR-AppLockerHRRules
HR-WDACHRRules
Web help
Bank Tellers
Forwarded to: AppLocker Event Repository on srvBT093
Forwarded to: WDAC Event Repository on srvBT093
Standard
None
Standard
| Business group | Organizational unit | -Implement AppLocker? | +Implement WDAC? | Apps | Installation path | Use default rule or define new rule condition | @@ -78,7 +75,7 @@ The following table contains the added sample data that was collected when deterC:\Program Files\Woodgrove\Teller.exe |
File is signed; create a publisher condition |
Allow |
-Tellers-AppLockerTellerRules |
+Tellers-WDACTellerRules |
Web help |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
C:\Program Files\Woodgrove\HR\Checkcut.exe |
File is signed; create a publisher condition |
Allow |
-HR-AppLockerHRRules |
+HR-WDACHRRules |
Web help |
|||||||
Bank Tellers
Forwarded to: AppLocker Event Repository on srvBT093
Forwarded to: CodeIntegrity Event Repository on srvBT093
Standard
None
Standard
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | + +> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. + +## Additional qualifications for improved security + +The following tables describe additional hardware and firmware qualifications, and the improved security that is available when these qualifications are met. + + +### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 + +| Protections for Improved Security | Description | Security benefits | +|---------------------------------------------|----------------------------------------------------|------| +| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.