mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 21:03:42 +00:00
Split up WDAC Overview
Separate section on feature availability so it is easier to find
This commit is contained in:
brbrahm
@ -1,4 +1,7 @@
|
||||
# [Windows Defender Application Control](windows-defender-application-control.md)
|
||||
# [Application Control for Windows](windows-defender-application-control.md)
|
||||
## [WDAC and AppLocker Overview](plan-windows-defender-application-control-management.md)
|
||||
## [WDAC and AppLocker Feature Availability](understand-windows-defender-application-control-policy-design-decisions.md)
|
||||
|
||||
|
||||
## [Windows Defender Application Control design guide](windows-defender-application-control-design-guide.md)
|
||||
### [Plan for WDAC policy lifecycle management](plan-windows-defender-application-control-management.md)
|
||||
|
||||
@ -0,0 +1,42 @@
|
||||
---
|
||||
title: Feature Availability
|
||||
description: Compare WDAC and AppLocker feature availability.
|
||||
keywords: whitelisting, security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
author: denisebmsft
|
||||
ms.reviewer: isbrahm
|
||||
ms.author: deniseb
|
||||
manager: dansimp
|
||||
ms.date: 04/15/2020
|
||||
ms.custom: asr
|
||||
---
|
||||
|
||||
# WDAC and AppLocker feature availability
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016 and above
|
||||
|
||||
| Capability | WDAC | AppLocker |
|
||||
|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| Platform support | Available on Windows 10 | Available on Windows 8+ |
|
||||
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs. |
|
||||
| Management solutions | <ul><li>[Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Manager Configuration Manager (MEMCM)](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy) </li><li>PowerShell</li></ul> | <ul><li>[Intune](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>MEMCM (custom policy deployment via Software Distribution only)</li><li>[Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement)</li><li>PowerShell</li><ul> |
|
||||
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
|
||||
| Kernel mode policies | Available on all Windows 10 versions | Not available |
|
||||
| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available |
|
||||
| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available |
|
||||
| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available |
|
||||
| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available |
|
||||
| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
|
||||
| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available |
|
||||
| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ |
|
||||
| Enforceable file types | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|
|
||||
@ -28,17 +28,17 @@ This topic describes the decisions you need to make to establish the processes f
|
||||
|
||||
## Policy XML lifecycle management
|
||||
|
||||
Before you begin deploying WDAC, consider how your policies will be managed and maintained over time. Developing a process for managing WDAC policies helps assure that WDAC continues to effectively control how applications are allowed to run in your organization.
|
||||
The first step in implementing application control is to consider how your policies will be managed and maintained over time. Developing a process for managing WDAC policies helps assure that WDAC continues to effectively control how applications are allowed to run in your organization.
|
||||
|
||||
<!-- We should insert a diagram to show this visually -->
|
||||
Most WDAC policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include:
|
||||
|
||||
1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML.
|
||||
2. Deploy the audit mode policy to intended computers.
|
||||
3. Monitor audit block events from the intended computers and add/edit/delete rules as needed to address unexpected/unwanted blocks.
|
||||
1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML. In audit mode, block events are generated but files are not prevented from executing.
|
||||
2. Deploy the audit mode policy to intended devices.
|
||||
3. Monitor audit block events from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks.
|
||||
4. Repeat steps 2-3 until the remaining block events meet expectations.
|
||||
5. Generate the enforced mode version of the policy.
|
||||
6. Deploy the enforced mode policy to intended computers. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
|
||||
5. Generate the enforced mode version of the policy. In enforced mode, files that are not allowed by the policy are prevented from executing and corresponding block events are generated.
|
||||
6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
|
||||
7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
|
||||
|
||||
### Keep WDAC policies in a source control or document management solution
|
||||
@ -57,7 +57,7 @@ In addition, we recommend using the [Set-CIPolicyVersion](https://docs.microsoft
|
||||
|
||||
### Policy rule updates
|
||||
|
||||
As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](use-windows-defender-application-control-with-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates.
|
||||
As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [Managed Installer](use-windows-defender-application-control-with-managed-installer.md) functionality and consistently deploy all apps and their updates through your Managed Installer, then you are less likely to need policy updates.
|
||||
|
||||
## WDAC event management
|
||||
|
||||
|
||||
@ -0,0 +1,86 @@
|
||||
---
|
||||
title: WDAC and AppLocker Overview
|
||||
description: Compare Windows application control technologies.
|
||||
keywords: whitelisting, security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
author: denisebmsft
|
||||
ms.reviewer: isbrahm
|
||||
ms.author: deniseb
|
||||
manager: dansimp
|
||||
ms.date: 04/15/2020
|
||||
ms.custom: asr
|
||||
---
|
||||
|
||||
# Windows Defender Application Control and AppLocker Overview
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker.
|
||||
|
||||
## Windows Defender Application Control
|
||||
|
||||
WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
|
||||
|
||||
> [!NOTE]
|
||||
> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies.
|
||||
|
||||
WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
|
||||
|
||||
- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
|
||||
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
|
||||
- The reputation of the app as determined by Microsoft's Intelligent Security Graph;
|
||||
- The identity of the process that initiated the installation of the app and its binaries (managed installer);
|
||||
- The path from which the app or file is launched (beginning with Windows 10 version 1903);
|
||||
- The process that launched the app or binary.
|
||||
|
||||
### WDAC System Requirements
|
||||
|
||||
WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
|
||||
WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
|
||||
|
||||
## AppLocker
|
||||
|
||||
AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers.
|
||||
|
||||
AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
|
||||
|
||||
- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
|
||||
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
|
||||
- The path from which the app or file is launched (beginning with Windows 10 version 1903).
|
||||
|
||||
### AppLocker System Requirements
|
||||
|
||||
AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
|
||||
AppLocker policies can be deployed using Group Policy or MDM.
|
||||
|
||||
## Choose when to use WDAC or AppLocker
|
||||
|
||||
Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies.
|
||||
|
||||
### WDAC is best when:
|
||||
|
||||
- You are adopting application control primarily for security reasons.
|
||||
- Your application control policy can be applied to all users on the managed computers.
|
||||
- All of the devices you wish to manage are running Windows 10.
|
||||
|
||||
### AppLocker is best when:
|
||||
|
||||
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
|
||||
- You need to apply different policies for different users or groups on a shared computer.
|
||||
- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
|
||||
- You do not wish to enforce application control on application files such as DLLs or drivers.
|
||||
|
||||
## When to use both WDAC and AppLocker together
|
||||
|
||||
AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
|
||||
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
|
||||
@ -20,8 +20,9 @@ ms.date: 03/16/2020
|
||||
# Windows Defender Application Control operational guide
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows Server 2016 and above
|
||||
|
||||
After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature.
|
||||
|
||||
|
||||
@ -14,17 +14,16 @@ author: denisebmsft
|
||||
ms.reviewer: isbrahm
|
||||
ms.author: deniseb
|
||||
manager: dansimp
|
||||
ms.date: 01/31/2020
|
||||
ms.date: 04/15/2020
|
||||
ms.custom: asr
|
||||
---
|
||||
|
||||
# Application Control
|
||||
# Application Control for Windows
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows Server 2019
|
||||
- Windows Server 2016 and above
|
||||
|
||||
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
|
||||
|
||||
@ -37,82 +36,17 @@ Application control is a crucial line of defense for protecting enterprises give
|
||||
> [!NOTE]
|
||||
> Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
|
||||
|
||||
Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements:<br>
|
||||
Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
|
||||
|
||||
- **Windows Defender Application Control**; and
|
||||
- **AppLocker**
|
||||
|
||||
## Windows Defender Application Control
|
||||
## In this section
|
||||
|
||||
Windows Defender Application Control (WDAC) was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
|
||||
|
||||
> [!NOTE]
|
||||
> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies.
|
||||
|
||||
WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
|
||||
- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
|
||||
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
|
||||
- The reputation of the app as determined by Microsoft's Intelligent Security Graph;
|
||||
- The identity of the process that initiated the installation of the app and its binaries (managed installer);
|
||||
- The path from which the app or file is launched (beginning with Windows 10 version 1903);
|
||||
- The process that launched the app or binary.
|
||||
|
||||
### WDAC System Requirements
|
||||
|
||||
WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
|
||||
WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
|
||||
|
||||
## AppLocker
|
||||
|
||||
AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers.
|
||||
|
||||
AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
|
||||
- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
|
||||
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
|
||||
- The path from which the app or file is launched (beginning with Windows 10 version 1903).
|
||||
|
||||
### AppLocker System Requirements
|
||||
|
||||
AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
|
||||
AppLocker policies can be deployed using Group Policy or MDM.
|
||||
|
||||
## Choose when to use WDAC or AppLocker
|
||||
|
||||
Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies.
|
||||
|
||||
### WDAC is best when:
|
||||
|
||||
- You are adopting application control primarily for security reasons.
|
||||
- Your application control policy can be applied to all users on the managed computers.
|
||||
- All of the devices you wish to manage are running Windows 10.
|
||||
|
||||
### AppLocker is best when:
|
||||
|
||||
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
|
||||
- You need to apply different policies for different users or groups on a shared computer.
|
||||
- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
|
||||
- You do not wish to enforce application control on application files such as DLLs or drivers.
|
||||
|
||||
## When to use both WDAC and AppLocker together
|
||||
|
||||
AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
|
||||
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
|
||||
|
||||
## WDAC and AppLocker Feature Availability
|
||||
| Capability | WDAC | AppLocker |
|
||||
|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| Platform support | Available on Windows 10 | Available on Windows 8+ |
|
||||
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs. |
|
||||
| Management solutions | <ul><li>[Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Manager Configuration Manager (MEMCM)](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy) </li><li>PowerShell</li></ul> | <ul><li>[Intune](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>MEMCM (custom policy deployment via Software Distribution only)</li><li>[Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement)</li><li>PowerShell</li><ul> |
|
||||
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
|
||||
| Kernel mode policies | Available on all Windows 10 versions | Not available |
|
||||
| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available |
|
||||
| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available |
|
||||
| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available |
|
||||
| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available |
|
||||
| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
|
||||
| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available |
|
||||
| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ |
|
||||
| Enforceable file types | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|
|
||||
| Topic | Description |
|
||||
| - | - |
|
||||
| [WDAC and AppLocker Overview](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
|
||||
| [WDAC and AppLocker Feature Availability](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
|
||||
|
||||
## See also
|
||||
|
||||
|
||||
Reference in New Issue
Block a user