diff --git a/.openpublishing.redirection.windows-configuration.json b/.openpublishing.redirection.windows-configuration.json
index ae975b34f1..d68a51ee9f 100644
--- a/.openpublishing.redirection.windows-configuration.json
+++ b/.openpublishing.redirection.windows-configuration.json
@@ -167,7 +167,7 @@
},
{
"source_path": "windows/configuration/stop-employees-from-using-the-windows-store.md",
- "redirect_url": "/windows/configuration/stop-employees-from-using-microsoft-store",
+ "redirect_url": "/windows/configuration/store",
"redirect_document_id": false
},
{
@@ -392,7 +392,7 @@
},
{
"source_path": "windows/configuration/manage-tips-and-suggestions.md",
- "redirect_url": "/windows/configuration/tips/manage-tips-and-suggestions",
+ "redirect_url": "/windows/configuration/",
"redirect_document_id": false
},
{
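Review bot: The new target `/windows/configuration/` on the changed line carries a trailing slash, while the entry added later in this diff for the same retired article (`windows/configuration/tips/manage-tips-and-suggestions.md`) points at `/windows/configuration`, and every other target in the file (`/windows/configuration/store`, `/windows/configuration/taskbar`) is written without one. Two spellings of the same hub URL make redirect chains harder to grep for and may cost an extra hop depending on how the publishing pipeline normalizes paths; I'd write `"redirect_url": "/windows/configuration",` here so both entries for the tips article agree with the rest of the file. Since the sources now point at the section root rather than a replacement article, it would also help future maintainers if the commit description said the content was retired rather than moved.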
@@ -432,7 +432,12 @@
},
{
"source_path": "windows/configuration/stop-employees-from-using-microsoft-store.md",
- "redirect_url": "/windows/configuration/store/stop-employees-from-using-microsoft-store",
+ "redirect_url": "/windows/configuration/store",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/store/stop-employees-from-using-microsoft-store.md",
+ "redirect_url": "/windows/configuration/store",
"redirect_document_id": false
},
{
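Review bot: Both entries in this hunk keep `"redirect_document_id": false`, even though the second source, `windows/configuration/store/stop-employees-from-using-microsoft-store.md`, is the article this commit deletes and replaces with `store/index.md` further down in the diff. If the intent is for the new page to inherit the old document's identity (feedback and analytics history), the entry for the deleted file would presumably need `"redirect_document_id": true`; as I understand the redirection format only one source may claim the id for a given target, so the older `stop-employees-from-using-microsoft-store.md` entry above it should stay at `false`. If breaking the document identity is deliberate, a sentence in the PR description would save the next reader the question.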
@@ -839,6 +844,11 @@
"source_path": "windows/configuration/taskbar/customize-taskbar-windows-11.md",
"redirect_url": "/windows/configuration/taskbar",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/tips/manage-tips-and-suggestions.md",
+ "redirect_url": "/windows/configuration",
+ "redirect_document_id": false
}
]
}
\ No newline at end of file
diff --git a/windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md b/windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md
index 961d33806c..4f5ce43c2e 100644
--- a/windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md
+++ b/windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md
@@ -24,11 +24,6 @@ $assignedAccessConfiguration = @"
"@
-$eventLogFilterHashTable = @{
- ProviderName = "Microsoft-Windows-AssignedAccess";
- StartTime = Get-Date -Millisecond 0
-}
-
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md
index 48b5655a82..35a15c446f 100644
--- a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md
+++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md
@@ -62,11 +62,6 @@ $assignedAccessConfiguration = @"
"@
-$eventLogFilterHashTable = @{
- ProviderName = "Microsoft-Windows-AssignedAccess";
- StartTime = Get-Date -Millisecond 0
-}
-
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
@@ -124,11 +119,6 @@ $assignedAccessConfiguration = @"
"@
-$eventLogFilterHashTable = @{
- ProviderName = "Microsoft-Windows-AssignedAccess";
- StartTime = Get-Date -Millisecond 0
-}
-
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index 8ca14120c5..b6023eda4e 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -32,14 +32,16 @@ landingContent:
- title: Configure a Windows kiosk
linkLists:
- - linkListType: how-to-guide
+ - linkListType: concept
links:
- - text: Configure kiosks and restricted user experiences
- url: assigned-access/index.md
- text: What is Assigned Access?
url: assigned-access/overview.md
- text: What is Shell Launcher?
url: assigned-access/shell-launcher/index.md
+ - linkListType: how-to-guide
+ links:
+ - text: Configure kiosks and restricted user experiences
+ url: assigned-access/index.md
- linkListType: quickstart
links:
- text: Configure a kiosk with Assigned Access
@@ -48,13 +50,27 @@ landingContent:
url: assigned-access/shell-launcher/quickstart-kiosk.md
- text: Configure a restricted user experience with Assigned Access
url: assigned-access/quickstart-restricted-user-experience.md
+ - linkListType: reference
+ links:
+ - text: Assigned Access XML Schema Definition (XSD)
+ url: assigned-access/xsd.md
+ - text: Shell Launcher XML Schema Definition (XSD)
+ url: assigned-access/shell-launcher/xsd.md
- title: Configure shared devices
linkLists:
+ - linkListType: concept
+ links:
+ - text: Shared devices concepts
+ url: /windows/configuration/shared-pc/shared-devices-concepts
- linkListType: how-to-guide
links:
- - text: Manage multi-user and guest devices
- url: shared-devices-concepts.md
+ - text: Configure a shared or guest Windows device
+ url: /windows/configuration/shared-pc/set-up-shared-or-guest-pc
+ - linkListType: reference
+ links:
+ - text: Shared PC technical reference
+ url: /windows/configuration/shared-pc/shared-pc-technical
- title: Use provisioning packages
linkLists:
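Review bot: The three links added for the shared-devices card in this hunk (`/windows/configuration/shared-pc/shared-devices-concepts`, `/windows/configuration/shared-pc/set-up-shared-or-guest-pc`, `/windows/configuration/shared-pc/shared-pc-technical`) are absolute site URLs, while every other `url` on this landing page, including the ones added earlier in the same change (`assigned-access/xsd.md`, `assigned-access/shell-launcher/xsd.md`), is a repo-relative `.md` path. Relative paths are checked at build time and break loudly when the target is renamed; absolute URLs go unnoticed until a reader hits a 404. If these articles live under `shared-pc/` in this repo, as the URLs suggest, I'd write them as `url: shared-pc/shared-devices-concepts.md` and likewise for the other two.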
diff --git a/windows/configuration/store/images/store-blocked.png b/windows/configuration/store/images/store-blocked.png
new file mode 100644
index 0000000000..c45c074f34
Binary files /dev/null and b/windows/configuration/store/images/store-blocked.png differ
diff --git a/windows/configuration/store/index.md b/windows/configuration/store/index.md
new file mode 100644
index 0000000000..09c92aea0f
--- /dev/null
+++ b/windows/configuration/store/index.md
@@ -0,0 +1,66 @@
+---
+title: Configure access to the Microsoft Store app
+description: Learn how to configure access to the Microsoft Store app.
+ms.topic: how-to
+ms.date: 03/13/2024
+---
+
+# Configure access to the Microsoft Store app
+
+Microsoft Store is a digital distribution platform that provides a way for users to install applications on Windows devices. For some organizations, business policies require blocking access to Microsoft Store.
+
+This article describes how to configure access to the Microsoft Store app in your organization.
+
+## Prevent access to the Microsoft Store app
+
+You can use configuration service provider (CSP) or group policy (GPO) settings to configure access to the Microsoft Store app. The CSP configuration is available to Windows Enterprise and Education editions only.
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Administrative Templates > Windows Components > Store** | Turn off the Store application| **Enabled**|
+
+[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].
+
+| Setting |
+|--|
+|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_2`
- **Data type:** string
- **Value:** ``|
+
+#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\Windows Components\Store** | Turn off the Store application| **Enabled**|
+
+[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
+
+---
+
+## User experience
+
+When you turn off the Microsoft Store application, users get the following message when they open it:
+
+:::image type="content" source="images/store-blocked.png" alt-text="Screenshot of the Microsoft Store app blocked access." border="false":::
+
+## Considerations
+
+Here are some considerations when you prevent access to the Microsoft Store app:
+
+- Microsoft Store applications keep updating automatically, by default
+- Users might still be able to install applications using Windows Package Manager (winget), or other methods, if they don't need to acquire the package from Microsoft Store
+- Devices managed by Microsoft Intune can still install applications sourced from Microsoft Store, even if you block access to the Microsoft Store app. To learn more, see [Add Microsoft Store apps to Microsoft Intune][INT-2]
+
+
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-admx-windowsstore
+[INT-1]: /mem/intune/configuration/settings-catalog
+[INT-2]: /mem/intune/apps/store-apps-microsoft
diff --git a/windows/configuration/store/stop-employees-from-using-microsoft-store.md b/windows/configuration/store/stop-employees-from-using-microsoft-store.md
deleted file mode 100644
index a70a6b5922..0000000000
--- a/windows/configuration/store/stop-employees-from-using-microsoft-store.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Configure access to Microsoft Store
-description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization.
-ms.topic: conceptual
-ms.date: 11/29/2022
----
-
-# Configure access to Microsoft Store
-
-IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store.
-
-> [!IMPORTANT]
-> All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date.
-
-## Options to configure access to Microsoft Store
-
-You can use either AppLocker or Group Policy to configure access to Microsoft Store. For Windows 10, configuring access to Microsoft Store is only supported on Windows 10 Enterprise edition.
-
-## Block Microsoft Store using AppLocker
-
-Applies to: Windows 10 Enterprise, Windows 10 Education
-
-AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers.
-
-For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps).
-
-**To block Microsoft Store using AppLocker:**
-
-1. Enter **`secpol`** in the search bar to find and start AppLocker.
-
-1. In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**.
-
-1. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
-
-1. On **Before You Begin**, select **Next**.
-
-1. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
-
-1. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**.
-
-1. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**.
-
- [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules.
-
-1. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
-
-## Block Microsoft Store using configuration service provider
-
-Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education
-
-If you have Windows 10 devices in your organization that are managed using a mobile device management (MDM) system, such as Microsoft Intune, you can block access to Microsoft Store app using the following configuration service providers (CSPs):
-
-- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)
-- [AppLocker CSP](/windows/client-management/mdm/applocker-csp)
-
-For more information, see [Configure an MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business).
-
-For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements).
-
-> [!IMPORTANT]
-> If you block access to the Store using CSP, you need to also configure [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate) to enable in-box store apps to update while still blocking access to the store.
-
-## Block Microsoft Store using Group Policy
-
-Applies to: Windows 10 Enterprise, Windows 10 Education
-
-> [!NOTE]
-> Not supported on Windows 10 Pro, starting with version 151. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
-
-You can also use Group Policy to manage access to Microsoft Store.
-
-**To block Microsoft Store using Group Policy:**
-
-1. Enter **`gpedit`** in the search bar to find and start Group Policy Editor.
-
-1. In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**.
-
-1. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**.
-
-1. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**.
-
-> [!IMPORTANT]
-> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This policy is found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store**. This configuration allows in-box store apps to update while still blocking access to the store.
-
-## Show private store only using Group Policy
-
-Applies to Windows 10 Enterprise, Windows 10 Education
-
-If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
-
-**To show private store only in Microsoft Store app:**
-
-1. Enter **`gpedit`** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
-
-1. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**.
-
-1. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**.
-
- The **Only display the private store within the Microsoft Store app** policy settings will open.
-
-1. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**.
-
-## Related articles
-
-[Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store)
-
-[Manage access to private store](/microsoft-store/manage-access-to-private-store)
diff --git a/windows/configuration/tips/manage-tips-and-suggestions.md b/windows/configuration/tips/manage-tips-and-suggestions.md
deleted file mode 100644
index 41d0fa25af..0000000000
--- a/windows/configuration/tips/manage-tips-and-suggestions.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions
-description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees.
-ms.topic: how-to
-ms.date: 09/20/2017
----
-
-# Manage Windows 10 and Microsoft Store tips, fun fact and suggestions
-
-Windows includes user experience features that provide useful tips, "fun facts", and suggestions as you use Windows, and app suggestions from the Microsoft Store. These features are designed to help people get the most out of their Windows experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Microsoft Store. Examples of such user experiences include:
-
-* **Windows Spotlight on the lock screen**: Daily updated images on the lock screen that can include more facts and tips in "hotspots" that are revealed on hover.
-* **Start menu app suggestions**: App suggestions in Start that recommend productivity tool or utilities from the Microsoft Store.
-* **Additional apps on Start**: More apps preinstalled on the Start screen, which can enhance the user's experience.
-* **Windows tips**: Contextual tips that appear based on specific user actions to reveal related Windows features or help users complete a scenario.
-* **Microsoft account notifications**: For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration.
-
->[!TIP]
-> On all Windows desktop editions, users can directly enable and disable Windows tips, "fun facts", and suggestions and Microsoft Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, "fun facts", or suggestions as they use Windows.
-
-Windows 10 provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions.
-
-## Options available to manage Windows 10 tips and "fun facts" and Microsoft Store suggestions
-
-| Windows 10 edition | Disable | Show Microsoft apps only | Show Microsoft and popular third-party apps |
-|--|--|--|--|
-| Windows 10 Pro | No | Yes | Yes (default) |
-| Windows 10 Enterprise | Yes | Yes | Yes (default) |
-| Windows 10 Pro Education | Yes (default) | Yes | No (setting can't be changed) |
-| Windows 10 Education | Yes (default) | Yes | No (setting can't be changed) |
-
-[Learn more about policy settings for Windows Spotlight.](../lock-screen/windows-spotlight.md)
diff --git a/windows/configuration/toc.yml b/windows/configuration/toc.yml
index 60dc6990dc..25256515be 100644
--- a/windows/configuration/toc.yml
+++ b/windows/configuration/toc.yml
@@ -13,12 +13,10 @@ items:
href: lock-screen/windows-spotlight.md
- name: Microsoft Store
items:
- - name: Configure access to the Microsoft Store
- href: store/stop-employees-from-using-microsoft-store.md
+ - name: Configure access to Microsoft Store
+ href: store/index.md
- name: Find the AUMID of an installed app
href: store/find-aumid.md
- - name: Manage Microsoft Store tips, "fun facts", and suggestions
- href: tips/manage-tips-and-suggestions.md
- name: Cellular settings
href: cellular/provisioning-apn.md
- name: Kiosks and restricted user experiences
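Review bot: The renamed TOC entry reads `Configure access to Microsoft Store`, but the page it now points to, `store/index.md`, is titled `Configure access to the Microsoft Store app` in its front matter and H1 elsewhere in this diff. A navigation label that differs from the page title is confusing in the TOC pane and in search results; I'd use `- name: Configure access to the Microsoft Store app` so the two agree. The removed tips entry is consistent with the deletion of `tips/manage-tips-and-suggestions.md` in this change.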
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md
index 1d76e0e5a9..b9655217a3 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md
@@ -2,7 +2,7 @@
title: Use multiple Windows Defender Application Control Policies
description: Windows Defender Application Control supports multiple code integrity policies for one device.
ms.localizationpriority: medium
-ms.date: 07/19/2021
+ms.date: 03/13/2024
ms.topic: article
---
@@ -11,17 +11,19 @@ ms.topic: article
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
-Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
+Beginning with Windows 10 version 1903 and Windows Server 2022, you can deploy multiple Windows Defender Application Control (WDAC) policies side-by-side on a device. To allow more than 32 active policies, install the Windows security update released on, or after, March 12, 2024 and then restart the device. With these updates, there's no limit for the number of policies you can deploy at once to a given device. Until you install the Windows security update released on or after March 12, 2024, your device is limited to 32 active policies and you must not exceed that number.
+
+Here are some common scenarios where multiple side-by-side policies are useful:
1. Enforce and Audit Side-by-Side
- To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy
2. Multiple Base Policies
- Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent
- - If two base policies exist on a device, an application has to be allowed by both to run
+ - If two base policies exist on a device, an application must pass both policies for it to run
3. Supplemental Policies
- Users can deploy one or more supplemental policies to expand a base policy
- A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy
- - For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run
+ - For supplemental policies, applications allowed by either the base policy or its supplemental policy/policies run
> [!NOTE]
> Pre-1903 systems do not support the use of Multiple Policy Format WDAC policies.
@@ -31,11 +33,11 @@ Prior to Windows 10 1903, Windows Defender Application Control only supported a
- Multiple base policies: intersection
- Only applications allowed by both policies run without generating block events
- Base + supplemental policy: union
- - Files that are allowed by either the base policy or the supplemental policy aren't blocked
+ - Files allowed by either the base policy or the supplemental policy run
## Creating WDAC policies in Multiple Policy Format
-In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below example describes the process of creating a new policy in the multiple policy format.
+In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique values generated for the policy ID and 2) the policy type set as a Base policy. The below example describes the process of creating a new policy in the multiple policy format.
```powershell
New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash
@@ -55,7 +57,7 @@ Add-SignerRule -FilePath ".\policy.xml" -CertificatePath [-K
### Supplemental policy creation
-In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format as shown above. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy.
+In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format as shown earlier. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy.
- "SupplementsBasePolicyID": GUID of base policy that the supplemental policy applies to
- "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to
@@ -66,11 +68,11 @@ Set-CIPolicyIdInfo -FilePath ".\supplemental_policy.xml" [-SupplementsBasePolicy
### Merging policies
-When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \.
+When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy is a base policy with ID \.
## Deploying multiple policies
-In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by Microsoft Intune's custom OMA-URI feature.
+In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP.
### Deploying multiple policies locally
@@ -86,15 +88,9 @@ To deploy policies locally using the new multiple policy format, follow these st
Multiple Windows Defender Application Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
-However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
+However, when policies are unenrolled from an MDM server, the CSP attempts to remove every policy not actively deployed, not just the policies added by the CSP. This behavior happens because the system doesn't know what deployment methods were used to apply individual policies.
For more information on deploying multiple policies, optionally using Microsoft Intune's custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp).
> [!NOTE]
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies.
-
-### Known Issues in Multiple Policy Format
-
-* If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b.
-* If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit.
-* This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md
index 91af264958..fbccba4c71 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md
@@ -2,7 +2,7 @@
title: WDAC Admin Tips & Known Issues
description: WDAC Known Issues
ms.manager: jsuther
-ms.date: 11/22/2023
+ms.date: 03/13/2024
ms.topic: article
ms.localizationpriority: medium
---
@@ -43,32 +43,28 @@ When the WDAC engine evaluates files against the active set of policies on the d
4. Lastly, WDAC makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option.
-5. If no explicit rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly.
+5. Any file not allowed by an explicit rule or based on ISG or MI is blocked implicitly.
## Known issues
### Boot stop failure (blue screen) occurs if more than 32 policies are active
-If the maximum number of policies is exceeded, the device will bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit.
+Until you apply the Windows security update released on or after March 12, 2024, your device is limited to 32 active policies. If the maximum number of policies is exceeded, the device bluescreens referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. To remove the maximum policy limit, install the Windows security update released on, or after, March 12, 2024 and then restart the device. Otherwise, reduce the number of policies on the device to remain below 32 policies.
### Audit mode policies can change the behavior for some apps or cause app crashes
-Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that includes the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode:
+Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that turns on user mode code integrity (UMCI) with the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode:
- Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with WDAC](/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement) for information about individual script host behaviors.
- Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. See [WDAC and .NET](/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet#wdac-and-net-hardening).
-### Managed Installer and ISG may cause excessive events
-
-When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events were moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy.
-
### .NET native images may generate false positive block events
In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window.
### Signatures using elliptical curve cryptography (ECC) aren't supported
-WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23 on the corresponding 3089 signature information events. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA.
+WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If WDAC blocks a file based on ECC signatures, the corresponding 3089 signature information events show VerificationError = 23. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA.
### MSI installers are treated as user writeable on Windows 10 when allowed by FilePath rule
@@ -88,18 +84,19 @@ As a workaround, download the MSI file and run it locally:
```console
msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi
```
+
### Slow boot and performance with custom policies
-WDAC evaluates all processes that run, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies.
+WDAC evaluates all processes that run, including inbox Windows processes. You can cause slower boot times, degraded performance, and possibly boot issues if your policies don't build upon the WDAC templates or don't trust the Windows signers. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies.
#### AppId Tagging policy considerations
-If the AppId Tagging Policy wasn't built off the WDAC base templates or doesn't allow the Windows in-box signers, you'll notice a significant increase in boot times (~2 minutes).
+AppId Tagging policies that aren't built upon the WDAC base templates or don't allow the Windows in-box signers might cause a significant increase in boot times (~2 minutes).
-If you can't allowlist the Windows signers, or build off the WDAC base templates, it's recommended to add the following rule to your policies to improve the performance:
+If you can't allowlist the Windows signers or build off the WDAC base templates, add the following rule to your policies to improve the performance:
:::image type="content" source="../images/known-issue-appid-dll-rule.png" alt-text="Allow all dlls in the policy.":::
:::image type="content" source="../images/known-issue-appid-dll-rule-xml.png" alt-text="Allow all dll files in the xml policy.":::
-Since AppId Tagging policies evaluate but can't tag dll files, this rule will short circuit dll evaluation and improve evaluation performance.
+Since AppId Tagging policies evaluate but can't tag dll files, this rule short circuits dll evaluation and improve evaluation performance.
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 4461530e2b..e07f9e5739 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -169,7 +169,7 @@ Alternatively, you can configure devices using a [custom policy][INT-3] with the
| Setting |
|--|
-|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration`
- **Data type:** string
- **Value:** ``
Possible values for `RestrictedRemoteAdministrationDrop` are:
- `0`: Disabled
- `1`: Require Restricted Admin
- `2`: Require Remote Credential Guard
- `3`: Restrict credential delegation |
+|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration`
- **Data type:** string
- **Value:** ``
Possible values for `RestrictedRemoteAdministrationDrop` are:
- `0`: Disabled
- `1`: Require Restricted Admin
- `2`: Require Remote Credential Guard
- `3`: Restrict credential delegation |
#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)