deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 07:17:24 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

draft for sac and fix issues

Browse Source
This commit is contained in:
Vinay Pamnani 2022-08-10 15:12:31 -04:00
parent 2a63be9f0a
commit b54bddd43f
3 changed files with 167 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
windows/security/threat-protection/windows-defender-application-control/TOC.yml
View File

@ -3,26 +3,26 @@
- name: About application control for Windows
href: windows-defender-application-control.md
expanded: true
items:
items:
- name: WDAC and AppLocker Overview
href: wdac-and-applocker-overview.md
items:
items:
- name: WDAC and AppLocker Feature Availability
href: feature-availability.md
- name: Virtualization-based protection of code integrity
href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: WDAC design guide
href: windows-defender-application-control-design-guide.md
items:
items:
- name: Plan for WDAC policy lifecycle management
href: plan-windows-defender-application-control-management.md
- name: Design your WDAC policy
items:
items:
- name: Understand WDAC policy design decisions
href: understand-windows-defender-application-control-policy-design-decisions.md
- name: Understand WDAC policy rules and file rules
href: select-types-of-rules-to-create.md
items:
items:
- name: Allow apps installed by a managed installer
href: configure-authorized-apps-deployed-with-a-managed-installer.md
- name: Allow reputable apps with Intelligent Security Graph (ISG)
@ -40,12 +40,12 @@
- name: Use multiple WDAC policies
href: deploy-multiple-windows-defender-application-control-policies.md
- name: Create your WDAC policy
items:
items:
- name: Example WDAC base policies
href: example-wdac-base-policies.md
- name: Policy creation for common WDAC usage scenarios
href: types-of-devices.md
items:
items:
- name: Create a WDAC policy for lightly managed devices
href: create-wdac-policy-for-lightly-managed-devices.md
- name: Create a WDAC policy for fully managed devices
@ -54,13 +54,15 @@
href: create-initial-default-policy.md
- name: Create a WDAC deny list policy
href: create-wdac-deny-policy.md
- name: Create a Smart App Control policy
href: create-smart-app-control-policy.md
- name: Microsoft recommended block rules
href: microsoft-recommended-block-rules.md
- name: Microsoft recommended driver block rules
href: microsoft-recommended-driver-block-rules.md
- name: Use the WDAC Wizard tool
href: wdac-wizard.md
items:
items:
- name: Create a base WDAC policy with the Wizard
href: wdac-wizard-create-base-policy.md
- name: Create a supplemental WDAC policy with the Wizard
@ -71,7 +73,7 @@
href: wdac-wizard-merging-policies.md
- name: WDAC deployment guide
href: windows-defender-application-control-deployment-guide.md
items:
items:
- name: Deploy WDAC policies with MDM
href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- name: Deploy WDAC policies with Configuration Manager
@ -88,7 +90,7 @@
href: enforce-windows-defender-application-control-policies.md
- name: Use code signing to simplify application control for classic Windows applications
href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
items:
items:
- name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
- name: "Optional: Create a code signing cert for WDAC"
@ -103,7 +105,7 @@
href: LOB-win32-apps-on-s.md
- name: WDAC operational guide
href: windows-defender-application-control-operational-guide.md
items:
items:
- name: Understanding Application Control event tags
href: event-tag-explanations.md
- name: Understanding Application Control event IDs
@ -125,10 +127,10 @@
href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
- name: AppLocker
href: applocker\applocker-overview.md
items:
items:
- name: Administer AppLocker
href: applocker\administer-applocker.md
items:
items:
- name: Maintain AppLocker policies
href: applocker\maintain-applocker-policies.md
- name: Edit an AppLocker policy
@ -149,7 +151,7 @@
href: applocker\manage-packaged-apps-with-applocker.md
- name: Working with AppLocker rules
href: applocker\working-with-applocker-rules.md
items:
items:
- name: Create a rule that uses a file hash condition
href: applocker\create-a-rule-that-uses-a-file-hash-condition.md
- name: Create a rule that uses a path condition
@ -174,7 +176,7 @@
href: applocker\run-the-automatically-generate-rules-wizard.md
- name: Working with AppLocker policies
href: applocker\working-with-applocker-policies.md
items:
items:
- name: Configure the Application Identity service
href: applocker\configure-the-application-identity-service.md
- name: Configure an AppLocker policy for audit only
@ -203,24 +205,24 @@
href: applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md
- name: AppLocker design guide
href: applocker\applocker-policies-design-guide.md
items:
items:
- name: Understand AppLocker policy design decisions
href: applocker\understand-applocker-policy-design-decisions.md
- name: Determine your application control objectives
href: applocker\determine-your-application-control-objectives.md
- name: Create a list of apps deployed to each business group
href: applocker\create-list-of-applications-deployed-to-each-business-group.md
items:
items:
- name: Document your app list
href: applocker\document-your-application-list.md
- name: Select the types of rules to create
href: applocker\select-types-of-rules-to-create.md
items:
items:
- name: Document your AppLocker rules
href: applocker\document-your-applocker-rules.md
- name: Determine the Group Policy structure and rule enforcement
href: applocker\determine-group-policy-structure-and-rule-enforcement.md
items:
items:
- name: Understand AppLocker enforcement settings
href: applocker\understand-applocker-enforcement-settings.md
- name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
@ -231,7 +233,7 @@
href: applocker\plan-for-applocker-policy-management.md
- name: AppLocker deployment guide
href: applocker\applocker-policies-deployment-guide.md
items:
items:
- name: Understand the AppLocker policy deployment process
href: applocker\understand-the-applocker-policy-deployment-process.md
- name: Requirements for Deploying AppLocker Policies
@ -240,22 +242,22 @@
href: applocker\using-software-restriction-policies-and-applocker-policies.md
- name: Create Your AppLocker policies
href: applocker\create-your-applocker-policies.md
items:
items:
- name: Create Your AppLocker rules
href: applocker\create-your-applocker-rules.md
- name: Deploy the AppLocker policy into production
href: applocker\deploy-the-applocker-policy-into-production.md
items:
items:
- name: Use a reference device to create and maintain AppLocker policies
href: applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md
items:
items:
- name: Determine which apps are digitally signed on a reference device
href: applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md
- name: Configure the AppLocker reference device
href: applocker\configure-the-appLocker-reference-device.md
- name: AppLocker technical reference
href: applocker\applocker-technical-reference.md
items:
items:
- name: What Is AppLocker?
href: applocker\what-is-applocker.md
- name: Requirements to use AppLocker
@ -264,7 +266,7 @@
href: applocker\applocker-policy-use-scenarios.md
- name: How AppLocker works
href: applocker\how-applocker-works-techref.md
items:
items:
- name: Understanding AppLocker rule behavior
href: applocker\understanding-applocker-rule-behavior.md
- name: Understanding AppLocker rule exceptions
@ -275,7 +277,7 @@
href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
- name: Understanding AppLocker rule condition types
href: applocker\understanding-applocker-rule-condition-types.md
items:
items:
- name: Understanding the publisher rule condition in AppLocker
href: applocker\understanding-the-publisher-rule-condition-in-applocker.md
- name: Understanding the path rule condition in AppLocker
@ -284,7 +286,7 @@
href: applocker\understanding-the-file-hash-rule-condition-in-applocker.md
- name: Understanding AppLocker default rules
href: applocker\understanding-applocker-default-rules.md
items:
items:
- name: Executable rules in AppLocker
href: applocker\executable-rules-in-applocker.md
- name: Windows Installer rules in AppLocker
@ -305,11 +307,8 @@
href: applocker\security-considerations-for-applocker.md
- name: Tools to Use with AppLocker
href: applocker\tools-to-use-with-applocker.md
items:
items:
- name: Using Event Viewer with AppLocker
href: applocker\using-event-viewer-with-applocker.md
- name: AppLocker Settings
href: applocker\applocker-settings.md
- name: Windows security
href: /windows/security/

96
windows/security/threat-protection/windows-defender-application-control/create-smart-app-control-policy.md Normal file
View File

@ -0,0 +1,96 @@
---
title: Create a WDAC policy for Smart app Control
description: To create a Windows Defender Application Control (WDAC) policy to enforce Smart app Control within your organization, follow this guide.
ms.date: 08/08/2022
ms.technology: windows
ms.topic: article
ms.prod: w10
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.collection: highpri
---
# Create a WDAC policy for Smart App Control
**Applies to:**
- Windows 11, version 22H2 or later.
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Smart App Control adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. To learn more, see [What is Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003). This section outlines the process to create a Windows Defender Application Control (WDAC) policy for Smart App Control within an organization.
As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md#an-introduction-to-lamna-healthcare-company), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of Smart App Control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead tasked with the rollout of WDAC.
## Create a custom policy using an example WDAC base policy
Alice previously created a policy for the organization's fully managed end-user devices. She now wants to use WDAC to implement Smart App Control. Alice follows these steps to create an Audit policy:
1. On a client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
```powershell
$PolicyPath = $env:userprofile+"\Desktop\"
$PolicyName= "Lamna_SmartAppControl_Audit"
$LamnaPolicy=Join-Path $PolicyPath "$PolicyName.xml"
$ExamplePolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml"
```
1. Copy the example policy to the desktop:
```powershell
cp $ExamplePolicy $LamnaPolicy
```
1. Give the new policy a unique ID, descriptive name, and initial version number:
```powershell
Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
```
1. Modify the copied policy to set the Audit Mode rule:
```powershell
Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
```
1. If appropriate, add more signer or file rules to further customize the policy for your organization or use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge this policy with your existing WDC policy.
1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
```powershell
[xml]$policyXML = Get-Content $LamnaPolicy
$WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip"
ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
```
1. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
## Turn off Smart App Control
Smart App Control is only available on clean installs of Windows 11 version 22H2 or later, and starts in evaluation mode. For managed devices, Windows automatically turns off Smart App Control but if you want to enforce this behavior, you can disable Smart App Control by setting **VerifiedAndReputablePolicyState** (DWORD) registry value in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy`, and either restart the device or run [RefreshPolicy.exe](https://www.microsoft.com/download/details.aspx?id=102925).
| Value | Description |
|-------|-------------|
| 0 | Off |
| 1 | Enforce |
| 2 | Evaluation |
```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy" -Name VerifiedAndReputablePolicyState -Value 0 -Type DWORD -Force
```
> [!IMPORTANT]
> You may choose to turn off Smart App Control feature using the registry or [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) and deploy a Smart App Control WDAC Policy that provides more granular control over the rules, but WDAC Policy does not allow modifying some settings. These settings can be identified in SmartAppControl.xml by searching for `WindowsLockdownPolicySettings`.
## More information
- [Prepare to deploy Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md)
- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)

79
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
View File

@ -73,7 +73,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
<Rule>
<Option>Enabled:Audit Mode</Option>
</Rule>
<Rule>
@ -130,7 +130,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Deny ID="ID_DENY_BANDAI_SHA256" FriendlyName="bandai.sys Hash Sha256" Hash="7FD788358585E0B863328475898BB4400ED8D478466D1B7F5CC0252671456CC8" />
<Deny ID="ID_DENY_BANDAI_SHA1_PAGE" FriendlyName="bandai.sys Hash Page Sha1" Hash="EA360A9F23BB7CF67F08B88E6A185A699F0C5410" />
<Deny ID="ID_DENY_BANDAI_SHA256_PAGE" FriendlyName="bandai.sys Hash Page Sha256" Hash="BB83738210650E09307CE869ACA9BFA251024D3C47B1006B94FCE2846313F56E" />
<Deny ID="ID_DENY_BS_RCIO64_SHA1" FriendlyName="BS_RCIO64 73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Sha1" Hash="4BFE9E5A5A25B7CDE6C81EBE31ED4ABEB5147FAF" />
<Deny ID="ID_DENY_BS_RCIO64_SHA1" FriendlyName="BS_RCIO64 73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Sha1" Hash="4BFE9E5A5A25B7CDE6C81EBE31ED4ABEB5147FAF" />
<Deny ID="ID_DENY_BS_RCIO64_SHA256" FriendlyName="BS_RCIO64 73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Sha256" Hash="0381632CD236CD94FA9E64CCC958516AC50F9437F99092E231A607B1E6BE6CF8" />
<Deny ID="ID_DENY_BS_RCIO64_SHA1_PAGE" FriendlyName="BS_RCIO64 5651466512138240\73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Page Sha1" Hash="C28B640BECA5E2834D2A373F139869CC309F6631" />
<Deny ID="ID_DENY_BS_RCIO64_SHA256_PAGE" FriendlyName="BS_RCIO64 5651466512138240\73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Page Sha256" Hash="9378F7DFF94D9409D38FA1A125C52734D6BAEA90913FC3CEE2659FD36AB0DA29" />
@ -228,9 +228,9 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Deny ID="ID_DENY_DIRECTIO_34" FriendlyName="PassMark DirectIo.sys Hash Page Sha1" Hash="05E20D0274A4FCC5368F25C62174003A555917E7" />
<Deny ID="ID_DENY_DIRECTIO_35" FriendlyName="PassMark DirectIo.sys Hash Page Sha256" Hash="70344F2494D6B7EE4C5716E886D912447CFFE9695D2286814DC3CE0361727BBA" />
<Deny ID="ID_DENY_DIRECTIO_36" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="706686F2A1EF4738A1856D01AB10EB730FC7B327" />
<Deny ID="ID_DENY_DIRECTIO_37" FriendlyName="PassMark DirectIo.sys Hash Sha256" Hash="B74246C8CB77B0364B7CECE38BFF5F462EEC983C" />
<Deny ID="ID_DENY_DIRECTIO_37" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="B74246C8CB77B0364B7CECE38BFF5F462EEC983C" />
<Deny ID="ID_DENY_DIRECTIO_38" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="B423CA58603513B5D3A9669736D5E13C353FD6F9" />
<Deny ID="ID_DENY_DIRECTIO_39" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="2FB5D7E6DB01C9090BBA92ABF580D38993E02CE9357E08FE1F224A9B18056E5A" />
<Deny ID="ID_DENY_DIRECTIO_39" FriendlyName="PassMark DirectIo.sys Hash Sha256" Hash="2FB5D7E6DB01C9090BBA92ABF580D38993E02CE9357E08FE1F224A9B18056E5A" />
<Deny ID="ID_DENY_DIRECTIO_3A" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="AE806CA05E141B71664D9C6F20CC2369EF26F996" />
<Deny ID="ID_DENY_DIRECTIO_3B" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="D0559503988DAA407FCC11E59079560CB456BB84" />
<Deny ID="ID_DENY_MSIO_SHA1_1" FriendlyName="MsIo.sys Hash Sha1" Hash="0CB0FD5BEA730E4EAAEC1426B0C15376CCAC6D83" />
@ -422,7 +422,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttrib ID="ID_FILEATTRIB_BSMI" FriendlyName="" FileName="BSMI.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.3" />
<FileAttrib ID="ID_FILEATTRIB_BS_HWMIO64" FriendlyName="" FileName="BS_HWMIO64_W10.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.1806.2200" />
<FileAttrib ID="ID_FILEATTRIB_BS_I2CIO" FriendlyName="" FileName="BS_I2cIo.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.1.0.0" />
<FileAttrib ID="ID_FILEATTRIB_BS_RCIO" FriendlyName="BS_RCIO.sys FileAttribute" FileName="BS_RCIO64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.0.1" />
<FileAttrib ID="ID_FILEATTRIB_BS_RCIO" FriendlyName="BS_RCIO.sys FileAttribute" FileName="BS_RCIO64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.0.1" />
<FileAttrib ID="ID_FILEATTRIB_NTIOLIB" FriendlyName="" FileName="NTIOLib.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_CPUZ_DRIVER" FriendlyName="" FileName="cpuz.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.4.3" />
<FileAttrib ID="ID_FILEATTRIB_ELBY_DRIVER" FriendlyName="" FileName="ElbyCDIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="6.0.3.2" />
@ -433,7 +433,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttrib ID="ID_FILEATTRIB_LIBNICM_DRIVER" FriendlyName="" FileName="libnicm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_MTCBSV64" FriendlyName="mtcBSv64.sys FileAttribute" FileName="mtcBSv64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="21.2.0.0" />
<FileAttrib ID="ID_FILEATTRIB_NCHGBIOS2X64" FriendlyName="" FileName="NCHGBIOS2x64.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="4.2.4.0" />
<FileAttrib ID="ID_FILEATTRIB_NCPL_DRIVER" FriendlyName="" FileName="NCPL.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_NCPL_DRIVER" FriendlyName="" FileName="NCPL.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_NICM_DRIVER" FriendlyName="" FileName="NICM.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_NSCM_DRIVER" FriendlyName="" FileName="nscm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_PHYSMEM" FriendlyName="Physmem.sys FileAttribute" FileName="physmem.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
@ -442,13 +442,13 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttrib ID="ID_FILEATTRIB_RTKIOW8X64_DRIVER" FriendlyName="" FileName="rtkiow8x64.sys" MinimumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_RTKIOW10X64_DRIVER" FriendlyName="" FileName="rtkiow10x64.sys" MinimumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_RWDRV_DRIVER" FriendlyName="" FileName="RwDrv.sys" MinimumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_SANDBOX_1" FriendlyName="Agnitum sandbox FileAttribute" FileName="sandbox.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_SANDBOX_2" FriendlyName="Agnitum SandBox FileAttribute" FileName="SandBox.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_SANDBOX_1" FriendlyName="Agnitum sandbox FileAttribute" FileName="sandbox.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_SANDBOX_2" FriendlyName="Agnitum SandBox FileAttribute" FileName="SandBox.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_SANDRA" FriendlyName="" FileName="SANDRA" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.12.0.0" />
<FileAttrib ID="ID_FILEATTRIB_SANDRA_DRIVER" FriendlyName="" FileName="sandra.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.12.0.0" />
<FileAttrib ID="ID_FILEATTRIB_SEGWINDRVX64" FriendlyName="segwindrvx64.sys FileAttribute" FileName="segwindrvx64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="100.0.7.2" />
<FileAttrib ID="ID_FILEATTRIB_TREND_MICRO" FriendlyName="TmComm.sys" FileName="TmComm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="8.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VBOX" FriendlyName="VBoxDrv.sys FileAttribute" FileName="VBoxDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VBOX" FriendlyName="VBoxDrv.sys FileAttribute" FileName="VBoxDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VIRAGT" FriendlyName="viragt.sys 32-bit" FileName="viragt.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.80.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VIRAGT64" FriendlyName="viragt64.sys" FileName="viragt64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.11" />
<FileAttrib ID="ID_FILEATTRIB_VMDRV" FriendlyName="vmdrv.sys FileAttribute" FileName="vmdrv.sys" MinimumFileVersion="10.0.10011.16384" />
@ -504,7 +504,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttribRef RuleID="ID_FILEATTRIB_ATSZIO" />
<FileAttribRef RuleID="ID_FILEATTRIB_IQVW64" />
<FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_TREND_MICRO" />
@ -546,7 +546,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<CertRoot Type="TBS" Value="041750993D7C9E063F02DFE74699598640911AAB" />
<CertPublisher Value="innotek GmbH" />
</Signer>
<Signer ID="ID_SIGNER_VBOX_ORCALE" Name="VeriSign Class 3 Code Signing 2010 CA">
<Signer ID="ID_SIGNER_VBOX_ORCALE" Name="VeriSign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="4843A82ED3B1F2BFBEE9671960E1940C942F688D" />
<CertPublisher Value="Oracle Corporation" />
<FileAttribRef RuleID="ID_FILEATTRIB_VBOX" />
@ -586,11 +586,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Signer ID="ID_SIGNER_WINDOWS_3RD_PARTY_2014" Name="Microsoft Windows Third Party Component CA 2014">
<CertRoot Type="TBS" Value="D8BE9E4D9074088EF818BC6F6FB64955E90378B2754155126FEEBBBD969CF0AE" />
<CertPublisher Value="Microsoft Windows Hardware Compatibility Publisher" />
<FileAttribRef RuleID="ID_FILEATTRIB_BS_RCIO" />
<FileAttribRef RuleID="ID_FILEATTRIB_BS_RCIO" />
<FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_LHA" />
<FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_RTKIO_DRIVER" />
@ -600,7 +600,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttribRef RuleID="ID_FILEATTRIB_VIRAGT64" />
<FileAttribRef RuleID="ID_FILEATTRIB_VMDRV" />
</Signer>
<Signer ID="ID_SIGNER_WINDOWS_3RD_PARTY_2010" Name="Microsoft Third Party Component Windows PCA 2010">
<Signer ID="ID_SIGNER_WINDOWS_3RD_PARTY_2010" Name="Microsoft Third Party Component Windows PCA 2010">
<CertRoot Type="TBS" Value="90C9669670E75989159E6EEF69625EB6AD17CBA6209ED56F5665D55450A05212" />
<CertPublisher Value="Microsoft Windows Hardware Compatibility Publisher" />
<FileAttribRef RuleID="ID_FILEATTRIB_HPPORTIOX64" />
@ -644,7 +644,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<CertRoot Type="TBS" Value="4843A82ED3B1F2BFBEE9671960E1940C942F688D" />
<CertPublisher Value="Novell, Inc." />
<FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
</Signer>
@ -723,12 +723,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<CertPublisher Value="Advanced Micro Devices Inc." />
<FileAttribRef RuleID="ID_FILEATTRIB_AMDPP" />
</Signer>
<Signer ID="ID_SIGNER_AGNITUM_2004" Name="VeriSign Class 3 Code Signing 2004 CA">
<Signer ID="ID_SIGNER_AGNITUM_2004" Name="VeriSign Class 3 Code Signing 2004 CA">
<CertRoot Type="TBS" Value="C7FC1727F5B75A6421A1F95C73BBDB23580C48E5" />
<CertPublisher Value="Agnitum Ltd." />
<FileAttribRef RuleID="ID_FILEATTRIB_SANDBOX_2" />
</Signer>
<Signer ID="ID_SIGNER_AGNITUM_2009" Name="VeriSign Class 3 Code Signing 2009-2 CA">
<Signer ID="ID_SIGNER_AGNITUM_2009" Name="VeriSign Class 3 Code Signing 2009-2 CA">
<CertRoot Type="TBS" Value="4CDC38C800761463749C3CBD94A12F32E49877BF" />
<CertPublisher Value="Agnitum Ltd." />
<FileAttribRef RuleID="ID_FILEATTRIB_SANDBOX_1" />
@ -761,19 +761,19 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Signer ID="ID_SIGNER_JEROMIN_CODY_ERIC" Name="Jeromin Cody Eric">
<CertRoot Type="TBS" Value="dfa6171201b51a2ec174310e8fb9f4c0fde2d365235e589ded0213c5279bea6e" />
</Signer>
<Signer ID="ID_SIGNER_SAASAME" Name="SaaSaMe Ltd.">
<Signer ID="ID_SIGNER_SAASAME" Name="SaaSaMe Ltd.">
<CertRoot Type="TBS" Value="A86DE66D8198E4272859881476A6F9936034A482" />
</Signer>
<Signer ID="ID_SIGNER_NVIDIA_2007" Name="Leaked 2007 NVIDIA Corporation Verisign Class 3 Code Signing 2004 CA">
<Signer ID="ID_SIGNER_NVIDIA_2007" Name="Leaked 2007 NVIDIA Corporation Verisign Class 3 Code Signing 2004 CA">
<CertRoot Type="TBS" Value="80854F578E2A3B5552EA839BA4F98DDFE94B2381" />
</Signer>
<Signer ID="ID_SIGNER_NVIDIA_2011" Name="Leaked 2011 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
<Signer ID="ID_SIGNER_NVIDIA_2011" Name="Leaked 2011 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="15C37DBEBE6FCC77108E3D7AD982676D3D5E77F7" />
</Signer>
<Signer ID="ID_SIGNER_NVIDIA_2015" Name="Leaked 2015 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
<Signer ID="ID_SIGNER_NVIDIA_2015" Name="Leaked 2015 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="F049A238763D4A90B148AB10A500F96EBF1DC436" />
</Signer>
<Signer ID="ID_SIGNER_HERMETICWIPER_1" Name="DigiCert Assured ID Code Signing CA-1">
<Signer ID="ID_SIGNER_HERMETICWIPER_1" Name="DigiCert Assured ID Code Signing CA-1">
<CertRoot Type="TBS" Value="47F4B9898631773231B32844EC0D49990AC4EB1E" />
<CertPublisher Value="CHENGDU YIWO Tech Development Co., Ltd." />
</Signer>
@ -795,10 +795,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DENIED_VULN_MAL_SIGNERS" FriendlyName="Signers of known vulnerable or malicious drivers">
<ProductSigners>
<DeniedSigners>
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2004" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2009" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010_1" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2004" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2009" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010_1" />
<DeniedSigner SignerId="ID_SIGNER_AMDPP" />
<DeniedSigner SignerId="ID_SIGNER_CAPCOM" />
<DeniedSigner SignerId="ID_SIGNER_CHEAT_ENGINE" />
@ -815,10 +815,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<DeniedSigner SignerId="ID_SIGNER_GEOTRUST_SRL_2010" />
<DeniedSigner SignerId="ID_SIGNER_GLOBALSIGN_TG_SOFT" />
<DeniedSigner SignerId="ID_SIGNER_HANDAN" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_1" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_2" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_3" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_4" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_1" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_2" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_3" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_4" />
<DeniedSigner SignerId="ID_SIGNER_HP" />
<DeniedSigner SignerId="ID_SIGNER_INTEL_IQVW" />
<DeniedSigner SignerId="ID_SIGNER_JEROMIN_CODY_ERIC" />
@ -826,21 +826,21 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_USER" />
<DeniedSigner SignerId="ID_SIGNER_NANJING" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2007" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2011" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2015" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2007" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2011" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2015" />
<DeniedSigner SignerId="ID_SIGNER_PHYSMEM" />
<DeniedSigner SignerId="ID_SIGNER_REALTEK" />
<DeniedSigner SignerId="ID_SIGNER_RWEVERY" />
<DeniedSigner SignerId="ID_SIGNER_SAASAME" />
<DeniedSigner SignerId="ID_SIGNER_SAASAME" />
<DeniedSigner SignerId="ID_SIGNER_SANDRA" />
<DeniedSigner SignerId="ID_SIGNER_SANDRA_THAWTE" />
<DeniedSigner SignerId="ID_SIGNER_SPEEDFAN" />
<DeniedSigner SignerId="ID_SIGNER_SYMANTEC_CLASS_3" />
<DeniedSigner SignerId="ID_SIGNER_TRUST_ASIA" />
<DeniedSigner SignerId="ID_SIGNER_VBOX" />
<DeniedSigner SignerId="ID_SIGNER_VBOX_ORCALE" />
<DeniedSigner SignerId="ID_SIGNER_VBOX_SUN" />
<DeniedSigner SignerId="ID_SIGNER_VBOX_ORCALE" />
<DeniedSigner SignerId="ID_SIGNER_VBOX_SUN" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2004" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2004_BIOSTAR" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2009" />
@ -905,7 +905,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA256" />
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA1_PAGE" />
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA256_PAGE" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1_PAGE" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256_PAGE" />
@ -1191,7 +1191,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileRuleRef RuleID="ID_DENY_PHYMEMX_64"/>
<FileRuleRef RuleID="ID_DENY_DBK_32"/>
<FileRuleRef RuleID="ID_DENY_DBK_64"/>
</FileRulesRef>
</FileRulesRef>
</ProductSigners>
</SigningScenario>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="">
@ -1222,6 +1222,9 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
</details>
> [!NOTE]
> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](create-wdac-deny-policy.md#single-policy-considerations).
## More information
- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)