draft for sac and fix issues

This commit is contained in:
Vinay Pamnani
2022-08-10 15:12:31 -04:00
parent 2a63be9f0a
commit b54bddd43f
3 changed files with 167 additions and 69 deletions

@ -54,6 +54,8 @@
href: create-initial-default-policy.md href: create-initial-default-policy.md
- name: Create a WDAC deny list policy - name: Create a WDAC deny list policy
href: create-wdac-deny-policy.md href: create-wdac-deny-policy.md
- name: Create a Smart App Control policy
href: create-smart-app-control-policy.md
- name: Microsoft recommended block rules - name: Microsoft recommended block rules
href: microsoft-recommended-block-rules.md href: microsoft-recommended-block-rules.md
- name: Microsoft recommended driver block rules - name: Microsoft recommended driver block rules
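Review bot: the new TOC node name "Create a Smart App Control policy" does not match the H1 of the page it links to ("Create a WDAC policy for Smart App Control" in the new create-smart-app-control-policy.md); consider renaming the node to that title so the navigation and the page heading agree, as they do for the sibling entries.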
@ -310,6 +312,3 @@
href: applocker\using-event-viewer-with-applocker.md href: applocker\using-event-viewer-with-applocker.md
- name: AppLocker Settings - name: AppLocker Settings
href: applocker\applocker-settings.md href: applocker\applocker-settings.md
- name: Windows security
href: /windows/security/
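Review bot: removing the trailing "Windows security" node (href: /windows/security/) is not covered by the commit message "draft for sac and fix issues"; if this is cleanup of a stray top-level entry, it would help to say so in the message or to commit it separately from the Smart App Control draft so the TOC change stays traceable.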

@ -0,0 +1,96 @@
---
title: Create a WDAC policy for Smart app Control
description: To create a Windows Defender Application Control (WDAC) policy to enforce Smart app Control within your organization, follow this guide.
ms.date: 08/08/2022
ms.technology: windows
ms.topic: article
ms.prod: w10
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.collection: highpri
---
# Create a WDAC policy for Smart App Control
**Applies to:**
- Windows 11, version 22H2 or later.
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Smart App Control adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. To learn more, see [What is Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003). This section outlines the process to create a Windows Defender Application Control (WDAC) policy for Smart App Control within an organization.
As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md#an-introduction-to-lamna-healthcare-company), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of Smart App Control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead tasked with the rollout of WDAC.
## Create a custom policy using an example WDAC base policy
Alice previously created a policy for the organization's fully managed end-user devices. She now wants to use WDAC to implement Smart App Control. Alice follows these steps to create an Audit policy:
1. On a client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
```powershell
$PolicyPath = $env:userprofile+"\Desktop\"
$PolicyName= "Lamna_SmartAppControl_Audit"
$LamnaPolicy=Join-Path $PolicyPath "$PolicyName.xml"
$ExamplePolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml"
```
1. Copy the example policy to the desktop:
```powershell
cp $ExamplePolicy $LamnaPolicy
```
1. Give the new policy a unique ID, descriptive name, and initial version number:
```powershell
Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
```
1. Modify the copied policy to set the Audit Mode rule:
```powershell
Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
```
1. If appropriate, add more signer or file rules to further customize the policy for your organization or use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge this policy with your existing WDC policy.
1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
```powershell
[xml]$policyXML = Get-Content $LamnaPolicy
$WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip"
ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
```
1. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
## Turn off Smart App Control
Smart App Control is only available on clean installs of Windows 11 version 22H2 or later, and starts in evaluation mode. For managed devices, Windows automatically turns off Smart App Control but if you want to enforce this behavior, you can disable Smart App Control by setting **VerifiedAndReputablePolicyState** (DWORD) registry value in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy`, and either restart the device or run [RefreshPolicy.exe](https://www.microsoft.com/download/details.aspx?id=102925).
| Value | Description |
|-------|-------------|
| 0 | Off |
| 1 | Enforce |
| 2 | Evaluation |
```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy" -Name VerifiedAndReputablePolicyState -Value 0 -Type DWORD -Force
```
> [!IMPORTANT]
> You may choose to turn off Smart App Control feature using the registry or [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) and deploy a Smart App Control WDAC Policy that provides more granular control over the rules, but WDAC Policy does not allow modifying some settings. These settings can be identified in SmartAppControl.xml by searching for `WindowsLockdownPolicySettings`.
## More information
- [Prepare to deploy Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md)
- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
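Review bot: step 5 has a typo, "your existing WDC policy" should read "WDAC policy", and the front matter title and description use "Smart app Control" while the H1 and body use "Smart App Control"; both should be made consistent before the page ships. Two smaller points: step 2 uses the `cp` alias (`cp $ExamplePolicy $LamnaPolicy`) where the cmdlet name `Copy-Item` is the usual choice in documentation; and the "Turn off Smart App Control" sentence tells the reader to set VerifiedAndReputablePolicyState without saying which value, leaving the table and the later `Set-ItemProperty ... -Value 0` line to imply it, so stating "to 0 (Off)" in the sentence itself would stop a reader from picking 1 or 2 from the table.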

@ -228,9 +228,9 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Deny ID="ID_DENY_DIRECTIO_34" FriendlyName="PassMark DirectIo.sys Hash Page Sha1" Hash="05E20D0274A4FCC5368F25C62174003A555917E7" /> <Deny ID="ID_DENY_DIRECTIO_34" FriendlyName="PassMark DirectIo.sys Hash Page Sha1" Hash="05E20D0274A4FCC5368F25C62174003A555917E7" />
<Deny ID="ID_DENY_DIRECTIO_35" FriendlyName="PassMark DirectIo.sys Hash Page Sha256" Hash="70344F2494D6B7EE4C5716E886D912447CFFE9695D2286814DC3CE0361727BBA" /> <Deny ID="ID_DENY_DIRECTIO_35" FriendlyName="PassMark DirectIo.sys Hash Page Sha256" Hash="70344F2494D6B7EE4C5716E886D912447CFFE9695D2286814DC3CE0361727BBA" />
<Deny ID="ID_DENY_DIRECTIO_36" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="706686F2A1EF4738A1856D01AB10EB730FC7B327" /> <Deny ID="ID_DENY_DIRECTIO_36" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="706686F2A1EF4738A1856D01AB10EB730FC7B327" />
<Deny ID="ID_DENY_DIRECTIO_37" FriendlyName="PassMark DirectIo.sys Hash Sha256" Hash="B74246C8CB77B0364B7CECE38BFF5F462EEC983C" /> <Deny ID="ID_DENY_DIRECTIO_37" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="B74246C8CB77B0364B7CECE38BFF5F462EEC983C" />
<Deny ID="ID_DENY_DIRECTIO_38" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="B423CA58603513B5D3A9669736D5E13C353FD6F9" /> <Deny ID="ID_DENY_DIRECTIO_38" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="B423CA58603513B5D3A9669736D5E13C353FD6F9" />
<Deny ID="ID_DENY_DIRECTIO_39" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="2FB5D7E6DB01C9090BBA92ABF580D38993E02CE9357E08FE1F224A9B18056E5A" /> <Deny ID="ID_DENY_DIRECTIO_39" FriendlyName="PassMark DirectIo.sys Hash Sha256" Hash="2FB5D7E6DB01C9090BBA92ABF580D38993E02CE9357E08FE1F224A9B18056E5A" />
<Deny ID="ID_DENY_DIRECTIO_3A" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="AE806CA05E141B71664D9C6F20CC2369EF26F996" /> <Deny ID="ID_DENY_DIRECTIO_3A" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="AE806CA05E141B71664D9C6F20CC2369EF26F996" />
<Deny ID="ID_DENY_DIRECTIO_3B" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="D0559503988DAA407FCC11E59079560CB456BB84" /> <Deny ID="ID_DENY_DIRECTIO_3B" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="D0559503988DAA407FCC11E59079560CB456BB84" />
<Deny ID="ID_DENY_MSIO_SHA1_1" FriendlyName="MsIo.sys Hash Sha1" Hash="0CB0FD5BEA730E4EAAEC1426B0C15376CCAC6D83" /> <Deny ID="ID_DENY_MSIO_SHA1_1" FriendlyName="MsIo.sys Hash Sha1" Hash="0CB0FD5BEA730E4EAAEC1426B0C15376CCAC6D83" />
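Review bot: the FriendlyName corrections on ID_DENY_DIRECTIO_37 (now "Hash Sha1", a 40-hex digest) and ID_DENY_DIRECTIO_39 (now "Hash Sha256", a 64-hex digest) agree with the length of the Hash attribute on each line, and because FriendlyName is descriptive only and the Hash values are unchanged, enforcement is unaffected by this edit. It would be worth running the same hash-length versus label check over the rest of the block rules file in this pass, since the PassMark and MsIo rows shown here are only a window into it, so any remaining Sha1/Sha256 label mismatches are fixed together rather than one at a time.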
@ -1222,6 +1222,9 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
</details> </details>
> [!NOTE]
> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](create-wdac-deny-policy.md#single-policy-considerations).
## More information ## More information
- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) - [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
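Review bot: the new note recommends deploying this policy alongside an existing WDAC policy rather than merging, yet the "More information" list directly below still offers only the Merge article; consider adding a link that covers side-by-side (multiple policy) deployment, for example the deployment guide the new Smart App Control page in this commit links to, so the recommended path is as easy to find as the discouraged one.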