From 32f020e28a57e39f7182bebf2e21f2bf647cbca5 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 9 Aug 2022 13:54:15 -0700 Subject: [PATCH] Fixed language on Note regarding PowerShell scripts --- .../applocker/script-rules-in-applocker.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index aee609a7fd..e30b2c517a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -1,6 +1,6 @@ --- title: Script rules in AppLocker (Windows) -description: This topic describes the file formats and available default rules for the script rule collection. +description: This article describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f ms.reviewer: ms.author: macapara @@ -26,10 +26,6 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -> [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). - - This article describes the file formats and available default rules for the script rule collection. AppLocker defines script rules to include only the following file formats: 
@@ -44,11 +40,11 @@ The following table lists the default rules that are available for the script ru | Purpose | Name | User | Rule condition type | | - | - | - | - | | Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` | -| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` | -| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| - +| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` | +| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| + > [!NOTE] -> Windows Defender Application Control cannot be used to block PowerShell scripts. AppLocker just forces PowerShell scripts to be run in Constrained Language mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs. +> When a script runs that is not allowed by policy, AppLocker raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host. In the case of PowerShell, "blocked" scripts will still run, but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). Authorized scripts run in Full Language Mode. ## Related articles
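Review bot: In the hunk at `@@ -26,10 +26,6 @@`, the `[!NOTE]` pointing to the Windows Defender Application Control feature availability page is deleted, but the commit subject only mentions the note regarding PowerShell scripts. If dropping the version-availability pointer is intentional, say so in the commit message. Otherwise restore it, since nothing else in the visible changes carries that link.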
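Review bot: In the hunk at `@@ -44,11 +40,11 @@`, the rewritten `[!NOTE]` drops the 8007 event ID that the old text named and now says only that AppLocker "raises an event". Keep the ID in the new wording so readers can match the note to the entry they see in the log, and so they do not read that entry as proof the script was prevented from running. The old first sentence, "Windows Defender Application Control cannot be used to block PowerShell scripts", is also gone; confirm that is intended. The two table rows and the blank line are removed and re-added with the same visible text, so they look like whitespace-only changes that could be left out of this commit.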