From c0f09e79fc2f50ffde04654db958255aeba7f00b Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Thu, 11 Aug 2022 15:38:33 -0400
Subject: [PATCH] implement suggested changes
---
.../TOC.yml | 2 -
...wdac-policy-for-lightly-managed-devices.md | 170 ++++++++++--------
.../example-wdac-base-policies.md | 2 +-
.../windows-defender-application-control.md | 22 ++-
4 files changed, 114 insertions(+), 82 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index 88623c8aea..52aec39ca6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -54,8 +54,6 @@
href: create-initial-default-policy.md
- name: Create a WDAC deny list policy
href: create-wdac-deny-policy.md
- - name: Create a WDAC policy for Smart App Control
- href: create-wdac-policy-smart-app-control.md
- name: Microsoft recommended block rules
href: microsoft-recommended-block-rules.md
- name: Microsoft recommended driver block rules
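Review bot: Dropping the "Create a WDAC policy for Smart App Control" TOC entry orphans create-wdac-policy-smart-app-control.md, because the diffstat shows no deletion of or redirect for that file in this patch. If the article is being retired in favor of the new "WDAC and Smart App Control" section in windows-defender-application-control.md, delete the file or add a redirect in the same change; if it still exists, it needs a link from somewhere in the TOC.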
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 9cb8de44f4..58cebd4a92 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -13,9 +13,9 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
-ms.date: 11/15/2019
+ms.author: vinpa
+manager: aaroncz
+ms.date: 08/10/2022
ms.technology: windows-sec
---
@@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -58,82 +58,87 @@ Based on the above, Alice defines the pseudo-rules for the policy:
- WHQL (third-party kernel drivers)
- Windows Store signed apps
-2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function.
-3. **Allow Managed Installer** (Configuration Manager configured as a managed installer)
-4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
-5. **Admin-only path rules** for the following locations:
+1. **"MEMCM works”** rules that include:
+ - Signer and hash rules for Configuration Manager components to properly function.
+ - **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer.
+
+1. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
+
+1. **Admin-only path rules** for the following locations:
- C:\Program Files\*
- C:\Program Files (x86)\*
- %windir%\*
## Create a custom base policy using an example WDAC base policy
-Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs.
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use the example `SmartAppControl.xml` to create the initial base policy and then customize it to meet Lamna's needs.
Alice follows these steps to complete this task:
> [!NOTE]
-> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
+>
+> - `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy does not allow modifying some settings. For more information, see [WDAC and Smart App Control](windows-defender-application-control.md#wdac-and-smart-app-control)
+> - If you prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md), substitute the example policy path with your preferred base policy in step 1.
+> - If you do not use Configuration Manager, skip step 4.
-1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11.
+1. On a client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
-2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
+ ```powershell
+ $PolicyPath = $env:userprofile+"\Desktop\"
+ $PolicyName= "Lamna_LightlyManagedClients_Audit"
+ $LamnaPolicy=Join-Path $PolicyPath "$PolicyName.xml"
+ $ExamplePolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml"
+ ```
- ```powershell
- $PolicyName= "Lamna_LightlyManagedClients_Audit"
- $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
- $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
- ```
+1. Copy the example policy to the desktop:
-3. Copy the policy created by Configuration Manager to the desktop:
+ ```powershell
+ cp $ExamplePolicy $LamnaPolicy
+ ```
- ```powershell
- cp $MEMCMPolicy $LamnaPolicy
- ```
+1. Give the new policy a unique ID, descriptive name, and initial version number:
-4. Give the new policy a unique ID, descriptive name, and initial version number:
+ ```powershell
+ Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
+ Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
+ ```
- ```powershell
- Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
- Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
- ```
+1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to the client device running Windows 10 version 1903 and above, or Windows 11. Merge the Configuration Manager policy with the example policy.
-5. Modify the copied policy to set policy rules:
+ ```powershell
+ $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
+ Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$MEMCMPolicy
+ Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
+ ```
- ```powershell
- Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
- Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
- Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
- Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
- Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
- Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG
- Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
- Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
- Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
- ```
+1. Modify the policy to set additional policy rules:
-6. Add rules to allow windir and Program Files directories:
+ ```powershell
+ Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
+ Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
+ Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
+ ```
- ```powershell
- $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
- $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
- $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
- Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
- ```
+1. Add rules to allow windir and Program Files directories:
-7. If appropriate, add more signer or file rules to further customize the policy for your organization.
+ ```powershell
+ $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
+ $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
+ $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
+ Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
+ ```
-8. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+1. If appropriate, add more signer or file rules to further customize the policy for your organization.
- > [!NOTE]
- > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
+1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
- ```powershell
- $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
- ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
- ```
+ ```powershell
+ [xml]$policyXML = Get-Content $LamnaPolicy
+ $WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip"
+ ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
+ ```
-9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+1. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
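Review bot: The rewritten "Modify the policy to set additional policy rules" step no longer sets options 6 (Unsigned Policy), 16 (No Reboot) and 17 (Allow Supplemental) that the previous version set, yet the trade-offs section below still presents "Unsigned policies" and "Supplemental policies" as consequences of this policy, and an unsigned policy needs option 6 to load at all. Either state in the NOTE that `SmartAppControl.xml` already carries those options, or add them back to the `Set-RuleOption` block so the procedure and the trade-offs agree. Also, the `$PathRules += New-CIPolicyRule ...` lines depend on `$PathRules` being undefined on first use; add `$PathRules = @()` before them so re-running the step in the same session doesn't merge duplicate rules.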
@@ -141,41 +146,58 @@ At this point, Alice now has an initial policy that is ready to deploy in audit
In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
-- **Users with administrative access**
- By far the most impactful security trade-off, this trade-off allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+- **Users with administrative access**
+
+ By far the most impactful security trade-off, this trade-off allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+
+ Possible mitigations:
- Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
-- **Unsigned policies**
- Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
- Possible mitigations:
+- **Unsigned policies**
+
+ Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
+
+ Possible mitigations:
+
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Limit who can elevate to administrator on the device.
-- **Managed installer**
- See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
- Possible mitigations:
+- **Managed installer**
+
+ See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
+
+ Possible mitigations:
+
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Limit who can elevate to administrator on the device.
-- **Intelligent Security Graph (ISG)**
- See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
- Possible mitigations:
+- **Intelligent Security Graph (ISG)**
+
+ See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
+
+ Possible mitigations:
+
- Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **Supplemental policies**
- Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
- Possible mitigations:
+- **Supplemental policies**
+
+ Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
+
+ Possible mitigations:
+
- Use signed WDAC policies that allow authorized signed supplemental policies only.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **FilePath rules**
- See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
- Possible mitigations:
+- **FilePath rules**
+
+ See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
+
+ Possible mitigations:
+
- Limit who can elevate to administrator on the device.
- Migrate from filepath rules to managed installer or signature-based rules.
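Review bot: The "Users with administrative access" bullet is the only one of the six whose "Possible mitigations:" line is not followed by a blank line before its sub-list; every other bullet in this hunk gets one. Add the blank line there so all six nested lists render the same way (loose and tight list items are spaced differently by the Markdown renderer).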
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 92b8f73515..57d59d8e7d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -43,4 +43,4 @@ When you create policies for use with Windows Defender Application Control (WDAC
| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) |
| **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
-| **SmartAppControl.xml** | This example policy can be used to enable [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy does not allow modifying some settings. For more information, see [WDAC and Smart App Control](windows-defender-application-control.md#wdac-and-smart-app-control). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
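Review bot: "This policy does not allow modifying some settings" is vague and does not match the wording this same patch adds to windows-defender-application-control.md, which says the example includes settings that aren't supported for WDAC enterprise policies and identifies them by `WindowsLockdownPolicySettings`. Use that description here (and in the NOTE in create-wdac-policy-for-lightly-managed-devices.md) so readers know these settings must be removed from the policy before deployment, not merely that they can't be changed.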
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index a552764722..93d5a86698 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -46,15 +46,27 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
- **Windows Defender Application Control (WDAC)**; and
- **AppLocker**
-## In this section
+## WDAC and Smart App Control
-| Article | Description |
-| --- | --- |
-| [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
-| [WDAC and AppLocker Feature Availability](feature-availability.md) | This article lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
+Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](example-wdac-base-policies.md) is provided, which can be used as a starting point for [creating your own policy](create-wdac-policy-for-lightly-managed-devices.md).
+
+> [!NOTE]
+> The example policy includes some settings that aren't supported for WDAC enterprise policies. These settings can be identified by searching for `WindowsLockdownPolicySettings` in `SmartAppControl.xml`.
+
+Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or run [RefreshPolicy.exe](https://www.microsoft.com/download/details.aspx?id=102925) for the change to take effect.
+
+| Value | Description |
+|-------|-------------|
+| 0 | Off |
+| 1 | Enforce |
+| 2 | Evaluation |
+
+> [!IMPORTANT]
+> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
## Related articles
- [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
+- [WDAC operational guide](windows-defender-application-control-operational-guide.md)
- [AppLocker overview](applocker/applocker-overview.md)
\ No newline at end of file
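Review bot: The paragraph telling admins to set `VerifiedAndReputablePolicyState` "to one of the values listed below" presents 0 (Off) as just another choice, but the IMPORTANT callout after the table says turning Smart App Control off is permanent short of a reset or reinstall. Move that warning above the table or flag the 0 row as a one-way transition, so nobody discovers it after pushing the value fleet-wide. Separately, deleting the "In this section" table removes this page's only links to wdac-and-applocker-overview.md and feature-availability.md; add them to "Related articles" instead of dropping them. Also restore the trailing newline the file is still missing.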