implement suggested changes

This commit is contained in:
Vinay Pamnani 2022-08-11 15:38:33 -04:00
parent 535ef35919
commit c0f09e79fc
4 changed files with 114 additions and 82 deletions

View File

@ -54,8 +54,6 @@
href: create-initial-default-policy.md href: create-initial-default-policy.md
- name: Create a WDAC deny list policy - name: Create a WDAC deny list policy
href: create-wdac-deny-policy.md href: create-wdac-deny-policy.md
- name: Create a WDAC policy for Smart App Control
href: create-wdac-policy-smart-app-control.md
- name: Microsoft recommended block rules - name: Microsoft recommended block rules
href: microsoft-recommended-block-rules.md href: microsoft-recommended-block-rules.md
- name: Microsoft recommended driver block rules - name: Microsoft recommended driver block rules

View File

@ -13,9 +13,9 @@ audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
author: jsuther1974 author: jsuther1974
ms.reviewer: isbrahm ms.reviewer: isbrahm
ms.author: dansimp ms.author: vinpa
manager: dansimp manager: aaroncz
ms.date: 11/15/2019 ms.date: 08/10/2022
ms.technology: windows-sec ms.technology: windows-sec
--- ---
@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:** **Applies to:**
- Windows 10 - Windows 10
- Windows 11 - Windows 11
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@ -58,82 +58,87 @@ Based on the above, Alice defines the pseudo-rules for the policy:
- WHQL (third-party kernel drivers) - WHQL (third-party kernel drivers)
- Windows Store signed apps - Windows Store signed apps
2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function. 1. **"MEMCM works”** rules that include:
3. **Allow Managed Installer** (Configuration Manager configured as a managed installer) - Signer and hash rules for Configuration Manager components to properly function.
4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization) - **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer.
5. **Admin-only path rules** for the following locations:
1. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
1. **Admin-only path rules** for the following locations:
- C:\Program Files\* - C:\Program Files\*
- C:\Program Files (x86)\* - C:\Program Files (x86)\*
- %windir%\* - %windir%\*
## Create a custom base policy using an example WDAC base policy ## Create a custom base policy using an example WDAC base policy
Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use the example `SmartAppControl.xml` to create the initial base policy and then customize it to meet Lamna's needs.
Alice follows these steps to complete this task: Alice follows these steps to complete this task:
> [!NOTE] > [!NOTE]
> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy. >
> - `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy does not allow modifying some settings. For more information, see [WDAC and Smart App Control](windows-defender-application-control.md#wdac-and-smart-app-control)
> - If you prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md), substitute the example policy path with your preferred base policy in step 1.
> - If you do not use Configuration Manager, skip step 4.
1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11. 1. On a client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: ```powershell
$PolicyPath = $env:userprofile+"\Desktop\"
$PolicyName= "Lamna_LightlyManagedClients_Audit"
$LamnaPolicy=Join-Path $PolicyPath "$PolicyName.xml"
$ExamplePolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml"
```
```powershell 1. Copy the example policy to the desktop:
$PolicyName= "Lamna_LightlyManagedClients_Audit"
$LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
$MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
```
3. Copy the policy created by Configuration Manager to the desktop: ```powershell
cp $ExamplePolicy $LamnaPolicy
```
```powershell 1. Give the new policy a unique ID, descriptive name, and initial version number:
cp $MEMCMPolicy $LamnaPolicy
```
4. Give the new policy a unique ID, descriptive name, and initial version number: ```powershell
Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
```
```powershell 1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to the client device running Windows 10 version 1903 and above, or Windows 11. Merge the Configuration Manager policy with the example policy.
Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
```
5. Modify the copied policy to set policy rules: ```powershell
$MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$MEMCMPolicy
Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
```
```powershell 1. Modify the policy to set additional policy rules:
Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG
Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
```
6. Add rules to allow windir and Program Files directories: ```powershell
Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
```
```powershell 1. Add rules to allow windir and Program Files directories:
$PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
```
7. If appropriate, add more signer or file rules to further customize the policy for your organization. ```powershell
$PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
```
8. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: 1. If appropriate, add more signer or file rules to further customize the policy for your organization.
> [!NOTE] 1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
> In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
```powershell ```powershell
$WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin" [xml]$policyXML = Get-Content $LamnaPolicy
ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin $WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip"
``` ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
```
9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). 1. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna. At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
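Review bot: the rewritten "set additional policy rules" step drops `Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG` (along with options 6, 9, 16 and 17) while the pseudo-rule list earlier in this hunk still names "Allow Intelligent Security Graph (ISG)" as one of the policy's rules; either state in that step that `SmartAppControl.xml` already carries the ISG option (the note only says the example "does not allow modifying some settings"), or keep the Option 14 line so the commands still produce the rules the scenario describes. Two smaller points in the same hunk: the "Add rules to allow windir and Program Files directories" block appends to `$PathRules` without first initializing it, so `$PathRules = @()` ahead of the `New-CIPolicyRule` lines would make the snippet self-contained when pasted into a fresh session; and since the note tells non-Configuration-Manager readers to skip step 4, it is worth saying there that skipping it also leaves out the "MEMCM works" and managed-installer rules (Option 13 is now set only inside step 4).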
@ -141,41 +146,58 @@ At this point, Alice now has an initial policy that is ready to deploy in audit
In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include: In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
- **Users with administrative access**<br> - **Users with administrative access**
By far the most impactful security trade-off, this trade-off allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
By far the most impactful security trade-off, this trade-off allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
Possible mitigations:
Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources. - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
- **Unsigned policies**<br>
Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
Possible mitigations: - **Unsigned policies**
Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Limit who can elevate to administrator on the device. - Limit who can elevate to administrator on the device.
- **Managed installer**<br>
See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
Possible mitigations: - **Managed installer**
See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
Possible mitigations:
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Limit who can elevate to administrator on the device. - Limit who can elevate to administrator on the device.
- **Intelligent Security Graph (ISG)**<br>
See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
Possible mitigations: - **Intelligent Security Graph (ISG)**
See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
Possible mitigations:
- Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules. - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
- **Supplemental policies**<br>
Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
Possible mitigations: - **Supplemental policies**
Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
Possible mitigations:
- Use signed WDAC policies that allow authorized signed supplemental policies only. - Use signed WDAC policies that allow authorized signed supplemental policies only.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
- **FilePath rules**<br>
See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
Possible mitigations: - **FilePath rules**
See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
Possible mitigations:
- Limit who can elevate to administrator on the device. - Limit who can elevate to administrator on the device.
- Migrate from filepath rules to managed installer or signature-based rules. - Migrate from filepath rules to managed installer or signature-based rules.
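Review bot: replacing the `<br>` after each bold heading with a plain line break only renders as a new line if the description and the "Possible mitigations:" line are indented as continuation paragraphs of the bullet; verify in the rendered page that each description stays inside its bullet and that the nested mitigation lists still attach to their parent item, otherwise the descriptions will run into the headings and the sub-lists will escape to top level.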

View File

@ -43,4 +43,4 @@ When you create policies for use with Windows Defender Application Control (WDAC
| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | | **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) | | **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) |
| **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | | **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
| **SmartAppControl.xml** | This example policy can be used to enable [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | | **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy does not allow modifying some settings. For more information, see [WDAC and Smart App Control](windows-defender-application-control.md#wdac-and-smart-app-control). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
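Review bot: the new SmartAppControl.xml row says "This policy does not allow modifying some settings" without saying which; the overview change in this same commit identifies them as the `WindowsLockdownPolicySettings` entries in the XML, so naming that here (and in the step 1 note of the lightly managed guide) tells the reader what to search for before customizing the example.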

View File

@ -46,15 +46,27 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
- **Windows Defender Application Control (WDAC)**; and - **Windows Defender Application Control (WDAC)**; and
- **AppLocker** - **AppLocker**
## In this section ## WDAC and Smart App Control
| Article | Description | Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](example-wdac-base-policies.md) is provided, which can be used as a starting point for [creating your own policy](create-wdac-policy-for-lightly-managed-devices.md).
| --- | --- |
| [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. | > [!NOTE]
| [WDAC and AppLocker Feature Availability](feature-availability.md) | This article lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. | > The example policy includes some settings that aren't supported for WDAC enterprise policies. These settings can be identified by searching for `WindowsLockdownPolicySettings` in `SmartAppControl.xml`.
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or run [RefreshPolicy.exe](https://www.microsoft.com/download/details.aspx?id=102925) for the change to take effect.
| Value | Description |
|-------|-------------|
| 0 | Off |
| 1 | Enforce |
| 2 | Evaluation |
> [!IMPORTANT]
> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
## Related articles ## Related articles
- [WDAC design guide](windows-defender-application-control-design-guide.md) - [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md) - [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
- [WDAC operational guide](windows-defender-application-control-operational-guide.md)
- [AppLocker overview](applocker/applocker-overview.md) - [AppLocker overview](applocker/applocker-overview.md)
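Review bot: the IMPORTANT note that Smart App Control cannot be turned back on without resetting or reinstalling Windows comes after the table that lists `0 | Off` as a value to set; move that warning ahead of the registry instructions so an administrator reads it before writing `VerifiedAndReputablePolicyState`. Also, removing the "In this section" table drops this page's links to `wdac-and-applocker-overview.md` and `feature-availability.md`, and the new "Related articles" list does not pick them up; add them there unless they are reachable from the TOC change elsewhere in this commit.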