-Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. -If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +> [!TIP] +> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. + +When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: +- Prevent installation of devices that match any of these device instance IDs + +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. + +> [!NOTE] +> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. + +Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). + +If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -315,20 +342,30 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. > [!TIP] -> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. -If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: -This setting allows device installation based on the serial number of a removable device if that number is in the hardware ID. +- Prevent installation of devices for these device classes +- Prevent installation of devices that match these device IDs +- Prevent installation of devices that match any of these device instance IDs + +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. + +> [!NOTE] +> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. + +Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). + +If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. - > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -394,6 +431,133 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
+ +## DeviceInstallation/EnableInstallationPolicyLayering + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + 5 |
+
| Business | +5 |
+
| Enterprise | +5 |
+
| Education | +5 |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +Added in Windows 10, Version 2106 +
+ + + +This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows: + +Device instance IDs > Device IDs > Device setup class > Removable devices + +**Device instance IDs** +- Prevent installation of devices using drivers that match these device instance IDs. +- Allow installation of devices using drivers that match these device instance IDs. + +**Device IDs** +- Prevent installation of devices using drivers that match these device IDs. +- Allow installation of devices using drivers that match these device IDs. + +**Device setup class** +- Prevent installation of devices using drivers that match these device setup classes. +- Allow installation of devices using drivers that match these device setup classes. + +**Removable devices** +- Prevent installation of removable devices. + +> [!NOTE] +> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. + +If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria* +- GP name: *DeviceInstall_Allow_Deny_Layered* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + + + +```xml +
+ ## DeviceInstallation/PreventDeviceMetadataFromNetwork @@ -519,9 +683,12 @@ ADMX Info: This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. -If you enable this policy setting, Windows is prevented from installing or updating the device driver for any device that is not described by either the "Allow installation of devices that match any of these device IDs" or the "Allow installation of devices for these device classes" policy setting. +> [!NOTE] +> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting. -If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting. +If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting. + +If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. > [!TIP] @@ -629,7 +796,10 @@ You can also block installation by using a custom profile in Intune. -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. + +> [!NOTE] +> To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. @@ -873,9 +1043,12 @@ with -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. -If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +> [!NOTE] +> To enable the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. + +If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3615cb2e3f..61558a2ca2 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -736,13 +736,24 @@ The following list shows the supported values for Windows 8.1: --> -In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10: -- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. +In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. + +The following list shows the supported values for Windows 10 version 1809 and older: + +- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. - 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data. - 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data. - 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices. +Most restricted value is 0. + +The following list shows the supported values for Windows 10 version 19H1 and later: + +- **Diagnostic data off** - No Windows diagnostic data sent. +- **Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. +- **Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. + - -> [!IMPORTANT] -> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. - - -Most restricted value is 0. - ADMX Info: @@ -1607,10 +1611,12 @@ This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior, you must complete two steps: -
-
-
- Enable this policy setting -
- Set Allow Telemetry to level 2 (Enhanced) -
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file +[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 475d3b84c6..72bcfc72c9 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -36,7 +36,7 @@ The features described below are no longer being actively developed, and might b | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | | Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 | -| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 | +| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 | | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 | | Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 | | Windows To Go | Windows To Go is no longer being developed.
The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 | @@ -70,4 +70,4 @@ The features described below are no longer being actively developed, and might b |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 | |TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 | |IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 | -|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.| \ No newline at end of file +|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.| diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 71af1da585..1454fe92ed 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -26,9 +26,13 @@ With Windows 10, you can quickly upgrade from one edition of Windows 10 to ano For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). -The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. +The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. -Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager. +> [!NOTE] +> The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. + +> [!TIP] +> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager.  (X) = not supported  (green checkmark) = supported, reboot required @@ -39,7 +43,7 @@ X = unsupported
✔ (green) = supported; reboot required
✔ (blue) = supported; no reboot required -|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise | +|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile | |-------|-----------|-----------------|----------------|-----------------|----------------|--------| | Using mobile device management (MDM) | | | | | | | | Using a provisioning package | | | | | | | @@ -63,7 +67,6 @@ X = unsupported
| **Pro for Workstations > Enterprise** |  |  |  | 
(1703 - PC)
(1709 - MSfB) |  |  | | **Pro Education > Education** |  |  |  | 
(MSfB) |  |  | | **Enterprise > Education** |  |  |  | 
(MSfB) |  |  | -| **Mobile > Mobile Enterprise** |  | |  |  |  |  | > [!NOTE] > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) @@ -84,7 +87,7 @@ Use Windows Configuration Designer to create a provisioning package to upgrade a - To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. For more info about Windows Configuration Designer, see these topics: -- [Create a provisioining package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) +- [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) - [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) @@ -122,7 +125,8 @@ If you do not have a product key, you can upgrade your edition of Windows 10 th 3. Follow the on-screen instructions. - **Note**
If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). + > [!NOTE] + > If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). ## License expiration @@ -130,7 +134,8 @@ Volume license customers whose license has expired will need to change the editi Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. -Note: If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. +> [!NOTE] +> If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. ### Scenario example @@ -150,21 +155,21 @@ You can move directly from Enterprise to any valid destination edition. In this
| Destination edition | +Destination edition | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| - | - | Home | -Pro | -Pro for Workstations | -Pro Education | -Education | -Enterprise LTSC | -Enterprise | ++ | + | Home | +Pro | +Pro for Workstations | +Pro Education | +Education | +Enterprise LTSC | +Enterprise | |||||||||||||||||||||
| Starting edition | +Starting edition | |||||||||||||||||||||||||||||||||||||
| Home | diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 57994ce79b..b0a3dcf6d5 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -43,17 +43,17 @@ D = Edition downgrade; personal data is maintained, applications and settings ar||||||||||||||||||||||||||||||||||||||
| - | - | Windows 10 Home | -Windows 10 Pro | -Windows 10 Pro Education | -Windows 10 Education | -Windows 10 Enterprise | -Windows 10 Mobile | -Windows 10 Mobile Enterprise | ++ | Windows 10 Home | +Windows 10 Pro | +Windows 10 Pro Education | +Windows 10 Education | +Windows 10 Enterprise | +Windows 10 Mobile | +Windows 10 Mobile Enterprise |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Windows 7 | +Windows 7 | |||||||||||||||
| Starter | @@ -116,7 +116,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar||||||||||||||||
| Windows 8.1 | +Windows 8.1 | |||||||||||||||
| (Core) | @@ -209,7 +209,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar✔ | |||||||||||||||
| Windows 10 | +Windows 10 | |||||||||||||||
| Home | @@ -261,17 +261,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar✔ | |||||||||||||||
| Mobile Enterprise | -- | - | - | - | - | D | -- |
REG_DWORD: MSCompatibilityMode
Value: **0**| -For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](/microsoft-edge/deploy/available-policies). +### 13.2 Microsoft Edge Enterprise + +> [!Important] +> - The following settings are applicable to Microsoft Edge version 77 or later. +> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). +> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). +> - Devices must be domain joined for some of the policies to take effect. + +| Policy | Group Policy Path | Registry Path | +|----------------------------------|--------------------|---------------------------------------------| +| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: SearchSuggestEnabled Set to 0** | +| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: AutofillAddressEnabled Set to 0** | +| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: AutofillCreditCardEnabled Set to 0** | +| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Enabled**| **REG_DWORD name: ConfigureDoNotTrack Set to 1** | +| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: PasswordManagerEnabled Set to 0** | +| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: DefaultSearchProviderEnabled Set to 0** | +| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Enabled**| **REG_DWORD name: HideFirstRunExperience Set to 1** | +| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: SmartScreenEnabled Set to 0** | +| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Enabled-Value “about:blank”**| **REG_SZ name: NewTabPageLocation Set to about:blank** | +| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: RestoreOnStartup Set to 5** | +| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs | +| | **Set to Disabled**| **REG_SZ name: 1 Set to about:blank** | +| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | +| | **Set to Enabled - 'Updates disabled'**| **REG_DWORD name: UpdateDefault Set to 0** | +| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | +| | **Set to Enabled - Set Value for Minutes between update checks to 0**| **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0** | +| **Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | +| | **Set to RestrictedMode**| **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0** | +||| ### 14. Network Connection Status Indicator diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 6424a91e8b..bab9c21e3e 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -94,6 +94,9 @@ To find the PCR information, go to the end of the file. ## Use PCPTool to decode Measured Boot logs +> [!NOTE] +> PCPTool is a Visual Studio solution, but you need to build the executable before you can start using this tool. + PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file. To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. @@ -111,4 +114,4 @@ where the variables represent the following values: The content of the XML file resembles the following. - \ No newline at end of file + diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 208da5965e..593984f0dc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 05/06/2021 +ms.date: 05/24/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -27,7 +27,7 @@ Application Guard uses both network isolation and application-specific settings. ## Network isolation settings -These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. +These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. > [!NOTE] > You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy. @@ -48,11 +48,11 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |`..contoso.com`|2|Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include `shop.contoso.com`, `us.shop.contoso.com`, `www.us.shop.contoso.com`, but NOT `contoso.com` itself.| ## Application-specific settings -These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard**, can help you to manage your company's implementation of Application Guard. +These settings, located at `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard`, can help you to manage your company's implementation of Application Guard. |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
-Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| |Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.
**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.
**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
@@ -61,6 +61,3 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| -|Allow users to trust files that open in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.
**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Microsoft Defender Application Guard.| -|Allow extensions in the container|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use extensions.|**Enabled.** Favorites are able to sync from the host browser to the container. Note that this doesn’t work the other way around. The favorites sync to the user’s work profile by default.
**Disabled.** Users are not able to access their favorites from within the Application Guard container.| -|Allow favorites sync|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether favorites can be accessible from Application Guard container.|**Enabled.** Favorites are able to sync from the host browser to the container, but it doesn’t work the other way around. The favorites sync to the user’s work profile by default.
**Disabled.** Users are not able to access their favorites from within the Application Guard container.
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 3662667af2..2a578d07ab 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -28,13 +28,13 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- - Windows 10 Version 20H2 (October 2020 Update)
- - Windows 10 Version 2004 (May 2020 Update)
- - Windows 10 Version 1909 (November 2019 Update)
- - Windows 10 Version 1809 (October 2018 Update)
- - Windows 10 Version 1803 (April 2018 Update)
- - Windows 10 Version 1607 (Anniversary Update)
- - Windows 10 Version 1507
+ - Windows 10, Version 21H1 (May 2021 Update)
+ - Windows 10, Version 20H2 (October 2020 Update)
+ - Windows 10, Version 2004 (May 2020 Update)
+ - Windows 10, Version 1909 (November 2019 Update)
+ - Windows 10, Version 1809 (October 2018 Update)
+ - Windows 10, Version 1607 (Anniversary Update)
+ - Windows 10, Version 1507
- Windows Server security baselines
- Windows Server 2019
@@ -42,7 +42,7 @@ The Security Compliance Toolkit consists of:
- Windows Server 2012 R2
- Microsoft Office security baseline
- - Microsoft 365 Apps for enterprise (Sept 2019)
+ - Microsoft 365 Apps for enterprise, Version 2104
- Microsoft Edge security baseline
- Version 88
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index eaf0d1aa66..2a9d13497a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -21,9 +21,7 @@
href: select-types-of-rules-to-create.md
items:
- name: Allow apps installed by a managed installer
- href: use-windows-defender-application-control-with-managed-installer.md
- - name: Configure managed installer rules
- href: configure-wdac-managed-installer.md
+ href: configure-authorized-apps-deployed-with-a-managed-installer.md
- name: Allow reputable apps with Intelligent Security Graph (ISG)
href: use-windows-defender-application-control-with-intelligent-security-graph.md
- name: Allow COM object registration
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index b7dcbcddd8..29d54546be 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -83,7 +83,7 @@ The following are examples of scenarios in which AppLocker can be used:
- In addition to other measures, you need to control the access to sensitive data through app usage.
> [!NOTE]
-> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
+> AppLocker is a defense-in-depth security feature and not a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
@@ -143,4 +143,3 @@ For reference in your security planning, the following table identifies the base
| [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
| [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. |
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
new file mode 100644
index 0000000000..b33cace078
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
@@ -0,0 +1,162 @@
+---
+title: Use audit events to create then enforce WDAC policy rules (Windows 10)
+description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: jogeurte
+ms.reviewer: v-kikl
+ms.author: dansimp
+manager: dansimp
+ms.date: 05/03/2021
+ms.technology: mde
+---
+
+# Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
+
+Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
+
+While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed.
+
+## Overview of the process to create WDAC policy to allow apps using audit events
+
+> [!NOTE]
+> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md).
+
+To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy.
+
+1. Install and run an application not allowed by the WDAC policy but that you want to allow.
+
+2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).
+
+ **Figure 1. Exceptions to the deployed WDAC policy**
+
+ 
+
+3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
+
+ ```powershell
+ $PolicyName= "Lamna_FullyManagedClients_Audit"
+ $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
+ $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml"
+ $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt"
+ ```
+
+4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**.
+
+ ```powershell
+ New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
+ ```
+
+ > [!NOTE]
+ > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md).
+
+5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)).
+
+6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level.
+
+ > [!NOTE]
+ > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**.
+
+7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy.
+
+ For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md).
+
+8. Convert the Base or Supplemental policy to binary and deploy using your preferred method.
+
+## Convert WDAC **BASE** policy from audit to enforced
+
+As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+
+**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout.
+
+Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode.
+
+1. Initialize the variables that will be used and create the enforced policy by copying the audit version.
+
+ ```powershell
+ $EnforcedPolicyName = "Lamna_FullyManagedClients_Enforced"
+ $AuditPolicyXML = $env:USERPROFILE+"\Desktop\Lamna_FullyManagedClients_Audit.xml"
+ $EnforcedPolicyXML = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+".xml"
+ cp $AuditPolicyXML $EnforcedPolicyXML
+ ```
+
+2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step.
+
+ ```powershell
+ $EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID
+ $EnforcedPolicyID = $EnforcedPolicyID.Substring(11)
+ ```
+
+ > [!NOTE]
+ > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
+
+3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment.
+
+ ```powershell
+ Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9
+ Set-RuleOption -FilePath $EnforcedPolicyXML -Option 10
+ ```
+
+4. Use Set-RuleOption to delete the audit mode rule option, which changes the policy to enforcement:
+
+ ```powershell
+ Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete
+ ```
+
+5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary:
+
+ > [!NOTE]
+ > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML.
+
+ ```powershell
+ $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml"
+ ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary
+ ```
+
+## Make copies of any needed **supplemental** policies to use with the enforced base policy
+
+Since the enforced policy was given a unique PolicyID in the previous procedure, you need to duplicate any needed supplemental policies to use with the enforced policy. Supplemental policies always inherit the Audit or Enforcement mode from the base policy they modify. If you didn't reset the enforcement base policy's PolicyID, you can skip this procedure.
+
+1. Initialize the variables that will be used and create a copy of the current supplemental policy. Some variables and files from the previous procedure will also be used.
+
+ ```powershell
+ $SupplementalPolicyName = "Lamna_Supplemental1"
+ $CurrentSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Audit.xml"
+ $EnforcedSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Enforced.xml"
+ ```
+
+2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new supplemental policy a unique ID and descriptive name, and change which base policy to supplement.
+
+ ```powershell
+ $SupplementalPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy -PolicyName $SupplementalPolicyName -SupplementsBasePolicyID $EnforcedPolicyID -BasePolicyToSupplementPath $EnforcedPolicyXML -ResetPolicyID
+ $SupplementalPolicyID = $SupplementalPolicyID.Substring(11)
+ ```
+
+ > [!NOTE]
+ > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
+
+3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC supplemental policy to binary:
+
+ ```powershell
+ $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml"
+ ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary
+ ```
+
+4. Repeat the steps above if you have other supplemental policies to update.
+
+## Deploy your enforced policy and supplemental policies
+
+Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
new file mode 100644
index 0000000000..6612e9fbf7
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -0,0 +1,194 @@
+---
+title: Configure authorized apps deployed with a WDAC managed installer (Windows 10)
+description: Explains how to configure a custom Manged Installer.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 08/14/2020
+ms.technology: mde
+---
+
+# Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2019
+
+Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called managed installer, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager.
+
+## How does a managed installer work?
+
+A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these binaries runs, Windows will monitor the binary's process (and processes it launches) then tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM.
+
+Having defined your managed installers using AppLocker, you can then configure WDAC to trust files installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. Once that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin.
+
+You should ensure that the WDAC policy allows the system/boot components and any other authorized applications that can't be deployed through a managed installer.
+
+## Security considerations with managed installer
+
+Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do.
+It is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM).
+
+Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed.
+
+If a managed installer process runs in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control.
+
+Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. To avoid that outcome, ensure that the application deployment solution used as a managed installer limits running applications as part of installation.
+
+## Known limitations with managed installer
+
+- Application control, based on managed installer, does not support applications that self-update. If an application deployed by a managed installer later updates itself, the updated application files won't include the managed installer origin information, and may not be able to run. When you rely on managed installers, you must deploy and install all application updates using a managed installer, or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method.
+
+- [Packaged apps (MSIX)](/windows/msix/) deployed through a managed installer aren't tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md).
+
+- Some applications or installers may extract, download, or generate binaries and immediately attempt to run them. Files run by such a process may not be allowed by the managed installer heuristic. In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. Proper review for functionality and security should be performed for the application before using this method.
+
+- The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run.
+
+## Configuring the managed installer
+
+Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy, with specific rules and options enabled.
+There are three primary steps to keep in mind:
+
+- Specify managed installers, by using the Managed Installer rule collection in AppLocker policy.
+- Enable service enforcement in AppLocker policy.
+- Enable the managed installer option in a WDAC policy.
+
+## Specify managed installers using the Managed Installer rule collection in AppLocker policy
+
+The identity of the managed installer executable(s) is specified in an AppLocker policy, in a Managed Installer rule collection.
+
+### Create Managed Installer rule collection
+
+Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the simple changes needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
+
+1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability.
+
+ ```powershell
+ Get-ChildItem
- See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
+ See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
Existing mitigations applied:
- Limit who can elevate to administrator on the device.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 08e82cbe13..c4dabcde4c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -155,7 +155,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Limit who can elevate to administrator on the device.
- **Managed installer**
- See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
+ See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
Possible mitigations:
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
index 3aed014401..a0308dfadc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@@ -52,6 +52,20 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
& $RefreshPolicyTool
```
+### Deploying signed policies
+
+In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](deploy-windows-defender-application-control-policies-using-intune.md) or the [Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP) will handle this step automatically.
+
+1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt:
+```powershell
+mountvol J: /S
+J:
+mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active
+```
+
+2. Copy the signed policy binary as `{PolicyGUID}.cip` to J:\EFI\Microsoft\Boot\CiPolicies\Active
+3. Reboot the system.
+
## Script-based deployment process for Windows 10 versions earlier than 1903
1. Initialize the variables to be used by the script.
diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
index 784baf06c2..6c3b04eb5a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
@@ -52,8 +52,6 @@ Alice previously created and deployed a policy for the organization's [fully man
$EnforcedPolicyID = $EnforcedPolicyID.Substring(11)
```
- > [!NOTE]
- > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment.
@@ -74,7 +72,7 @@ Alice previously created and deployed a policy for the organization's [fully man
> If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML.
```powershell
- $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml"
+ $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyID+".cip"
ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary
```
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index b464707f61..e0c8044cf1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -22,33 +22,33 @@ ms.technology: mde
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
- - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
+- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational
- - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script
## Microsoft Windows CodeIntegrity Operational log event IDs
| Event ID | Explanation |
-|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|---|----------|
| 3076 | Audit executable/dll file |
| 3077 | Block executable/dll file |
-| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
+| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
| 3099 | Indicates that a policy has been loaded |
## Microsoft Windows Applocker MSI and Script log event IDs
| Event ID | Explanation |
-|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|---|----------|
| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. |
| 8029 | Block script/MSI file |
| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | |
## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
-If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
+If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
| Event ID | Explanation |
-|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|---|----------|
| 3090 | Allow executable/dll file |
| 3091 | Audit executable/dll file |
| 3092 | Block executable/dll file |
@@ -60,7 +60,7 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t
Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates.
| Name | Explanation |
-|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|---|----------|
| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
| ManagedInstallerEnabled | Policy trusts a MI |
| PassesManagedInstaller | File originated from a trusted MI |
@@ -75,7 +75,7 @@ In order to enable 3091 audit events and 3092 block events, you must create a Te
```powershell
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100
```
-
+
In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command:
```powershell
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
index 6ee1d70486..76084853c5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
@@ -27,13 +27,14 @@ Windows Defender Application Control (WDAC) events include a number of fields wh
Represents the type of signature which verified the image.
| SignatureType Value | Explanation |
-|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|---|----------|
| 0 | Unsigned or verification has not been attempted |
| 1 | Embedded signature |
| 2 | Cached signature; presence of CI EA shows that file had been previously verified |
+| 3 | Cached catalog verified via Catalog Database or searching catalog directly |
| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly |
| 5 | Successfully verified using an EA that informs CI which catalog to try first |
-|6 | AppX / MSIX package catalog verified |
+| 6 | AppX / MSIX package catalog verified |
| 7 | File was verified |
## ValidatedSigningLevel
@@ -41,7 +42,7 @@ Represents the type of signature which verified the image.
Represents the signature level at which the code was verified.
| ValidatedSigningLevel Value | Explanation |
-|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|---|----------|
| 0 | Signing level has not yet been checked |
| 1 | File is unsigned |
| 2 | Trusted by WDAC policy |
@@ -60,16 +61,22 @@ Represents the signature level at which the code was verified.
Represents why verification failed, or if it succeeded.
| VerificationError Value | Explanation |
-|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|---|----------|
| 0 | Successfully verified signature |
+| 1 | File has an invalid hash |
| 2 | File contains shared writable sections |
+| 3 | File is not signed|
| 4 | Revoked signature |
| 5 | Expired signature |
+| 6 | File is signed using a weak hashing algorithm which does not meet the minimum policy |
| 7 | Invalid root certificate |
| 8 | Signature was unable to be validated; generic error |
| 9 | Signing time not trusted |
+| 10 | The file must be signed using page hashes for this scenario |
+| 11 | Page hash mismatch |
| 12 | Not valid for a PPL (Protected Process Light) |
| 13 | Not valid for a PP (Protected Process) |
+| 14 | The signature is missing the required ARM EKU |
| 15 | Failed WHQL check |
| 16 | Default policy signing level not met |
| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs |
@@ -80,5 +87,35 @@ Represents why verification failed, or if it succeeded.
| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet |
| 23 | Invalid image hash |
| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS |
+| 25 | Anti-cheat policy violation |
| 26 | Explicitly denied by WADC policy |
+| 27 | The signing chain appears to be tampered/invalid |
| 28 | Resource page hash mismatch |
+
+## Microsoft Root CAs trusted by Windows
+
+The rule means trust anything signed by a certificate that chains to this root CA.
+| Root ID | Root Name |
+|---|----------|
+| 0| None |
+| 1| Unknown |
+| 2 | Self-Signed |
+| 3 | Authenticode |
+| 4 | Microsoft Product Root 1997 |
+| 5 | Microsoft Product Root 2001 |
+| 6 | Microsoft Product Root 2010 |
+| 7 | Microsoft Standard Root 2011 |
+| 8 | Microsoft Code Verification Root 2006 |
+| 9 | Microsoft Test Root 1999 |
+| 10 | Microsoft Test Root 2010 |
+| 11 | Microsoft DMD Test Root 2005 |
+| 12 | Microsoft DMDRoot 2005 |
+| 13 | Microsoft DMD Preview Root 2005 |
+| 14 | Microsoft Flight Root 2014 |
+| 15 | Microsoft Third Party Marketplace Root |
+| 16 | Microsoft ECC Testing Root CA 2017 |
+| 17 | Microsoft ECC Development Root CA 2018 |
+| 18 | Microsoft ECC Product Root CA 2018 |
+| 19 | Microsoft ECC Devices Root CA 2017 |
+
+For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 3f411ffb3e..16dd454c61 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -34,7 +34,7 @@ ms.technology: mde
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
| Kernel mode policies | Available on all Windows 10 versions | Not available |
| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
-| Managed Installer (MI) | [Available on 1703+](./use-windows-defender-application-control-with-managed-installer.md) | Not available |
+| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available |
| Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available |
| Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available |
| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 7924b31d89..a9cd8c8585 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -59,7 +59,7 @@ In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/con
### Policy rule updates
-As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](use-windows-defender-application-control-with-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates.
+As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates.
## WDAC event management
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 1314fa6e21..add268e0ee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -63,7 +63,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. |
-| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md) |
+| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.|
@@ -126,6 +126,19 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
+## More information about hashes
+
+### Why does scan create four hash rules per XML file?
+
+The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
+During validation CI will choose which hashes to calculate depending on how the file is signed. For example, if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash.
+
+In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
+
+### Why does scan create eight hash rules for certain XML files?
+
+Separate rules are created for UMCI and KMCI. In some cases, files which are purely user-mode or purely kernel-mode may still generate both sets, as CI cannot always precisely determine what is purely user vs. kernel mode and errs on the side of caution.
+
## Windows Defender Application Control filename rules
File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 9443134723..9bd69f5bee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -58,7 +58,7 @@ Organizations with well-defined, centrally-managed app management and deployment
| Possible answers | Design considerations|
| - | - |
-| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](use-windows-defender-application-control-with-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
+| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
| Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. |
| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
| Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index a654d57870..498c736696 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -37,7 +37,7 @@ Before signing WDAC policies for the first time, be sure to enable rule options
To sign a WDAC policy with SignTool.exe, you need the following components:
-- SignTool.exe, found in the Windows SDK (Windows 7 or later)
+- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later)
- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you have created
@@ -47,26 +47,29 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
1. Initialize the variables that will be used:
- `$CIPolicyPath=$env:userprofile+"\Desktop\"`
-
- `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
-
- `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
+ ```powershell
+ $CIPolicyPath=$env:userprofile+"\Desktop\"
+ $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
+ ```
> [!NOTE]
- > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
+ > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** variable with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
4. Navigate to your desktop as the working directory:
-
- `cd $env:USERPROFILE\Desktop`
+
+ ```powershell
+ cd $env:USERPROFILE\Desktop
+ ```
5. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
- `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath