deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 06:47:21 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Add topic and fix link capitalization error

Browse Source
This commit is contained in:
isbrahm 2019-11-21 16:07:28 -08:00 committed by GitHub
parent 6c67e7fd3d
commit c7d77bc9d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
View File

@ -2,6 +2,7 @@
title: Create a WDAC policy for fully-managed devices (Windows 10) title: Create a WDAC policy for fully-managed devices (Windows 10)
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
keywords: whitelisting, security, malware keywords: whitelisting, security, malware
ms.topic: allow-listing
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -61,7 +62,7 @@ Based on the above, Alice defines the pseudo-rules for the policy:
2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function 2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function
3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer) 3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer)
The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#Define-the-"circle-of-trust"-for-lightly-managed-devices) are: The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are:
- Removal of the Intelligent Security Graph (ISG) option; and - Removal of the Intelligent Security Graph (ISG) option; and
- Removal of filepath rules. - Removal of filepath rules.
@ -147,7 +148,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra
Possible mitigations: Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- **Managed installer**<br> - **Managed installer**<br>
See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer) See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
Existing mitigations applied: Existing mitigations applied:
- Limit who can elevate to administrator on the device. - Limit who can elevate to administrator on the device.