deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 20:33:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'release-win11-24h2' of https://github.com/MicrosoftDocs/windows-docs-pr into 24h2-wn-8631988

Browse Source
This commit is contained in:
Meghan Stewart
2024-09-26 09:24:00 -07:00
parent d01caf201f b35275cc2f
commit c82910b9cb
266 changed files with 5572 additions and 4850 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -11,9 +11,9 @@ ms.date: 01/31/2024
<!-- ApplicationControl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
App Control for Business policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/application-security/application-control/app-control-for-business/design/deploy-multiple-appcontrol-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
Existing App Control for Business policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although App Control policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
<!-- ApplicationControl-Editable-End -->
<!-- ApplicationControl-Tree-Begin -->
@ -861,7 +861,7 @@ The following table provides the result of this policy based on different values
## Microsoft Intune Usage Guidance
For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy App Control for Business policies by using Microsoft Intune](/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune).
## Generic MDM Server Usage Guidance
@ -1014,7 +1014,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Co
### Setup for using the WMI Bridge
1. Convert your WDAC policy to Base64.
1. Convert your App Control policy to Base64.
2. Open PowerShell in Local System context (through PSExec or something similar).
3. Use WMI Interface:

2
windows/client-management/mdm/policy-csp-admx-deviceguard.md
View File

@ -14,7 +14,7 @@ ms.date: 08/06/2024
<!-- ADMX_DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!WARNING]
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
> Group Policy-based deployment of App Control for Business policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
<!-- ADMX_DeviceGuard-Editable-End -->
<!-- ConfigCIPolicy-Begin -->

28
windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md Normal file
View File

@ -0,0 +1,28 @@
---
author: tiaraquan
ms.author: tiaraquan
manager: aaroncz
ms.service: windows-client
ms.subservice: autopatch
ms.topic: include
ms.date: 09/24/2024
ms.localizationpriority: medium
---
<!--This file is shared by windows-autopatch-driver-and-firmware-programmatic-controls.md, windows-autopatch-windows-quality-update-programmatic-controls.md, and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->
You must have access to the following endpoints:
[Windows Update endpoints](/windows/privacy/manage-windows-1809-endpoints#windows-update)
- *.prod.do.dsp.mp.microsoft.com
- *.windowsupdate.com
- *.dl.delivery.mp.microsoft.com
- *.update.microsoft.com
- *.delivery.mp.microsoft.com
- tsfe.trafficshaping.dsp.mp.microsoft.com
Graph API endpoints:
- devicelistenerprod.microsoft.com
- login.windows.net
- payloadprod*.blob.core.windows.net

7
windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md
View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/16/2024
ms.date: 09/24/2024
---
# Programmatic controls for drivers and firmware updates
@ -44,6 +44,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-fix-is
<!--Using include for Graph Explorer permissions-->
[!INCLUDE [Windows Autopath permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]
### Required endpoints
<!--Using include for required Graph API endpoints-->
[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]
## Open Graph Explorer
<!--Using include for Graph Explorer sign in-->

7
windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md
View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/16/2024
ms.date: 09/24/2024
---
# Programmatic controls for Windows feature updates
@ -48,6 +48,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prereq
<!--Using include for Graph Explorer permissions-->
[!INCLUDE [Windows Autopatch permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]
### Required endpoints
<!--Using include for required Graph API endpoints-->
[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]
## Open Graph Explorer
<!--Using include for Graph Explorer sign in-->

7
windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/16/2024
ms.date: 09/24/2024
---
# Programmatic controls for expedited Windows quality updates
@ -44,6 +44,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prereq
<!--Using include for Graph Explorer permissions-->
[!INCLUDE [Windows Autopatch permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]
### Required endpoints
<!--Using include for required Graph API endpoints-->
[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]
## Open Graph Explorer
<!--Using include for Graph Explorer sign in-->

6
windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
View File

@ -1,7 +1,7 @@
---
title: Configure your network
description: This article details the network configurations needed for Windows Autopatch
ms.date: 09/16/2024
ms.date: 09/24/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -33,7 +33,7 @@ There are URLs from several Microsoft products that must be in the allowed list
| Microsoft service | URLs required on Allowlist |
| ----- | ----- |
| Microsoft Entra ID | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)<p><p>[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))</p> |
| Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)<p><p>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)</p> |
| Microsoft Intune | [Intune network configuration requirements](/mem/intune/fundamentals/network-bandwidth-use)<p><p>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)</p> |
| Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) |
#### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-and-f3-licenses-required-microsoft-endpoints)
@ -63,7 +63,7 @@ The following URLs must be on the allowed list of your proxy and firewall so tha
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li><li>logcollection.mmd.microsoft.com</li><li>support.mmd.microsoft.com</li></ul>|
| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li><li>logcollection.mmd.microsoft.com</li><li>support.mmd.microsoft.com</li><li>devicelistenerprod.microsoft.com</li><li>login.windows.net</li><li>payloadprod*.blob.core.windows.net</li></ul>|
## Delivery Optimization

24
windows/deployment/windows-enterprise-e3-overview.md
View File

@ -66,7 +66,6 @@ Windows Enterprise edition has many features that are unavailable in Windows Pro
|Feature|Description|
|--- |--- |
|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires <ul><li>UEFI 2.3.1 or greater with Trusted Boot</li><li>Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled</li><li>x64 version of Windows</li><li>IOMMU, such as Intel VT-d, AMD-Vi</li><li>BIOS Lockdown</li><li>TPM 2.0 recommended for device health attestation (uses software if TPM 2.0 not present)*</li></ul>|
|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they're much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting started with App-V for Windows client](/microsoft-desktop-optimization-pack/app-v/appv-for-windows).|
|User Experience Virtualization (UE-V)|With this feature, user-customized Windows and application settings can be captured and stored on a centrally managed network file share.<br><br>When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign into.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after reimaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) overview](/microsoft-desktop-optimization-pack/ue-v/uev-for-windows).|
@ -106,29 +105,6 @@ For more information about implementing Credential Guard, see the following reso
- [Security considerations for Original Equipment Manufacturers](/windows-hardware/design/device-experiences/oem-security-considerations)
- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
### Device Guard
Now that the devices have Windows Enterprise, Device Guard can be implemented on the Windows Enterprise devices by performing the following steps:
1. **Optionally, create a signing certificate for code integrity policies**. As code integrity policies are deployed, catalog files or code integrity policies might need to be signed internally. To sign catalog files or code integrity policies internally, either a publicly issued code signing certificate (normally purchase) or an internal certificate authority (CA) is needed. If an internal CA is chosen, a code signing certificate needs to be created.
2. **Create code integrity policies from "golden" computers**. Departments or roles sometimes use distinctive or partly distinctive sets of hardware and software. In these instances, "golden" computers containing the software and hardware for these departments or roles can be set up. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, a code integrity policy can be created and then decided how to manage that policy. Code integrity policies can be merged to create a broader policy or a primary policy, or each policy can be managed and deployed individually.
3. **Audit the code integrity policy and capture information about applications that are outside the policy**. Microsoft recommends using "audit mode" to carefully test each code integrity policy before enforcing it. With audit mode, no application is blocked. The policy just logs an event whenever an application outside the policy is started. Later, the policy can be expanded to allow these applications, as needed.
4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for the unsigned LOB applications. In later steps, the catalog file's signature can be merged into the code integrity policy so that the policy allows applications in the catalog.
5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log. Once the information is captured, merge that information into the existing policy. Code integrity policies can also be merged from other sources, which allow flexibility in creating the final code integrity policies.
6. **Deploy code integrity policies and catalog files**. After confirming that all the preceding steps are completed, catalog files can be deployed and the code integrity policies can be taken out of audit mode. Microsoft strongly recommends beginning this process with a test group of users. Testing provides a final quality-control validation before deploying the catalog files and code integrity policies more broadly.
7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
For more information about implementing Device Guard, see:
- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
- [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
### AppLocker management
AppLocker in Windows Enterprise can be managed by using Group Policy. Group Policy requires having AD DS and that the Windows Enterprise devices are joined to an AD DS domain. AppLocker rules can be created by using Group Policy. The AppLocker rules can then be targeted to the appropriate devices.

8
windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -137,11 +137,11 @@ This approach is the most complex because it requires the following configuratio
### Data access
The principle of least privileged access guides access to Windows diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement). Microsoft may share business reports with hardware manufacturers and third-party partners that include aggregated and deidentified diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
The principle of least privileged access guides access to Windows diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the [Privacy Statement](https://www.microsoft.com/privacy/privacystatement). Microsoft may share business reports with hardware manufacturers and third-party partners that include aggregated and deidentified diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
Microsoft believes in and practices data minimization. We strive to gather only the info we need and to store it only for as long as its needed to provide a service or for analysis. For more information on how long data is retained, see the section named **Our retention of personal data** in the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement).
Microsoft believes in and practices data minimization. We strive to gather only the info we need and to store it only for as long as its needed to provide a service or for analysis. For more information on how long data is retained, see the section named **Our retention of personal data** in the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement).
## Diagnostic data settings
@ -190,7 +190,7 @@ Required diagnostic data includes:
- Operating system attributes, such as Windows edition and virtualization state
- Storage attributes, such as number of drives, type, and size
- Quality metrics that helps provide an understanding about how the Connected User Experiences and diagnostic data component is functioning, including % of uploaded events, dropped events, blocked events, and the last upload time.
- Quality metrics that help provide an understanding about how the Connected User Experiences and diagnostic data component is functioning, including % of uploaded events, dropped events, blocked events, and the last upload time.
- Quality-related information that helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and app state change details, such as how much processor time and memory were used, and the total uptime for an app.
@ -316,7 +316,7 @@ The Windows diagnostic data processor configuration enables you to be the contro
- The device must be joined to Azure Active Directory (can be a hybrid Azure AD join).
> [!NOTE]
> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. For release information, see [Windows 10 Enterprise and Education](/lifecycle/products/windows-10-enterprise-and-education) and [Windows 11 Enterprise and Education](/lifecycle/products/windows-11-enterprise-and-education) on the Microsoft Lifecycle Policy site.

4
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -1616,7 +1616,7 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
### <a href="" id="bkmk-wifisense"></a>23. Wi-Fi Sense
> [!IMPORTANT]
> Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
> Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://support.microsoft.com/windows/bcec4e8b-00e7-4930-d3ff-5349a3e70037) for more details.
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the persons contacts have shared with them.
@ -1737,7 +1737,7 @@ In Group Policy, configure:
### <a href="" id="bkmk-spotlight"></a>25. Personalized Experiences
Personalized experiences provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. Example features include Windows Spotlight and Start Suggestions. You can control them by using the Group Policy.
Personalized experiences provide features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. Example features include Windows Spotlight and Start Suggestions. You can control them by using the Group Policy.
> [!NOTE]
> This excludes how individual experiences (e.g., Windows Spotlight) can be controlled by users in Windows Settings.

18
windows/privacy/windows-privacy-compliance-guide.md
View File

@ -35,7 +35,7 @@ Transparency is an important part of the data collection process in Windows. Com
### 1.1 Device set up experience and support for layered transparency
When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the set up experience for privacy settings is described in [Windows Insiders get first look at new privacy screen settings layout coming to Windows 10](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97), a blog entry on Windows Blogs.
When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the setup experience for privacy settings is described in [Windows Insiders get first look at new privacy screen settings layout coming to Windows 10](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97), a blog entry on Windows Blogs.
The following table provides an overview of the Windows 10 and Windows 11 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information.
@ -44,11 +44,11 @@ The following table provides an overview of the Windows 10 and Windows 11 privac
| Feature/Setting | Description | Supporting content | Privacy statement |
| --- | --- | --- | --- |
| Diagnostic Data | <p>Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.</p><p>Diagnostic data is categorized into the following:<ul><li>**Required diagnostic data**<br />Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).</li><li>**Optional diagnostic data**<br />Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./optional-diagnostic-data.md).</li></ul></p> | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)<br /><br />[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Inking & typing | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
| Find my device | Use your devices location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Diagnostic Data | <p>Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.</p><p>Diagnostic data is categorized into the following:<ul><li>**Required diagnostic data**<br />Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).</li><li>**Optional diagnostic data**<br />Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./optional-diagnostic-data.md).</li></ul></p> | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)<br /><br />[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) |
| Inking & typing | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) |
| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainlocationservicesmotionsensingmodule) |
| Find my device | Use your devices location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainlocationservicesmotionsensingmodule) |
| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) |
| Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) |
@ -201,7 +201,7 @@ If a user signs in to a Windows experience or app on their device with their Mic
Microsoft complies with applicable law regarding the collection, use, and retention of personal information, including its transfer across borders.
Microsofts [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data.
The [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data.
## 5. Related Windows product considerations
@ -243,7 +243,7 @@ Microsoft Intune is a cloud-based endpoint management solution. It manages user
* [Microsoft Trust Center: GDPR Overview](https://www.microsoft.com/trust-center/privacy/gdpr-overview)
* [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/trust-center/privacy)
* [Windows IT Pro Docs](/windows/#pivot=it-pro)
* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
* [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement)
* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
* [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
* [Privacy at Microsoft](https://www.microsoft.com/privacy)
* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)

15
windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md → windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md
View File

@ -1,23 +1,22 @@
---
title: Designing, creating, managing, and troubleshooting Windows Defender Application Control AppId Tagging policies
description: How to design, create, manage, and troubleshoot your WDAC AppId Tagging policies
title: Designing, creating, managing, and troubleshooting App Control for Business AppId Tagging policies
description: How to design, create, manage, and troubleshoot your App Control AppId Tagging policies
ms.localizationpriority: medium
ms.date: 04/27/2022
ms.date: 09/11/2024
ms.topic: conceptual
---
# WDAC Application ID (AppId) Tagging guide
# App Control Application ID (AppId) Tagging guide
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
## AppId Tagging Feature Overview
The Application ID (AppId) Tagging Policy feature, while based off Windows Defender Application Control (WDAC), doesn't control whether applications run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy receive the tag while failing applications don't.
The Application ID (AppId) Tagging Policy feature, while based off App Control for Business, doesn't control whether applications run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy receive the tag while failing applications don't.
## AppId Tagging Feature Availability
The WDAC AppId Tagging feature is available on the following versions of the Windows platform:
The App Control AppId Tagging feature is available on the following versions of the Windows platform:
Client:
- Windows 10 20H1, 20H2, and 21H1 versions only

9
windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md → windows/security/application-security/application-control/app-control-for-business/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
View File

@ -2,20 +2,19 @@
title: Testing and Debugging AppId Tagging Policies
description: Testing and Debugging AppId Tagging Policies to ensure your policies are deployed successfully.
ms.localizationpriority: medium
ms.date: 04/29/2022
ms.date: 09/11/2024
ms.topic: troubleshooting
---
# Testing and Debugging AppId Tagging Policies
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
After deployment of the App Control AppId Tagging policy, App Control will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
## Verifying Tags on Running Processes
After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since Windows Defender Application Control (WDAC) can only tag processes created after the policy has been deployed.
After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since App Control for Business can only tag processes created after the policy has been deployed.
1. Download and Install the Windows Debugger

23
windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md → windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md
View File

@ -1,17 +1,16 @@
---
title: Deploying Windows Defender Application Control AppId tagging policies
description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment.
title: Deploying App Control for Business AppId tagging policies
description: How to deploy your App Control AppId tagging policies locally and globally within your managed environment.
ms.localizationpriority: medium
ms.date: 04/29/2022
ms.date: 09/11/2024
ms.topic: conceptual
---
# Deploying Windows Defender Application Control AppId tagging policies
# Deploying App Control for Business AppId tagging policies
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId tagging policy, use one of the following methods to deploy:
Similar to App Control for Business policies, App Control AppId tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId tagging policy, use one of the following methods to deploy:
1. [Deploy AppId tagging policies with MDM](#deploy-appid-tagging-policies-with-mdm)
1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration-manager)
@ -20,23 +19,23 @@ Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagg
## Deploy AppId tagging policies with MDM
Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-wdac-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-appcontrol-policies-using-intune.md#deploy-app-control-policies-with-custom-oma-uri).
## Deploy AppId tagging policies with Configuration Manager
Custom AppId tagging policies can be deployed via Configuration Manager using the [deployment task sequences](../deployment/deploy-wdac-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users.
Custom AppId tagging policies can be deployed via Configuration Manager using the [deployment task sequences](../deployment/deploy-appcontrol-policies-with-memcm.md#deploy-custom-app-control-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users.
### Deploy AppId tagging Policies via Scripting
Scripting hosts can be used to deploy AppId tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. For more information on how to deploy WDAC AppId tagging policies via scripting, see [Deploy WDAC policies using script](../deployment/deploy-wdac-policies-with-script.md). For AppId tagging policies, the only applicable method is deploying to version 1903 or later.
Scripting hosts can be used to deploy AppId tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. For more information on how to deploy App Control AppId tagging policies via scripting, see [Deploy App Control policies using script](../deployment/deploy-appcontrol-policies-with-script.md). For AppId tagging policies, the only applicable method is deploying to version 1903 or later.
### Deploying policies via the ApplicationControl CSP
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
Multiple App Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Intune's Custom OMA-URI capability.
> [!NOTE]
> WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format Windows Defender Application Control policies.
> WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format App Control for Business policies.

102
windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md Normal file
View File

@ -0,0 +1,102 @@
---
title: Create your App Control for Business AppId Tagging Policies
description: Create your App Control for Business AppId tagging policies for Windows devices.
ms.localizationpriority: medium
ms.date: 09/23/2024
ms.topic: conceptual
---
# Creating your App Control AppId Tagging Policies
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
## Create the policy using the App Control Wizard
You can use the App Control for Business Wizard and the PowerShell commands to create an App Control policy and convert it to an AppIdTagging policy. The App Control Wizard is available for download at the [App Control Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md).
1. Create a new base policy using the templates:
Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/appcontrol-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
:::image type="content" alt-text="Configuring the policy base and template." source="../images/appid-appcontrol-wizard-1.png" lightbox="../images/appid-appcontrol-wizard-1.png":::
> [!NOTE]
> If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates. For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
2. Set the following rule-options using the Wizard toggles:
:::image type="content" alt-text="Configuring the policy rule-options." source="../images/appid-appcontrol-wizard-2.png":::
3. Create custom rules:
Selecting the `+ Custom Rules` button opens the Custom Rules panel. The Wizard supports five types of file rules:
- Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security.
- Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards.
- File attribute rules: Create a rule based off a file's immutable properties like the original filename, file description, product name or internal name.
- Package app name rules: Create a rule based off the package family name of an appx/msix.
- Hash rules: Create a rule based off the PE Authenticode hash of a file.
For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../design/appcontrol-wizard-create-base-policy.md#creating-custom-file-rules).
4. Convert to AppId Tagging Policy:
After the Wizard builds the policy file, open the file in a text editor and remove the entire "Value=131" SigningScenario text block. The only remaining signing scenario should be "Value=12" which is the user mode application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario:
```powershell
Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
```
The policyID GUID is returned by the PowerShell command if successful.
## Create the policy using PowerShell
Using this method, you create an AppId Tagging policy directly using the App Control PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md). In an elevate PowerShell instance:
1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [App Control File Rule Levels](../design/select-types-of-rules-to-create.md#table-2-app-control-for-business-policy---file-rule-levels) can be used in AppId rules:
```powershell
$rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath <path_to_application>
```
2. Create the AppId Tagging Policy. Replace the AppIdTagging Key-Value pair for your scenario:
```powershell
New-CIPolicy -rules $rule -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
```
3. Set the rule-options for the policy:
```powershell
Set-RuleOption -Option 0 .\AppIdPolicy.xml # Usermode Code Integrity (UMCI)
Set-RuleOption -Option 16 .\AppIdPolicy.xml # Refresh Policy no Reboot
Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection
```
If you're using filepath rules, you may want to set option 18. Otherwise, there's no need.
4. Set the name and ID on the policy, which is helpful for future debugging:
```powershell
Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml"
```
The policyID GUID is returned by the PowerShell command if successful.
## Deploy for Local Testing
After creating your AppId Tagging policy in the above steps, you can deploy the policy to your local machine for testing before broadly deploying the policy to your endpoints:
1. Depending on your deployment method, convert the xml to binary:
```powershell
Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip"
```
2. Optionally, deploy it for local testing:
```powershell
copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\
./RefreshPolicy.exe
```
RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925).
## Next Steps
For more information on debugging and broad deployment of the AppId Tagging policy, see [Debugging AppId policies](debugging-operational-guide-appid-tagging-policies.md) and [Deploying AppId policies](deploy-appid-tagging-policies.md).

180
windows/security/application-security/application-control/windows-defender-application-control/TOC.yml → windows/security/application-security/application-control/app-control-for-business/TOC.yml
View File

@ -1,126 +1,126 @@
- name: Application Control for Windows
href: index.yml
- name: About application control for Windows
href: wdac.md
href: appcontrol.md
expanded: true
items:
- name: WDAC and AppLocker Overview
href: wdac-and-applocker-overview.md
- name: WDAC and AppLocker Feature Availability
- name: App Control and AppLocker Overview
href: appcontrol-and-applocker-overview.md
- name: App Control and AppLocker Feature Availability
href: feature-availability.md
- name: Virtualization-based protection of code integrity
href: ../introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: WDAC design guide
href: design/wdac-design-guide.md
href: ../introduction-to-virtualization-based-security-and-appcontrol.md
- name: Design guide
href: design/appcontrol-design-guide.md
items:
- name: Plan for WDAC policy lifecycle management
href: design/plan-wdac-management.md
- name: Design your WDAC policy
- name: Plan for App Control policy lifecycle management
href: design/plan-appcontrol-management.md
- name: Design your App Control policy
items:
- name: Understand WDAC policy design decisions
href: design/understand-wdac-policy-design-decisions.md
- name: Understand WDAC policy rules and file rules
- name: Understand App Control policy design decisions
href: design/understand-appcontrol-policy-design-decisions.md
- name: Understand App Control policy rules and file rules
href: design/select-types-of-rules-to-create.md
items:
- name: Allow apps installed by a managed installer
href: design/configure-authorized-apps-deployed-with-a-managed-installer.md
- name: Allow reputable apps with Intelligent Security Graph (ISG)
href: design/use-wdac-with-intelligent-security-graph.md
href: design/use-appcontrol-with-intelligent-security-graph.md
- name: Allow COM object registration
href: design/allow-com-object-registration-in-wdac-policy.md
- name: Use WDAC with .NET hardening
href: design/wdac-and-dotnet.md
- name: Script enforcement with Windows Defender Application Control
href: design/allow-com-object-registration-in-appcontrol-policy.md
- name: Use App Control with .NET hardening
href: design/appcontrol-and-dotnet.md
- name: Script enforcement with App Control for Business
href: design/script-enforcement.md
- name: Manage packaged apps with WDAC
href: design/manage-packaged-apps-with-wdac.md
- name: Use WDAC to control specific plug-ins, add-ins, and modules
href: design/use-wdac-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- name: Understand WDAC policy settings
href: design/understanding-wdac-policy-settings.md
- name: Use multiple WDAC policies
href: design/deploy-multiple-wdac-policies.md
- name: Create your WDAC policy
- name: Manage packaged apps with App Control
href: design/manage-packaged-apps-with-appcontrol.md
- name: Use App Control to control specific plug-ins, add-ins, and modules
href: design/use-appcontrol-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- name: Understand App Control policy settings
href: design/understanding-appcontrol-policy-settings.md
- name: Use multiple App Control policies
href: design/deploy-multiple-appcontrol-policies.md
- name: Create your App Control policy
items:
- name: Example WDAC base policies
href: design/example-wdac-base-policies.md
- name: Policy creation for common WDAC usage scenarios
href: design/common-wdac-use-cases.md
- name: Example App Control base policies
href: design/example-appcontrol-base-policies.md
- name: Policy creation for common App Control usage scenarios
href: design/common-appcontrol-use-cases.md
items:
- name: Create a WDAC policy for lightly managed devices
href: design/create-wdac-policy-for-lightly-managed-devices.md
- name: Create a WDAC policy for fully managed devices
href: design/create-wdac-policy-for-fully-managed-devices.md
- name: Create a WDAC policy for fixed-workload devices
href: design/create-wdac-policy-using-reference-computer.md
- name: Create a WDAC deny list policy
href: design/create-wdac-deny-policy.md
- name: Applications that can bypass WDAC and how to block them
href: design/applications-that-can-bypass-wdac.md
- name: Create an App Control policy for lightly managed devices
href: design/create-appcontrol-policy-for-lightly-managed-devices.md
- name: Create an App Control policy for fully managed devices
href: design/create-appcontrol-policy-for-fully-managed-devices.md
- name: Create an App Control policy for fixed-workload devices
href: design/create-appcontrol-policy-using-reference-computer.md
- name: Create an App Control deny list policy
href: design/create-appcontrol-deny-policy.md
- name: Applications that can bypass App Control and how to block them
href: design/applications-that-can-bypass-appcontrol.md
- name: Microsoft recommended driver block rules
href: design/microsoft-recommended-driver-block-rules.md
- name: Use the WDAC Wizard tool
href: design/wdac-wizard.md
- name: Use the App Control Wizard tool
href: design/appcontrol-wizard.md
items:
- name: Create a base WDAC policy with the Wizard
href: design/wdac-wizard-create-base-policy.md
- name: Create a supplemental WDAC policy with the Wizard
href: design/wdac-wizard-create-supplemental-policy.md
- name: Editing a WDAC policy with the Wizard
href: design/wdac-wizard-editing-policy.md
- name: Creating WDAC Policy Rules from WDAC Events
href: design/wdac-wizard-parsing-event-logs.md
- name: Merging multiple WDAC policies with the Wizard
href: design/wdac-wizard-merging-policies.md
- name: WDAC deployment guide
href: deployment/wdac-deployment-guide.md
- name: Create a base App Control policy with the Wizard
href: design/appcontrol-wizard-create-base-policy.md
- name: Create a supplemental App Control policy with the Wizard
href: design/appcontrol-wizard-create-supplemental-policy.md
- name: Editing an App Control policy with the Wizard
href: design/appcontrol-wizard-editing-policy.md
- name: Creating App Control Policy Rules from App Control Events
href: design/appcontrol-wizard-parsing-event-logs.md
- name: Merging multiple App Control policies with the Wizard
href: design/appcontrol-wizard-merging-policies.md
- name: Deployment guide
href: deployment/appcontrol-deployment-guide.md
items:
- name: Deploy WDAC policies with MDM
href: deployment/deploy-wdac-policies-using-intune.md
- name: Deploy WDAC policies with Configuration Manager
href: deployment/deploy-wdac-policies-with-memcm.md
- name: Deploy WDAC policies with script
href: deployment/deploy-wdac-policies-with-script.md
- name: Deploy WDAC policies with group policy
href: deployment/deploy-wdac-policies-using-group-policy.md
- name: Audit WDAC policies
href: deployment/audit-wdac-policies.md
- name: Merge WDAC policies
href: deployment/merge-wdac-policies.md
- name: Enforce WDAC policies
href: deployment/enforce-wdac-policies.md
- name: Use code signing for added control and protection with WDAC
- name: Deploy App Control policies with MDM
href: deployment/deploy-appcontrol-policies-using-intune.md
- name: Deploy App Control policies with Configuration Manager
href: deployment/deploy-appcontrol-policies-with-memcm.md
- name: Deploy App Control policies with script
href: deployment/deploy-appcontrol-policies-with-script.md
- name: Deploy App Control policies with group policy
href: deployment/deploy-appcontrol-policies-using-group-policy.md
- name: Audit App Control policies
href: deployment/audit-appcontrol-policies.md
- name: Merge App Control policies
href: deployment/merge-appcontrol-policies.md
- name: Enforce App Control policies
href: deployment/enforce-appcontrol-policies.md
- name: Use code signing for added control and protection with App Control
href: deployment/use-code-signing-for-better-control-and-protection.md
items:
- name: Deploy catalog files to support WDAC
href: deployment/deploy-catalog-files-to-support-wdac.md
- name: Use signed policies to protect Windows Defender Application Control against tampering
href: deployment/use-signed-policies-to-protect-wdac-against-tampering.md
- name: "Optional: Create a code signing cert for WDAC"
href: deployment/create-code-signing-cert-for-wdac.md
- name: Disable WDAC policies
href: deployment/disable-wdac-policies.md
- name: WDAC operational guide
href: operations/wdac-operational-guide.md
- name: Deploy catalog files to support App Control
href: deployment/deploy-catalog-files-to-support-appcontrol.md
- name: Use signed policies to protect App Control for Business against tampering
href: deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md
- name: "Optional: Create a code signing cert for App Control"
href: deployment/create-code-signing-cert-for-appcontrol.md
- name: Disable App Control policies
href: deployment/disable-appcontrol-policies.md
- name: Operational guide
href: operations/appcontrol-operational-guide.md
items:
- name: WDAC debugging and troubleshooting
href: operations/wdac-debugging-and-troubleshooting.md
- name: Understanding Application Control event IDs
- name: App Control debugging and troubleshooting
href: operations/appcontrol-debugging-and-troubleshooting.md
- name: Understanding App Control event IDs
href: operations/event-id-explanations.md
- name: Understanding Application Control event tags
- name: Understanding App Control event tags
href: operations/event-tag-explanations.md
- name: Query WDAC events with Advanced hunting
- name: Query App Control events with Advanced hunting
href: operations/querying-application-control-events-centrally-using-advanced-hunting.md
- name: Known Issues
href: operations/known-issues.md
- name: Managed installer and ISG technical reference and troubleshooting guide
href: operations/configure-wdac-managed-installer.md
href: operations/configure-appcontrol-managed-installer.md
- name: CITool.exe technical reference
href: operations/citool-commands.md
- name: Inbox WDAC policies
href: operations/inbox-wdac-policies.md
- name: WDAC AppId Tagging guide
href: AppIdTagging/wdac-appid-tagging-guide.md
- name: Inbox App Control policies
href: operations/inbox-appcontrol-policies.md
- name: AppId Tagging guide
href: AppIdTagging/appcontrol-appid-tagging-guide.md
items:
- name: Creating AppId Tagging Policies
href: AppIdTagging/design-create-appid-tagging-policies.md

64
windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md Normal file
View File

@ -0,0 +1,64 @@
---
title: App Control and AppLocker Overview
description: Compare Windows application control technologies.
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.topic: conceptual
---
# App Control for Business and AppLocker Overview
[!INCLUDE [Feature availability note](includes/feature-availability-note.md)]
Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: App Control for Business and AppLocker.
## App Control for Business
App Control was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC).
App Control policies apply to the managed computer as a whole and affects all users of the device. App Control rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md)
- The identity of the process that initiated the installation of the app and its binaries ([managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md))
- The [path from which the app or file is launched](design/select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
- The process that launched the app or binary
> [!NOTE]
> App Control was originally released as part of Device Guard and called configurable code integrity. Device Guard and configurable code integrity are no longer used except to find where to deploy App Control policy via Group Policy.
### App Control System Requirements
App Control policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. App Control policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy App Control policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019.
For more information on which individual App Control features are available on specific App Control builds, see [App Control feature availability](feature-availability.md).
## AppLocker
AppLocker was introduced with Windows 7, and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end-users from running unapproved software on their computers but doesn't meet the servicing criteria for being a security feature.
AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries.
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file.
- The path from which the app or file is launched.
AppLocker is also used by some features of App Control, including [managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md) and the [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md).
### AppLocker System Requirements
AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
AppLocker policies can be deployed using Group Policy or MDM.
## Choose when to use App Control or AppLocker
Generally, customers who are able to implement application control using App Control, rather than AppLocker, should do so. App Control is undergoing continual improvements, and is getting added support from Microsoft management platforms. Although AppLocker continues to receive security fixes, it isn't getting new feature improvements.
However, in some cases, AppLocker might be the more appropriate technology for your organization. AppLocker is best when:
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
- You need to apply different policies for different users or groups on shared computers.
- You don't want to enforce application control on application files such as DLLs or drivers.
AppLocker can also be deployed as a complement to App Control to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. As a best practice, you should enforce App Control at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.

21
windows/security/application-security/application-control/windows-defender-application-control/wdac.md → windows/security/application-security/application-control/app-control-for-business/appcontrol.md
View File

@ -4,14 +4,13 @@ description: Application Control restricts which applications users are allowed
ms.localizationpriority: medium
ms.collection:
- tier3
ms.date: 08/30/2023
ms.date: 09/11/2024
ms.topic: overview
---
# Application Control for Windows
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
[!INCLUDE [Feature availability note](includes/feature-availability-note.md)]
With thousands of new malicious files created every day, using traditional methods like antivirus solutions-signature-based detection to fight against malware-provides an inadequate defense against new attacks.
@ -26,14 +25,14 @@ Application control is a crucial line of defense for protecting enterprises give
Windows 10 and Windows 11 include two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
- **Windows Defender Application Control (WDAC)**; and
- **App Control for Business**; and
- **AppLocker**
## WDAC and Smart App Control
## App Control and Smart App Control
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect.
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
| Value | Description |
|-------|-------------|
@ -46,7 +45,7 @@ Smart App Control is only available on clean installation of Windows 11 version
### Smart App Control Enforced Blocks
Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:
Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-appcontrol.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:
- Infdefaultinstall.exe
- Microsoft.Build.dll
@ -57,7 +56,7 @@ Smart App Control enforces the [Microsoft Recommended Driver Block rules](design
## Related articles
- [WDAC design guide](design/wdac-design-guide.md)
- [WDAC deployment guide](deployment/wdac-deployment-guide.md)
- [WDAC operational guide](operations/wdac-operational-guide.md)
- [App Control design guide](design/appcontrol-design-guide.md)
- [App Control deployment guide](deployment/appcontrol-deployment-guide.md)
- [App Control operational guide](operations/appcontrol-operational-guide.md)
- [AppLocker overview](applocker/applocker-overview.md)

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md → windows/security/application-security/application-control/app-control-for-business/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
View File

@ -3,7 +3,7 @@ title: Add rules for packaged apps to existing AppLocker rule-set
description: This article for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Add rules for packaged apps to existing AppLocker rule-set

6
windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md
View File

@ -3,7 +3,7 @@ title: Administer AppLocker
description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 01/03/2024
ms.date: 09/11/2024
---
# Administer AppLocker
@ -27,11 +27,11 @@ AppLocker helps administrators control how users can access and use files, such
| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This article for IT professionals describes the steps required to modify an AppLocker policy. |
| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This article discusses the steps required to test an AppLocker policy prior to deployment. |
| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. |
| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. |
| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker policies. |
| [Optimize AppLocker performance](optimize-applocker-performance.md) | This article for IT professionals describes how to optimize AppLocker policy enforcement. |
| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This article for IT professionals describes how to monitor app usage when AppLocker policies are applied. |
| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This article for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. |
| [Working with AppLocker rules](working-with-applocker-rules.md) | This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies. |
| [Working with AppLocker rules](working-with-applocker-rules.md) | This article for IT professionals describes AppLocker rule types and how to work with them for your policies. |
| [Working with AppLocker policies](working-with-applocker-policies.md) | This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies. |
## Using the MMC snap-ins to administer AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components.md
View File

@ -3,7 +3,7 @@ title: AppLocker architecture and components
description: This article for IT professional describes AppLockers basic architecture and its major components.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# AppLocker architecture and components

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-functions.md
View File

@ -3,7 +3,7 @@ title: AppLocker functions
description: This article for the IT professional lists the functions and security levels for AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# AppLocker functions

10
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md
View File

@ -1,23 +1,23 @@
---
title: AppLocker
description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker policies.
ms.collection:
- tier3
- must-keep
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 01/03/2024
ms.date: 09/11/2024
---
# AppLocker
This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of Windows Defender Application Control.
This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of App Control for Business.
> [!NOTE]
> AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
> AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [App Control for Business](../appcontrol-and-applocker-overview.md) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
> [!NOTE]
> By default, AppLocker policy only applies to code launched in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to non-user processes, including those running as SYSTEM. For more information, see [AppLocker rule collection extensions](/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions#services-enforcement).
> By default, AppLocker policy only applies to code launched in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to non-user processes, including those running as SYSTEM. For more information, see [AppLocker rule collection extensions](rule-collection-extensions.md#services-enforcement).
AppLocker can help you:

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-deployment-guide.md
View File

@ -3,7 +3,7 @@ title: AppLocker deployment guide
description: This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# AppLocker deployment guide

6
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md
View File

@ -3,7 +3,7 @@ title: AppLocker design guide
description: This article for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# AppLocker design guide
@ -12,14 +12,14 @@ This article for the IT professional introduces the design and planning steps re
This guide provides important designing and planning information for deploying application control policies by using AppLocker. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that addresses your specific application control requirements by department, organizational unit, or business group.
To understand if AppLocker is the correct application control solution for your organization, see [Windows Defender Application Control and AppLocker overview](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview).
To understand if AppLocker is the correct application control solution for your organization, see [App Control for Business and AppLocker overview](../appcontrol-and-applocker-overview.md).
## In this section
| Article | Description |
| --- | --- |
| [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This article describes AppLocker design questions, possible answers, and other considerations when you plan a deployment of application control policies by using AppLocker. |
| [Determine your application control objectives](determine-your-application-control-objectives.md) | This article helps you with the decisions you need to make to determine what applications to control and how to control them using AppLocker. |
| [Determine your application control objectives](../appcontrol-and-applocker-overview.md) | This article helps you with the decisions you need to make to determine what applications to control and how to control them using AppLocker. |
| [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This article describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. |
| [Select the types of rules to create](select-types-of-rules-to-create.md) | This article lists resources you can use when selecting your application control policy rules by using AppLocker. |
| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview article describes the process to follow when you're planning to deploy AppLocker rules. |

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policy-use-scenarios.md
View File

@ -3,7 +3,7 @@ title: AppLocker policy use scenarios
description: This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# AppLocker policy use scenarios

7
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md
View File

@ -3,13 +3,12 @@ title: AppLocker processes and interactions
description: This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# AppLocker processes and interactions
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
@ -77,7 +76,7 @@ There are three different types of conditions that can be applied to rules:
An AppLocker policy is a set of rule collections and their corresponding configured enforcement mode settings applied to one or more computers.
- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
- [Understand AppLocker enforcement settings](working-with-applocker-rules.md#enforcement-modes)
Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced.

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-technical-reference.md
View File

@ -3,7 +3,7 @@ title: AppLocker technical reference
description: This overview article for IT professionals provides links to the articles in the technical reference.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# AppLocker technical reference

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md → windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md
View File

@ -3,7 +3,7 @@ title: Configure an AppLocker policy for audit only
description: This article for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Configure an AppLocker policy for audit only

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md
View File

@ -3,7 +3,7 @@ title: Configure an AppLocker policy for enforce rules
description: This article for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Configure an AppLocker policy for enforce rules

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md → windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md
View File

@ -3,7 +3,7 @@ title: Add exceptions for an AppLocker rule
description: This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Add exceptions for an AppLocker rule

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md → windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md
View File

@ -3,7 +3,7 @@ title: Configure the AppLocker reference device
description: This article for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Configure the AppLocker reference device

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service.md → windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md
View File

@ -3,7 +3,7 @@ title: Configure the Application Identity service
description: This article for IT professionals shows how to configure the Application Identity service to start automatically or manually.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Configure the Application Identity service

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md
View File

@ -3,7 +3,7 @@ title: Create a rule for packaged apps
description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Create a rule for packaged apps

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md
View File

@ -3,7 +3,7 @@ title: Create a rule that uses a file hash condition
description: This article for IT professionals shows how to create an AppLocker rule with a file hash condition.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Create a rule that uses a file hash condition

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md
View File

@ -3,7 +3,7 @@ title: Create a rule that uses a path condition
description: This article for IT professionals shows how to create an AppLocker rule with a path condition.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Create a rule that uses a path condition

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md
View File

@ -3,7 +3,7 @@ title: Create a rule that uses a publisher condition
description: This article for IT professionals shows how to create an AppLocker rule with a publisher condition.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Create a rule that uses a publisher condition

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-applocker-default-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md
View File

@ -3,7 +3,7 @@ title: Create AppLocker default rules
description: This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Create AppLocker default rules

6
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-list-of-applications-deployed-to-each-business-group.md
View File

@ -3,7 +3,7 @@ title: Create a list of apps deployed to each business group
description: This article describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Gathering app usage requirements
@ -30,7 +30,7 @@ Using the Automatically Generate Rules wizard quickly creates rules for the appl
Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can evaluate the possible effects of enforcement on computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully.
> [!TIP]
> If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker.
> If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker.
You can create an inventory of Packaged apps on a device by using two methods: the **Get-AppxPackage** Windows PowerShell cmdlet or the AppLocker console.
@ -44,7 +44,7 @@ The following articles describe how to perform each method:
Identify the business group and each organizational unit (OU) within that group for application control policies. In addition, you should identify whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following articles:
- [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
- [Determine your application control objectives](determine-your-application-control-objectives.md)
- [Determine your application control objectives](../appcontrol-and-applocker-overview.md)
## Next steps

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md
View File

@ -3,7 +3,7 @@ title: Create Your AppLocker policies
description: This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Create Your AppLocker policies
@ -18,7 +18,7 @@ You can develop an application control policy plan to guide you in making succes
1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
3. [Determine your application control objectives](determine-your-application-control-objectives.md)
3. [Determine your application control objectives](../appcontrol-and-applocker-overview.md)
4. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
5. [Select the types of rules to create](select-types-of-rules-to-create.md)
6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md
View File

@ -3,7 +3,7 @@ title: Create Your AppLocker rules
description: This article for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Create Your AppLocker rules

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/delete-an-applocker-rule.md → windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md
View File

@ -3,7 +3,7 @@ title: Delete an AppLocker rule
description: This article for IT professionals describes the steps to delete an AppLocker rule.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Delete an AppLocker rule

6
windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md → windows/security/application-security/application-control/app-control-for-business/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
View File

@ -3,7 +3,7 @@ title: Deploy AppLocker policies by using the enforce rules setting
description: This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 01/03/2024
ms.date: 09/11/2024
---
# Deploy AppLocker policies by using the enforce rules setting
@ -14,7 +14,7 @@ This article for IT professionals describes the steps to deploy AppLocker polici
These procedures assume that your AppLocker policies are deployed with the enforcement mode set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.
For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md).
For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](working-with-applocker-rules.md#enforcement-modes).
For info about how to plan an AppLocker policy deployment, see [AppLocker Design Guide](applocker-policies-design-guide.md).
@ -24,7 +24,7 @@ Updating an AppLocker policy that is currently enforced in your production envir
## Step 2: Alter the enforcement setting
Rule enforcement is applied to all rules within a rule collection, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. For information about the enforcement mode setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement mode setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
Rule enforcement is applied to all rules within a rule collection, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. For information about the enforcement mode setting, see [Understand AppLocker Enforcement Settings](working-with-applocker-rules.md#enforcement-modes). For the procedure to alter the enforcement mode setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
## Step 3: Update the policy

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md → windows/security/application-security/application-control/app-control-for-business/applocker/deploy-the-applocker-policy-into-production.md
View File

@ -3,7 +3,7 @@ title: Deploy the AppLocker policy into production
description: This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Deploy the AppLocker policy into production

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md → windows/security/application-security/application-control/app-control-for-business/applocker/determine-group-policy-structure-and-rule-enforcement.md
View File

@ -3,7 +3,7 @@ title: Determine the Group Policy structure and rule enforcement
description: This overview article describes the process to follow when you're planning to deploy AppLocker rules.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Determine the Group Policy structure and rule enforcement
@ -14,7 +14,7 @@ This overview article describes the process to follow when you're planning to de
| Article | Description |
| --- | --- |
| [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) | This article describes the AppLocker enforcement settings for rule collections. |
| [Understand AppLocker enforcement settings](working-with-applocker-rules.md#enforcement-modes) | This article describes the AppLocker enforcement settings for rule collections. |
| [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.|
| [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning article describes what you need to investigate, determine, and document for your policy plan when you use AppLocker. |

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md → windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
View File

@ -3,7 +3,7 @@ title: Find digitally signed apps on a reference device
description: This article for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Determine which apps are digitally signed on a reference device

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md → windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
View File

@ -3,7 +3,7 @@ title: Display a custom URL message when users try to run a blocked app
description: This article for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy blocks an app.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Display a custom URL message when users try to run a blocked app

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/dll-rules-in-applocker.md
View File

@ -3,7 +3,7 @@ title: DLL rules in AppLocker
description: This article describes the file formats and available default rules for the DLL rule collection.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# DLL rules in AppLocker

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md → windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
View File

@ -3,7 +3,7 @@ title: Document Group Policy structure & AppLocker rule enforcement
description: This planning article describes what you need to include in your plan when you use AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Document the Group Policy structure and AppLocker rule enforcement
@ -14,7 +14,7 @@ This planning article describes what you should include in your plan when you us
To complete this AppLocker planning document, you should first complete the following steps:
1. [Determine your application control objectives](determine-your-application-control-objectives.md)
1. [Determine your application control objectives](../appcontrol-and-applocker-overview.md)
2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
3. [Select the types of rules to create](select-types-of-rules-to-create.md)
4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-application-list.md → windows/security/application-security/application-control/app-control-for-business/applocker/document-your-application-list.md
View File

@ -3,7 +3,7 @@ title: Document your app list
description: This planning article describes the app information that you should document when you create a list of apps for AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Document your app list
@ -14,7 +14,7 @@ This planning article describes the app information that you should document whe
### Apps
Record the name of the app, its publisher information (if digitally signed), and its importance to the business.
Record the name of the app, its publisher information (if digitally signed), and its importance to the business.
### Installation path

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md
View File

@ -3,7 +3,7 @@ title: Document your AppLocker rules
description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Document your AppLocker rules

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md → windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md
View File

@ -3,7 +3,7 @@ title: Edit an AppLocker policy
description: This article for IT professionals describes the steps required to modify an AppLocker policy.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 01/03/2024
ms.date: 09/11/2024
---
# Edit an AppLocker policy

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-applocker-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md
View File

@ -3,7 +3,7 @@ title: Edit AppLocker rules
description: This article for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Edit AppLocker rules

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md → windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md
View File

@ -3,7 +3,7 @@ title: Enable the DLL rule collection
description: This article for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Enable the DLL rule collection

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/enforce-applocker-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/enforce-applocker-rules.md
View File

@ -3,7 +3,7 @@ title: Enforce AppLocker rules
description: This article for IT professionals describes how to enforce application control rules by using AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Enforce AppLocker rules

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/executable-rules-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/executable-rules-in-applocker.md
View File

@ -3,7 +3,7 @@ title: Executable rules in AppLocker
description: This article describes the file formats and available default rules for the executable rule collection.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Executable rules in AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md → windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md
View File

@ -3,7 +3,7 @@ title: Export an AppLocker policy from a GPO
description: This article for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Export an AppLocker policy from a GPO

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md → windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md
View File

@ -3,7 +3,7 @@ title: Export an AppLocker policy to an XML file
description: This article for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Export an AppLocker policy to an XML file

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/how-applocker-works-techref.md → windows/security/application-security/application-control/app-control-for-business/applocker/how-applocker-works-techref.md
View File

@ -3,7 +3,7 @@ title: How AppLocker works
description: This article for the IT professional provides links to articles about AppLocker architecture and components, processes and interactions, rules and policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# How AppLocker works

0
windows/security/application-security/application-control/windows-defender-application-control/applocker/images/applocker-plan-inheritance.gif → windows/security/application-security/application-control/app-control-for-business/applocker/images/applocker-plan-inheritance.gif
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 22 KiB

After

Width:  |  Height:  |  Size: 22 KiB

0
windows/security/application-security/application-control/windows-defender-application-control/applocker/images/applocker-plandeploy-quickreference.gif → windows/security/application-security/application-control/app-control-for-business/applocker/images/applocker-plandeploy-quickreference.gif
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 35 KiB

After

Width:  |  Height:  |  Size: 35 KiB

0
windows/security/application-security/application-control/windows-defender-application-control/applocker/images/blockedappmsg.gif → windows/security/application-security/application-control/app-control-for-business/applocker/images/blockedappmsg.gif
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 16 KiB

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md → windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md
View File

@ -3,7 +3,7 @@ title: Import an AppLocker policy from another computer
description: This article for IT professionals describes how to import an AppLocker policy.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Import an AppLocker policy from another computer

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md → windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md
View File

@ -3,7 +3,7 @@ title: Import an AppLocker policy into a GPO
description: This article for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Import an AppLocker policy into a GPO

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md → windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md
View File

@ -3,7 +3,7 @@ title: Maintain AppLocker policies
description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 01/03/2024
ms.date: 09/11/2024
---
# Maintain AppLocker policies

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md
View File

@ -3,7 +3,7 @@ title: Manage packaged apps with AppLocker
description: Learn concepts and lists procedures to help you manage packaged apps with AppLocker as part of your overall application control strategy.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/20/2023
ms.date: 09/11/2024
---
# Manage packaged apps with AppLocker

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md → windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
View File

@ -3,14 +3,14 @@ title: Merge AppLocker policies by using Set-ApplockerPolicy
description: This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Merge AppLocker policies by using Set-ApplockerPolicy
This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local policy is used. When the Merge parameter is used, rules in the specified AppLocker policy are merged with the AppLocker rules in the target GPO specified in the LDAP path. Merging policies removes rules with duplicate rule IDs, and the enforcement mode setting is chosen as described in [Working with AppLocker rules](/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules#enforcement-modes). If the Merge parameter isn't specified, then the new policy overwrites the existing policy.
The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local policy is used. When the Merge parameter is used, rules in the specified AppLocker policy are merged with the AppLocker rules in the target GPO specified in the LDAP path. Merging policies removes rules with duplicate rule IDs, and the enforcement mode setting is chosen as described in [Working with AppLocker rules](working-with-applocker-rules.md#enforcement-modes). If the Merge parameter isn't specified, then the new policy overwrites the existing policy.
For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](/powershell/module/applocker/set-applockerpolicy).

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-manually.md → windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md
View File

@ -3,7 +3,7 @@ title: Merge AppLocker policies manually
description: This article for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Merge AppLocker policies manually
@ -12,7 +12,7 @@ This article for IT professionals describes the steps to manually merge AppLocke
If you need to merge multiple AppLocker policies into a single one, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker console. For info about merging policies by using Windows PowerShell, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
The AppLocker policy is stored in XML format, and an exported policy can be edited with any text or XML editor. To export an AppLocker policy, see [Export an AppLocker policy to an XML file](/windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file). Before making changes to an AppLocker policy manually, review [Working with AppLocker rules](/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules).
The AppLocker policy is stored in XML format, and an exported policy can be edited with any text or XML editor. To export an AppLocker policy, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md). Before making changes to an AppLocker policy manually, review [Working with AppLocker rules](working-with-applocker-rules.md).
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md
View File

@ -3,7 +3,7 @@ title: Monitor app usage with AppLocker
description: This article for IT professionals describes how to monitor app usage when AppLocker policies are applied.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/19/2023
ms.date: 09/11/2024
---
# Monitor app usage with AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md → windows/security/application-security/application-control/app-control-for-business/applocker/optimize-applocker-performance.md
View File

@ -3,7 +3,7 @@ title: Optimize AppLocker performance
description: This article for IT professionals describes how to optimize AppLocker policy enforcement.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 01/03/2024
ms.date: 09/11/2024
---
# Optimize AppLocker performance

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
View File

@ -3,7 +3,7 @@ title: Packaged apps and packaged app installer rules in AppLocker
description: This article explains the AppLocker rule collection for packaged app installers and packaged apps.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Packaged apps and packaged app installer rules in AppLocker

6
windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md → windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md
View File

@ -3,7 +3,7 @@ title: Plan for AppLocker policy management
description: This article describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Plan for AppLocker policy management
@ -58,7 +58,7 @@ AppLocker event log is located in the following path: **Applications and Service
2. **MSI and Script**. Contains events for all files affected by the Windows Installer and script rule collections (.msi, .msp, .ps1, .bat, .cmd, .vbs, and .js).
3. **Packaged app-Deployment** or **Packaged app-Execution**, contains events for all Universal Windows apps affected by the packaged app and packed app installer rule collection (.appx).
Collecting these events in a central location can help you maintain your AppLocker policy and troubleshoot rule configuration problems.
Collecting these events in a central location can help you maintain your AppLocker policy and troubleshoot rule configuration problems.
### Policy maintenance
@ -101,7 +101,7 @@ Before editing the rule collection, first determine what rule is preventing the
To complete this AppLocker planning document, you should first complete the following steps:
1. [Determine your application control objectives](determine-your-application-control-objectives.md)
1. [Determine your application control objectives](../appcontrol-and-applocker-overview.md)
2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
3. [Select the types of rules to create](select-types-of-rules-to-create.md)
4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md → windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md
View File

@ -3,7 +3,7 @@ title: Refresh an AppLocker policy
description: This article for IT professionals describes the steps to force an update for an AppLocker policy.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Refresh an AppLocker policy

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md → windows/security/application-security/application-control/app-control-for-business/applocker/requirements-for-deploying-applocker-policies.md
View File

@ -3,7 +3,7 @@ title: Requirements for deploying AppLocker policies
description: This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Requirements for deploying AppLocker policies

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/requirements-to-use-applocker.md
View File

@ -3,7 +3,7 @@ title: Requirements to use AppLocker
description: This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Requirements to use AppLocker

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions.md → windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md
View File

@ -6,7 +6,7 @@ ms.collection:
- must-keep
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 06/07/2024
ms.date: 09/11/2024
---
# AppLocker rule collection extensions
@ -29,7 +29,7 @@ This article describes the rule collection extensions added in Windows 10 and la
## Services enforcement
By default, AppLocker policy only applies to code running in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to nonuser processes, including services running as SYSTEM. You must enable services enforcement when using AppLocker with Windows Defender Application Control's (WDAC) [managed installer](/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer) feature.
By default, AppLocker policy only applies to code running in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to nonuser processes, including services running as SYSTEM. You must enable services enforcement when using AppLocker with App Control for Business's [managed installer](../design/configure-authorized-apps-deployed-with-a-managed-installer.md) feature.
To apply AppLocker policy to nonuser processes, set ``<Services EnforcementMode="Enabled"/>`` in the ``<ThresholdExtensions>`` section as shown in the preceding XML fragment.

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md → windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md
View File

@ -3,7 +3,7 @@ title: Run the Automatically Generate Rules wizard
description: This article for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/21/2023
ms.date: 09/11/2024
---
# Run the Automatically Generate Rules wizard

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/script-rules-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/script-rules-in-applocker.md
View File

@ -3,7 +3,7 @@ title: Script rules in AppLocker
description: This article describes the file formats and available default rules for the script rule collection.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Script rules in AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/security-considerations-for-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/security-considerations-for-applocker.md
View File

@ -3,7 +3,7 @@ title: Security considerations for AppLocker
description: This article for the IT professional describes the security considerations you need to address when implementing AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Security considerations for AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/select-types-of-rules-to-create.md → windows/security/application-security/application-control/app-control-for-business/applocker/select-types-of-rules-to-create.md
View File

@ -3,7 +3,7 @@ title: Select the types of rules to create
description: This article lists resources you can use when selecting your application control policy rules by using AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Select the types of rules to create

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md → windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
View File

@ -3,7 +3,7 @@ title: Test an AppLocker policy by using Test-AppLockerPolicy
description: This article for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Test an AppLocker policy by using Test-AppLockerPolicy

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md → windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md
View File

@ -3,7 +3,7 @@ title: Test and update an AppLocker policy
description: This article discusses the steps required to test an AppLocker policy prior to deployment.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 01/03/2024
ms.date: 09/11/2024
---
# Test and update an AppLocker policy

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/tools-to-use-with-applocker.md
View File

@ -3,7 +3,7 @@ title: Tools to use with AppLocker
description: This article for the IT professional describes the tools available to create and administer AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Tools to use with AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md → windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md
View File

@ -3,7 +3,7 @@ title: Understand AppLocker policy design decisions
description: Review some common considerations while you're planning to use AppLocker to deploy application control policies within a Windows environment.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Understand AppLocker policy design decisions

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md → windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
View File

@ -3,14 +3,14 @@ title: Understand AppLocker rules and enforcement setting inheritance in Group P
description: This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Understand AppLocker rules and enforcement setting inheritance in Group Policy
This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
Rule enforcement is applied only to collections of rules, not individual rules. For more info on rule collections, see [AppLocker rule collections](/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules#rule-collections).
Rule enforcement is applied only to collections of rules, not individual rules. For more info on rule collections, see [AppLocker rule collections](working-with-applocker-rules.md#rule-collections).
Group Policy merges AppLocker policy in two ways:

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md → windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md
View File

@ -3,7 +3,7 @@ title: Understand the AppLocker policy deployment process
description: This planning and deployment article for the IT professional describes the process for using AppLocker when deploying application control policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Understand the AppLocker policy deployment process

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
View File

@ -3,7 +3,7 @@ title: Understanding AppLocker allow and deny actions on rules
description: This article explains the differences between allow and deny actions on AppLocker rules.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Understanding AppLocker allow and deny actions on rules

8
windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-default-rules.md → windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md
View File

@ -3,7 +3,7 @@ title: Understanding AppLocker default rules
description: This article for IT professional describes the set of rules that can be used to ensure that required Windows system files continue to run when the policy is applied.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Understanding AppLocker default rules
@ -29,9 +29,9 @@ These permissions settings are applied to this folder for app compatibility. How
| --- | --- |
| [Executable rules in AppLocker](executable-rules-in-applocker.md) | This article describes the file formats and available default rules for the executable rule collection. |
| [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) | This article describes the file formats and available default rules for the Windows Installer rule collection.|
| [Script rules in AppLocker](script-rules-in-applocker.md) | This article describes the file formats and available default rules for the script rule collection.|
| [DLL rules in AppLocker](dll-rules-in-applocker.md) | This article describes the file formats and available default rules for the DLL rule collection.|
| [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) | This article explains the AppLocker rule collection for packaged app installers and packaged apps.|
| [Script rules in AppLocker](script-rules-in-applocker.md) | This article describes the file formats and available default rules for the script rule collection.|
| [DLL rules in AppLocker](dll-rules-in-applocker.md) | This article describes the file formats and available default rules for the DLL rule collection.|
| [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) | This article explains the AppLocker rule collection for packaged app installers and packaged apps.|
## Related articles

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md → windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md
View File

@ -3,7 +3,7 @@ title: Understanding AppLocker rule behavior
description: This article describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Understanding AppLocker rule behavior

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md → windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md
View File

@ -3,7 +3,7 @@ title: Understanding AppLocker rule collections
description: This article explains the five different types of AppLocker rule collections used to enforce AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Understanding AppLocker rule collections

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md → windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-condition-types.md
View File

@ -3,7 +3,7 @@ title: Understanding AppLocker rule condition types
description: This article for the IT professional describes the three types of AppLocker rule conditions.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Understanding AppLocker rule condition types

6
windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md → windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md
View File

@ -3,7 +3,7 @@ title: Understanding AppLocker rule exceptions
description: This article describes the result of applying AppLocker rule exceptions to rule collections.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Understanding AppLocker rule exceptions
@ -14,8 +14,8 @@ This article describes the result of applying AppLocker rule exceptions to rule
You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, the rule affects all users in that group. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset.
For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but doesn't allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception for the rule).
The effect of this rule would prevent users such as Helpdesk personnel from running the Registry Editor, a program that is necessary for their support tasks.
For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but doesn't allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception for the rule).
The effect of this rule would prevent users such as Helpdesk personnel from running the Registry Editor, a program that is necessary for their support tasks.
To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor" and add %WINDIR%\regedit.exe as an allowed path. If you create a deny rule that blocks Registry Editor for all users, the deny rule overrides the second rule that allows the Helpdesk user group to run Registry Editor.
## Related articles

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
View File

@ -3,7 +3,7 @@ title: Understanding the file hash rule condition in AppLocker
description: This article explains how to use the AppLocker file hash rule condition and its advantages and disadvantages.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Understanding the file hash rule condition in AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md
View File

@ -3,7 +3,7 @@ title: Understanding the path rule condition in AppLocker
description: This article explains how to apply the AppLocker path rule condition and its advantages and disadvantages.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Understanding the path rule condition in AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md
View File

@ -3,7 +3,7 @@ title: Understanding the publisher rule condition in AppLocker
description: This article explains how to apply the AppLocker publisher rule condition and what controls are available.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# Understanding the publisher rule condition in AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md → windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
View File

@ -3,7 +3,7 @@ title: Use a reference device to create and maintain AppLocker policies
description: This article for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Use a reference device to create and maintain AppLocker policies

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md → windows/security/application-security/application-control/app-control-for-business/applocker/use-the-applocker-windows-powershell-cmdlets.md
View File

@ -3,7 +3,7 @@ title: Use the AppLocker Windows PowerShell cmdlets
description: This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 01/03/2024
ms.date: 09/11/2024
---
# Use the AppLocker Windows PowerShell cmdlets

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker.md
View File

@ -3,7 +3,7 @@ title: Using Event Viewer with AppLocker
description: This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
<!-- NOTE to reviewers. This article might fail Acrolinx checks because the Events documented are poorly worded... -->

4
windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md
View File

@ -3,14 +3,14 @@ title: What Is AppLocker
description: This article for the IT professional describes what AppLocker is.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# What Is AppLocker?
This article for the IT professional describes what AppLocker is.
Windows includes two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. For information to help you choose when to use WDAC or AppLocker, see [WDAC and AppLocker overview](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview).
Windows includes two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: App Control for Business and AppLocker. For information to help you choose when to use App Control or AppLocker, see [App Control and AppLocker overview](../appcontrol-and-applocker-overview.md).
AppLocker helps you create rules to allow or deny apps from running based on information about the apps' files. You can also use AppLocker to control which users or groups can run those apps.

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/windows-installer-rules-in-applocker.md
View File

@ -3,7 +3,7 @@ title: Windows Installer rules in AppLocker
description: This article describes the file formats and available default rules for the Windows Installer rule collection.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/24/2023
ms.date: 09/11/2024
---
# Windows Installer rules in AppLocker

Some files were not shown because too many files have changed in this diff Show More