diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index ee04e5c824..89a1b3bafb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -34,6 +34,7 @@ ### [Sideload Win32 apps on S mode](sideloading-win32-apps-on-windows-10-s-mode-devices.md) ### [Disable WDAC policies](disable-windows-defender-application-control-policies.md) ### [Device Guard and AppLocker](windows-defender-device-guard-and-applocker.md) +### [Windows Defender Application Control improvements in Windows 10 version 1903](windows-defender-application-control-improvements-in-windows-10-version-1903.md) ## [AppLocker](applocker\applocker-overview.md) ### [Administer AppLocker](applocker\administer-applocker.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 9dca57a76c..85b9f016f2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -103,47 +103,3 @@ As part of normal operations, they will eventually install software updates, or They could also choose to create a catalog that captures information about the unsigned internal application, then sign and distribute the catalog. Then the internal application could be handled by WDAC policies in the same way as any other signed application. An update to the internal application would only require that the catalog be regenerated, signed, and distributed (no restarts would be required). -## Path-based rules - -Beginning with Windows 10 version 1903, WDAC policies can contain path-based rules. - -- New-CIPolicy parameters - - FilePath: create path rules under path \ for anything not user-writeable (at the individual file level) - ```console - New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u - ``` - Optionally, add -UserWriteablePaths to ignore user writeability - - - FilePathRule: create a rule where filepath string is directly set to value of \ - ```console - New-CIPolicyRule -FilePathRule - ``` - Useful for wildcards like C:\foo\\* - -- Usage: same flow as per-app rules - ```xml - $rules = New-CIPolicyRule … - $rules += New-CIPolicyRule … - … - ``` - - ```console - New-CIPolicyRule -f .\mypolicy.xml -u - ``` - -- Wildcards supported: - Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe) - - One or the other, not both at the same time - - Does not support wildcard in the middle (ex. C:\\*\foo.exe) - - Examples: - - %WINDIR%\\... - - %SYSTEM32%\\... - - %OSDRIVE%\\... - -- Disable default FilePath rule protection of enforcing user-writeability - For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: - ```console - Set-RuleOption -o 18 .\policy.xml - ``` - - 
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md new file mode 100644 index 0000000000..69413bcaca --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md 
@@ -0,0 +1,67 @@ +--- +title: Windows Defender Application Control improvements in Windows 10 version 1903 (Windows 10) +description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: jsuther1974 +ms.date: 05/06/2018 +--- + +# Windows Defender Application Control improvements in Windows 10 version 1903 + +**Applies to:** + +- Windows 10 +- Windows Server 2016 + +## Path-based rules + +Beginning with Windows 10 version 1903, WDAC policies can contain path-based rules. + +- New-CIPolicy parameters + - FilePath: create path rules under path \ for anything not user-writeable (at the individual file level) + ```console + New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u + ``` + Optionally, add -UserWriteablePaths to ignore user writeability + + - FilePathRule: create a rule where filepath string is directly set to value of \ + ```console + New-CIPolicyRule -FilePathRule + ``` + Useful for wildcards like C:\foo\\* + +- Usage: same flow as per-app rules + ```xml + $rules = New-CIPolicyRule … + $rules += New-CIPolicyRule … + … + ``` + + ```console + New-CIPolicyRule -f .\mypolicy.xml -u + ``` + +- Wildcards supported: + Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe) + - One or the other, not both at the same time + - Does not support wildcard in the middle (ex. C:\\*\foo.exe) + - Examples: + - %WINDIR%\\... + - %SYSTEM32%\\... + - %OSDRIVE%\\... + +- Disable default FilePath rule protection of enforcing user-writeability + For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: + ```console + Set-RuleOption -o 18 .\policy.xml + ``` + +## Multiple Policies + +Beginning with Windows 10 vesion 1903, WDAC supportd multiple code integrity policies for one device. + +
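Review bot: In the TOC.md hunk, the new entry's title ("Windows Defender Application Control improvements in Windows 10 version 1903") is far longer than its siblings, which abbreviate to "WDAC" (for example "Disable WDAC policies"); consider "WDAC improvements in Windows 10 version 1903" for the TOC entry so the left navigation stays readable, keeping the full name as the page title.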
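Review bot: The select-types-of-rules-to-create.md hunk deletes the whole "Path-based rules" section without leaving a cross-reference, so readers of that page no longer learn that path rules exist in version 1903. Suggest replacing the removed block with one pointer line, e.g. `For path-based rules, see [Windows Defender Application Control improvements in Windows 10 version 1903](windows-defender-application-control-improvements-in-windows-10-version-1903.md).` Since the content is moved verbatim, the defects in the removed text (the `New-CIPolicyRule -f .\mypolicy.xml -u` line, the placeholder paths rendered as a bare `\`) carry over to the new file unless corrected there.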
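Review bot: In the new file's "Usage: same flow as per-app rules" block, `New-CIPolicyRule -f .\mypolicy.xml -u` should be `New-CIPolicy -Rules $rules -f .\mypolicy.xml -u`: `-f` (FilePath) and `-u` (UserPEs) are New-CIPolicy parameters, and the preceding lines build `$rules` precisely so it can be passed in. The `$rules = New-CIPolicyRule …` lines are PowerShell but fenced as ```xml; tag them ```powershell. The phrases "create path rules under path \" and "directly set to value of \" have lost an angle-bracketed placeholder and now render as a bare backslash; write it as `\<path\>` or in backticks, and give `-s` in `New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u` its path argument for the same reason. In "Multiple Policies", fix "vesion" to "version" and "supportd" to "supports"; as written the section is a one-sentence stub with no guidance on how the policies are authored or combined. Finally, the front matter `ms.date: 05/06/2018` predates the Windows 10 version 1903 release (May 2019), and "Applies to" lists Windows Server 2016 for features the page itself introduces with version 1903; please verify both.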