From ebc22ff43e6a978d3a3ac2f43b4e546a78fe7b50 Mon Sep 17 00:00:00 2001 From: Nilanjana Ganguly <74384702+ngangulyms@users.noreply.github.com> Date: Fri, 29 Sep 2023 15:38:51 -0700 Subject: [PATCH 01/11] Learn Editor: Update best-practices-configuring.md --- .../best-practices-configuring.md | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index a61bf25eec..6b3171e2a1 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md 
@@ -208,3 +208,34 @@ For tasks related to creating outbound rules, see [Checklist: Creating Outbound ## Document your changes When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. + +## Configure Windows Firewall rules with WDAG tagging policies + +Windows Firewall now supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can now be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration: + +**Step 1: Deploy WDAC AppId Tagging Policies** + +A Windows Defender Application Control (WDAC) policy needs to be deployed which specifies individual applications or groups of applications to apply a PolicyAppId tag to the process token(s). Then, the admin can define firewall rules which are scoped to all processes tagged with the matching PolicyAppId.   + +Follow the detailed [WDAC Application ID (AppId) Tagging Guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) to create, deploy, and test an AppID (Application ID) policy to tag applications.  + +**Step 2: Configure Firewall Rules using PolicyAppId Tags**  + +- **Deploy firewall rules with Intune:** When creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. 
The properties come directly from the [Firewall configuration service provider ](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform. +You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules. + +OR + +- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2022-ps) and specify the –PolicyAppId tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.  + +> [!NOTE] +> WDAC AppId Tagging Policies are available on the following versions of the Windows platform:  +> +> - Windows 10, versions 20H1 and above  + +> - Windows 11  + +> - Windows Server 2022 and above  + +> + From b5ca81edd4f369cf9295aaf0852e87c9e5236675 Mon Sep 17 00:00:00 2001 From: Nilanjana Ganguly <74384702+ngangulyms@users.noreply.github.com> Date: Tue, 3 Oct 2023 14:20:22 -0700 Subject: [PATCH 03/11] Update best-practices-configuring.md removed notes for editions --- .../windows-firewall/best-practices-configuring.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index 6b3171e2a1..2f4aaaafc8 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md 
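Review bot: the new heading "Configure Windows Firewall rules with WDAG tagging policies" names the wrong feature; the body text and the linked guide are about Windows Defender Application Control (WDAC), and WDAG is Application Guard, so the heading should read "Configure Windows Firewall rules with WDAC AppId tagging policies". Two smaller problems in the same hunk: the PowerShell bullet spells the parameter as `–PolicyAppId` with an en dash instead of a hyphen, which PowerShell will not recognise as a parameter if a reader pastes it, and the `[!NOTE]` block is split by blank lines between the `> - Windows 10 ...`, `> - Windows 11` and `> - Windows Server 2022` items, so it renders as several separate blockquotes rather than one note. The sentence "Multiple User Ids are supported" also needs a word of explanation (which setting, and in relation to what), since nothing else in the hunk mentions user IDs.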
@@ -228,14 +228,4 @@ OR - **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2022-ps) and specify the –PolicyAppId tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.  -> [!NOTE] -> WDAC AppId Tagging Policies are available on the following versions of the Windows platform:  -> -> - Windows 10, versions 20H1 and above  - -> - Windows 11  - -> - Windows Server 2022 and above  - -> From 477d5ea2f7769124f0413f46fcbe90fb01a88563 Mon Sep 17 00:00:00 2001 From: Nilanjana Ganguly <74384702+ngangulyms@users.noreply.github.com> Date: Tue, 3 Oct 2023 14:29:38 -0700 Subject: [PATCH 04/11] Update best-practices-configuring.md url correction --- .../windows-firewall/best-practices-configuring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index 2f4aaaafc8..cc0305632e 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md 
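Review bot: deleting the whole `[!NOTE]` block removes the only statement on the page of which Windows versions support AppId tagging, so readers can no longer tell whether the feature applies to their fleet. If the version list was wrong or unmaintained, replace it with a sentence that points at the requirements section of the linked AppId Tagging Guide rather than dropping the information outright.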
@@ -226,6 +226,6 @@ You can do this through the Intune admin center under Endpoint security > Firewa OR -- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2022-ps) and specify the –PolicyAppId tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.  +- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the –PolicyAppId tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.  From 090e7ae13bf9aff5fa085c7070f5cf91672bddc6 Mon Sep 17 00:00:00 2001 From: Nilanjana Ganguly <74384702+ngangulyms@users.noreply.github.com> Date: Tue, 3 Oct 2023 14:30:15 -0700 Subject: [PATCH 05/11] Update best-practices-configuring.md --- .../windows-firewall/best-practices-configuring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index cc0305632e..0eab04c64d 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md 
@@ -209,7 +209,7 @@ For tasks related to creating outbound rules, see [Checklist: Creating Outbound When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. -## Configure Windows Firewall rules with WDAG tagging policies +## Configure Windows Firewall rules with WDAC tagging policies Windows Firewall now supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can now be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration: From ac951fcbdc940aa4513476e37ae79df953a220ed Mon Sep 17 00:00:00 2001 From: Nilanjana Ganguly <74384702+ngangulyms@users.noreply.github.com> Date: Wed, 11 Oct 2023 10:51:49 -0700 Subject: [PATCH 06/11] Update windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/best-practices-configuring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index 0eab04c64d..37c7bd40cd 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md 
@@ -213,7 +213,7 @@ When creating an inbound or outbound rule, you should specify details about the Windows Firewall now supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can now be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration: -**Step 1: Deploy WDAC AppId Tagging Policies** +### Step 1: Deploy WDAC AppId Tagging Policies A Windows Defender Application Control (WDAC) policy needs to be deployed which specifies individual applications or groups of applications to apply a PolicyAppId tag to the process token(s). Then, the admin can define firewall rules which are scoped to all processes tagged with the matching PolicyAppId.   From 3819fb16e3dcd5666c337098380a971a8c8fda46 Mon Sep 17 00:00:00 2001 From: Nilanjana Ganguly <74384702+ngangulyms@users.noreply.github.com> Date: Wed, 11 Oct 2023 10:52:06 -0700 Subject: [PATCH 07/11] Update windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/best-practices-configuring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index 37c7bd40cd..9db1183c80 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md 
@@ -219,7 +219,7 @@ A Windows Defender Application Control (WDAC) policy needs to be deployed which Follow the detailed [WDAC Application ID (AppId) Tagging Guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) to create, deploy, and test an AppID (Application ID) policy to tag applications.  -**Step 2: Configure Firewall Rules using PolicyAppId Tags**  +### Step 2: Configure Firewall Rules using PolicyAppId Tags - **Deploy firewall rules with Intune:** When creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider ](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform. You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules. From 03f7d28f345d252eba145843d31783c67efa7bfe Mon Sep 17 00:00:00 2001 From: Nilanjana Ganguly <74384702+ngangulyms@users.noreply.github.com> Date: Wed, 11 Oct 2023 10:52:36 -0700 Subject: [PATCH 08/11] Update windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/best-practices-configuring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index 9db1183c80..45c223f957 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md 
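Review bot: in the context line under the new `### Step 2` heading the link text `[Firewall configuration service provider ](/windows/client-management/mdm/firewall-csp)(CSP)` has a trailing space inside the brackets and leaves "(CSP)" outside the link; while the heading is being touched, tidy this to `[Firewall configuration service provider (CSP)](/windows/client-management/mdm/firewall-csp)`. The sentence "When creating firewall rules with Intune Microsoft Defender Firewall Rules" also reads as a run-on; "with the Intune Microsoft Defender Firewall Rules profile" makes the object clear.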
+++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md @@ -226,6 +226,6 @@ You can do this through the Intune admin center under Endpoint security > Firewa OR -- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the –PolicyAppId tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.  +- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the `–PolicyAppId` tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.  From 17c6af725c0f3f3bc0867c9ec62d3b04b7d09940 Mon Sep 17 00:00:00 2001 From: yunakam-msft <63231957+yukinakamori@users.noreply.github.com> Date: Tue, 17 Oct 2023 23:16:28 +0900 Subject: [PATCH 09/11] Update using-event-viewer-with-applocker.md Update to the latest event level and message. --- .../using-event-viewer-with-applocker.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 35cecd0bee..f237a5b23c 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md 
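Review bot: wrapping the parameter in backticks keeps the en dash, so the rendered text is still `–PolicyAppId`, which fails when pasted into a PowerShell session; change it to `-PolicyAppId` with an ASCII hyphen. The bullet would also be more useful with the other half of the sentence made concrete: "You can specify one tag at a time" should say that `-PolicyAppId` accepts a single tag per rule, and "Multiple User Ids are supported" should state what it refers to, since the surrounding text never mentions user IDs.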
@@ -38,24 +38,24 @@ The following table contains information about the events that you can use to de | Event ID | Level | Event message | Description | | --- | --- | --- | --- | -| 8000 | Error| Application Identity Policy conversion failed. Status * <%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| +| 8000 | Error| AppID policy conversion failed. Status * <%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| | 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| -| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was prevented from running.| Access to *<file name>* is restricted by the administrator. 
Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| | 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| -| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| -| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| -| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| -| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| -| 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.| -| 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.| -| 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| -| 8025 | Warning| Packaged app installation disabled.| Added in Windows Server 2012 and Windows 8.| -| 8027 | Warning| No Packaged app rule configured.| Added in Windows Server 2012 and Windows 8.| -| 8028 | Warning | * was allowed to run but would have been prevented if the Config CI policy was enforced.| Added in Windows Server 2016 and Windows 10.| -| 8029 | Error | * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.| +| 8006 | Warning| *<File name> * was allowed to run but would 
have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8007 | Error| *<File name> * was prevented from running.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| +| 8008| Warning| *<File name> *: AppLocker component not available on this SKU.| Added in Windows Server 2012 and Windows 8.| +| 8020| Information| *<File name> * was allowed to run.| Added in Windows Server 2012 and Windows 8.| +| 8021| Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Added in Windows Server 2012 and Windows 8.| +| 8022| Error| *<File name> * was prevented from running.| Added in Windows Server 2012 and Windows 8.| +| 8023 | Information| *<File name> * was allowed to be installed.| Added in Windows Server 2012 and Windows 8.| +| 8024 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Added in Windows Server 2012 and Windows 8.| +| 8025 | Error| *<File name> * was prevented from running.| Added in Windows Server 2012 and Windows 8.| +| 8027 | Error| No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.| Added in Windows Server 2012 and Windows 8.| +| 8028 | Warning | *<File name> * was allowed to run but would have been prevented if the Config CI policy were enforced.| Added in Windows Server 2016 and Windows 10.| +| 8029 | Error | *<File name> * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.| | 8030 | Information | ManagedInstaller check SUCCEEDED during 
Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10.| | 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| @@ -63,9 +63,9 @@ The following table contains information about the events that you can use to de | 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8036 | Error | * was prevented from running due to Config CI policy | Added in Windows Server 2016 and Windows 10.| -| 8037 | Information | * passed Config CI policy and was allowed to run | Added in Windows Server 2016 and Windows 10.| +| 8037 | Information | * passed Config CI policy and was allowed to run.| Added in Windows Server 2016 and Windows 10.| | 8038 | Information | Publisher info: Subject: * Issuer: * Signature index * (* total) | Added in Windows Server 2016 and Windows 10.| -| 8039 | Warning | * passed Config CI policy and was allowed to run | Added in Windows Server 2016 and Windows 10.| +| 8039 | Warning | Package family name * version * was allowed to install or update but would have been prevented if the Config CI policy | Added in Windows Server 2016 and Windows 10.| | 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy | Added in Windows Server 2016 and Windows 10.| From af383407f685b2696cd9d9ee0cda7689b0fed290 Mon Sep 17 00:00:00 2001 
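Review bot: in the first hunk the rewritten messages for 8020 to 8025 now read the same as 8002 to 8004 ("was allowed to run", "was prevented from running"), and their Description column still only says "Added in Windows Server 2012 and Windows 8", so the table no longer tells the reader that 8020 to 8022 are the packaged-app events and 8023 to 8025 the packaged-app installation events, which the old messages ("Packaged app allowed", "Packaged app installation allowed") did convey; carry that distinction into the Description column. Within that group 8023 says "was allowed to be installed" while 8024 and 8025 say "run", so either the install wording or the run wording is wrong for one of them. The level changes (8008 Error to Warning, 8022 and 8025 to Error, 8027 Warning to Error) are not explained in the commit message; a one-line note of where the new levels were read from would help the next reviewer.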
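Review bot: in the second hunk the new 8039 message is cut off: "was allowed to install or update but would have been prevented if the Config CI policy" stops before "were enforced", so the cell ends mid-sentence. While this row is being fixed, the unchanged context rows 8034 and 8035 look swapped (8034 "Script check FAILED" is listed at Information and 8035 "Script check SUCCEEDED" at Error), which is the same kind of level correction this commit is making elsewhere in the table.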
From: Gary Moore Date: Tue, 17 Oct 2023 13:58:34 -0700 Subject: [PATCH 10/11] Add image borders to screenshots without visible borders type="content" adds 1-pixel grey borders --- .../windows-firewall/best-practices-configuring.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index a61bf25eec..4c281e49a8 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md @@ -105,7 +105,7 @@ To determine why some applications are blocked from communicating in the network Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy. -![Windows Firewall prompt.](images/fw04-userquery.png) +:::image type="content" alt-text="Windows Firewall prompt." source="images/fw04-userquery.png"::: *Figure 4: Dialog box to allow access* @@ -185,7 +185,7 @@ incoming connections, including those in the list of allowed apps** setting foun *Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type* -![Firewall cpl.](images/fw07-legacy.png) +:::image type="content" alt-text="Firewall cpl." source="images/fw07-legacy.png"::: *Figure 7: Legacy firewall.cpl* From d81b5b3a59551541a647e1afad0acc322eb86d89 Mon Sep 17 00:00:00 2001 From: Alex Buck Date: Tue, 17 Oct 2023 23:07:08 -0400 Subject: [PATCH 11/11] [BULK] - DocuTune - Rebranding of Azure Active Dir --- .../private-app-repository-mdm-company-portal-windows-11.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
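Review bot: this patch's `index a61bf25eec..4c281e49a8` line shows it was generated against the pre-series blob a61bf25eec rather than 45c223f957, the state of best-practices-configuring.md after PATCH 08, so the series does not chain cleanly and should be rebased before merge; the two `:::image type="content":::` hunks touch different lines from the WDAC section and should still apply, but the blob hashes will not match when applied in order.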
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index 93ceaacb2c..cb4377d22d 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md +++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -63,7 +63,7 @@ To install the Company Portal app, you have some options: - [What is co-management?](/mem/configmgr/comanage/overview) - [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal) -- **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Azure AD organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use. +- **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Microsoft Entra organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use. - In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in.
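Review bot: the replacement "registers them in your Microsoft Entra organization (tenant)" is an awkward rendering of the rebrand; the product name is Microsoft Entra ID and the directory is a Microsoft Entra tenant, so "registers them in your Microsoft Entra tenant" is clearer and avoids the parenthetical. If this was produced by a bulk search-and-replace of "Azure AD", check that the rest of the file uses the same wording.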