diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md index 4dc0da5aba..c43cf2dd90 100644 --- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md +++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md 
@@ -1,23 +1,22 @@ --- -title: Designing, creating, managing, and troubleshooting Windows Defender Application Control AppId Tagging policies -description: How to design, create, manage, and troubleshoot your WDAC AppId Tagging policies +title: Designing, creating, managing, and troubleshooting App Control for Business AppId Tagging policies +description: How to design, create, manage, and troubleshoot your App Control AppId Tagging policies ms.localizationpriority: medium ms.date: 04/27/2022 ms.topic: conceptual --- -# WDAC Application ID (AppId) Tagging guide +# App Control Application ID (AppId) Tagging guide -> [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] ## AppId Tagging Feature Overview -The Application ID (AppId) Tagging Policy feature, while based off Windows Defender Application Control (WDAC), doesn't control whether applications run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy receive the tag while failing applications don't. +The Application ID (AppId) Tagging Policy feature, while based off App Control for Business, doesn't control whether applications run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy receive the tag while failing applications don't. 
## AppId Tagging Feature Availability -The WDAC AppId Tagging feature is available on the following versions of the Windows platform: +The App Control AppId Tagging feature is available on the following versions of the Windows platform: Client: - Windows 10 20H1, 20H2, and 21H1 versions only diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md index 1507fc348c..454998fcc3 100644 --- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md 
@@ -8,14 +8,13 @@ ms.topic: troubleshooting # Testing and Debugging AppId Tagging Policies -> [!NOTE] -> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event. +After deployment of the App Control AppId Tagging policy, App Control will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event. ## Verifying Tags on Running Processes -After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since Windows Defender Application Control (WDAC) can only tag processes created after the policy has been deployed. +After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since App Control for Business can only tag processes created after the policy has been deployed. 1. Download and Install the Windows Debugger 
diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md index df92759921..0c63966c1e 100644 --- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md 
@@ -1,17 +1,16 @@ --- -title: Deploying Windows Defender Application Control AppId tagging policies -description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment. +title: Deploying App Control for Business AppId tagging policies +description: How to deploy your App Control AppId tagging policies locally and globally within your managed environment. ms.localizationpriority: medium ms.date: 04/29/2022 ms.topic: conceptual --- -# Deploying Windows Defender Application Control AppId tagging policies +# Deploying App Control for Business AppId tagging policies -> [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId tagging policy, use one of the following methods to deploy: +Similar to App Control for Business policies, App Control AppId tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId tagging policy, use one of the following methods to deploy: 1. [Deploy AppId tagging policies with MDM](#deploy-appid-tagging-policies-with-mdm) 1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration-manager) 
@@ -20,23 +19,23 @@ Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagg ## Deploy AppId tagging policies with MDM -Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-appcontrol-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). +Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-appcontrol-policies-using-intune.md#deploy-app-control-policies-with-custom-oma-uri). ## Deploy AppId tagging policies with Configuration Manager -Custom AppId tagging policies can be deployed via Configuration Manager using the [deployment task sequences](../deployment/deploy-appcontrol-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. +Custom AppId tagging policies can be deployed via Configuration Manager using the [deployment task sequences](../deployment/deploy-appcontrol-policies-with-memcm.md#deploy-custom-app-control-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. ### Deploy AppId tagging Policies via Scripting -Scripting hosts can be used to deploy AppId tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. For more information on how to deploy WDAC AppId tagging policies via scripting, see [Deploy WDAC policies using script](../deployment/deploy-appcontrol-policies-with-script.md). For AppId tagging policies, the only applicable method is deploying to version 1903 or later. +Scripting hosts can be used to deploy AppId tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. 
For more information on how to deploy App Control AppId tagging policies via scripting, see [Deploy App Control policies using script](../deployment/deploy-appcontrol-policies-with-script.md). For AppId tagging policies, the only applicable method is deploying to version 1903 or later. ### Deploying policies via the ApplicationControl CSP -Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. +Multiple App Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Intune's Custom OMA-URI capability. > [!NOTE] -> WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format Windows Defender Application Control policies. +> WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format App Control for Business policies. 
diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md index ea51fb388c..6de85994c9 100644 --- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md 
@@ -1,85 +1,83 @@ --- -title: Create your Windows Defender Application Control AppId Tagging Policies -description: Create your Windows Defender Application Control AppId tagging policies for Windows devices. +title: Create your App Control for Business AppId Tagging Policies +description: Create your App Control for Business AppId tagging policies for Windows devices. ms.localizationpriority: medium ms.date: 04/29/2022 ms.topic: conceptual --- -# Creating your WDAC AppId Tagging Policies +# Creating your App Control AppId Tagging Policies -> [!NOTE] -> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -## Create the policy using the WDAC Wizard +## Create the policy using the App Control Wizard -You can use the Windows Defender Application Control (WDAC) Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [WDAC Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md). +You can use the App Control for Business Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The App Control Wizard is available for download at the [App Control Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md). 1. Create a new base policy using the templates: - Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. 
The following example shows beginning with the [Default Windows Mode](../design/appcontrol-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules. + Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/appcontrol-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules. - ![Configuring the policy base and template.](../images/appid-appcontrol-wizard-1.png) + ![Configuring the policy base and template.](../images/appid-appcontrol-wizard-1.png) - > [!NOTE] - > If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates. - For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies). + > [!NOTE] + > If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates. For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies). -2. Set the following rule-options using the Wizard toggles: +2. Set the following rule-options using the Wizard toggles: - ![Configuring the policy rule-options.](../images/appid-appcontrol-wizard-2.png) + ![Configuring the policy rule-options.](../images/appid-appcontrol-wizard-2.png) 3. Create custom rules: - Selecting the `+ Custom Rules` button opens the Custom Rules panel. 
The Wizard supports five types of file rules: + Selecting the `+ Custom Rules` button opens the Custom Rules panel. The Wizard supports five types of file rules: - - Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security. - - Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards. - - File attribute rules: Create a rule based off a file's immutable properties like the original filename, file description, product name or internal name. - - Package app name rules: Create a rule based off the package family name of an appx/msix. - - Hash rules: Create a rule based off the PE Authenticode hash of a file. + - Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security. + - Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards. + - File attribute rules: Create a rule based off a file's immutable properties like the original filename, file description, product name or internal name. + - Package app name rules: Create a rule based off the package family name of an appx/msix. + - Hash rules: Create a rule based off the PE Authenticode hash of a file. - For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../design/appcontrol-wizard-create-base-policy.md#creating-custom-file-rules). + For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../design/appcontrol-wizard-create-base-policy.md#creating-custom-file-rules). 4. 
Convert to AppId Tagging Policy: - After the Wizard builds the policy file, open the file in a text editor and remove the entire "Value=131" SigningScenario text block. The only remaining signing scenario should be "Value=12" which is the user mode application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario: + After the Wizard builds the policy file, open the file in a text editor and remove the entire "Value=131" SigningScenario text block. The only remaining signing scenario should be "Value=12" which is the user mode application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario: - ```powershell - Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue" - ``` - The policyID GUID is returned by the PowerShell command if successful. + ```powershell + Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue" + ``` + The policyID GUID is returned by the PowerShell command if successful. ## Create the policy using PowerShell -Using this method, you create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md). In an elevate PowerShell instance: +Using this method, you create an AppId Tagging policy directly using the App Control PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md). In an elevate PowerShell instance: -1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. 
In the example below, the level has been set to SignedVersion. Any of the [WDAC File Rule Levels](../design/select-types-of-rules-to-create.md#table-2-windows-defender-application-control-policy---file-rule-levels) can be used in AppId rules: +1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [App Control File Rule Levels](../design/select-types-of-rules-to-create.md#table-2-app-control-for-business-policy---file-rule-levels) can be used in AppId rules: - ```powershell - $rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath - ``` + ```powershell + $rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath + ``` 2. Create the AppId Tagging Policy. Replace the AppIdTagging Key-Value pair for your scenario: - ```powershell - New-CIPolicy -rules $rule -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue" - ``` + ```powershell + New-CIPolicy -rules $rule -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue" + ``` 3. Set the rule-options for the policy: - ```powershell - Set-RuleOption -Option 0 .\AppIdPolicy.xml # Usermode Code Integrity (UMCI) - Set-RuleOption -Option 16 .\AppIdPolicy.xml # Refresh Policy no Reboot - Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection - ``` + ```powershell + Set-RuleOption -Option 0 .\AppIdPolicy.xml # Usermode Code Integrity (UMCI) + Set-RuleOption -Option 16 .\AppIdPolicy.xml # Refresh Policy no Reboot + Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection + ``` - If you're using filepath rules, you may want to set option 18. Otherwise, there's no need. + If you're using filepath rules, you may want to set option 18. Otherwise, there's no need. 4. 
Set the name and ID on the policy, which is helpful for future debugging: - ```powershell - Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml" - ``` - The policyID GUID is returned by the PowerShell command if successful. + ```powershell + Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml" + ``` + The policyID GUID is returned by the PowerShell command if successful. ## Deploy for Local Testing @@ -87,18 +85,18 @@ After creating your AppId Tagging policy in the above steps, you can deploy the 1. Depending on your deployment method, convert the xml to binary: - ```powershell - Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip" - ``` + ```powershell + Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip" + ``` 2. Optionally, deploy it for local testing: - ```powershell - copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\ - ./RefreshPolicy.exe - ``` + ```powershell + copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\ + ./RefreshPolicy.exe + ``` - RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925). + RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925). ## Next Steps For more information on debugging and broad deployment of the AppId Tagging policy, see [Debugging AppId policies](debugging-operational-guide-appid-tagging-policies.md) and [Deploying AppId policies](deploy-appid-tagging-policies.md). diff --git a/windows/security/application-security/application-control/app-control-for-business/TOC.yml b/windows/security/application-security/application-control/app-control-for-business/TOC.yml index c24abf5f4e..d7bad29ee6 100644 
--- a/windows/security/application-security/application-control/app-control-for-business/TOC.yml +++ b/windows/security/application-security/application-control/app-control-for-business/TOC.yml @@ -4,22 +4,22 @@ href: appcontrol.md expanded: true items: - - name: WDAC and AppLocker Overview + - name: App Control and AppLocker Overview href: appcontrol-and-applocker-overview.md - - name: WDAC and AppLocker Feature Availability + - name: App Control and AppLocker Feature Availability href: feature-availability.md - name: Virtualization-based protection of code integrity - href: ../introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md -- name: WDAC design guide + href: ../introduction-to-virtualization-based-security-and-appcontrol.md +- name: App Control design guide href: design/appcontrol-design-guide.md items: - - name: Plan for WDAC policy lifecycle management + - name: Plan for App Control policy lifecycle management href: design/plan-appcontrol-management.md - - name: Design your WDAC policy + - name: Design your App Control policy items: - - name: Understand WDAC policy design decisions + - name: Understand App Control policy design decisions href: design/understand-appcontrol-policy-design-decisions.md - - name: Understand WDAC policy rules and file rules + - name: Understand App Control policy rules and file rules href: design/select-types-of-rules-to-create.md items: - name: Allow apps installed by a managed installer 
@@ -28,88 +28,88 @@ href: design/use-appcontrol-with-intelligent-security-graph.md - name: Allow COM object registration href: design/allow-com-object-registration-in-appcontrol-policy.md - - name: Use WDAC with .NET hardening + - name: Use App Control with .NET hardening href: design/appcontrol-and-dotnet.md - - name: Script enforcement with Windows Defender Application Control + - name: Script enforcement with App Control for Business href: design/script-enforcement.md - - name: Manage packaged apps with WDAC + - name: Manage packaged apps with App Control href: design/manage-packaged-apps-with-appcontrol.md - - name: Use WDAC to control specific plug-ins, add-ins, and modules + - name: Use App Control to control specific plug-ins, add-ins, and modules href: design/use-appcontrol-policy-to-control-specific-plug-ins-add-ins-and-modules.md - - name: Understand WDAC policy settings + - name: Understand App Control policy settings href: design/understanding-appcontrol-policy-settings.md - - name: Use multiple WDAC policies + - name: Use multiple App Control policies href: design/deploy-multiple-appcontrol-policies.md - - name: Create your WDAC policy + - name: Create your App Control policy items: - - name: Example WDAC base policies + - name: Example App Control base policies href: design/example-appcontrol-base-policies.md - - name: Policy creation for common WDAC usage scenarios + - name: Policy creation for common App Control usage scenarios href: design/common-appcontrol-use-cases.md items: - - name: Create a WDAC policy for lightly managed devices + - name: Create a App Control policy for lightly managed devices href: design/create-appcontrol-policy-for-lightly-managed-devices.md - - name: Create a WDAC policy for fully managed devices + - name: Create a App Control policy for fully managed devices href: design/create-appcontrol-policy-for-fully-managed-devices.md - - name: Create a WDAC policy for fixed-workload devices + - name: Create a App Control policy 
for fixed-workload devices href: design/create-appcontrol-policy-using-reference-computer.md - - name: Create a WDAC deny list policy + - name: Create a App Control deny list policy href: design/create-appcontrol-deny-policy.md - - name: Applications that can bypass WDAC and how to block them + - name: Applications that can bypass App Control and how to block them href: design/applications-that-can-bypass-appcontrol.md - name: Microsoft recommended driver block rules href: design/microsoft-recommended-driver-block-rules.md - - name: Use the WDAC Wizard tool + - name: Use the App Control Wizard tool href: design/appcontrol-wizard.md items: - - name: Create a base WDAC policy with the Wizard + - name: Create a base App Control policy with the Wizard href: design/appcontrol-wizard-create-base-policy.md - - name: Create a supplemental WDAC policy with the Wizard + - name: Create a supplemental App Control policy with the Wizard href: design/appcontrol-wizard-create-supplemental-policy.md - - name: Editing a WDAC policy with the Wizard + - name: Editing a App Control policy with the Wizard href: design/appcontrol-wizard-editing-policy.md - - name: Creating WDAC Policy Rules from WDAC Events + - name: Creating App Control Policy Rules from App Control Events href: design/appcontrol-wizard-parsing-event-logs.md - - name: Merging multiple WDAC policies with the Wizard + - name: Merging multiple App Control policies with the Wizard href: design/appcontrol-wizard-merging-policies.md -- name: WDAC deployment guide +- name: App Control deployment guide href: deployment/appcontrol-deployment-guide.md items: - - name: Deploy WDAC policies with MDM + - name: Deploy App Control policies with MDM href: deployment/deploy-appcontrol-policies-using-intune.md - - name: Deploy WDAC policies with Configuration Manager + - name: Deploy App Control policies with Configuration Manager href: deployment/deploy-appcontrol-policies-with-memcm.md - - name: Deploy WDAC policies with script + - 
name: Deploy App Control policies with script href: deployment/deploy-appcontrol-policies-with-script.md - - name: Deploy WDAC policies with group policy + - name: Deploy App Control policies with group policy href: deployment/deploy-appcontrol-policies-using-group-policy.md - - name: Audit WDAC policies + - name: Audit App Control policies href: deployment/audit-appcontrol-policies.md - - name: Merge WDAC policies + - name: Merge App Control policies href: deployment/merge-appcontrol-policies.md - - name: Enforce WDAC policies + - name: Enforce App Control policies href: deployment/enforce-appcontrol-policies.md - - name: Use code signing for added control and protection with WDAC + - name: Use code signing for added control and protection with App Control href: deployment/use-code-signing-for-better-control-and-protection.md items: - - name: Deploy catalog files to support WDAC + - name: Deploy catalog files to support App Control href: deployment/deploy-catalog-files-to-support-appcontrol.md - - name: Use signed policies to protect Windows Defender Application Control against tampering + - name: Use signed policies to protect App Control for Business against tampering href: deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md - - name: "Optional: Create a code signing cert for WDAC" + - name: "Optional: Create a code signing cert for App Control" href: deployment/create-code-signing-cert-for-appcontrol.md - - name: Disable WDAC policies + - name: Disable App Control policies href: deployment/disable-appcontrol-policies.md -- name: WDAC operational guide +- name: App Control operational guide href: operations/appcontrol-operational-guide.md items: - - name: WDAC debugging and troubleshooting + - name: App Control debugging and troubleshooting href: operations/appcontrol-debugging-and-troubleshooting.md - name: Understanding Application Control event IDs href: operations/event-id-explanations.md - name: Understanding Application Control event 
tags href: operations/event-tag-explanations.md - - name: Query WDAC events with Advanced hunting + - name: Query App Control events with Advanced hunting href: operations/querying-application-control-events-centrally-using-advanced-hunting.md - name: Known Issues href: operations/known-issues.md @@ -117,9 +117,9 @@ href: operations/configure-appcontrol-managed-installer.md - name: CITool.exe technical reference href: operations/citool-commands.md - - name: Inbox WDAC policies + - name: Inbox App Control policies href: operations/inbox-appcontrol-policies.md -- name: WDAC AppId Tagging guide +- name: App Control AppId Tagging guide href: AppIdTagging/appcontrol-appid-tagging-guide.md items: - name: Creating AppId Tagging Policies diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md index 1e2654111c..b73b5fd915 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md 
@@ -1,23 +1,22 @@ --- -title: WDAC and AppLocker Overview +title: App Control and AppLocker Overview description: Compare Windows application control technologies. ms.localizationpriority: medium ms.date: 01/03/2024 ms.topic: conceptual --- -# Windows Defender Application Control and AppLocker Overview +# App Control for Business and AppLocker Overview -> [!NOTE] -> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](feature-availability.md). +[!INCLUDE [Feature availability note](includes/feature-availability-note.md)] -Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. +Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: App Control for Business and AppLocker. -## Windows Defender Application Control +## App Control for Business -WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC). +App Control was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC). -WDAC policies apply to the managed computer as a whole and affects all users of the device. 
WDAC rules can be defined based on: +App Control policies apply to the managed computer as a whole and affects all users of the device. App Control rules can be defined based on: - Attributes of the codesigning certificate(s) used to sign an app and its binaries - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file 
@@ -27,13 +26,13 @@ WDAC policies apply to the managed computer as a whole and affects all users of - The process that launched the app or binary > [!NOTE] -> WDAC was originally released as part of Device Guard and called configurable code integrity. Device Guard and configurable code integrity are no longer used except to find where to deploy WDAC policy via Group Policy. +> App Control was originally released as part of Device Guard and called configurable code integrity. Device Guard and configurable code integrity are no longer used except to find where to deploy App Control policy via Group Policy. -### WDAC System Requirements +### App Control System Requirements -WDAC policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. WDAC policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019. +App Control policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. App Control policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy App Control policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019. -For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md). +For more information on which individual App Control features are available on specific App Control builds, see [App Control feature availability](feature-availability.md). ## AppLocker 
@@ -45,16 +44,16 @@ AppLocker policies can apply to all users on a computer, or to individual users - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file. - The path from which the app or file is launched. -AppLocker is also used by some features of WDAC, including [managed installer](/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer) and the [Intelligent Security Graph](/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-with-intelligent-security-graph). +AppLocker is also used by some features of App Control, including [managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md) and the [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md). ### AppLocker System Requirements AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md). AppLocker policies can be deployed using Group Policy or MDM. -## Choose when to use WDAC or AppLocker +## Choose when to use App Control or AppLocker -Generally, customers who are able to implement application control using WDAC, rather than AppLocker, should do so. WDAC is undergoing continual improvements, and is getting added support from Microsoft management platforms. Although AppLocker continues to receive security fixes, it isn't getting new feature improvements. +Generally, customers who are able to implement application control using App Control, rather than AppLocker, should do so. App Control is undergoing continual improvements, and is getting added support from Microsoft management platforms. 
Although AppLocker continues to receive security fixes, it isn't getting new feature improvements. However, in some cases, AppLocker might be the more appropriate technology for your organization. AppLocker is best when: @@ -62,4 +61,4 @@ However, in some cases, AppLocker might be the more appropriate technology for y - You need to apply different policies for different users or groups on shared computers. - You don't want to enforce application control on application files such as DLLs or drivers. -AppLocker can also be deployed as a complement to WDAC to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions. +AppLocker can also be deployed as a complement to App Control to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. As a best practice, you should enforce App Control at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions. diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md index 88c99842d1..0a3335af15 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md 
@@ -10,8 +10,7 @@ ms.topic: overview # Application Control for Windows -> [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). +[!INCLUDE [Feature availability note](includes/feature-availability-note.md)] With thousands of new malicious files created every day, using traditional methods like antivirus solutions-signature-based detection to fight against malware-provides an inadequate defense against new attacks. 
@@ -26,14 +25,14 @@ Application control is a crucial line of defense for protecting enterprises give Windows 10 and Windows 11 include two technologies that can be used for application control depending on your organization's specific scenarios and requirements: -- **Windows Defender Application Control (WDAC)**; and +- **App Control for Business**; and - **AppLocker** -## WDAC and Smart App Control +## App Control and Smart App Control -Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy). +Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. 
The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy). -Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect. +Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect. | Value | Description | |-------|-------------| 
@@ -57,7 +56,7 @@ Smart App Control enforces the [Microsoft Recommended Driver Block rules](design ## Related articles -- [WDAC design guide](design/appcontrol-design-guide.md) -- [WDAC deployment guide](deployment/appcontrol-deployment-guide.md) -- [WDAC operational guide](operations/appcontrol-operational-guide.md) +- [App Control design guide](design/appcontrol-design-guide.md) +- [App Control deployment guide](deployment/appcontrol-deployment-guide.md) +- [App Control operational guide](operations/appcontrol-operational-guide.md) - [AppLocker overview](applocker/applocker-overview.md) diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md index 654b172dca..045b43bc8e 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md 
@@ -11,13 +11,13 @@ ms.date: 01/03/2024 # AppLocker -This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of Windows Defender Application Control. +This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of App Control for Business. > [!NOTE] -> AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. +> AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [App Control for Business](../appcontrol-and-applocker-overview.md) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. 
> [!NOTE] -> By default, AppLocker policy only applies to code launched in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to non-user processes, including those running as SYSTEM. For more information, see [AppLocker rule collection extensions](/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions#services-enforcement). +> By default, AppLocker policy only applies to code launched in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to non-user processes, including those running as SYSTEM. For more information, see [AppLocker rule collection extensions](rule-collection-extensions.md#services-enforcement). AppLocker can help you: diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md index a948419849..50971f323d 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md 
@@ -12,7 +12,7 @@ This article for the IT professional introduces the design and planning steps re This guide provides important designing and planning information for deploying application control policies by using AppLocker. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that addresses your specific application control requirements by department, organizational unit, or business group. -To understand if AppLocker is the correct application control solution for your organization, see [Windows Defender Application Control and AppLocker overview](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview). +To understand if AppLocker is the correct application control solution for your organization, see [App Control for Business and AppLocker overview](../appcontrol-and-applocker-overview.md). ## In this section diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md index 81e26f0be3..15208b7d2a 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md 
@@ -8,8 +8,7 @@ ms.date: 12/23/2023 # AppLocker processes and interactions -> [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 2489e8b738..5dcf968359 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md 
@@ -10,7 +10,7 @@ ms.date: 12/22/2023 This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. -The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local policy is used. When the Merge parameter is used, rules in the specified AppLocker policy are merged with the AppLocker rules in the target GPO specified in the LDAP path. Merging policies removes rules with duplicate rule IDs, and the enforcement mode setting is chosen as described in [Working with AppLocker rules](/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules#enforcement-modes). If the Merge parameter isn't specified, then the new policy overwrites the existing policy. +The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local policy is used. When the Merge parameter is used, rules in the specified AppLocker policy are merged with the AppLocker rules in the target GPO specified in the LDAP path. Merging policies removes rules with duplicate rule IDs, and the enforcement mode setting is chosen as described in [Working with AppLocker rules](working-with-applocker-rules.md#enforcement-modes). If the Merge parameter isn't specified, then the new policy overwrites the existing policy. For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](/powershell/module/applocker/set-applockerpolicy). 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md index a17f0dbc2f..36686c2fea 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md 
@@ -12,7 +12,7 @@ This article for IT professionals describes the steps to manually merge AppLocke If you need to merge multiple AppLocker policies into a single one, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker console. For info about merging policies by using Windows PowerShell, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). -The AppLocker policy is stored in XML format, and an exported policy can be edited with any text or XML editor. To export an AppLocker policy, see [Export an AppLocker policy to an XML file](/windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file). Before making changes to an AppLocker policy manually, review [Working with AppLocker rules](/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules). +The AppLocker policy is stored in XML format, and an exported policy can be edited with any text or XML editor. To export an AppLocker policy, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md). Before making changes to an AppLocker policy manually, review [Working with AppLocker rules](working-with-applocker-rules.md). Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md index f8756d82ac..ca9f4ae325 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md 
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md @@ -29,7 +29,7 @@ This article describes the rule collection extensions added in Windows 10 and la ## Services enforcement -By default, AppLocker policy only applies to code running in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to nonuser processes, including services running as SYSTEM. You must enable services enforcement when using AppLocker with Windows Defender Application Control's (WDAC) [managed installer](/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer) feature. +By default, AppLocker policy only applies to code running in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to nonuser processes, including services running as SYSTEM. You must enable services enforcement when using AppLocker with App Control for Business's [managed installer](../design/configure-authorized-apps-deployed-with-a-managed-installer.md) feature. To apply AppLocker policy to nonuser processes, set ```` in the ```` section as shown in the preceding XML fragment. diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index e2740a5bf6..86556f815e 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md 
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -10,7 +10,7 @@ ms.date: 12/22/2023 This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. -Rule enforcement is applied only to collections of rules, not individual rules. For more info on rule collections, see [AppLocker rule collections](/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules#rule-collections). +Rule enforcement is applied only to collections of rules, not individual rules. For more info on rule collections, see [AppLocker rule collections](working-with-applocker-rules.md#rule-collections). Group Policy merges AppLocker policy in two ways: diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md index 256c416dbf..24f7f1e8c2 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md 
@@ -10,7 +10,7 @@ ms.date: 12/23/2023 This article for the IT professional describes what AppLocker is. -Windows includes two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. For information to help you choose when to use WDAC or AppLocker, see [WDAC and AppLocker overview](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview). +Windows includes two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: App Control for Business and AppLocker. For information to help you choose when to use App Control or AppLocker, see [App Control and AppLocker overview](../appcontrol-and-applocker-overview.md). AppLocker helps you create rules to allow or deny apps from running based on information about the apps' files. You can also use AppLocker to control which users or groups can run those apps. diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md index 688747f887..a893114a66 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md 
@@ -1,29 +1,28 @@ --- -title: Deploying Windows Defender Application Control (WDAC) policies -description: Learn how to plan and implement a WDAC deployment. +title: Deploying App Control for Business policies +description: Learn how to plan and implement a App Control deployment. ms.localizationpriority: medium ms.date: 01/23/2023 ms.topic: overview --- -# Deploying Windows Defender Application Control (WDAC) policies +# Deploying App Control for Business policies -> [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -You should now have one or more Windows Defender Application Control (WDAC) policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](../design/appcontrol-design-guide.md), do so now before proceeding. +You should now have one or more App Control for Business policies ready to deploy. If you haven't yet completed the steps described in the [App Control Design Guide](../design/appcontrol-design-guide.md), do so now before proceeding. -## Convert your WDAC policy XML to binary +## Convert your App Control policy XML to binary -Before you deploy your WDAC policies, you must first convert the XML to its binary form. You can do this using the following PowerShell example. You must set the $WDACPolicyXMLFile variable to point to your WDAC policy XML file. +Before you deploy your App Control policies, you must first convert the XML to its binary form. You can do this using the following PowerShell example. You must set the $AppControlPolicyXMLFile variable to point to your App Control policy XML file. 
```powershell - ## Update the path to your WDAC policy XML - $WDACPolicyXMLFile = $env:USERPROFILE + "\Desktop\MyWDACPolicy.xml" - [xml]$WDACPolicy = Get-Content -Path $WDACPolicyXMLFile - if (($WDACPolicy.SiPolicy.PolicyID) -ne $null) ## Multiple policy format (For Windows builds 1903+ only, including Server 2022) + ## Update the path to your App Control policy XML + $AppControlPolicyXMLFile = $env:USERPROFILE + "\Desktop\MyAppControlPolicy.xml" + [xml]$AppControlPolicy = Get-Content -Path $AppControlPolicyXMLFile + if (($AppControlPolicy.SiPolicy.PolicyID) -ne $null) ## Multiple policy format (For Windows builds 1903+ only, including Server 2022) { - $PolicyID = $WDACPolicy.SiPolicy.PolicyID + $PolicyID = $AppControlPolicy.SiPolicy.PolicyID $PolicyBinary = $PolicyID+".cip" } else ## Single policy format (Windows Server 2016 and 2019, and Windows 10 1809 LTSC) 
@@ -32,23 +31,23 @@ Before you deploy your WDAC policies, you must first convert the XML to its bina } ## Binary file will be written to your desktop - ConvertFrom-CIPolicy -XmlFilePath $WDACPolicyXMLFile -BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary + ConvertFrom-CIPolicy -XmlFilePath $AppControlPolicyXMLFile -BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary ``` ## Plan your deployment -As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Identify the devices you'll manage with WDAC and split them into deployment rings. This way, you can control the speed and scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next. +As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Identify the devices you'll manage with App Control and split them into deployment rings. This way, you can control the speed and scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next. -All Windows Defender Application Control policy changes should be deployed in audit mode before proceeding to enforcement. Carefully monitor events from devices where the policy has been deployed to ensure the block events you observe match your expectation before broadening the deployment to other deployment rings. If your organization uses Microsoft Defender for Endpoint, you can use the Advanced Hunting feature to centrally monitor WDAC-related events. 
Otherwise, we recommend using an event log forwarding solution to collect relevant events from your managed endpoints. +All App Control for Business policy changes should be deployed in audit mode before proceeding to enforcement. Carefully monitor events from devices where the policy has been deployed to ensure the block events you observe match your expectation before broadening the deployment to other deployment rings. If your organization uses Microsoft Defender for Endpoint, you can use the Advanced Hunting feature to centrally monitor App Control-related events. Otherwise, we recommend using an event log forwarding solution to collect relevant events from your managed endpoints. -## Choose how to deploy WDAC policies +## Choose how to deploy App Control policies > [!IMPORTANT] -> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case. +> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case. > > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. 
-There are several options to deploy Windows Defender Application Control policies to managed endpoints, including: +There are several options to deploy App Control for Business policies to managed endpoints, including: - [Deploy using a Mobile Device Management (MDM) solution](deploy-appcontrol-policies-using-intune.md), such as Microsoft Intune - [Deploy using Microsoft Configuration Manager](deploy-appcontrol-policies-with-memcm.md) diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md index 8e08b9a353..6c94229e73 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md 
@@ -1,35 +1,34 @@ --- -title: Use audit events to create WDAC policy rules -description: Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy. +title: Use audit events to create App Control policy rules +description: Audits allow admins to discover apps, binaries, and scripts that should be added to the App Control policy. ms.localizationpriority: medium ms.date: 05/03/2018 ms.topic: conceptual --- -# Use audit events to create WDAC policy rules +# Use audit events to create App Control policy rules ->[!NOTE] ->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. +Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your App Control policy but should be included. -While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed. +While a App Control policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. 
Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new App Control policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed. -## Overview of the process to create WDAC policy to allow apps using audit events +## Overview of the process to create App Control policy to allow apps using audit events > [!Note] -> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](appcontrol-deployment-guide.md). +> You must have already deployed a App Control audit mode policy to use this process. If you have not already done so, see [Deploying App Control for Business policies](appcontrol-deployment-guide.md). -To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy. +To familiarize yourself with creating App Control rules from audit events, follow these steps on a device with a App Control audit mode policy. -1. Install and run an application not allowed by the WDAC policy but that you want to allow. +1. Install and run an application not allowed by the App Control policy but that you want to allow. 2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](../operations/event-id-explanations.md). - **Figure 1. Exceptions to the deployed WDAC policy** - ![Event showing exception to WDAC policy.](../images/dg-fig23-exceptionstocode.png) + **Figure 1. Exceptions to the deployed App Control policy** + ![Event showing exception to App Control policy.](../images/dg-fig23-exceptionstocode.png) -3. 
In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](../design/create-appcontrol-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. +3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a App Control policy for fully managed devices](../design/create-appcontrol-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. ```powershell $PolicyName= "Lamna_FullyManagedClients_Audit" 
@@ -38,24 +37,24 @@ To familiarize yourself with creating WDAC rules from audit events, follow these $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt" ``` -4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**. +4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new App Control policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**. ```powershell New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback SignedVersion,FilePublisher,Hash -UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings ``` > [!NOTE] - > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](../design/select-types-of-rules-to-create.md). + > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about App Control rule levels, see [Understand App Control policy rules and file rules](../design/select-types-of-rules-to-create.md). -5. 
Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](../design/appcontrol-wizard-editing-policy.md)). +5. Find and review the App Control policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the App Control Policy Wizard tool (see [Editing existing base and supplemental App Control policies with the Wizard](../design/appcontrol-wizard-editing-policy.md)). -6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level. +6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that App Control couldn't create a rule for at either the specified rule level or fallback rule level. > [!NOTE] - > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**. + > New-CIPolicy only creates rules for files that can still be found on disk. 
Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the App Control policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**. 7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy. - For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-appcontrol-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](../design/deploy-multiple-appcontrol-policies.md). + For information on merging policies, refer to [Merge App Control for Business policies](merge-appcontrol-policies.md) and for information on supplemental policies see [Use multiple App Control for Business Policies](../design/deploy-multiple-appcontrol-policies.md). 8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md index aa98aebabb..e69da9c3d9 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md 
@@ -1,22 +1,21 @@ --- -title: Create a code signing cert for Windows Defender Application Control -description: Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or WDAC policies internally. +title: Create a code signing cert for App Control for Business +description: Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or App Control policies internally. ms.localizationpriority: medium ms.topic: conceptual ms.date: 12/01/2022 --- -# Optional: Create a code signing cert for Windows Defender Application Control +# Optional: Create a code signing cert for App Control for Business ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need to use [Microsoft's Trusted Signing service](/azure/trusted-signing/), a publicly issued code signing certificate or an internal CA. If you've purchased a code signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](appcontrol-deployment-guide.md). +As you deploy App Control for Business, you might need to sign catalog files or App Control policies internally. To do this signing, you'll either need to use [Microsoft's Trusted Signing service](/azure/trusted-signing/), a publicly issued code signing certificate or an internal CA. If you've purchased a code signing certificate, you can skip this article, and instead follow other articles listed in the [App Control for Business Deployment Guide](appcontrol-deployment-guide.md). 
If you have an internal CA, complete these steps to create a code signing certificate. > [!WARNING] -> When creating signing certificates for WDAC policy signing, Boot failure (blue screen) may occur if your signing certificate does not follow these rules: +> When creating signing certificates for App Control policy signing, Boot failure (blue screen) may occur if your signing certificate does not follow these rules: > > - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652). > - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported. @@ -34,7 +33,7 @@ If you have an internal CA, complete these steps to create a code signing certif 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list. -5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **WDAC Catalog Signing Certificate**. +5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **App Control Catalog Signing Certificate**. 6. On the **Request Handling** tab, select the **Allow private key to be exported** check box. @@ -64,7 +63,7 @@ When this certificate template has been created, you must publish it to the CA p A list of available templates to issue appears, including the template you created. -2. Select the WDAC Catalog signing certificate, and then select **OK**. +2. Select the App Control Catalog signing certificate, and then select **OK**. Now that the template is available to be issued, you must request one from the computer running Windows 10 or Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps: 
@@ -95,6 +94,6 @@ This certificate must be installed in the user's personal store on the computer 3. Choose the default settings, and then select **Export all extended properties**. -4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name. +4. Set a password, select an export path, and then select **AppControlCatSigningCert.pfx** as the file name. When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them. diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy.md b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy.md index 8b6c9f2da9..a0fcfe492a 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy.md 
@@ -1,38 +1,37 @@ --- -title: Deploy WDAC policies via Group Policy -description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide. +title: Deploy App Control policies via Group Policy +description: App Control for Business policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide. ms.localizationpriority: medium ms.date: 01/23/2023 ms.topic: how-to --- -# Deploy Windows Defender Application Control policies by using Group Policy +# Deploy App Control for Business policies by using Group Policy -> [!NOTE] -> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] > [!IMPORTANT] -> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Group Policy, deploy new signed WDAC Base policies [via script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies) and activate the policy with a system restart. +> Due to a known issue, you should always activate new **signed** App Control Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Group Policy, deploy new signed App Control Base policies [via script](deploy-appcontrol-policies-with-script.md#deploying-signed-policies) and activate the policy with a system restart. 
> > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. -Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. +Single-policy format App Control for Business policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. > [!IMPORTANT] -> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. +> Group Policy-based deployment of App Control for Business policies only supports single-policy format App Control policies. To use App Control on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. -You should now have a WDAC policy converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). +You should now have a App Control policy converted into binary form. If not, follow the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md). -The following procedure walks you through how to deploy a WDAC policy called **SiPolicy.p7b** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**. +The following procedure walks you through how to deploy a App Control policy called **SiPolicy.p7b** to a test OU called *App Control Enabled PCs* by using a GPO called **Contoso GPO Test**. 
-To deploy and manage a Windows Defender Application Control policy with Group Policy: +To deploy and manage a App Control for Business policy with Group Policy: 1. On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** 2. Create a new GPO: right-click an OU and then select **Create a GPO in this domain, and Link it here**. > [!NOTE] - > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../design/plan-appcontrol-management.md). + > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining App Control policies (or keeping them separate), as discussed in [Plan for App Control for Business lifecycle policy management](../design/plan-appcontrol-management.md). ![Group Policy Management, create a GPO.](../images/dg-fig24-creategpo.png) 
@@ -40,20 +39,20 @@ To deploy and manage a Windows Defender Application Control policy with Group Po 4. Open the Group Policy Management Editor: right-click the new GPO, and then select **Edit**. -5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then select **Edit**. +5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy App Control for Business** and then select **Edit**. - ![Edit the Group Policy for Windows Defender Application Control.](../images/appcontrol-edit-gp.png) + ![Edit the Group Policy for App Control for Business.](../images/appcontrol-edit-gp.png) -6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path. +6. In the **Deploy App Control for Business** dialog box, select the **Enabled** option, and then specify the App Control policy deployment path. - In this policy setting, you specify either the local path where the policy will exist on each client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, the path to SiPolicy.p7b using the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) would be %USERPROFILE%\Desktop\SiPolicy.p7b. + In this policy setting, you specify either the local path where the policy will exist on each client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. 
For example, the path to SiPolicy.p7b using the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md) would be %USERPROFILE%\Desktop\SiPolicy.p7b. > [!NOTE] - > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. + > This policy file does not need to be copied to every computer. You can instead copy the App Control policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. - ![Group Policy called Deploy Windows Defender Application Control.](../images/dg-fig26-enablecode.png) + ![Group Policy called Deploy App Control for Business.](../images/dg-fig26-enablecode.png) > [!NOTE] - > You may have noticed that the GPO setting references a .p7b file, but the file extension and name of the policy binary do not matter. Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b when applied to the client computers running Windows 10. If you are deploying different WDAC policies to different sets of devices, you may want to give each of your WDAC policies a friendly name and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. + > You may have noticed that the GPO setting references a .p7b file, but the file extension and name of the policy binary do not matter. Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b when applied to the client computers running Windows 10. 
If you are deploying different App Control policies to different sets of devices, you may want to give each of your App Control policies a friendly name and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. -7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the WDAC policy. +7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the App Control policy. diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune.md b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune.md index df6ad5fdc8..033199a9d7 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune.md 
@@ -1,26 +1,25 @@ --- -title: Deploy WDAC policies using Mobile Device Management (MDM) -description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. +title: Deploy App Control policies using Mobile Device Management (MDM) +description: You can use an MDM like Microsoft Intune to configure App Control for Business. Learn how with this step-by-step guide. ms.localizationpriority: medium ms.date: 08/30/2023 ms.topic: how-to --- -# Deploy WDAC policies using Mobile Device Management (MDM) +# Deploy App Control policies using Mobile Device Management (MDM) -> [!NOTE] -> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. +You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure App Control for Business on client machines. Intune includes native support for App Control, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. 
If your organization uses another MDM solution, check with your solution provider for App Control policy deployment steps. > [!IMPORTANT] -> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-appcontrol-policies-with-script.md) and activate the policy with a system restart. +> Due to a known issue, you should always activate new **signed** App Control Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Mobile Device Management (MDM), deploy new signed App Control Base policies [via script](deploy-appcontrol-policies-with-script.md) and activate the policy with a system restart. > > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. ## Use Intune's built-in policies -Intune's built-in Windows Defender Application Control support allows you to configure Windows client computers to only run: +Intune's built-in App Control for Business support allows you to configure Windows client computers to only run: - Windows components - Third-party hardware and software kernel drivers 
@@ -28,21 +27,21 @@ Intune's built-in Windows Defender Application Control support allows you to con - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) > [!NOTE] -> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to create and deploy multiple-policy format files. Or, you can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic. +> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. Use the [improved Intune App Control experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to create and deploy multiple-policy format files. Or, you can use Intune's custom OMA-URI feature to deploy your own multiple-policy format App Control policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic. > [!NOTE] -> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to deploy your own WDAC policies without a restart. Or, you can use Intune's custom OMA-URI feature with the ApplicationControl CSP. +> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies App Control policies. Use the [improved Intune App Control experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to deploy your own App Control policies without a restart. 
Or, you can use Intune's custom OMA-URI feature with the ApplicationControl CSP. -To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windows 10 (and later)](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json). +To use Intune's built-in App Control policies, configure [Endpoint Protection for Windows 10 (and later)](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json). -## Deploy WDAC policies with custom OMA-URI +## Deploy App Control policies with custom OMA-URI > [!NOTE] -> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../design/deploy-multiple-appcontrol-policies.md) which allow more granular policy. +> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create App Control for Business policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../design/deploy-multiple-appcontrol-policies.md) which allow more granular policy. -You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). +You should now have one or more App Control policies converted into binary form. 
If not, follow the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md). -### Deploy custom WDAC policies on Windows 10 1903+ +### Deploy custom App Control policies on Windows 10 1903+ Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. 
@@ -58,20 +57,20 @@ The steps to use Intune's custom OMA-URI functionality are: - **Data type**: Base64 (file) - **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune converts the uploaded .bin file to Base64 on your behalf. - :::image type="content" alt-text="Configure custom WDAC." source="../images/appcontrol-intune-custom-oma-uri.png" lightbox="../images/appcontrol-intune-custom-oma-uri.png"::: + :::image type="content" alt-text="Configure custom App Control." source="../images/appcontrol-intune-custom-oma-uri.png" lightbox="../images/appcontrol-intune-custom-oma-uri.png"::: > [!NOTE] > For the _Policy GUID_ value, do not include the curly brackets. -### Remove WDAC policies on Windows 10 1903+ +### Remove App Control policies on Windows 10 1903+ -Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable Windows Defender Application Control enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This deletion will prevent anything from being blocked and fully remove the WDAC policy on the next reboot. +Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable App Control for Business enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. 
This deletion will prevent anything from being blocked and fully remove the App Control policy on the next reboot. ### For pre-1903 systems #### Deploying policies -The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: +The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom App Control policy to pre-1903 systems are: 1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned. @@ -87,4 +86,4 @@ The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker C #### Removing policies -Policies deployed through Intune via the AppLocker CSP can't be deleted through the Intune console. In order to disable Windows Defender Application Control policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy. +Policies deployed through Intune via the AppLocker CSP can't be deleted through the Intune console. In order to disable App Control for Business policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy. diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm.md b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm.md index 1d1038cbee..99b78a8bdc 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm.md 
@@ -1,21 +1,20 @@ --- -title: Deploy Windows Defender Application Control policies with Configuration Manager -description: You can use Microsoft Configuration Manager to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. +title: Deploy App Control for Business policies with Configuration Manager +description: You can use Microsoft Configuration Manager to configure App Control for Business. Learn how with this step-by-step guide. ms.date: 06/27/2022 ms.topic: how-to ms.localizationpriority: medium --- -# Deploy WDAC policies by using Microsoft Configuration Manager +# Deploy App Control policies by using Microsoft Configuration Manager -> [!NOTE] -> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -You can use Microsoft Configuration Manager to configure Windows Defender Application Control (WDAC) on client machines. +You can use Microsoft Configuration Manager to configure App Control for Business on client machines. ## Use Configuration Manager's built-in policies -Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow: +Configuration Manager includes native support for App Control, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow: - Windows components - Microsoft Store apps 
@@ -23,24 +22,24 @@ Configuration Manager includes native support for WDAC, which allows you to conf - (Optional) Reputable apps as defined by the Intelligent Security Graph (ISG) - (Optional) Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints. -Configuration Manager doesn't remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. +Configuration Manager doesn't remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable App Control for Business altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. -### Create a WDAC Policy in Configuration Manager +### Create a App Control Policy in Configuration Manager -1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy** +1. Select **Asset and Compliance** > **Endpoint Protection** > **App Control for Business** > **Create Application Control Policy** - ![Create a WDAC policy in Configuration Manager.](../images/memcm/memcm-create-appcontrol-policy.jpg) + ![Create a App Control policy in Configuration Manager.](../images/memcm/memcm-create-appcontrol-policy.jpg) 2. Enter the name of the policy > **Next** 3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes** 4. Select the mode that you want the policy to run (Enforcement enabled / Audit Only) 5. 
Select **Next** - ![Create an enforced WDAC policy in Configuration Manager.](../images/memcm/memcm-create-appcontrol-policy-2.jpg) + ![Create an enforced App Control policy in Configuration Manager.](../images/memcm/memcm-create-appcontrol-policy-2.jpg) 6. Select **Add** to begin creating rules for trusted software - ![Create a WDAC path rule in Configuration Manager.](../images/memcm/memcm-create-appcontrol-rule.jpg) + ![Create a App Control path rule in Configuration Manager.](../images/memcm/memcm-create-appcontrol-rule.jpg) 7. Select **File** or **Folder** to create a path rule > **Browse** @@ -53,13 +52,13 @@ Configuration Manager doesn't remove policies once deployed. To stop enforcement 9. Select **OK** to add the rule to the table of trusted files or folder 10. Select **Next** to navigate to the summary page > **Close** - ![Confirm the WDAC path rule in Configuration Manager.](../images/memcm/memcm-confirm-appcontrol-rule.jpg) + ![Confirm the App Control path rule in Configuration Manager.](../images/memcm/memcm-confirm-appcontrol-rule.jpg) -### Deploy the WDAC policy in Configuration Manager +### Deploy the App Control policy in Configuration Manager 1. Right-click the newly created policy > **Deploy Application Control Policy** - ![Deploy WDAC via Configuration Manager.](../images/memcm/memcm-deploy-appcontrol.jpg) + ![Deploy App Control via Configuration Manager.](../images/memcm/memcm-deploy-appcontrol.jpg) 2. Select **Browse** 
@@ -71,12 +70,12 @@ Configuration Manager doesn't remove policies once deployed. To stop enforcement 4. Change the schedule > **OK** - ![Change the WDAC deployment schedule.](../images/memcm/memcm-deploy-appcontrol-4.jpg) + ![Change the App Control deployment schedule.](../images/memcm/memcm-deploy-appcontrol-4.jpg) -For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). +For more information on using Configuration Manager's native App Control policies, see [App Control for Business management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). -Download the entire [WDAC in Configuration Manager lab paper](https://download.microsoft.com/download/c/f/d/cfd6227c-8ec4-442d-8c50-825550d412f6/WDAC-Deploy-WDAC-using-MEMCM.pdf). +Download the entire [App Control in Configuration Manager lab paper](https://download.microsoft.com/download/c/f/d/cfd6227c-8ec4-442d-8c50-825550d412f6/App Control-Deploy-App Control-using-MEMCM.pdf). -## Deploy custom WDAC policies using Packages/Programs or Task Sequences +## Deploy custom App Control policies using Packages/Programs or Task Sequences -Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. To define your own circle-of-trust, you can use Configuration Manager to deploy custom WDAC policies using [script-based deployment](deploy-appcontrol-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences. +Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. 
To define your own circle-of-trust, you can use Configuration Manager to deploy custom App Control policies using [script-based deployment](deploy-appcontrol-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences. diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md index 6910b03b04..af79b9bdae 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md 
@@ -1,29 +1,28 @@ --- -title: Deploy Windows Defender Application Control (WDAC) policies using script -description: Use scripts to deploy Windows Defender Application Control (WDAC) policies. Learn how with this step-by-step guide. +title: Deploy App Control for Business policies using script +description: Use scripts to deploy App Control for Business policies. Learn how with this step-by-step guide. ms.manager: jsuther ms.date: 01/23/2023 ms.topic: how-to ms.localizationpriority: medium --- -# Deploy WDAC policies using script +# Deploy App Control policies using script ->[!NOTE] ->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The following instructions use PowerShell but can work with any scripting host. +This article describes how to deploy App Control for Business policies using script. The following instructions use PowerShell but can work with any scripting host. -You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). +You should now have one or more App Control policies converted into binary form. If not, follow the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md). 
> [!IMPORTANT] -> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart. +> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart. > > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. ## Deploying policies for Windows 11 22H2 and above -You can use the inbox [CiTool](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your WDAC policy binary file. +You can use the inbox [CiTool](../operations/citool-commands.md) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your App Control policy binary file. 
```powershell # Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = from the Policy XML) @@ -33,7 +32,7 @@ CiTool --update-policy $PolicyBinary [-json] ## Deploying policies for Windows 11, Windows 10 version 1903 and above, and Windows Server 2022 and above -To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. +To use this procedure, download and distribute the [App Control policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your App Control policies allow the App Control policy refresh tool or use a managed installer to distribute the tool. 1. Initialize the variables to be used by the script. @@ -44,14 +43,14 @@ To use this procedure, download and distribute the [WDAC policy refresh tool](ht $RefreshPolicyTool = "" ``` -2. Copy Windows Defender Application Control (WDAC) policy binary to the destination folder. +2. Copy App Control for Business policy binary to the destination folder. ```powershell Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force ``` -3. Repeat steps 1-2 as appropriate to deploy more WDAC policies. -4. Run RefreshPolicy.exe to activate and refresh all WDAC policies on the managed endpoint. +3. Repeat steps 1-2 as appropriate to deploy more App Control policies. +4. Run RefreshPolicy.exe to activate and refresh all App Control policies on the managed endpoint. ```powershell & $RefreshPolicyTool 
@@ -69,13 +68,13 @@ Use WMI to apply policies on all other versions of Windows and Windows Server. $DestinationBinary = $env:windir+"\System32\CodeIntegrity\SiPolicy.p7b" ``` -2. Copy Windows Defender Application Control (WDAC) policy binary to the destination. +2. Copy App Control for Business policy binary to the destination. ```powershell Copy-Item -Path $PolicyBinary -Destination $DestinationBinary -Force ``` -3. Refresh and activate WDAC policy using WMI +3. Refresh and activate App Control policy using WMI ```powershell Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary} @@ -83,7 +82,7 @@ Use WMI to apply policies on all other versions of Windows and Windows Server. ## Deploying signed policies -If you're using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned WDAC policies don't need to be present in the EFI partition. +If you're using [signed App Control policies](use-signed-policies-to-protect-appcontrol-against-tampering.md), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned App Control policies don't need to be present in the EFI partition. 1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-catalog-files-to-support-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-catalog-files-to-support-appcontrol.md index 056e35ce3f..dc52420573 100644 
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-catalog-files-to-support-appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-catalog-files-to-support-appcontrol.md 
@@ -1,21 +1,20 @@ --- -title: Deploy catalog files to support Windows Defender Application Control -description: Catalog files simplify running unsigned applications in the presence of a Windows Defender Application Control (WDAC) policy. +title: Deploy catalog files to support App Control for Business +description: Catalog files simplify running unsigned applications in the presence of a App Control for Business policy. ms.localizationpriority: medium ms.topic: how-to ms.date: 11/30/2022 --- -# Deploy catalog files to support Windows Defender Application Control +# Deploy catalog files to support App Control for Business -> [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -*Catalog files* can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. You can also use catalog files to add your own signature to apps you get from independent software vendors (ISV) when you don't want to trust all code signed by that ISV. In this way, catalog files provide a convenient way for you to "bless" apps for use in your WDAC-managed environment. And, you can create catalog files for existing apps without requiring access to the original source code or needing any expensive repackaging. +*Catalog files* can be important in your deployment of App Control for Business if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. You can also use catalog files to add your own signature to apps you get from independent software vendors (ISV) when you don't want to trust all code signed by that ISV. 
In this way, catalog files provide a convenient way for you to "bless" apps for use in your App Control-managed environment. And, you can create catalog files for existing apps without requiring access to the original source code or needing any expensive repackaging. You need to [obtain a code signing certificate for your own use](use-code-signing-for-better-control-and-protection.md#obtain-code-signing-certificates-for-your-own-use) and use it to sign the catalog file. Then, distribute the signed catalog file using your preferred content deployment mechanism. -Finally, add a signer rule to your WDAC policy for your signing certificate. Then, any apps covered by your signed catalog files are able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a WDAC policy that blocks all unsigned code, because most malware is unsigned. +Finally, add a signer rule to your App Control policy for your signing certificate. Then, any apps covered by your signed catalog files are able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a App Control policy that blocks all unsigned code, because most malware is unsigned. ## Create catalog files using Package Inspector @@ -34,7 +33,7 @@ To create a catalog file for an existing app, you can use a tool called **Packag $PolicyBinary = $env:USERPROFILE+"\Desktop\"+$PolicyId.substring(11)+".cip" ``` - Then apply the policy as described in [Deploy Windows Defender Application Control policies with script](deploy-appcontrol-policies-with-script.md). + Then apply the policy as described in [Deploy App Control for Business policies with script](deploy-appcontrol-policies-with-script.md). 2. Start Package Inspector to monitor file creation on a **local drive** where you install the app, for example, drive C: 
@@ -123,14 +122,14 @@ For testing purposes, you can manually copy signed catalog files to this folder. To simplify the management of catalog files, you can use group policy preferences to deploy catalog files to the appropriate computers in your organization. -The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called **WDAC Enabled PCs** with a GPO called **Contoso Catalog File GPO Test**. +The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called **App Control Enabled PCs** with a GPO called **Contoso Catalog File GPO Test**. 1. From either a domain controller or a client computer that has Remote Server Administration Tools installed, open the Group Policy Management Console by running **GPMC.MSC** or by searching for Group Policy Management. -2. Create a new GPO: right-click an OU, for example, the **WDAC Enabled PCs OU**, and then select **Create a GPO in this domain, and Link it here**, as shown in Figure 2. +2. Create a new GPO: right-click an OU, for example, the **App Control Enabled PCs OU**, and then select **Create a GPO in this domain, and Link it here**, as shown in Figure 2. > [!NOTE] - > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies. + > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining App Control policies. ![Group Policy Management, create a GPO.](../images/dg-fig13-createnewgpo.png) 
@@ -299,9 +298,9 @@ At the time of the next software inventory cycle, when the targeted clients rece > [!NOTE] > If nothing is displayed in this view, navigate to Software\\Last Software Scan in Resource Explorer to verify that the client has recently completed a software inventory scan. -## Allow apps signed by your catalog signing certificate in your WDAC policy +## Allow apps signed by your catalog signing certificate in your App Control policy -Now that you have your signed catalog file, you can add a signer rule to your policy that allows anything signed with that certificate. If you haven't yet created a WDAC policy, see the [Windows Defender Application Control design guide](../design/appcontrol-design-guide.md). +Now that you have your signed catalog file, you can add a signer rule to your policy that allows anything signed with that certificate. If you haven't yet created a App Control policy, see the [App Control for Business design guide](../design/appcontrol-design-guide.md). On a computer where the signed catalog file has been deployed, you can use [New-CiPolicyRule](/powershell/module/configci/new-cipolicyrule) to create a signer rule from any file included in that catalog. Then use [Merge-CiPolicy](/powershell/module/configci/merge-cipolicy) to add the rule to your policy XML. Be sure to replace the path values in the following sample: diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md index 839bf11d55..d49e753d03 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md 
@@ -1,24 +1,23 @@ --- -title: Remove Windows Defender Application Control policies -description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS. +title: Remove App Control for Business policies +description: Learn how to disable both signed and unsigned App Control for Business policies, within Windows and within the BIOS. ms.localizationpriority: medium ms.date: 11/04/2022 ms.topic: how-to --- -# Remove Windows Defender Application Control (WDAC) policies +# Remove App Control for Business policies ->[!NOTE] ->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). +[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -## Removing WDAC policies +## Removing App Control policies -There may come a time when you want to remove one or more WDAC policies, or remove all WDAC policies you've deployed. This article describes the various ways to remove WDAC policies. +There may come a time when you want to remove one or more App Control policies, or remove all App Control policies you've deployed. This article describes the various ways to remove App Control policies. > [!IMPORTANT] -> **Signed WDAC policy** +> **Signed App Control policy** > -> If the policy you are trying to remove is a signed WDAC policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**. +> If the policy you are trying to remove is a signed App Control policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**. > > The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. 
The replacement policy must also include \. > @@ -33,15 +32,15 @@ To make a policy effectively inactive before removing it, you can first replace 1. Replace the policy rules with "Allow *" rules; 2. Set option **3 Enabled:Audit Mode** to change the policy to audit mode only; 3. Set option **11 Disabled:Script Enforcement**; -4. Allow all COM objects. See [Allow COM object registration in a WDAC policy](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy#examples); +4. Allow all COM objects. See [Allow COM object registration in a App Control policy](../design/allow-com-object-registration-in-appcontrol-policy.md#examples); 5. If applicable, remove option **0 Enabled:UMCI** to convert the policy to kernel mode only. > [!IMPORTANT] -> After you remove a policy, restart the computer for it to take effect. You can't remove WDAC policies without restarting the device. +> After you remove a policy, restart the computer for it to take effect. You can't remove App Control policies without restarting the device. -### Remove WDAC policies using CiTool.exe +### Remove App Control policies using CiTool.exe -Beginning with the Windows 11 2022 Update, you can remove WDAC policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the WDAC policy you want to remove: +Beginning with the Windows 11 2022 Update, you can remove App Control policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the App Control policy you want to remove: ```powershell CiTool.exe -rp "{PolicyId GUID}" -json 
@@ -49,13 +48,13 @@ Beginning with the Windows 11 2022 Update, you can remove WDAC policies using Ci Then restart the computer. -### Remove WDAC policies using MDM solutions like Intune +### Remove App Control policies using MDM solutions like Intune -You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to remove WDAC policies from client machines using the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp). +You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to remove App Control policies from client machines using the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp).
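Review bot: the download link in the `+` line of the deploy-appcontrol-policies-with-memcm.md hunk `@@ -71,12 +70,12 @@` is broken: the branding search-and-replace rewrote the file name inside the URL to `App Control-Deploy-App Control-using-MEMCM.pdf`, which contains spaces and no longer names the hosted file. URL path segments are identifiers, not prose; restore `WDAC-Deploy-WDAC-using-MEMCM.pdf` in the href and rename only the link text.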
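Review bot: the deploy-appcontrol-policies-with-memcm.md hunk `@@ -23,24 +22,24 @@` has two issues introduced by the mechanical "WDAC" to "App Control" substitution. First, "a WDAC" became "a App Control" in the heading `### Create a App Control Policy in Configuration Manager` and in the alt texts `Create a App Control policy in Configuration Manager.` and `Create a App Control path rule in Configuration Manager.`; the article needs to be "an". Second, the console path `**Asset and Compliance** > **Endpoint Protection** > **App Control for Business**` is a UI label, not prose; it should read exactly as the node appears in the Configuration Manager console for the supported versions, otherwise readers can't locate it. Verify the label against the console before renaming it in the doc.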
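Review bot: the same article error appears twice in the deploy-catalog-files-to-support-appcontrol.md hunk `@@ -1,21 +1,20 @@`: the front-matter description `in the presence of a App Control for Business policy` and the body sentence `you can more easily build a App Control policy`. Both should use "an App Control".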
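Review bot: in the deploy-catalog-files-to-support-appcontrol.md hunk `@@ -299,9 +298,9 @@`, `If you haven't yet created a App Control policy` should read "an App Control policy".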
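Review bot: in the disable-appcontrol-policies.md hunk `@@ -33,15 +32,15 @@`, the link text `Allow COM object registration in a App Control policy` should read "an App Control policy". Since this line also switches the target from an absolute path to the relative `../design/allow-com-object-registration-in-appcontrol-policy.md#examples`, confirm the renamed file still carries an `## Examples` heading so the `#examples` fragment resolves.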
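Review bot: the two notes in the Intune hunk `@@ -28,21 +27,21 @@` are being rewritten anyway, so this is the moment to re-check the qualifier `currently in public preview` on the improved Intune App Control experience link; if that experience is no longer in preview, drop the qualifier rather than carry a dated status claim through a rename-only change.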
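Review bot: the deploy-catalog-files-to-support-appcontrol.md hunk `@@ -123,14 +122,14 @@` renames the example OU from **WDAC Enabled PCs** to **App Control Enabled PCs** but still points readers at the unchanged figures (`as shown in Figure 2`, `../images/dg-fig13-createnewgpo.png`). If those screenshots show the old OU name, either keep the example name consistent with the images or update the images in the same change.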