deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update App Control for Business redirect links

Browse Source
This commit is contained in:
Vinay Pamnani (from Dev Box)
2024-09-11 13:08:45 -06:00
parent 9fbf7abbcd
commit ce67c73e1f
72 changed files with 1028 additions and 1068 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md
View File

@ -1,29 +1,28 @@
---
title: Deploying Windows Defender Application Control (WDAC) policies
description: Learn how to plan and implement a WDAC deployment.
title: Deploying App Control for Business policies
description: Learn how to plan and implement a App Control deployment.
ms.localizationpriority: medium
ms.date: 01/23/2023
ms.topic: overview
---
# Deploying Windows Defender Application Control (WDAC) policies
# Deploying App Control for Business policies
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
You should now have one or more Windows Defender Application Control (WDAC) policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](../design/appcontrol-design-guide.md), do so now before proceeding.
You should now have one or more App Control for Business policies ready to deploy. If you haven't yet completed the steps described in the [App Control Design Guide](../design/appcontrol-design-guide.md), do so now before proceeding.
## Convert your WDAC policy XML to binary
## Convert your App Control policy XML to binary
Before you deploy your WDAC policies, you must first convert the XML to its binary form. You can do this using the following PowerShell example. You must set the $WDACPolicyXMLFile variable to point to your WDAC policy XML file.
Before you deploy your App Control policies, you must first convert the XML to its binary form. You can do this using the following PowerShell example. You must set the $AppControlPolicyXMLFile variable to point to your App Control policy XML file.
```powershell
## Update the path to your WDAC policy XML
$WDACPolicyXMLFile = $env:USERPROFILE + "\Desktop\MyWDACPolicy.xml"
[xml]$WDACPolicy = Get-Content -Path $WDACPolicyXMLFile
if (($WDACPolicy.SiPolicy.PolicyID) -ne $null) ## Multiple policy format (For Windows builds 1903+ only, including Server 2022)
## Update the path to your App Control policy XML
$AppControlPolicyXMLFile = $env:USERPROFILE + "\Desktop\MyAppControlPolicy.xml"
[xml]$AppControlPolicy = Get-Content -Path $AppControlPolicyXMLFile
if (($AppControlPolicy.SiPolicy.PolicyID) -ne $null) ## Multiple policy format (For Windows builds 1903+ only, including Server 2022)
{
$PolicyID = $WDACPolicy.SiPolicy.PolicyID
$PolicyID = $AppControlPolicy.SiPolicy.PolicyID
$PolicyBinary = $PolicyID+".cip"
}
else ## Single policy format (Windows Server 2016 and 2019, and Windows 10 1809 LTSC)
@ -32,23 +31,23 @@ Before you deploy your WDAC policies, you must first convert the XML to its bina
}
## Binary file will be written to your desktop
ConvertFrom-CIPolicy -XmlFilePath $WDACPolicyXMLFile -BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary
ConvertFrom-CIPolicy -XmlFilePath $AppControlPolicyXMLFile -BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary
```
## Plan your deployment
As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Identify the devices you'll manage with WDAC and split them into deployment rings. This way, you can control the speed and scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next.
As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Identify the devices you'll manage with App Control and split them into deployment rings. This way, you can control the speed and scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next.
All Windows Defender Application Control policy changes should be deployed in audit mode before proceeding to enforcement. Carefully monitor events from devices where the policy has been deployed to ensure the block events you observe match your expectation before broadening the deployment to other deployment rings. If your organization uses Microsoft Defender for Endpoint, you can use the Advanced Hunting feature to centrally monitor WDAC-related events. Otherwise, we recommend using an event log forwarding solution to collect relevant events from your managed endpoints.
All App Control for Business policy changes should be deployed in audit mode before proceeding to enforcement. Carefully monitor events from devices where the policy has been deployed to ensure the block events you observe match your expectation before broadening the deployment to other deployment rings. If your organization uses Microsoft Defender for Endpoint, you can use the Advanced Hunting feature to centrally monitor App Control-related events. Otherwise, we recommend using an event log forwarding solution to collect relevant events from your managed endpoints.
## Choose how to deploy WDAC policies
## Choose how to deploy App Control policies
> [!IMPORTANT]
> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case.
> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
There are several options to deploy Windows Defender Application Control policies to managed endpoints, including:
There are several options to deploy App Control for Business policies to managed endpoints, including:
- [Deploy using a Mobile Device Management (MDM) solution](deploy-appcontrol-policies-using-intune.md), such as Microsoft Intune
- [Deploy using Microsoft Configuration Manager](deploy-appcontrol-policies-with-memcm.md)

39
windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md
View File

@ -1,35 +1,34 @@
---
title: Use audit events to create WDAC policy rules
description: Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy.
title: Use audit events to create App Control policy rules
description: Audits allow admins to discover apps, binaries, and scripts that should be added to the App Control policy.
ms.localizationpriority: medium
ms.date: 05/03/2018
ms.topic: conceptual
---
# Use audit events to create WDAC policy rules
# Use audit events to create App Control policy rules
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your App Control policy but should be included.
While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed.
While a App Control policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new App Control policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed.
## Overview of the process to create WDAC policy to allow apps using audit events
## Overview of the process to create App Control policy to allow apps using audit events
> [!Note]
> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](appcontrol-deployment-guide.md).
> You must have already deployed a App Control audit mode policy to use this process. If you have not already done so, see [Deploying App Control for Business policies](appcontrol-deployment-guide.md).
To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy.
To familiarize yourself with creating App Control rules from audit events, follow these steps on a device with a App Control audit mode policy.
1. Install and run an application not allowed by the WDAC policy but that you want to allow.
1. Install and run an application not allowed by the App Control policy but that you want to allow.
2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](../operations/event-id-explanations.md).
**Figure 1. Exceptions to the deployed WDAC policy**
![Event showing exception to WDAC policy.](../images/dg-fig23-exceptionstocode.png)
**Figure 1. Exceptions to the deployed App Control policy**
![Event showing exception to App Control policy.](../images/dg-fig23-exceptionstocode.png)
3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](../design/create-appcontrol-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a App Control policy for fully managed devices](../design/create-appcontrol-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
```powershell
$PolicyName= "Lamna_FullyManagedClients_Audit"
@ -38,24 +37,24 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
$EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt"
```
4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**.
4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new App Control policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**.
```powershell
New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback SignedVersion,FilePublisher,Hash -UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
```
> [!NOTE]
> When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](../design/select-types-of-rules-to-create.md).
> When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about App Control rule levels, see [Understand App Control policy rules and file rules](../design/select-types-of-rules-to-create.md).
5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](../design/appcontrol-wizard-editing-policy.md)).
5. Find and review the App Control policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the App Control Policy Wizard tool (see [Editing existing base and supplemental App Control policies with the Wizard](../design/appcontrol-wizard-editing-policy.md)).
6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level.
6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that App Control couldn't create a rule for at either the specified rule level or fallback rule level.
> [!NOTE]
> New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**.
> New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the App Control policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**.
7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy.
For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-appcontrol-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](../design/deploy-multiple-appcontrol-policies.md).
For information on merging policies, refer to [Merge App Control for Business policies](merge-appcontrol-policies.md) and for information on supplemental policies see [Use multiple App Control for Business Policies](../design/deploy-multiple-appcontrol-policies.md).
8. Convert the Base or Supplemental policy to binary and deploy using your preferred method.

19
windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md
View File

@ -1,22 +1,21 @@
---
title: Create a code signing cert for Windows Defender Application Control
description: Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or WDAC policies internally.
title: Create a code signing cert for App Control for Business
description: Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or App Control policies internally.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/01/2022
---
# Optional: Create a code signing cert for Windows Defender Application Control
# Optional: Create a code signing cert for App Control for Business
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need to use [Microsoft's Trusted Signing service](/azure/trusted-signing/), a publicly issued code signing certificate or an internal CA. If you've purchased a code signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](appcontrol-deployment-guide.md).
As you deploy App Control for Business, you might need to sign catalog files or App Control policies internally. To do this signing, you'll either need to use [Microsoft's Trusted Signing service](/azure/trusted-signing/), a publicly issued code signing certificate or an internal CA. If you've purchased a code signing certificate, you can skip this article, and instead follow other articles listed in the [App Control for Business Deployment Guide](appcontrol-deployment-guide.md).
If you have an internal CA, complete these steps to create a code signing certificate.
> [!WARNING]
> When creating signing certificates for WDAC policy signing, Boot failure (blue screen) may occur if your signing certificate does not follow these rules:
> When creating signing certificates for App Control policy signing, Boot failure (blue screen) may occur if your signing certificate does not follow these rules:
>
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
@ -34,7 +33,7 @@ If you have an internal CA, complete these steps to create a code signing certif
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list.
5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **WDAC Catalog Signing Certificate**.
5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **App Control Catalog Signing Certificate**.
6. On the **Request Handling** tab, select the **Allow private key to be exported** check box.
@ -64,7 +63,7 @@ When this certificate template has been created, you must publish it to the CA p
A list of available templates to issue appears, including the template you created.
2. Select the WDAC Catalog signing certificate, and then select **OK**.
2. Select the App Control Catalog signing certificate, and then select **OK**.
Now that the template is available to be issued, you must request one from the computer running Windows 10 or Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps:
@ -95,6 +94,6 @@ This certificate must be installed in the user's personal store on the computer
3. Choose the default settings, and then select **Export all extended properties**.
4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name.
4. Set a password, select an export path, and then select **AppControlCatSigningCert.pfx** as the file name.
When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them.

39
windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy.md
View File

@ -1,38 +1,37 @@
---
title: Deploy WDAC policies via Group Policy
description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide.
title: Deploy App Control policies via Group Policy
description: App Control for Business policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide.
ms.localizationpriority: medium
ms.date: 01/23/2023
ms.topic: how-to
---
# Deploy Windows Defender Application Control policies by using Group Policy
# Deploy App Control for Business policies by using Group Policy
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
> [!IMPORTANT]
> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Group Policy, deploy new signed WDAC Base policies [via script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies) and activate the policy with a system restart.
> Due to a known issue, you should always activate new **signed** App Control Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Group Policy, deploy new signed App Control Base policies [via script](deploy-appcontrol-policies-with-script.md#deploying-signed-policies) and activate the policy with a system restart.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy.
Single-policy format App Control for Business policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy.
> [!IMPORTANT]
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
> Group Policy-based deployment of App Control for Business policies only supports single-policy format App Control policies. To use App Control on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
You should now have a WDAC policy converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
You should now have a App Control policy converted into binary form. If not, follow the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md).
The following procedure walks you through how to deploy a WDAC policy called **SiPolicy.p7b** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
The following procedure walks you through how to deploy a App Control policy called **SiPolicy.p7b** to a test OU called *App Control Enabled PCs* by using a GPO called **Contoso GPO Test**.
To deploy and manage a Windows Defender Application Control policy with Group Policy:
To deploy and manage a App Control for Business policy with Group Policy:
1. On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC**
2. Create a new GPO: right-click an OU and then select **Create a GPO in this domain, and Link it here**.
> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../design/plan-appcontrol-management.md).
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining App Control policies (or keeping them separate), as discussed in [Plan for App Control for Business lifecycle policy management](../design/plan-appcontrol-management.md).
![Group Policy Management, create a GPO.](../images/dg-fig24-creategpo.png)
@ -40,20 +39,20 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
4. Open the Group Policy Management Editor: right-click the new GPO, and then select **Edit**.
5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then select **Edit**.
5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy App Control for Business** and then select **Edit**.
![Edit the Group Policy for Windows Defender Application Control.](../images/appcontrol-edit-gp.png)
![Edit the Group Policy for App Control for Business.](../images/appcontrol-edit-gp.png)
6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
6. In the **Deploy App Control for Business** dialog box, select the **Enabled** option, and then specify the App Control policy deployment path.
In this policy setting, you specify either the local path where the policy will exist on each client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, the path to SiPolicy.p7b using the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) would be %USERPROFILE%\Desktop\SiPolicy.p7b.
In this policy setting, you specify either the local path where the policy will exist on each client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, the path to SiPolicy.p7b using the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md) would be %USERPROFILE%\Desktop\SiPolicy.p7b.
> [!NOTE]
> This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
> This policy file does not need to be copied to every computer. You can instead copy the App Control policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
![Group Policy called Deploy Windows Defender Application Control.](../images/dg-fig26-enablecode.png)
![Group Policy called Deploy App Control for Business.](../images/dg-fig26-enablecode.png)
> [!NOTE]
> You may have noticed that the GPO setting references a .p7b file, but the file extension and name of the policy binary do not matter. Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b when applied to the client computers running Windows 10. If you are deploying different WDAC policies to different sets of devices, you may want to give each of your WDAC policies a friendly name and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
> You may have noticed that the GPO setting references a .p7b file, but the file extension and name of the policy binary do not matter. Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b when applied to the client computers running Windows 10. If you are deploying different App Control policies to different sets of devices, you may want to give each of your App Control policies a friendly name and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the WDAC policy.
7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the App Control policy.

39
windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune.md
View File

@ -1,26 +1,25 @@
---
title: Deploy WDAC policies using Mobile Device Management (MDM)
description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
title: Deploy App Control policies using Mobile Device Management (MDM)
description: You can use an MDM like Microsoft Intune to configure App Control for Business. Learn how with this step-by-step guide.
ms.localizationpriority: medium
ms.date: 08/30/2023
ms.topic: how-to
---
# Deploy WDAC policies using Mobile Device Management (MDM)
# Deploy App Control policies using Mobile Device Management (MDM)
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure App Control for Business on client machines. Intune includes native support for App Control, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for App Control policy deployment steps.
> [!IMPORTANT]
> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-appcontrol-policies-with-script.md) and activate the policy with a system restart.
> Due to a known issue, you should always activate new **signed** App Control Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Mobile Device Management (MDM), deploy new signed App Control Base policies [via script](deploy-appcontrol-policies-with-script.md) and activate the policy with a system restart.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
## Use Intune's built-in policies
Intune's built-in Windows Defender Application Control support allows you to configure Windows client computers to only run:
Intune's built-in App Control for Business support allows you to configure Windows client computers to only run:
- Windows components
- Third-party hardware and software kernel drivers
@ -28,21 +27,21 @@ Intune's built-in Windows Defender Application Control support allows you to con
- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
> [!NOTE]
> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to create and deploy multiple-policy format files. Or, you can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. Use the [improved Intune App Control experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to create and deploy multiple-policy format files. Or, you can use Intune's custom OMA-URI feature to deploy your own multiple-policy format App Control policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
> [!NOTE]
> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to deploy your own WDAC policies without a restart. Or, you can use Intune's custom OMA-URI feature with the ApplicationControl CSP.
> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies App Control policies. Use the [improved Intune App Control experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to deploy your own App Control policies without a restart. Or, you can use Intune's custom OMA-URI feature with the ApplicationControl CSP.
To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windows 10 (and later)](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json).
To use Intune's built-in App Control policies, configure [Endpoint Protection for Windows 10 (and later)](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json).
## Deploy WDAC policies with custom OMA-URI
## Deploy App Control policies with custom OMA-URI
> [!NOTE]
> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../design/deploy-multiple-appcontrol-policies.md) which allow more granular policy.
> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create App Control for Business policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../design/deploy-multiple-appcontrol-policies.md) which allow more granular policy.
You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
You should now have one or more App Control policies converted into binary form. If not, follow the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md).
### Deploy custom WDAC policies on Windows 10 1903+
### Deploy custom App Control policies on Windows 10 1903+
Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.
@ -58,20 +57,20 @@ The steps to use Intune's custom OMA-URI functionality are:
- **Data type**: Base64 (file)
- **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune converts the uploaded .bin file to Base64 on your behalf.
:::image type="content" alt-text="Configure custom WDAC." source="../images/appcontrol-intune-custom-oma-uri.png" lightbox="../images/appcontrol-intune-custom-oma-uri.png":::
:::image type="content" alt-text="Configure custom App Control." source="../images/appcontrol-intune-custom-oma-uri.png" lightbox="../images/appcontrol-intune-custom-oma-uri.png":::
> [!NOTE]
> For the _Policy GUID_ value, do not include the curly brackets.
### Remove WDAC policies on Windows 10 1903+
### Remove App Control policies on Windows 10 1903+
Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable Windows Defender Application Control enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This deletion will prevent anything from being blocked and fully remove the WDAC policy on the next reboot.
Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable App Control for Business enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This deletion will prevent anything from being blocked and fully remove the App Control policy on the next reboot.
### For pre-1903 systems
#### Deploying policies
The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom App Control policy to pre-1903 systems are:
1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
@ -87,4 +86,4 @@ The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker C
#### Removing policies
Policies deployed through Intune via the AppLocker CSP can't be deleted through the Intune console. In order to disable Windows Defender Application Control policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy.
Policies deployed through Intune via the AppLocker CSP can't be deleted through the Intune console. In order to disable App Control for Business policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy.

41
windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm.md
View File

@ -1,21 +1,20 @@
---
title: Deploy Windows Defender Application Control policies with Configuration Manager
description: You can use Microsoft Configuration Manager to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
title: Deploy App Control for Business policies with Configuration Manager
description: You can use Microsoft Configuration Manager to configure App Control for Business. Learn how with this step-by-step guide.
ms.date: 06/27/2022
ms.topic: how-to
ms.localizationpriority: medium
---
# Deploy WDAC policies by using Microsoft Configuration Manager
# Deploy App Control policies by using Microsoft Configuration Manager
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
You can use Microsoft Configuration Manager to configure Windows Defender Application Control (WDAC) on client machines.
You can use Microsoft Configuration Manager to configure App Control for Business on client machines.
## Use Configuration Manager's built-in policies
Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
Configuration Manager includes native support for App Control, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
- Windows components
- Microsoft Store apps
@ -23,24 +22,24 @@ Configuration Manager includes native support for WDAC, which allows you to conf
- (Optional) Reputable apps as defined by the Intelligent Security Graph (ISG)
- (Optional) Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints.
Configuration Manager doesn't remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
Configuration Manager doesn't remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable App Control for Business altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
### Create a WDAC Policy in Configuration Manager
### Create a App Control Policy in Configuration Manager
1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy**
1. Select **Asset and Compliance** > **Endpoint Protection** > **App Control for Business** > **Create Application Control Policy**
![Create a WDAC policy in Configuration Manager.](../images/memcm/memcm-create-appcontrol-policy.jpg)
![Create a App Control policy in Configuration Manager.](../images/memcm/memcm-create-appcontrol-policy.jpg)
2. Enter the name of the policy > **Next**
3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes**
4. Select the mode that you want the policy to run (Enforcement enabled / Audit Only)
5. Select **Next**
![Create an enforced WDAC policy in Configuration Manager.](../images/memcm/memcm-create-appcontrol-policy-2.jpg)
![Create an enforced App Control policy in Configuration Manager.](../images/memcm/memcm-create-appcontrol-policy-2.jpg)
6. Select **Add** to begin creating rules for trusted software
![Create a WDAC path rule in Configuration Manager.](../images/memcm/memcm-create-appcontrol-rule.jpg)
![Create a App Control path rule in Configuration Manager.](../images/memcm/memcm-create-appcontrol-rule.jpg)
7. Select **File** or **Folder** to create a path rule > **Browse**
@ -53,13 +52,13 @@ Configuration Manager doesn't remove policies once deployed. To stop enforcement
9. Select **OK** to add the rule to the table of trusted files or folder
10. Select **Next** to navigate to the summary page > **Close**
![Confirm the WDAC path rule in Configuration Manager.](../images/memcm/memcm-confirm-appcontrol-rule.jpg)
![Confirm the App Control path rule in Configuration Manager.](../images/memcm/memcm-confirm-appcontrol-rule.jpg)
### Deploy the WDAC policy in Configuration Manager
### Deploy the App Control policy in Configuration Manager
1. Right-click the newly created policy > **Deploy Application Control Policy**
![Deploy WDAC via Configuration Manager.](../images/memcm/memcm-deploy-appcontrol.jpg)
![Deploy App Control via Configuration Manager.](../images/memcm/memcm-deploy-appcontrol.jpg)
2. Select **Browse**
@ -71,12 +70,12 @@ Configuration Manager doesn't remove policies once deployed. To stop enforcement
4. Change the schedule > **OK**
![Change the WDAC deployment schedule.](../images/memcm/memcm-deploy-appcontrol-4.jpg)
![Change the App Control deployment schedule.](../images/memcm/memcm-deploy-appcontrol-4.jpg)
For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
For more information on using Configuration Manager's native App Control policies, see [App Control for Business management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
Download the entire [WDAC in Configuration Manager lab paper](https://download.microsoft.com/download/c/f/d/cfd6227c-8ec4-442d-8c50-825550d412f6/WDAC-Deploy-WDAC-using-MEMCM.pdf).
Download the entire [App Control in Configuration Manager lab paper](https://download.microsoft.com/download/c/f/d/cfd6227c-8ec4-442d-8c50-825550d412f6/App Control-Deploy-App Control-using-MEMCM.pdf).
## Deploy custom WDAC policies using Packages/Programs or Task Sequences
## Deploy custom App Control policies using Packages/Programs or Task Sequences
Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. To define your own circle-of-trust, you can use Configuration Manager to deploy custom WDAC policies using [script-based deployment](deploy-appcontrol-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.
Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. To define your own circle-of-trust, you can use Configuration Manager to deploy custom App Control policies using [script-based deployment](deploy-appcontrol-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.

31
windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md
View File

@ -1,29 +1,28 @@
---
title: Deploy Windows Defender Application Control (WDAC) policies using script
description: Use scripts to deploy Windows Defender Application Control (WDAC) policies. Learn how with this step-by-step guide.
title: Deploy App Control for Business policies using script
description: Use scripts to deploy App Control for Business policies. Learn how with this step-by-step guide.
ms.manager: jsuther
ms.date: 01/23/2023
ms.topic: how-to
ms.localizationpriority: medium
---
# Deploy WDAC policies using script
# Deploy App Control policies using script
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The following instructions use PowerShell but can work with any scripting host.
This article describes how to deploy App Control for Business policies using script. The following instructions use PowerShell but can work with any scripting host.
You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
You should now have one or more App Control policies converted into binary form. If not, follow the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md).
> [!IMPORTANT]
> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
## Deploying policies for Windows 11 22H2 and above
You can use the inbox [CiTool](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your WDAC policy binary file.
You can use the inbox [CiTool](../operations/citool-commands.md) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your App Control policy binary file.
```powershell
# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = <PolicyId> from the Policy XML)
@ -33,7 +32,7 @@ CiTool --update-policy $PolicyBinary [-json]
## Deploying policies for Windows 11, Windows 10 version 1903 and above, and Windows Server 2022 and above
To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
To use this procedure, download and distribute the [App Control policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your App Control policies allow the App Control policy refresh tool or use a managed installer to distribute the tool.
1. Initialize the variables to be used by the script.
@ -44,14 +43,14 @@ To use this procedure, download and distribute the [WDAC policy refresh tool](ht
$RefreshPolicyTool = "<Path where RefreshPolicy.exe can be found from managed endpoints>"
```
2. Copy Windows Defender Application Control (WDAC) policy binary to the destination folder.
2. Copy App Control for Business policy binary to the destination folder.
```powershell
Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
```
3. Repeat steps 1-2 as appropriate to deploy more WDAC policies.
4. Run RefreshPolicy.exe to activate and refresh all WDAC policies on the managed endpoint.
3. Repeat steps 1-2 as appropriate to deploy more App Control policies.
4. Run RefreshPolicy.exe to activate and refresh all App Control policies on the managed endpoint.
```powershell
& $RefreshPolicyTool
@ -69,13 +68,13 @@ Use WMI to apply policies on all other versions of Windows and Windows Server.
$DestinationBinary = $env:windir+"\System32\CodeIntegrity\SiPolicy.p7b"
```
2. Copy Windows Defender Application Control (WDAC) policy binary to the destination.
2. Copy App Control for Business policy binary to the destination.
```powershell
Copy-Item -Path $PolicyBinary -Destination $DestinationBinary -Force
```
3. Refresh and activate WDAC policy using WMI
3. Refresh and activate App Control policy using WMI
```powershell
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary}
@ -83,7 +82,7 @@ Use WMI to apply policies on all other versions of Windows and Windows Server.
## Deploying signed policies
If you're using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned WDAC policies don't need to be present in the EFI partition. <!-- Deploying your policy via [Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. -->
If you're using [signed App Control policies](use-signed-policies-to-protect-appcontrol-against-tampering.md), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned App Control policies don't need to be present in the EFI partition.
1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt:

25
windows/security/application-security/application-control/app-control-for-business/deployment/deploy-catalog-files-to-support-appcontrol.md
View File

@ -1,21 +1,20 @@
---
title: Deploy catalog files to support Windows Defender Application Control
description: Catalog files simplify running unsigned applications in the presence of a Windows Defender Application Control (WDAC) policy.
title: Deploy catalog files to support App Control for Business
description: Catalog files simplify running unsigned applications in the presence of a App Control for Business policy.
ms.localizationpriority: medium
ms.topic: how-to
ms.date: 11/30/2022
---
# Deploy catalog files to support Windows Defender Application Control
# Deploy catalog files to support App Control for Business
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
*Catalog files* can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. You can also use catalog files to add your own signature to apps you get from independent software vendors (ISV) when you don't want to trust all code signed by that ISV. In this way, catalog files provide a convenient way for you to "bless" apps for use in your WDAC-managed environment. And, you can create catalog files for existing apps without requiring access to the original source code or needing any expensive repackaging.
*Catalog files* can be important in your deployment of App Control for Business if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. You can also use catalog files to add your own signature to apps you get from independent software vendors (ISV) when you don't want to trust all code signed by that ISV. In this way, catalog files provide a convenient way for you to "bless" apps for use in your App Control-managed environment. And, you can create catalog files for existing apps without requiring access to the original source code or needing any expensive repackaging.
You need to [obtain a code signing certificate for your own use](use-code-signing-for-better-control-and-protection.md#obtain-code-signing-certificates-for-your-own-use) and use it to sign the catalog file. Then, distribute the signed catalog file using your preferred content deployment mechanism.
Finally, add a signer rule to your WDAC policy for your signing certificate. Then, any apps covered by your signed catalog files are able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a WDAC policy that blocks all unsigned code, because most malware is unsigned.
Finally, add a signer rule to your App Control policy for your signing certificate. Then, any apps covered by your signed catalog files are able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a App Control policy that blocks all unsigned code, because most malware is unsigned.
## Create catalog files using Package Inspector
@ -34,7 +33,7 @@ To create a catalog file for an existing app, you can use a tool called **Packag
$PolicyBinary = $env:USERPROFILE+"\Desktop\"+$PolicyId.substring(11)+".cip"
```
Then apply the policy as described in [Deploy Windows Defender Application Control policies with script](deploy-appcontrol-policies-with-script.md).
Then apply the policy as described in [Deploy App Control for Business policies with script](deploy-appcontrol-policies-with-script.md).
2. Start Package Inspector to monitor file creation on a **local drive** where you install the app, for example, drive C:
@ -123,14 +122,14 @@ For testing purposes, you can manually copy signed catalog files to this folder.
To simplify the management of catalog files, you can use group policy preferences to deploy catalog files to the appropriate computers in your organization.
The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called **WDAC Enabled PCs** with a GPO called **Contoso Catalog File GPO Test**.
The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called **App Control Enabled PCs** with a GPO called **Contoso Catalog File GPO Test**.
1. From either a domain controller or a client computer that has Remote Server Administration Tools installed, open the Group Policy Management Console by running **GPMC.MSC** or by searching for Group Policy Management.
2. Create a new GPO: right-click an OU, for example, the **WDAC Enabled PCs OU**, and then select **Create a GPO in this domain, and Link it here**, as shown in Figure 2.
2. Create a new GPO: right-click an OU, for example, the **App Control Enabled PCs OU**, and then select **Create a GPO in this domain, and Link it here**, as shown in Figure 2.
> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies.
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining App Control policies.
![Group Policy Management, create a GPO.](../images/dg-fig13-createnewgpo.png)
@ -299,9 +298,9 @@ At the time of the next software inventory cycle, when the targeted clients rece
> [!NOTE]
> If nothing is displayed in this view, navigate to Software\\Last Software Scan in Resource Explorer to verify that the client has recently completed a software inventory scan.
## Allow apps signed by your catalog signing certificate in your WDAC policy
## Allow apps signed by your catalog signing certificate in your App Control policy
Now that you have your signed catalog file, you can add a signer rule to your policy that allows anything signed with that certificate. If you haven't yet created a WDAC policy, see the [Windows Defender Application Control design guide](../design/appcontrol-design-guide.md).
Now that you have your signed catalog file, you can add a signer rule to your policy that allows anything signed with that certificate. If you haven't yet created a App Control policy, see the [App Control for Business design guide](../design/appcontrol-design-guide.md).
On a computer where the signed catalog file has been deployed, you can use [New-CiPolicyRule](/powershell/module/configci/new-cipolicyrule) to create a signer rule from any file included in that catalog. Then use [Merge-CiPolicy](/powershell/module/configci/merge-cipolicy) to add the rule to your policy XML. Be sure to replace the path values in the following sample:

55
windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md
View File

@ -1,24 +1,23 @@
---
title: Remove Windows Defender Application Control policies
description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS.
title: Remove App Control for Business policies
description: Learn how to disable both signed and unsigned App Control for Business policies, within Windows and within the BIOS.
ms.localizationpriority: medium
ms.date: 11/04/2022
ms.topic: how-to
---
# Remove Windows Defender Application Control (WDAC) policies
# Remove App Control for Business policies
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
## Removing WDAC policies
## Removing App Control policies
There may come a time when you want to remove one or more WDAC policies, or remove all WDAC policies you've deployed. This article describes the various ways to remove WDAC policies.
There may come a time when you want to remove one or more App Control policies, or remove all App Control policies you've deployed. This article describes the various ways to remove App Control policies.
> [!IMPORTANT]
> **Signed WDAC policy**
> **Signed App Control policy**
>
> If the policy you are trying to remove is a signed WDAC policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**.
> If the policy you are trying to remove is a signed App Control policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**.
>
> The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \<UpdatePolicySigners\>.
>
@ -33,15 +32,15 @@ To make a policy effectively inactive before removing it, you can first replace
1. Replace the policy rules with "Allow *" rules;
2. Set option **3 Enabled:Audit Mode** to change the policy to audit mode only;
3. Set option **11 Disabled:Script Enforcement**;
4. Allow all COM objects. See [Allow COM object registration in a WDAC policy](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy#examples);
4. Allow all COM objects. See [Allow COM object registration in a App Control policy](../design/allow-com-object-registration-in-appcontrol-policy.md#examples);
5. If applicable, remove option **0 Enabled:UMCI** to convert the policy to kernel mode only.
> [!IMPORTANT]
> After you remove a policy, restart the computer for it to take effect. You can't remove WDAC policies without restarting the device.
> After you remove a policy, restart the computer for it to take effect. You can't remove App Control policies without restarting the device.
### Remove WDAC policies using CiTool.exe
### Remove App Control policies using CiTool.exe
Beginning with the Windows 11 2022 Update, you can remove WDAC policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the WDAC policy you want to remove:
Beginning with the Windows 11 2022 Update, you can remove App Control policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the App Control policy you want to remove:
```powershell
CiTool.exe -rp "{PolicyId GUID}" -json
@ -49,13 +48,13 @@ Beginning with the Windows 11 2022 Update, you can remove WDAC policies using Ci
Then restart the computer.
### Remove WDAC policies using MDM solutions like Intune
### Remove App Control policies using MDM solutions like Intune
You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to remove WDAC policies from client machines using the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp).
You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to remove App Control policies from client machines using the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp).
<!-- Waiting for information from Intune team on specific steps...
The steps to use Intune's custom OMA-URI functionality to remove a WDAC policy are:
The steps to use Intune's custom OMA-URI functionality to remove a App Control policy are:
1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
@ -65,7 +64,7 @@ The steps to use Intune's custom OMA-URI functionality to remove a WDAC policy a
- **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"]
> ![Configure custom WDAC.](../images/appcontrol-intune-custom-oma-uri.png)
> ![Configure custom App Control.](../images/appcontrol-intune-custom-oma-uri.png)
> [!NOTE]
> For the _Policy GUID_ value, do not include the curly brackets.
@ -75,24 +74,24 @@ Consult your MDM solution provider for specific information on using the Applica
Then restart the computer.
### Remove WDAC policies using script
### Remove App Control policies using script
To remove WDAC policies using script, your script must delete the policy file(s) from the computer. For **multiple policy format (1903+) WDAC policies**, look for the policy files in the following locations. Be sure to replace the *PolicyId GUID* with the actual PolicyId of the WDAC policy you want to remove.
To remove App Control policies using script, your script must delete the policy file(s) from the computer. For **multiple policy format (1903+) App Control policies**, look for the policy files in the following locations. Be sure to replace the *PolicyId GUID* with the actual PolicyId of the App Control policy you want to remove.
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip
For **single policy format WDAC policies**, in addition to the two locations above, also look for a file called SiPolicy.p7b that may be found in the following locations:
For **single policy format App Control policies**, in addition to the two locations above, also look for a file called SiPolicy.p7b that may be found in the following locations:
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\SiPolicy.p7b
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b
Then restart the computer.
#### Sample script to delete a single WDAC policy
#### Sample script to delete a single App Control policy
```powershell
# Set PolicyId GUID to the PolicyId from your WDAC policy XML
# Set PolicyId GUID to the PolicyId from your App Control policy XML
$PolicyId = "{PolicyId GUID}"
# Initialize variables
@ -138,17 +137,17 @@ mountvol $MountPoint /D
```
> [!NOTE]
> You must run the script as administrator to remove WDAC policies on your computer.
> You must run the script as administrator to remove App Control policies on your computer.
## Remove WDAC policies causing boot stop failures
## Remove App Control policies causing boot stop failures
A WDAC policy that blocks boot critical drivers can cause a boot stop failure (BSOD) to occur, though this can be mitigated by setting option **10 Enabled:Boot Audit On Failure** in your policies. Additionally, signed WDAC policies protect the policy from administrative manipulation and malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies even for administrators. Tampering with or removing a signed WDAC policy will cause a BSOD to occur.
A App Control policy that blocks boot critical drivers can cause a boot stop failure (BSOD) to occur, though this can be mitigated by setting option **10 Enabled:Boot Audit On Failure** in your policies. Additionally, signed App Control policies protect the policy from administrative manipulation and malware that has gained administrative-level access to the system. For this reason, signed App Control policies are intentionally more difficult to remove than unsigned policies even for administrators. Tampering with or removing a signed App Control policy will cause a BSOD to occur.
To remove a policy that is causing boot stop failures:
1. If the policy is a **signed** WDAC policy, turn off Secure Boot from your [UEFI BIOS menu](/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-mode). For help with locating where to turn off Secure Boot within your BIOS menu, consult with your original equipment manufacturer (OEM).
2. Access the Advanced Boot Options menu on your computer and choose the option to **Disable Driver Signature Enforcement**. For instructions on accessing the Advanced Boot Options menu during startup, consult with your OEM. This option will suspend all code integrity checks, including WDAC, for a single boot session.
3. Start Windows normally and sign in. Then, [remove WDAC policies using script](#remove-wdac-policies-using-script).
1. If the policy is a **signed** App Control policy, turn off Secure Boot from your [UEFI BIOS menu](/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-mode). For help with locating where to turn off Secure Boot within your BIOS menu, consult with your original equipment manufacturer (OEM).
2. Access the Advanced Boot Options menu on your computer and choose the option to **Disable Driver Signature Enforcement**. For instructions on accessing the Advanced Boot Options menu during startup, consult with your OEM. This option will suspend all code integrity checks, including App Control, for a single boot session.
3. Start Windows normally and sign in. Then, [remove App Control policies using script](#remove-app-control-policies-using-script).
4. If you turned off Secure Boot in step 1 above and your drive is protected by BitLocker, [suspend BitLocker protection](/troubleshoot/windows-client/windows-security/suspend-bitlocker-protection-non-microsoft-updates) then turn on Secure Boot from your UEFI BIOS menu.
5. Restart the computer.

31
windows/security/application-security/application-control/app-control-for-business/deployment/enforce-appcontrol-policies.md
View File

@ -1,29 +1,28 @@
---
title: Enforce Windows Defender Application Control (WDAC) policies
description: Learn how to switch a WDAC policy from audit to enforced mode.
title: Enforce App Control for Business policies
description: Learn how to switch a App Control policy from audit to enforced mode.
ms.manager: jsuther
ms.date: 04/22/2021
ms.topic: how-to
ms.localizationpriority: medium
---
# Enforce Windows Defender Application Control (WDAC) policies
# Enforce App Control for Business policies
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
You should now have one or more Windows Defender Application Control policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode.
You should now have one or more App Control for Business policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your App Control policies in enforcement mode.
> [!NOTE]
> Some of the steps described in this article only apply to Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features. Evaluate the impact for any features that may be unavailable on your clients running earlier versions of Windows 10 and Windows Server. You may need to adapt this guidance to meet your specific organization's needs.
> Some of the steps described in this article only apply to Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's App Control policies, consider whether your managed clients can use all or some of these features. Evaluate the impact for any features that may be unavailable on your clients running earlier versions of Windows 10 and Windows Server. You may need to adapt this guidance to meet your specific organization's needs.
## Convert WDAC **base** policy from audit to enforced
## Convert App Control **base** policy from audit to enforced
As described in [common Windows Defender Application Control deployment scenarios](../design/common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
As described in [common App Control for Business deployment scenarios](../design/common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout.
**Alice Pena** is the IT team lead responsible for Lamna's App Control rollout.
Alice previously created and deployed a policy for the organization's [fully managed devices](../design/create-appcontrol-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-appcontrol-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode.
Alice previously created and deployed a policy for the organization's [fully managed devices](../design/create-appcontrol-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create App Control policy rules](audit-appcontrol-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode.
1. Initialize the variables that will be used and create the enforced policy by copying the audit version.
@ -34,14 +33,14 @@ Alice previously created and deployed a policy for the organization's [fully man
cp $AuditPolicyXML $EnforcedPolicyXML
```
2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step.
2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your App Control policy over time. If you prefer to replace the audit policy in-place, you can skip this step.
```powershell
$EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID
$EnforcedPolicyID = $EnforcedPolicyID.Substring(11)
```
3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 ("Advanced Boot Options Menu") and 10 ("Boot Audit on Failure"). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment.
3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 ("Advanced Boot Options Menu") and 10 ("Boot Audit on Failure"). Option 9 allows users to disable App Control enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment.
```powershell
Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9
@ -54,7 +53,7 @@ Alice previously created and deployed a policy for the organization's [fully man
Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete
```
5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary:
5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new App Control policy to binary:
> [!NOTE]
> If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML.
@ -86,7 +85,7 @@ Since the enforced policy was given a unique PolicyID in the previous procedure,
> [!NOTE]
> If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new Windows Defender Application Control supplemental policy to binary:
3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new App Control for Business supplemental policy to binary:
```powershell
$EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml"
@ -96,4 +95,4 @@ Since the enforced policy was given a unique PolicyID in the previous procedure,
## Deploy your enforced policy and supplemental policies
Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](appcontrol-deployment-guide.md).
Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying App Control for Business policies](appcontrol-deployment-guide.md).

39
windows/security/application-security/application-control/app-control-for-business/deployment/merge-appcontrol-policies.md
View File

@ -1,25 +1,24 @@
---
title: Merge Windows Defender Application Control policies (WDAC)
description: Learn how to merge WDAC policies as part of your policy lifecycle management.
title: Merge App Control for Business policies (App Control)
description: Learn how to merge App Control policies as part of your policy lifecycle management.
ms.manager: jsuther
ms.date: 04/22/2021
ms.topic: how-to
ms.localizationpriority: medium
---
# Merge Windows Defender Application Control (WDAC) policies
# Merge App Control for Business policies
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. Windows Defender Application Control deployments often include a few base policies and optional supplemental policies for specific use cases.
This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. App Control for Business deployments often include a few base policies and optional supplemental policies for specific use cases.
> [!NOTE]
> Prior to Windows version 1903, including Windows Server 2019 and earlier, only one Windows Defender Application Control policy can be active on a system at a time. If you need to use WDAC on systems running these earlier versions of Windows, you must merge all policies before deploying.
> Prior to Windows version 1903, including Windows Server 2019 and earlier, only one App Control for Business policy can be active on a system at a time. If you need to use App Control on systems running these earlier versions of Windows, you must merge all policies before deploying.
## Merge multiple WDAC policy XML files together
## Merge multiple App Control policy XML files together
There are many scenarios where you may want to merge two or more policy files together. For example, if you [use audit events to create Windows Defender Application Control policy rules](audit-appcontrol-policies.md), you can merge those rules with your existing WDAC base policy. To merge the two WDAC policies referenced in that article, complete the following steps in an elevated Windows PowerShell session.
There are many scenarios where you may want to merge two or more policy files together. For example, if you [use audit events to create App Control for Business policy rules](audit-appcontrol-policies.md), you can merge those rules with your existing App Control base policy. To merge the two App Control policies referenced in that article, complete the following steps in an elevated Windows PowerShell session.
1. Initialize the variables that will be used:
@ -30,7 +29,7 @@ There are many scenarios where you may want to merge two or more policy files to
$MergedPolicy=$env:userprofile+"\Desktop\"+$PolicyName+"_Merged.xml"
```
2. Use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge two policies and create a new Windows Defender Application Control policy:
2. Use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge two policies and create a new App Control for Business policy:
```powershell
Merge-CIPolicy -PolicyPaths $LamnaPolicy,$EventsPolicy -OutputFilePath $MergedPolicy
@ -39,16 +38,16 @@ There are many scenarios where you may want to merge two or more policy files to
> [!NOTE]
> You can merge additional policies with the Merge-CIPolicy step above by adding them to the -PolicyPaths parameter separated by commas. The new policy file specified by -OutputFilePath will have the Policy information from the first policy in the list. For example, in the above example, the $MergedPolicy will inherit the policy type, ID, name, and version information from $LamnaPolicy. To change any of those values, use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) and [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion).
## Merge WDAC rules directly into a policy XML
## Merge App Control rules directly into a policy XML
Besides merging multiple policy XML files, you can also merge rules created with the New-CIPolicyRule cmdlet directly into an existing WDAC policy XML file. Directly merging rules is a convenient way to update your policy without creating extra policy XML files. For example, to add rules that allow the WDAC Wizard and the WDAC RefreshPolicy.exe tool, follow these steps:
Besides merging multiple policy XML files, you can also merge rules created with the New-CIPolicyRule cmdlet directly into an existing App Control policy XML file. Directly merging rules is a convenient way to update your policy without creating extra policy XML files. For example, to add rules that allow the App Control Wizard and the App Control RefreshPolicy.exe tool, follow these steps:
1. Install the [WDAC Wizard](../design/appcontrol-wizard.md) packaged MSIX app.
1. Install the [App Control Wizard](../design/appcontrol-wizard.md) packaged MSIX app.
2. Download the [Refresh Policy tool](https://aka.ms/refreshpolicy) for your processor architecture and save it to your desktop as RefreshPolicy.exe.
3. From a PowerShell session, run the following commands to create packaged app allow rules for the WDAC Wizard:
3. From a PowerShell session, run the following commands to create packaged app allow rules for the App Control Wizard:
```powershell
$PackageInfo = Get-AppxPackage -Name Microsoft.WDAC.WDACWizard
$PackageInfo = Get-AppxPackage -Name Microsoft.App Control.WDACWizard
$Rules = New-CIPolicyRule -Package $PackageInfo
```
@ -68,16 +67,16 @@ Besides merging multiple policy XML files, you can also merge rules created with
Now that you have your new, merged policy, you can convert and deploy the policy binary to your managed endpoints.
1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the App Control policy to a binary format:
```powershell
$WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
ConvertFrom-CIPolicy -XMLFilePath $MergedPolicy -BinaryFilePath $WDACPolicyBin
$AppControlPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
ConvertFrom-CIPolicy -XMLFilePath $MergedPolicy -BinaryFilePath $AppControlPolicyBin
```
> [!NOTE]
> In the sample commands above, for policies targeting Windows 10 version 1903+ or Windows 11, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name.
2. Upload your merged policy XML and the associated binary to the source control solution you are using for your Windows Defender Application Control policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
2. Upload your merged policy XML and the associated binary to the source control solution you are using for your App Control for Business policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
3. Deploy the merged policy using your preferred deployment solution. See [Deploying Windows Defender Application Control (WDAC) policies](appcontrol-deployment-guide.md)
3. Deploy the merged policy using your preferred deployment solution. See [Deploying App Control for Business policies](appcontrol-deployment-guide.md)

21
windows/security/application-security/application-control/app-control-for-business/deployment/use-code-signing-for-better-control-and-protection.md
View File

@ -1,19 +1,18 @@
---
title: Use code signing for added control and protection with WDAC
description: Code signing can be used to better control Win32 app authorization and add protection for your Windows Defender Application Control (WDAC) policies.
title: Use code signing for added control and protection with App Control
description: Code signing can be used to better control Win32 app authorization and add protection for your App Control for Business policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 11/29/2022
---
# Use code signing for added control and protection with Windows Defender Application Control
# Use code signing for added control and protection with App Control for Business
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
## What is code signing and why is it important?
Code signing provides some important benefits to application security features like Windows Defender Application Control (WDAC). First, it allows the system to cryptographically verify that a file hasn't been tampered with since it was signed and before any code is allowed to run. Second, it associates the file with a real-world identity, such as a company or an individual developer. This identity can make your policy trust decisions easier and allows for real-world consequences when code signing is abused or used maliciously. Although Windows doesn't require software developers to digitally sign their code, most major independent software vendors (ISV) do use code signing for much of their code. And metadata that a developer includes in a file's resource header (.RSRC), such as OriginalFileName or ProductName, can be combined with the file's signing certificate to limit the scope of trust decisions. For example, instead of allowing everything signed by Microsoft, you can choose to allow only files signed by Microsoft where ProductName is "Microsoft Teams". Then use other rules to authorize any other files that need to run.
Code signing provides some important benefits to application security features like App Control for Business. First, it allows the system to cryptographically verify that a file hasn't been tampered with since it was signed and before any code is allowed to run. Second, it associates the file with a real-world identity, such as a company or an individual developer. This identity can make your policy trust decisions easier and allows for real-world consequences when code signing is abused or used maliciously. Although Windows doesn't require software developers to digitally sign their code, most major independent software vendors (ISV) do use code signing for much of their code. And metadata that a developer includes in a file's resource header (.RSRC), such as OriginalFileName or ProductName, can be combined with the file's signing certificate to limit the scope of trust decisions. For example, instead of allowing everything signed by Microsoft, you can choose to allow only files signed by Microsoft where ProductName is "Microsoft Teams". Then use other rules to authorize any other files that need to run.
Wherever possible, you should require all app binaries and scripts are code signed as part of your app acceptance criteria. And, you should ensure that internal line-of-business (LOB) app developers have access to code signing certificates controlled by your organization.
@ -26,13 +25,13 @@ You can use catalog files to easily add a signature to an existing application w
> [!NOTE]
> Since catalogs identify the files they sign by hash, any change to the file may invalidate its signature. You will need to deploy updated catalog signatures any time the application is updated. Integrating code signing with your app development or app deployment processes is generally the best approach. Be aware of self-updating apps, as their app binaries may change without your knowledge.
To learn how to create and manage catalog files for existing apps, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-appcontrol.md).
To learn how to create and manage catalog files for existing apps, see [Deploy catalog files to support App Control for Business](deploy-catalog-files-to-support-appcontrol.md).
## Signed WDAC policies
## Signed App Control policies
While a WDAC policy begins as an XML document, it's then converted into a binary-encoded file before deployment. This binary version of your policy can be code signed like any other application binary, offering many of the same benefits as described above for signed code. Additionally, signed policies are treated specially by WDAC and help protect against tampering or removal of a policy even by an admin user.
While a App Control policy begins as an XML document, it's then converted into a binary-encoded file before deployment. This binary version of your policy can be code signed like any other application binary, offering many of the same benefits as described above for signed code. Additionally, signed policies are treated specially by App Control and help protect against tampering or removal of a policy even by an admin user.
For more information on using signed policies, see [Use signed policies to protect Windows Defender Application Control against tampering](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering)
For more information on using signed policies, see [Use signed policies to protect App Control for Business against tampering](use-signed-policies-to-protect-appcontrol-against-tampering.md)
## Obtain code signing certificates for your own use
@ -40,4 +39,4 @@ Some ways to obtain code signing certificates for your own use, include:
- Use Microsoft's [Trusted Signing service](/azure/trusted-signing/).
- Purchase a code signing certificate from one of the [Microsoft Trusted Root Program participants](/security/trusted-root/participants-list).
- To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-appcontrol.md).
- To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for App Control for Business](create-code-signing-cert-for-appcontrol.md).

33
windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md
View File

@ -1,17 +1,16 @@
---
title: Use signed policies to protect Windows Defender Application Control against tampering
description: Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows 10 and Windows 11.
title: Use signed policies to protect App Control for Business against tampering
description: Signed App Control for Business policies give organizations the highest level of malware protection available in Windows 10 and Windows 11.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 11/04/2022
---
# Use signed policies to protect Windows Defender Application Control against tampering
# Use signed policies to protect App Control for Business against tampering
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of protection available in Windows. These policies are designed to detect administrative tampering of the policy, such as by malware running as admin, and will result in a boot failure or blue screen. With this goal in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to provide this protection for signed WDAC policies.
Signed App Control for Business policies give organizations the highest level of protection available in Windows. These policies are designed to detect administrative tampering of the policy, such as by malware running as admin, and will result in a boot failure or blue screen. With this goal in mind, it's much more difficult to remove signed App Control policies. SecureBoot must be enabled in order to provide this protection for signed App Control policies.
If you don't currently have a code signing certificate you can use to sign your policies, see [Obtain code signing certificates for your own use](use-code-signing-for-better-control-and-protection.md#obtain-code-signing-certificates-for-your-own-use).
@ -22,12 +21,12 @@ If you don't currently have a code signing certificate you can use to sign your
> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256.
Before you attempt to deploy a signed policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](../design/select-types-of-rules-to-create.md).
Before you attempt to deploy a signed policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [App Control for Business policy rules](../design/select-types-of-rules-to-create.md).
> [!NOTE]
> When signing a Base policy that has existing Supplemental policies, you must also switch to signed policy for all of the Supplementals. Authorize the signed supplemental policies by adding a `<SupplementalPolicySigner>` rule to the Base policy.
## Prepare your WDAC policy for signing
## Prepare your App Control policy for signing
1. Open an elevated Windows PowerShell session and initialize the variables to use:
@ -38,7 +37,7 @@ Before you attempt to deploy a signed policy, you should first deploy an unsigne
```
> [!NOTE]
> This example uses an enforced version of the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](../design/create-appcontrol-policy-using-reference-computer.md) article. If you sign another policy, be sure to update the **$PolicyPath** and **$PolicyName** variables with the correct information.
> This example uses an enforced version of the App Control policy that you created in [Create a App Control for Business policy from a reference computer](../design/create-appcontrol-policy-using-reference-computer.md) article. If you sign another policy, be sure to update the **$PolicyPath** and **$PolicyName** variables with the correct information.
2. Navigate to your desktop as the working directory:
@ -46,7 +45,7 @@ Before you attempt to deploy a signed policy, you should first deploy an unsigne
cd $PolicyPath
```
3. If your WDAC policy doesn't already include an `<UpdatePolicySigner>` rule for your policy signing certificate, you must add it. At least one `<UpdatePolicySigner>` rule must exist to convert your policy XML with [ConvertFrom-CiPolicy](/powershell/module/configci/convertfrom-cipolicy).
3. If your App Control policy doesn't already include an `<UpdatePolicySigner>` rule for your policy signing certificate, you must add it. At least one `<UpdatePolicySigner>` rule must exist to convert your policy XML with [ConvertFrom-CiPolicy](/powershell/module/configci/convertfrom-cipolicy).
Use [Add-SignerRule](/powershell/module/configci/add-signerrule) and create an `<UpdatePolicySigner>` rule from your certificate file (.cer). If you purchased a code signing certificate or issued one from your own public key infrastructure (PKI), you can export the certificate file.
@ -58,7 +57,7 @@ Before you attempt to deploy a signed policy, you should first deploy an unsigne
```
> [!IMPORTANT]
> Failing to perform this step will leave you unable to modify or disable this policy and will lead to boot failure. For more information about how to disable signed policies causing boot failure, see [Remove Windows Defender Application Control policies causing boot stop failures](disable-appcontrol-policies.md#remove-wdac-policies-causing-boot-stop-failures).
> Failing to perform this step will leave you unable to modify or disable this policy and will lead to boot failure. For more information about how to disable signed policies causing boot failure, see [Remove App Control for Business policies causing boot stop failures](disable-appcontrol-policies.md#remove-app-control-policies-causing-boot-stop-failures).
4. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
@ -86,11 +85,11 @@ Before you attempt to deploy a signed policy, you should first deploy an unsigne
### Policy signing with signtool.exe
If you purchased a code signing certificate or issued one from your own PKI, you can use [SignTool.exe](/windows/win32/seccrypto/signtool) to sign your WDAC policy files:
If you purchased a code signing certificate or issued one from your own PKI, you can use [SignTool.exe](/windows/win32/seccrypto/signtool) to sign your App Control policy files:
1. Import the .pfx code signing certificate into the user's personal store on the computer where the signing will happen. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-appcontrol.md).
1. Import the .pfx code signing certificate into the user's personal store on the computer where the signing will happen. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for App Control for Business](create-code-signing-cert-for-appcontrol.md).
2. Sign the WDAC policy by using SignTool.exe:
2. Sign the App Control policy by using SignTool.exe:
```powershell
<Path to signtool.exe> sign -v -n "ContosoSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin
@ -99,7 +98,7 @@ If you purchased a code signing certificate or issued one from your own PKI, you
> [!NOTE]
> The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoSigningCert** is the subject name of the certificate that will be used to sign the policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
When complete, the commands should output a signed policy file with a `.p7` extension. You must rename the file to `{GUID}.cip` where "{GUID}" is the &lt;PolicyId&gt; from your original WDAC policy XML.
When complete, the commands should output a signed policy file with a `.p7` extension. You must rename the file to `{GUID}.cip` where "{GUID}" is the &lt;PolicyId&gt; from your original App Control policy XML.
## Verify and deploy the signed policy
@ -117,9 +116,9 @@ $SignedCryptoMsgSyntax.Decode([System.IO.File]::ReadAllBytes($CIPolicyBin))
$SignedCryptoMsgSyntax.Certificates | Format-List -Property *
```
Thoroughly test the signed policy on a representative set of computers before proceeding with deployment. Be sure to reboot the test computers at least twice after applying the signed WDAC policy to ensure you don't encounter a boot failure.
Thoroughly test the signed policy on a representative set of computers before proceeding with deployment. Be sure to reboot the test computers at least twice after applying the signed App Control policy to ensure you don't encounter a boot failure.
Once you've verified the signed policy, deploy it using your preferred deployment method. For more information about deploying policies, see [Deploying Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
Once you've verified the signed policy, deploy it using your preferred deployment method. For more information about deploying policies, see [Deploying App Control for Business policies](appcontrol-deployment-guide.md).
> [!NOTE]
> Anti-tampering protection for signed policies takes effect after the first reboot once the signed policy is applied to a computer. This protection only applies to computers with UEFI Secure Boot enabled.