diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 5042ee9974..59a54a27da 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -95,49 +95,41 @@ In **Windows 10, version 1909**, Microsoft Edge kiosk mode support was added. Th For more examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples). -
-
- Get Configuration +- Get Configuration -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - - - - -``` + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/Configuration + + + + + + + ``` -
+- Delete Configuration -
-
- Delete Configuration - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - - - - -``` - -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/Configuration + + + + + + + ``` @@ -201,101 +193,85 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu **Examples**: -
-
- Add KioskModeApp +- Add KioskModeApp -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - chr - - {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} - - - - - -``` + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + chr + + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} + + + + + + ``` -
+- Delete KioskModeApp -
-
- Delete KioskModeApp + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + + + + + ``` -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - - - - -``` +- Get KioskModeApp -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + + + + + ``` -
-
- Get KioskModeApp +- Replace KioskModeApp -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - - - - -``` - -
- -
-
- Replace KioskModeApp - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - chr - - {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"} - - - - - -``` - -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + chr + + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"} + + + + + + ``` @@ -351,412 +327,387 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau > [!NOTE] > Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD. -
-
- Shell Launcher V1 XSD +- Shell Launcher V1 XSD -```xml - - + ```xml + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - + + + + + - - -``` -
+ + + + + -
-
- Shell Launcher V2 XSD + + + + + + + + -```xml - - + + + + + + + + + + + + + + - - - - - - - - + + + - + + + + + + + + - -``` + + + + + + + -

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + +- Shell Launcher V2 XSD + + ```xml + + + + + + + + + + + + + + + + ``` **Examples**: -
-
- Add +- Add -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - -``` + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + ``` -
+- Add AutoLogon -
-
- Add AutoLogon + This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed. -This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed. + > [!NOTE] + > The auto-logon function is designed to be used after OOBE with provisioning packages. -> [!NOTE] -> The auto-logon function is designed to be used after OOBE with provisioning packages. + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + ``` -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - -``` +- V2 Add -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + ``` -
-
- V2 Add +- Get -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - -``` - -
- -
-
- Get - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - - - - -``` - -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + + + + + ``` @@ -814,10 +765,6 @@ Additionally, the Status payload includes the following fields: **AssignedAccessAlert XSD**: -
-
- Expand this section to see the schema XML - ```xml ``` -

- **Example**: ```xml @@ -954,10 +899,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat **StatusConfiguration XSD**: -
-
- Expand this section to see the schema XML - ```xml ``` -

- **Examples**: -
-
- Add StatusConfiguration with StatusEnabled set to OnWithAlerts +- Add StatusConfiguration with StatusEnabled set to OnWithAlerts - ```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - OnWithAlerts - - ]]> - - - - - - - ``` - -
- -
-
- Delete StatusConfiguration - - ```xml - + ```xml + - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + OnWithAlerts + + ]]> + + + + - - ``` + + ``` -
+- Delete StatusConfiguration -
-
- Get StatusConfiguration + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + + ``` - ```xml - +- Get StatusConfiguration + + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + + ``` + +- Replace StatusEnabled value with On + + ```xml + - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + On + + ]]> + + + + - - ``` - -
- -
-
- Replace StatusEnabled value with On - - ```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - On - - ]]> - - - - - - - ``` - -
+ + ``` @@ -1108,322 +1031,306 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat ## AssignedAccessConfiguration XSD -
-
- Schema for AssignedAccessConfiguration. +- Schema for AssignedAccessConfiguration. -```xml - - + ```xml + + - - - + + + - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -); -``` -
+ + + + -
-
- Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization. + + + + -```xml - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - -``` - -
- -
-
- Schema for new features introduced in Windows 10 1809 release. - -```xml - - - - - - - - - - + + + + + + + + + + + + - - - + - - - + + + + + + + + + + - - - - - + + + + + - + + + + - + + + - + + + - + + + + + - -``` + + + + + + -
+ + + + + + + + + + + -
-
- Schema for Windows 10 prerelease. + + + + -```xml - - + + + + - - - - - + + + - - - + + + + + + + - - - + + + + + + - -``` + + + + + -
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ); + ``` + +- Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization. + + ```xml + + + + + + + + + + + + + + ``` + +- Schema for new features introduced in Windows 10 1809 release. + + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + +- Schema for Windows 10 prerelease. + + ```xml + + + + + + + + + + + + + + + + + + + ``` ## AssignedAccessConfiguration examples @@ -1444,118 +1351,108 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat > > ``` -
-
- Example XML configuration for a multi-app kiosk for Windows 10. +- Example XML configuration for a multi-app kiosk for Windows 10. -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - MultiAppKioskUser - - - - -``` + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + MultiAppKioskUser + + + + + ``` -
+- Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. -
-
- Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. + ```xml + + + + + + + + + + EdgeKioskUser + + + + + ``` -```xml - - - - - - - - - - EdgeKioskUser - - - - -``` +- Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. -
+ > [!NOTE] + > **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. -
-
- Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. - -> [!NOTE] -> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. - -```xml - - - - - - - - - - - EdgeKioskUser - - - - -``` + ```xml + + + + + + + + + + + EdgeKioskUser + + + + + ```
@@ -1563,10 +1460,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning). -
-
- Expand this section to see the example. - ```xml diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 644f65163a..abd3fc56ae 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -40,7 +40,7 @@ There may come a time when you want to remove one or more WDAC policies, or remo > > The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \. > -> To take effect, this policy must be signed with a certificate included in the \ section of the original policy you want to replace. +> To take effect, this policy must be signed with a certificate included in the \ section of the original policy you want to replace. > > You must then restart the computer so that the UEFI protection of the policy is deactivated. ***Failing to do so will result in a boot start failure.*** @@ -107,58 +107,53 @@ For **single policy format WDAC policies**, in addition to the two locations abo Then restart the computer. -#### Sample script - -
- Expand this section to see a sample script to delete a single WDAC policy +#### Sample script to delete a single WDAC policy ```powershell - # Set PolicyId GUID to the PolicyId from your WDAC policy XML - $PolicyId = "{PolicyId GUID}" +# Set PolicyId GUID to the PolicyId from your WDAC policy XML +$PolicyId = "{PolicyId GUID}" - # Initialize variables - $SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}" - $SinglePolicyFormatFileName = "\SiPolicy.p7b" - $MountPoint = $env:SystemDrive+"\EFIMount" - $SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity" - $EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot" - $MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip" +# Initialize variables +$SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}" +$SinglePolicyFormatFileName = "\SiPolicy.p7b" +$MountPoint = $env:SystemDrive+"\EFIMount" +$SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity" +$EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot" +$MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip" - # Mount the EFI partition - $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] - if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force } - mountvol $MountPoint $EFIPartition +# Mount the EFI partition +$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] +if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force } +mountvol $MountPoint $EFIPartition - # Check if the PolicyId to be removed is the system reserved GUID for single policy format. 
- # If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as - # {GUID}.cip in the CiPolicies\Active subdirectory - if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2} - - $Count = 1 - while ($Count -le $NumFilesToDelete) +# Check if the PolicyId to be removed is the system reserved GUID for single policy format. +# If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as +# {GUID}.cip in the CiPolicies\Active subdirectory +if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2} + +$Count = 1 +while ($Count -le $NumFilesToDelete) +{ + + # Set the $PolicyPath to the file to be deleted, if exists + Switch ($Count) { - - # Set the $PolicyPath to the file to be deleted, if exists - Switch ($Count) - { - 1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath} - 2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath} - 3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName} - 4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName} - } - - # Delete the policy file from the current $PolicyPath - Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan - if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue} - - $Count = $Count + 1 + 1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath} + 2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath} + 3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName} + 4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName} } - # Dismount the EFI partition - mountvol $MountPoint /D -``` + # Delete the policy file from the current $PolicyPath + Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan + if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue} -
+ $Count = $Count + 1 +} + +# Dismount the EFI partition +mountvol $MountPoint /D +``` > [!NOTE] > You must run the script as administrator to remove WDAC policies on your computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 68be5afd9a..e8331a7fcf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -113,9 +113,7 @@ If you wish to use this blocklist policy on Windows Server 2016, locate the deny The blocklist policy below includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone WDAC policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy format using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy below using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the sample policy below. -
-
- Expand this section to see the WDAC policy XML +**WDAC policy XML**: ```xml @@ -183,7 +181,7 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m - + @@ -893,8 +891,8 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m - - + + @@ -1512,8 +1510,6 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m ``` -
- ## More information - [Merge WDAC policies](merge-windows-defender-application-control-policies.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 54c82d24ae..161e563a19 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: +ms.collection: - highpri - tier3 author: jgeurten 
@@ -61,14 +61,39 @@ Customers who always want the most up-to-date driver blocklist can also use Wind ## Blocking vulnerable drivers using WDAC -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events. +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events. > [!IMPORTANT] > Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. 
The ASR rule doesn't block a driver already existing on the system from loading, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy will prevent the existing driver from loading. -
-
- Expand this section to see the blocklist WDAC policy XML +## Steps to download and apply the vulnerable driver blocklist binary + +If you prefer to apply the [vulnerable driver blocklist](#vulnerable-driver-blocklist-xml) exactly as shown, follow these steps: + +1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) +2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList) +3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b +4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity +5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer + +To check that the policy was successfully applied on your computer: + +1. Open Event Viewer +2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational** +3. Select **Filter Current Log...** +4. Replace "<All Event IDs>" with "3099" and select OK. +5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present. + +> [!NOTE] +> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot. + +## Vulnerable driver blocklist XML + +> [!IMPORTANT] +> The policy listed below contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. 
For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations). + +> [!NOTE] +> To use this policy with Windows Server 2016, you must convert the policy XML on a device running a newer operating system. ```xml @@ -642,11 +667,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + - + @@ -1079,7 +1104,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1213,7 +1238,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1228,7 +1253,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1238,7 +1263,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1402,7 +1427,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1811,8 +1836,8 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - + + @@ -1837,7 +1862,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1849,7 +1874,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1894,7 +1919,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -2879,35 +2904,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- ``` -
- -> [!NOTE] -> The policy listed above contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations). - -> [!NOTE] -> To use the policy above with Windows Server 2016, you must convert the policy XML on a device running a newer operating system. - -## Steps to download and apply the vulnerable driver blocklist binary - -If you prefer to apply the vulnerable driver blocklist exactly as shown above, follow these steps: - -1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) -2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList) -3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b -4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity -5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer - -To check that the policy was successfully applied on your computer: - -1. Open Event Viewer -2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational** -3. Select **Filter Current Log...** -4. Replace "<All Event IDs>" with "3099" and select OK. -5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present. 
- -> [!NOTE] -> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot. - ## More information - [Merge Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies)
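Review bot: in the assignedaccess-csp.md hunk at `@@ -1108,322 +1031,306 @@`, the stray `);` line immediately before the closing fence of the AssignedAccessConfiguration XSD block is carried over unchanged (`-);` becomes `+    );`), yet it is not part of the schema and leaves the block as invalid XML for anyone who copies it. Since this hunk already re-indents every line of that block, drop the `);` line so the block ends with the schema's closing element followed directly by the fence.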
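Review bot: in the disable-windows-defender-application-control-policies.md hunk at `@@ -107,58 +107,53 @@`, the re-indented script still has no fail-fast guard for the two preconditions the surrounding text states. The note right after the block says it must run as administrator, and the EFI branch of the loop silently does nothing if `mountvol $MountPoint $EFIPartition` fails, because `Test-Path` simply returns false for the unmounted path and the policy file on the EFI partition is then left in place while the output looks like a clean run. While the whole script is being touched anyway, add `#Requires -RunAsAdministrator` as the first line and check the native exit code after the mount, for example `if ($LASTEXITCODE -ne 0) { throw "Failed to mount EFI partition at $MountPoint" }`, so a failed mount is reported instead of being mistaken for "policy not present"; the unconditional `mountvol $MountPoint /D` at the end then only runs after a successful mount.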
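Review bot: in the microsoft-recommended-block-rules.md hunk at `@@ -113,9 +113,7 @@`, replacing the collapsible section with the bold run-in label `**WDAC policy XML**:` leaves the long policy XML without a linkable heading, whereas the parallel change in microsoft-recommended-driver-block-rules.md in this same patch introduces a `## Vulnerable driver blocklist XML` heading and links to it from the prose with `(#vulnerable-driver-blocklist-xml)`. Use a `##` heading here as well (for example `## WDAC policy XML`) so the prose above it can link to the policy the same way and the two pages stay consistent.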
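Review bot: in the microsoft-recommended-driver-block-rules.md hunk at `@@ -61,14 +61,39 @@`, step 4 of the moved verification steps, `4. Replace "<All Event IDs>" with "3099" and select OK.`, carries the raw `<All Event IDs>` text into a markdown list item; in that position the renderer is likely to treat it as an HTML tag and drop it, so the reader sees `Replace "" with "3099"`. Wrap it in backticks so it renders literally. In the same moved text, the note's `Running processes aren't shutdown when activating a new WDAC policy without reboot` should read `shut down` (verb), since the lines are being re-added as `+` lines anyway.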