Merge pull request #8153 from vinaypamnani-msft/vp-collapse

Remove collapsible sections 😭
Stacyrch140 2023-04-18 13:16:18 -04:00 committed by GitHub
commit d21f739865
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 1140 additions and 1268 deletions

View File

@ -95,12 +95,10 @@ In **Windows 10, version 1909**, Microsoft Edge kiosk mode support was added. Th
For more examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples).
<br>
<details>
<summary>Get Configuration</summary>
- Get Configuration
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
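Review bot: the fenced block that replaces the `<details>` element is not indented under its new `- Get Configuration` bullet, so a fence at column 0 closes the list and the XML renders as a sibling of a one-line list instead of as the bullet's content. Either indent the fence and its XML by the list indent, or drop the bullet and use a bold label or a `####` heading, which is what the WDAC files in this same PR do. The same applies to every `- <label>` / fence pair introduced in this file.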
@ -112,17 +110,13 @@ For more examples, see [AssignedAccessConfiguration examples](#assignedaccesscon
</Get>
<Final />
</SyncBody>
</SyncML>
```
</SyncML>
```
</details>
- Delete Configuration
<br>
<details>
<summary>Delete Configuration</summary>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
<CmdID>2</CmdID>
@ -134,10 +128,8 @@ For more examples, see [AssignedAccessConfiguration examples](#assignedaccesscon
</Delete>
<Final />
</SyncBody>
</SyncML>
```
</details>
</SyncML>
```
<!-- Device-Configuration-Examples-End -->
<!-- Device-Configuration-End -->
@ -201,12 +193,10 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**Examples**:
<br>
<details>
<summary>Add KioskModeApp</summary>
- Add KioskModeApp
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
@ -222,17 +212,13 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
</Add>
<Final />
</SyncBody>
</SyncML>
```
</SyncML>
```
</details>
- Delete KioskModeApp
<br>
<details>
<summary>Delete KioskModeApp</summary>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
<CmdID>2</CmdID>
@ -244,17 +230,13 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
</Delete>
<Final />
</SyncBody>
</SyncML>
```
</SyncML>
```
</details>
- Get KioskModeApp
<br>
<details>
<summary>Get KioskModeApp</summary>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
@ -266,17 +248,13 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
</Get>
<Final />
</SyncBody>
</SyncML>
```
</SyncML>
```
</details>
- Replace KioskModeApp
<br>
<details>
<summary>Replace KioskModeApp</summary>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Replace>
<CmdID>2</CmdID>
@ -292,10 +270,8 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
</Replace>
<Final />
</SyncBody>
</SyncML>
```
</details>
</SyncML>
```
<!-- Device-KioskModeApp-Examples-End -->
<!-- Device-KioskModeApp-End -->
@ -351,13 +327,11 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau
> [!NOTE]
> Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD.
<br>
<details>
<summary>Shell Launcher V1 XSD</summary>
- Shell Launcher V1 XSD
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
@ -507,18 +481,14 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
</xs:schema>
```
</details>
- Shell Launcher V2 XSD
<br>
<details>
<summary>Shell Launcher V2 XSD</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"
@ -537,19 +507,15 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau
<xs:attribute name="AllAppsFullScreen" type="xs:boolean"/>
</xs:schema>
```
</details><br>
</xs:schema>
```
**Examples**:
<br>
<details>
<summary>Add</summary>
- Add
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
@ -613,22 +579,18 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau
</Add>
<Final />
</SyncBody>
</SyncML>
```
</SyncML>
```
</details>
- Add AutoLogon
<br>
<details>
<summary>Add AutoLogon</summary>
This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed.
This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed.
> [!NOTE]
> The auto-logon function is designed to be used after OOBE with provisioning packages.
> [!NOTE]
> The auto-logon function is designed to be used after OOBE with provisioning packages.
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
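Review bot: the `- Add AutoLogon` item is followed by an unindented paragraph and a `> [!NOTE]` block before its fence, so the bullet ends after its label and the description, the note and the XML all render outside the list, leaving a stray one-word bullet. Indent the paragraph, the note and the fence under the bullet, or promote the label to a heading so the description belongs to it. The breakout-sequence example later in this file has the same layout.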
@ -671,17 +633,13 @@ This function creates an auto-logon account on your behalf. It's a standard user
</Add>
<Final />
</SyncBody>
</SyncML>
```
</SyncML>
```
</details>
- V2 Add
<br>
<details>
<summary>V2 Add</summary>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
@ -697,7 +655,7 @@ This function creates an auto-logon account on your behalf. It's a standard user
<?xml version="1.0" encoding="utf-8"?>
<!--Using the http://schemas.microsoft.com/ShellLauncher/2019/Configuration namespace will opt-in to customshellhost.exe experience which can run win32 and UWP apps-->
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" V2:AppType="UWP" V2:AllAppsFullScreen="true">
@ -730,18 +688,13 @@ xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
</Add>
<Final />
</SyncBody>
</SyncML>
</SyncML>
```
```
- Get
</details>
<br>
<details>
<summary>Get</summary>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
@ -753,10 +706,8 @@ xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
</Get>
<Final />
</SyncBody>
</SyncML>
```
</details>
</SyncML>
```
<!-- Device-ShellLauncher-Examples-End -->
<!-- Device-ShellLauncher-End -->
@ -814,10 +765,6 @@ Additionally, the Status payload includes the following fields:
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**AssignedAccessAlert XSD**:
<br>
<details>
<summary>Expand this section to see the schema XML</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
@ -878,8 +825,6 @@ Additionally, the Status payload includes the following fields:
</xs:schema>
```
</details><br>
**Example**:
```xml
@ -954,10 +899,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**StatusConfiguration XSD**:
<br>
<details>
<summary>Expand this section to see the schema XML</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
@ -987,13 +928,9 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</xs:schema>
```
</details><br>
**Examples**:
<br>
<details>
<summary>Add StatusConfiguration with StatusEnabled set to OnWithAlerts</summary>
- Add StatusConfiguration with StatusEnabled set to OnWithAlerts
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
@ -1022,11 +959,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</SyncML>
```
</details>
<br>
<details>
<summary>Delete StatusConfiguration</summary>
- Delete StatusConfiguration
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
@ -1044,11 +977,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</SyncML>
```
</details>
<br>
<details>
<summary>Get StatusConfiguration</summary>
- Get StatusConfiguration
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
@ -1066,11 +995,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</SyncML>
```
</details>
<br>
<details>
<summary>Replace StatusEnabled value with On</summary>
- Replace StatusEnabled value with On
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
@ -1098,8 +1023,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</SyncBody>
</SyncML>
```
</details>
<!-- Device-StatusConfiguration-Examples-End -->
<!-- Device-StatusConfiguration-End -->
@ -1108,13 +1031,11 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
## AssignedAccessConfiguration XSD
<br>
<details>
<summary>Schema for AssignedAccessConfiguration.</summary>
- Schema for AssignedAccessConfiguration.
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
@ -1305,18 +1226,14 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</xs:all>
</xs:complexType>
</xs:element>
</xs:schema>);
```
</xs:schema>);
```
</details>
- Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization.
<br>
<details>
<summary>Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization.</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
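Review bot: while this schema block is being reindented, the closing line `</xs:schema>);` keeps a stray `);` that makes the pasted schema invalid XML; it appears on both the old and the new line. Change it to `</xs:schema>` so the schema can be copied and validated as-is.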
@ -1335,18 +1252,14 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<xs:attribute name="Key" type="xs:string" use="required"/>
</xs:complexType>
</xs:schema>
```
</xs:schema>
```
</details>
- Schema for new features introduced in Windows 10 1809 release.
<br>
<details>
<summary>Schema for new features introduced in Windows 10 1809 release.</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/201810/config"
@ -1385,18 +1298,14 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<xs:attribute name="DisplayName" type="xs:string"/>
</xs:schema>
```
</xs:schema>
```
</details>
- Schema for Windows 10 prerelease.
<br>
<details>
<summary>Schema for Windows 10 prerelease.</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2020/config"
@ -1420,10 +1329,8 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<xs:element name="NoRestriction" />
<xs:element name="GlobalProfile" type="globalProfile_t" />
</xs:schema>
```
</details>
</xs:schema>
```
## AssignedAccessConfiguration examples
@ -1444,13 +1351,11 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
> </AssignedAccessConfiguration>
> ```
<br>
<details>
<summary>Example XML configuration for a multi-app kiosk for Windows 10.</summary>
- Example XML configuration for a multi-app kiosk for Windows 10.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
@ -1496,18 +1401,14 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
</AssignedAccessConfiguration>
```
</details>
- Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode.
<br>
<details>
<summary>Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode.</summary>
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
@ -1523,21 +1424,17 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
</AssignedAccessConfiguration>
```
</details>
- Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk.
<br>
<details>
<summary>Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk.</summary>
> [!NOTE]
> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk.
> [!NOTE]
> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
@ -1554,8 +1451,8 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
</AssignedAccessConfiguration>
```
</details>
@ -1563,10 +1460,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning).
<br>
<details>
<summary>Expand this section to see the example.</summary>
```xml
<?xml version="1.0" encoding="utf-8" ?>
<!--
@ -1623,8 +1516,6 @@ This example configures the following apps: Skype, Learning, Feedback Hub, and C
</AssignedAccessConfiguration>
```
</details>
## Handling XML in Configuration
XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
@ -1633,12 +1524,10 @@ Similarly, the StartLayout xml inside the configuration xml is using the same fo
Escape and CDATA are mechanisms used when handling xml in xml. Consider that it's a transportation channel to send the configuration xml as payload from server to client. It's transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
<br>
<details>
<summary>This example shows escaped XML of the Data node.</summary>
- This example shows escaped XML of the Data node.
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
@ -1651,7 +1540,7 @@ Escape and CDATA are mechanisms used when handling xml in xml. Consider that it'
</Meta>
<Data>
&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt;
&lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt;
&lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt;
&lt;Profiles&gt;
&lt;Profile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;&gt;
&lt;AllAppsList&gt;
@ -1697,24 +1586,22 @@ Escape and CDATA are mechanisms used when handling xml in xml. Consider that it'
&lt;DefaultProfile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;/&gt;
&lt;/Config&gt;
&lt;/Configs&gt;
&lt;/AssignedAccessConfiguration&gt;
&lt;/AssignedAccessConfiguration&gt;
</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
</SyncML>
```
</details>
<br>
<details>
<summary>This example shows CData for the XML.</summary>
- This example shows CData for the XML.
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
@ -1727,7 +1614,7 @@ Escape and CDATA are mechanisms used when handling xml in xml. Consider that it'
</Meta>
<Data>
<![CDATA[<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
@ -1773,17 +1660,15 @@ Escape and CDATA are mechanisms used when handling xml in xml. Consider that it'
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
]]>
</AssignedAccessConfiguration>
]]>
</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
</details>
</SyncML>
```
<!-- AssignedAccess-CspMoreInfo-End -->
<!-- AssignedAccess-End -->

View File

@ -107,36 +107,33 @@ For **single policy format WDAC policies**, in addition to the two locations abo
Then restart the computer.
#### Sample script
<details>
<summary>Expand this section to see a sample script to delete a single WDAC policy</summary>
#### Sample script to delete a single WDAC policy
```powershell
# Set PolicyId GUID to the PolicyId from your WDAC policy XML
$PolicyId = "{PolicyId GUID}"
# Set PolicyId GUID to the PolicyId from your WDAC policy XML
$PolicyId = "{PolicyId GUID}"
# Initialize variables
$SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}"
$SinglePolicyFormatFileName = "\SiPolicy.p7b"
$MountPoint = $env:SystemDrive+"\EFIMount"
$SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity"
$EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot"
$MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip"
# Initialize variables
$SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}"
$SinglePolicyFormatFileName = "\SiPolicy.p7b"
$MountPoint = $env:SystemDrive+"\EFIMount"
$SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity"
$EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot"
$MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip"
# Mount the EFI partition
$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force }
mountvol $MountPoint $EFIPartition
# Mount the EFI partition
$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force }
mountvol $MountPoint $EFIPartition
# Check if the PolicyId to be removed is the system reserved GUID for single policy format.
# If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as
# {GUID}.cip in the CiPolicies\Active subdirectory
if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2}
# Check if the PolicyId to be removed is the system reserved GUID for single policy format.
# If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as
# {GUID}.cip in the CiPolicies\Active subdirectory
if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2}
$Count = 1
while ($Count -le $NumFilesToDelete)
{
$Count = 1
while ($Count -le $NumFilesToDelete)
{
# Set the $PolicyPath to the file to be deleted, if exists
Switch ($Count)
@ -152,14 +149,12 @@ Then restart the computer.
if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue}
$Count = $Count + 1
}
}
# Dismount the EFI partition
mountvol $MountPoint /D
# Dismount the EFI partition
mountvol $MountPoint /D
```
</Details>
> [!NOTE]
> You must run the script as administrator to remove WDAC policies on your computer.
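Review bot: now that the script is promoted from a collapsible section to a `####` heading, the administrator requirement in the trailing `> [!NOTE]` still sits below the script; since the script mounts the EFI system partition with `mountvol` and deletes files from it, move that note above the fence so a reader sees it before running anything. Separately, `$PolicyId = "{PolicyId GUID}"` is a placeholder that, if left unedited, silently matches nothing and the loop deletes no files; a guard that exits when the value still equals the literal placeholder would make that failure visible.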

View File

@ -113,9 +113,7 @@ If you wish to use this blocklist policy on Windows Server 2016, locate the deny
The blocklist policy below includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone WDAC policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy format using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy below using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the sample policy below.
<br>
<details>
<summary>Expand this section to see the WDAC policy XML</summary>
**WDAC policy XML**:
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -1512,8 +1510,6 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m
</SiPolicy>
```
</details>
## More information
- [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
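Review bot: the collapsible section is replaced by a bold label `**WDAC policy XML**:` rather than a heading, so unlike the vulnerable driver blocklist file in this PR, which introduces `## Vulnerable driver blocklist XML` and links to it from its intro, this policy XML gets no TOC entry or anchor. Use a `##` heading here as well so the intro paragraph's "policy below" can link to it and the two articles stay consistent.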

View File

@ -61,14 +61,39 @@ Customers who always want the most up-to-date driver blocklist can also use Wind
## Blocking vulnerable drivers using WDAC
Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
> [!IMPORTANT]
> Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from loading, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy will prevent the existing driver from loading.
<br>
<details>
<summary>Expand this section to see the blocklist WDAC policy XML</summary>
## Steps to download and apply the vulnerable driver blocklist binary
If you prefer to apply the [vulnerable driver blocklist](#vulnerable-driver-blocklist-xml) exactly as shown, follow these steps:
1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy)
2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList)
3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b
4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity
5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer
To check that the policy was successfully applied on your computer:
1. Open Event Viewer
2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational**
3. Select **Filter Current Log...**
4. Replace "&lt;All Event IDs&gt;" with "3099" and select OK.
5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present.
> [!NOTE]
> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot.
## Vulnerable driver blocklist XML
> [!IMPORTANT]
> The policy listed below contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
> [!NOTE]
> To use this policy with Windows Server 2016, you must convert the policy XML on a device running a newer operating system.
```xml
<?xml version="1.0" encoding="utf-8"?>
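Review bot: in the moved `> [!NOTE]` at the end of the new "Steps to download" section, "Running processes aren't shutdown" should read "aren't shut down", and "audit only version" in step 3 should be hyphenated as "audit-only version". The new `(#vulnerable-driver-blocklist-xml)` links resolve to the `## Vulnerable driver blocklist XML` heading added in this same hunk, so the forward references introduced by moving the steps above the XML are consistent.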
@ -2879,35 +2904,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
</SiPolicy>
```
</details>
> [!NOTE]
> The policy listed above contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
> [!NOTE]
> To use the policy above with Windows Server 2016, you must convert the policy XML on a device running a newer operating system.
## Steps to download and apply the vulnerable driver blocklist binary
If you prefer to apply the vulnerable driver blocklist exactly as shown above, follow these steps:
1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy)
2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList)
3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b
4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity
5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer
To check that the policy was successfully applied on your computer:
1. Open Event Viewer
2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational**
3. Select **Filter Current Log...**
4. Replace "&lt;All Event IDs&gt;" with "3099" and select OK.
5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present.
> [!NOTE]
> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot.
## More information
- [Merge Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies)