Rename files, Fix links

This commit is contained in:
Vinay Pamnani 2023-07-17 12:37:16 -04:00
parent dad6503292
commit d755cc90c3
91 changed files with 1040 additions and 329 deletions


@ -21949,6 +21949,721 @@
"source_path": "windows/security/security-foundations.md", "source_path": "windows/security/security-foundations.md",
"redirect_url": "/windows/security/security-foundations/index", "redirect_url": "/windows/security/security-foundations/index",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/select-types-of-rules-to-create",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-parsing-event-logs",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-merging-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-deny-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-for-fully-managed-devices",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-for-lightly-managed-devices",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-using-reference-computer",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/example-wdac-base-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/manage-packaged-apps-with-wdac",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/understand-wdac-policy-design-decisions",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/understanding-wdac-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-policy-to-control-specific-plug-ins-add-ins-and-modules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-with-intelligent-security-graph",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-design-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-create-base-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-create-supplemental-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-editing-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/operations/inbox-wdac-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/feature-availability.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/feature-availability",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/index.yml",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/index",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/types-of-devices.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/common-wdac-use-cases",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/allow-com-object-registration-in-wdac-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/delete-an-applocker-rule",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-your-application-control-objectives",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-application-list",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-applocker-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/enable-the-dll-rule-collection",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/enforce-applocker-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/executable-rules-in-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/how-applocker-works-techref",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-applocker-default-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/audit-wdac-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-catalog-files-to-support-wdac",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-group-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/disable-wdac-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/enforce-wdac-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/LOB-win32-apps-on-s",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/merge-wdac-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/deployment/create-code-signing-cert-for-wdac",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-manually",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/monitor-application-usage-with-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/script-rules-in-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/security-considerations-for-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-enforcement-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-default-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-behavior",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-collections",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/wdac",
"redirect_document_id": false
} }
] ]
} }
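Review bot: no redirect entries appear in this block for three of the renames the TOC hunk further down makes, `types-of-devices.md` to `design/common-wdac-use-cases.md`, `create-initial-default-policy.md` to `design/create-wdac-policy-using-reference-computer.md`, and `use-windows-defender-application-control-with-dynamic-code-security.md` to `design/wdac-and-dotnet.md`; unless they are covered elsewhere in the file, the published URLs for those three pages will break while every other moved page in this block gets a redirect. Two entries here are renames as well as moves (`audit-windows-defender-application-control-policies.md` to `deployment/audit-wdac-policies` and `use-code-signing-to-simplify-application-control-for-classic-windows-applications.md` to `deployment/use-code-signing-for-better-control-and-protection`), so in-repo relative links to the old filenames still need updating; a redirect only serves the published URL, not links resolved at build time.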

View File

@ -44,6 +44,6 @@ WDAC has no specific hardware or software requirements.
## Related articles ## Related articles
- [Windows Defender Application Control](../../threat-protection/windows-defender-application-control/windows-defender-application-control.md) - [Windows Defender Application Control](windows-defender-application-control/wdac.md)
- [Memory integrity](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) - [Memory integrity](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Driver compatibility with memory integrity](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) - [Driver compatibility with memory integrity](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865)

View File

@ -10,6 +10,6 @@ items:
- name: Windows Defender Application Control and virtualization-based protection of code integrity - name: Windows Defender Application Control and virtualization-based protection of code integrity
href: introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md href: introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: Windows Defender Application Control - name: Windows Defender Application Control
href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md href: windows-defender-application-control/wdac.md
- name: Smart App Control - name: Smart App Control
href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md href: windows-defender-application-control/wdac.md

View File

@ -41,7 +41,7 @@ The following instructions provide details how to configure your devices. Select
To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Local Policies Security Options`**: To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Local Policies Security Options`**:
:::image type="content" source="./images/uac-settings-catalog.png" alt-text="Screenshot that shows the UAC policies in the Intune settings catalog." lightbox="./images/uac-settings-catalog.png" border="True"::: :::image type="content" source="images/uac-settings-catalog.png" alt-text="Screenshot that shows the UAC policies in the Intune settings catalog." lightbox="images/uac-settings-catalog.png" border="True":::
Assign the policy to a security group that contains as members the devices or users that you want to configure. Assign the policy to a security group that contains as members the devices or users that you want to configure.

View File

@ -29,7 +29,7 @@ ms.topic: article
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event. After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
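Review bot: the link now resolves to `../operations/event-id-explanations.md`, but the redirect entries shown above only cover moves into `design/`, `deployment/` and `applocker/`, with none for `event-id-explanations.md` moving under `operations/`; confirm the file exists at that path in this commit and that a redirect for its old URL is added in the same change, otherwise the link will build-break and the old public URL will 404.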
## Verifying Tags on Running Processes ## Verifying Tags on Running Processes

View File

@ -32,7 +32,7 @@ Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagg
## Deploy AppId tagging policies with MDM ## Deploy AppId tagging policies with MDM
Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-wdac-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
## Deploy AppId tagging policies with Configuration Manager ## Deploy AppId tagging policies with Configuration Manager

View File

@ -31,11 +31,11 @@ ms.topic: article
## Create the policy using the WDAC Wizard ## Create the policy using the WDAC Wizard
You can use the Windows Defender Application Control (WDAC) Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [WDAC Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md). You can use the Windows Defender Application Control (WDAC) Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [WDAC Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](wdac-appid-tagging-guide.md).
1. Create a new base policy using the templates: 1. Create a new base policy using the templates:
Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules. Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
![Configuring the policy base and template.](../images/appid-wdac-wizard-1.png) ![Configuring the policy base and template.](../images/appid-wdac-wizard-1.png)
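Review bot: the sentence that follows step 1 is already being rewritten for the link change, so fix its grammar in the same pass: "The following example shows beginning with the ... template and build on top of these rules" should read "The following example begins with the ... template and builds on top of its rules".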
@ -59,7 +59,7 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
- Hash rules: Create a rule based off the PE Authenticode hash of a file. - Hash rules: Create a rule based off the PE Authenticode hash of a file.
For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../wdac-wizard-create-base-policy.md#creating-custom-file-rules). For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../design/wdac-wizard-create-base-policy.md#creating-custom-file-rules).
4. Convert to AppId Tagging Policy: 4. Convert to AppId Tagging Policy:
@ -72,9 +72,9 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
## Create the policy using PowerShell ## Create the policy using PowerShell
Using this method, you create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md). In an elevate PowerShell instance: Using this method, you create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](wdac-appid-tagging-guide.md). In an elevate PowerShell instance:
1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [WDAC File Rule Levels](../select-types-of-rules-to-create.md#table-2-windows-defender-application-control-policy---file-rule-levels) can be used in AppId rules: 1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [WDAC File Rule Levels](../design/select-types-of-rules-to-create.md#table-2-windows-defender-application-control-policy---file-rule-levels) can be used in AppId rules:
```powershell ```powershell
$rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath <path_to_application> $rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath <path_to_application>
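Review bot: the rewritten intro line still carries the typo "In an elevate PowerShell instance"; since the line is changing anyway, make it "In an elevated PowerShell instance". Also, the fragment `#table-2-windows-defender-application-control-policy---file-rule-levels` is carried over verbatim onto the moved `design/select-types-of-rules-to-create.md`; confirm that heading text was not changed during the move, since a stale fragment fails silently rather than at build time.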
@ -121,4 +121,4 @@ After creating your AppId Tagging policy in the above steps, you can deploy the
RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925). RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925).
## Next Steps ## Next Steps
For more information on debugging and broad deployment of the AppId Tagging policy, see [Debugging AppId policies](./debugging-operational-guide-appid-tagging-policies.md) and [Deploying AppId policies](deploy-appid-tagging-policies.md). For more information on debugging and broad deployment of the AppId Tagging policy, see [Debugging AppId policies](debugging-operational-guide-appid-tagging-policies.md) and [Deploying AppId policies](deploy-appid-tagging-policies.md).

View File

@ -1,7 +1,7 @@
- name: Application Control for Windows - name: Application Control for Windows
href: index.yml href: index.yml
- name: About application control for Windows - name: About application control for Windows
href: windows-defender-application-control.md href: wdac.md
expanded: true expanded: true
items: items:
- name: WDAC and AppLocker Overview - name: WDAC and AppLocker Overview
@ -9,120 +9,120 @@
- name: WDAC and AppLocker Feature Availability - name: WDAC and AppLocker Feature Availability
href: feature-availability.md href: feature-availability.md
- name: Virtualization-based protection of code integrity - name: Virtualization-based protection of code integrity
href: ../../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md href: ../introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: WDAC design guide - name: WDAC design guide
href: windows-defender-application-control-design-guide.md href: design/wdac-design-guide.md
items: items:
- name: Plan for WDAC policy lifecycle management - name: Plan for WDAC policy lifecycle management
href: plan-windows-defender-application-control-management.md href: design/plan-wdac-management.md
- name: Design your WDAC policy - name: Design your WDAC policy
items: items:
- name: Understand WDAC policy design decisions - name: Understand WDAC policy design decisions
href: understand-windows-defender-application-control-policy-design-decisions.md href: design/understand-wdac-policy-design-decisions.md
- name: Understand WDAC policy rules and file rules - name: Understand WDAC policy rules and file rules
href: select-types-of-rules-to-create.md href: design/select-types-of-rules-to-create.md
items: items:
- name: Allow apps installed by a managed installer - name: Allow apps installed by a managed installer
href: configure-authorized-apps-deployed-with-a-managed-installer.md href: design/configure-authorized-apps-deployed-with-a-managed-installer.md
- name: Allow reputable apps with Intelligent Security Graph (ISG) - name: Allow reputable apps with Intelligent Security Graph (ISG)
href: use-windows-defender-application-control-with-intelligent-security-graph.md href: design/use-wdac-with-intelligent-security-graph.md
- name: Allow COM object registration - name: Allow COM object registration
href: allow-com-object-registration-in-windows-defender-application-control-policy.md href: design/allow-com-object-registration-in-wdac-policy.md
- name: Use WDAC with .NET hardening - name: Use WDAC with .NET hardening
href: use-windows-defender-application-control-with-dynamic-code-security.md href: design/wdac-and-dotnet.md
- name: Script enforcement with Windows Defender Application Control - name: Script enforcement with Windows Defender Application Control
href: design/script-enforcement.md href: design/script-enforcement.md
- name: Manage packaged apps with WDAC - name: Manage packaged apps with WDAC
href: manage-packaged-apps-with-windows-defender-application-control.md href: design/manage-packaged-apps-with-wdac.md
- name: Use WDAC to control specific plug-ins, add-ins, and modules - name: Use WDAC to control specific plug-ins, add-ins, and modules
href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md href: design/use-wdac-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- name: Understand WDAC policy settings - name: Understand WDAC policy settings
href: understanding-wdac-policy-settings.md href: design/understanding-wdac-policy-settings.md
- name: Use multiple WDAC policies - name: Use multiple WDAC policies
href: deploy-multiple-windows-defender-application-control-policies.md href: design/deploy-multiple-wdac-policies.md
- name: Create your WDAC policy - name: Create your WDAC policy
items: items:
- name: Example WDAC base policies - name: Example WDAC base policies
href: example-wdac-base-policies.md href: design/example-wdac-base-policies.md
- name: Policy creation for common WDAC usage scenarios - name: Policy creation for common WDAC usage scenarios
href: types-of-devices.md href: design/common-wdac-use-cases.md
items: items:
- name: Create a WDAC policy for lightly managed devices - name: Create a WDAC policy for lightly managed devices
href: create-wdac-policy-for-lightly-managed-devices.md href: design/create-wdac-policy-for-lightly-managed-devices.md
- name: Create a WDAC policy for fully managed devices - name: Create a WDAC policy for fully managed devices
href: create-wdac-policy-for-fully-managed-devices.md href: design/create-wdac-policy-for-fully-managed-devices.md
- name: Create a WDAC policy for fixed-workload devices - name: Create a WDAC policy for fixed-workload devices
href: create-initial-default-policy.md href: design/create-wdac-policy-using-reference-computer.md
- name: Create a WDAC deny list policy - name: Create a WDAC deny list policy
href: create-wdac-deny-policy.md href: design/create-wdac-deny-policy.md
- name: Microsoft recommended block rules - name: Microsoft recommended block rules
href: microsoft-recommended-block-rules.md href: design/microsoft-recommended-block-rules.md
- name: Microsoft recommended driver block rules - name: Microsoft recommended driver block rules
href: microsoft-recommended-driver-block-rules.md href: design/microsoft-recommended-driver-block-rules.md
- name: Use the WDAC Wizard tool - name: Use the WDAC Wizard tool
href: wdac-wizard.md href: design/wdac-wizard.md
items: items:
- name: Create a base WDAC policy with the Wizard - name: Create a base WDAC policy with the Wizard
href: wdac-wizard-create-base-policy.md href: design/wdac-wizard-create-base-policy.md
- name: Create a supplemental WDAC policy with the Wizard - name: Create a supplemental WDAC policy with the Wizard
href: wdac-wizard-create-supplemental-policy.md href: design/wdac-wizard-create-supplemental-policy.md
- name: Editing a WDAC policy with the Wizard - name: Editing a WDAC policy with the Wizard
href: wdac-wizard-editing-policy.md href: design/wdac-wizard-editing-policy.md
- name: Creating WDAC Policy Rules from WDAC Events - name: Creating WDAC Policy Rules from WDAC Events
href: wdac-wizard-parsing-event-logs.md href: design/wdac-wizard-parsing-event-logs.md
- name: Merging multiple WDAC policies with the Wizard - name: Merging multiple WDAC policies with the Wizard
href: wdac-wizard-merging-policies.md href: design/wdac-wizard-merging-policies.md
- name: WDAC deployment guide - name: WDAC deployment guide
href: windows-defender-application-control-deployment-guide.md href: deployment/wdac-deployment-guide.md
items: items:
- name: Deploy WDAC policies with MDM - name: Deploy WDAC policies with MDM
href: deployment/deploy-windows-defender-application-control-policies-using-intune.md href: deployment/deploy-wdac-policies-using-intune.md
- name: Deploy WDAC policies with Configuration Manager - name: Deploy WDAC policies with Configuration Manager
href: deployment/deploy-wdac-policies-with-memcm.md href: deployment/deploy-wdac-policies-with-memcm.md
- name: Deploy WDAC policies with script - name: Deploy WDAC policies with script
href: deployment/deploy-wdac-policies-with-script.md href: deployment/deploy-wdac-policies-with-script.md
- name: Deploy WDAC policies with group policy - name: Deploy WDAC policies with group policy
href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md href: deployment/deploy-wdac-policies-using-group-policy.md
- name: Audit WDAC policies - name: Audit WDAC policies
href: audit-windows-defender-application-control-policies.md href: deployment/audit-wdac-policies.md
- name: Merge WDAC policies - name: Merge WDAC policies
href: merge-windows-defender-application-control-policies.md href: deployment/merge-wdac-policies.md
- name: Enforce WDAC policies - name: Enforce WDAC policies
href: enforce-windows-defender-application-control-policies.md href: deployment/enforce-wdac-policies.md
- name: Use code signing for added control and protection with WDAC - name: Use code signing for added control and protection with WDAC
href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md href: deployment/use-code-signing-for-better-control-and-protection.md
items: items:
- name: Deploy catalog files to support WDAC - name: Deploy catalog files to support WDAC
href: deploy-catalog-files-to-support-windows-defender-application-control.md href: deployment/deploy-catalog-files-to-support-wdac.md
- name: Use signed policies to protect Windows Defender Application Control against tampering - name: Use signed policies to protect Windows Defender Application Control against tampering
href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md href: deployment/use-signed-policies-to-protect-wdac-against-tampering.md
- name: "Optional: Create a code signing cert for WDAC" - name: "Optional: Create a code signing cert for WDAC"
href: create-code-signing-cert-for-windows-defender-application-control.md href: deployment/create-code-signing-cert-for-wdac.md
- name: Disable WDAC policies - name: Disable WDAC policies
href: disable-windows-defender-application-control-policies.md href: deployment/disable-wdac-policies.md
- name: LOB Win32 Apps on S Mode - name: LOB Win32 Apps on S Mode
href: LOB-win32-apps-on-s.md href: deployment/LOB-win32-apps-on-s.md
- name: WDAC operational guide - name: WDAC operational guide
href: windows-defender-application-control-operational-guide.md href: operations/wdac-operational-guide.md
items: items:
- name: WDAC debugging and troubleshooting - name: WDAC debugging and troubleshooting
href: operations/wdac-debugging-and-troubleshooting.md href: operations/wdac-debugging-and-troubleshooting.md
- name: Understanding Application Control event IDs - name: Understanding Application Control event IDs
href: event-id-explanations.md href: operations/event-id-explanations.md
- name: Understanding Application Control event tags - name: Understanding Application Control event tags
href: event-tag-explanations.md href: operations/event-tag-explanations.md
- name: Query WDAC events with Advanced hunting - name: Query WDAC events with Advanced hunting
href: querying-application-control-events-centrally-using-advanced-hunting.md href: operations/querying-application-control-events-centrally-using-advanced-hunting.md
- name: Known Issues - name: Known Issues
href: operations/known-issues.md href: operations/known-issues.md
- name: Managed installer and ISG technical reference and troubleshooting guide - name: Managed installer and ISG technical reference and troubleshooting guide
href: configure-wdac-managed-installer.md href: operations/configure-wdac-managed-installer.md
- name: CITool.exe technical reference - name: CITool.exe technical reference
href: operations/citool-commands.md href: operations/citool-commands.md
- name: Inbox WDAC policies - name: Inbox WDAC policies
href: operations/inbox-wdac-policies.md href: operations/inbox-wdac-policies.md
- name: WDAC AppId Tagging guide - name: WDAC AppId Tagging guide
href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md href: AppIdTagging/wdac-appid-tagging-guide.md
items: items:
- name: Creating AppId Tagging Policies - name: Creating AppId Tagging Policies
href: AppIdTagging/design-create-appid-tagging-policies.md href: AppIdTagging/design-create-appid-tagging-policies.md
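Review bot: the new href `deployment/LOB-win32-apps-on-s.md` keeps an upper-case `LOB` while every other path in this hunk is lower-case; on a case-sensitive build host a link or redirect written as `lob-win32-apps-on-s` will break, so consider lower-casing the file name in the same rename pass. Two entries also change the file name rather than only the folder (`types-of-devices.md` to `design/common-wdac-use-cases.md`, and `create-initial-default-policy.md` to `design/create-wdac-policy-using-reference-computer.md`); confirm that redirection entries exist for both old paths, since a rename is easier to miss than a folder-only move.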

View File

@ -70,7 +70,7 @@ Just as there are differences in managing each rule collection, you need to mana
1. Gather information about which Packaged apps are running in your environment. For information about how to gather this information, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). 1. Gather information about which Packaged apps are running in your environment. For information about how to gather this information, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Understanding AppLocker default rules](./understanding-applocker-default-rules.md). 2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Understanding AppLocker default rules](understanding-applocker-default-rules.md).
3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this update, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md). 3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this update, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md).
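Review bot: while this hunk normalizes the `./` prefix on the default-rules link, the unchanged third step still says "new package apps" where the other two steps say "packaged apps"; fix the wording in the same touch.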

View File

@ -19,7 +19,7 @@ ms.topic: how-to
- Windows 10 - Windows 10
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
You can use Microsoft Intune to deploy and run critical Win32 applications, and Windows components that are normally blocked in S mode, on your Intune-managed Windows 10 in S mode devices. For example, PowerShell.exe. You can use Microsoft Intune to deploy and run critical Win32 applications, and Windows components that are normally blocked in S mode, on your Intune-managed Windows 10 in S mode devices. For example, PowerShell.exe.
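Review bot: the unchanged sentence after the note ends in the fragment "For example, PowerShell.exe."; since this file is being moved anyway, fold it into the preceding sentence, e.g. "...and Windows components that are normally blocked in S mode (for example, PowerShell.exe), on your Intune-managed Windows 10 in S mode devices."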
@ -31,7 +31,7 @@ For an overview and brief demo of this feature, see this video:
## Policy authorization process ## Policy authorization process
![Basic diagram of the policy authorization flow.](images/wdac-intune-policy-authorization.png) ![Basic diagram of the policy authorization flow.](../images/wdac-intune-policy-authorization.png)
The general steps for expanding the S mode base policy on your Intune-managed Windows 10 in S mode devices are to generate a supplemental policy, sign that policy, upload the signed policy to Intune, and assign it to user or device groups. Because you need access to PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, before deploying the policy more broadly, assign it to a single test Windows 10 in S mode device to verify expected functioning. The general steps for expanding the S mode base policy on your Intune-managed Windows 10 in S mode devices are to generate a supplemental policy, sign that policy, upload the signed policy to Intune, and assign it to user or device groups. Because you need access to PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, before deploying the policy more broadly, assign it to a single test Windows 10 in S mode device to verify expected functioning.
@ -39,7 +39,7 @@ The general steps for expanding the S mode base policy on your Intune-managed Wi
This policy expands the S mode base policy to authorize more applications. Anything authorized by either the S mode base policy or your supplemental policy is allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more. This policy expands the S mode base policy to authorize more applications. Anything authorized by either the S mode base policy or your supplemental policy is allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more.
For more information on creating supplemental policies, see [Deploy multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md). For more information on the right type of rules to create for your policy, see [Deploy WDAC policy rules and file rules](select-types-of-rules-to-create.md). For more information on creating supplemental policies, see [Deploy multiple WDAC policies](../design/deploy-multiple-wdac-policies.md). For more information on the right type of rules to create for your policy, see [Deploy WDAC policy rules and file rules](../design/select-types-of-rules-to-create.md).
The following instructions are a basic set for creating an S mode supplemental policy: The following instructions are a basic set for creating an S mode supplemental policy:
@ -81,7 +81,7 @@ The general steps for expanding the S mode base policy on your Intune-managed Wi
2. Sign the policy. 2. Sign the policy.
Supplemental S mode policies must be digitally signed. To sign your policy, use your organization's custom Public Key Infrastructure (PKI). For more information on signing using an internal CA, see [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md). Supplemental S mode policies must be digitally signed. To sign your policy, use your organization's custom Public Key Infrastructure (PKI). For more information on signing using an internal CA, see [Create a code signing cert for WDAC](create-code-signing-cert-for-wdac.md).
> [!TIP] > [!TIP]
> For more information, see [Azure Code Signing, democratizing trust for developers and consumers](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669). > For more information, see [Azure Code Signing, democratizing trust for developers and consumers](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669).
@ -97,19 +97,19 @@ The general steps for expanding the S mode base policy on your Intune-managed Wi
## Standard process for deploying apps through Intune ## Standard process for deploying apps through Intune
![Basic diagram for deploying apps through Intune.](images/wdac-intune-app-deployment.png) ![Basic diagram for deploying apps through Intune.](../images/wdac-intune-app-deployment.png)
For more information on the existing procedure of packaging signed catalogs and app deployment, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). For more information on the existing procedure of packaging signed catalogs and app deployment, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
## Optional: Process for deploying apps using catalogs ## Optional: Process for deploying apps using catalogs
![Basic diagram for deploying Apps using catalogs.](images/wdac-intune-app-catalogs.png) ![Basic diagram for deploying Apps using catalogs.](../images/wdac-intune-app-catalogs.png)
Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that authorizes all apps signed by that certificate, which may include apps you don't want to allow as well. Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that authorizes all apps signed by that certificate, which may include apps you don't want to allow as well.
Instead of authorizing signers external to your organization, Intune has functionality to make it easier to authorize existing applications by using signed catalogs. This feature doesn't require repackaging or access to the source code. It works for apps that may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate. Instead of authorizing signers external to your organization, Intune has functionality to make it easier to authorize existing applications by using signed catalogs. This feature doesn't require repackaging or access to the source code. It works for apps that may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate.
The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using a custom PKI. To authorize the catalog signing certificate in the supplemental policy, use the **Add-SignerRule** PowerShell cmdlet as shown earlier in step 1 of the [Policy authorization process](#policy-authorization-process). After that, use the [Standard process for deploying apps through Intune](#standard-process-for-deploying-apps-through-intune) outlined earlier. For more information on generating catalogs, see [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md). The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using a custom PKI. To authorize the catalog signing certificate in the supplemental policy, use the **Add-SignerRule** PowerShell cmdlet as shown earlier in step 1 of the [Policy authorization process](#policy-authorization-process). After that, use the [Standard process for deploying apps through Intune](#standard-process-for-deploying-apps-through-intune) outlined earlier. For more information on generating catalogs, see [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-wdac.md).
> [!NOTE] > [!NOTE]
> Every time an app updates, you need to deploy an updated catalog. Try to avoid using catalog files for applications that auto-update, and direct users not to update applications on their own. > Every time an app updates, you need to deploy an updated catalog. Try to avoid using catalog files for applications that auto-update, and direct users not to update applications on their own.

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
@ -36,18 +36,18 @@ While a WDAC policy is running in audit mode, any binary that runs but would hav
## Overview of the process to create WDAC policy to allow apps using audit events ## Overview of the process to create WDAC policy to allow apps using audit events
> [!Note] > [!Note]
> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md). > You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](wdac-deployment-guide.md).
To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy. To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy.
1. Install and run an application not allowed by the WDAC policy but that you want to allow. 1. Install and run an application not allowed by the WDAC policy but that you want to allow.
2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). 2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](../operations/event-id-explanations.md).
**Figure 1. Exceptions to the deployed WDAC policy** **Figure 1. Exceptions to the deployed WDAC policy**
![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png) ![Event showing exception to WDAC policy.](../images/dg-fig23-exceptionstocode.png)
3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](../design/create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
```powershell ```powershell
$PolicyName= "Lamna_FullyManagedClients_Audit" $PolicyName= "Lamna_FullyManagedClients_Audit"
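Review bot: the alert at the top of this hunk uses `> [!Note]` while the other alerts in this change set use `> [!NOTE]`; the note's link is already being edited on these lines, so normalize the casing to `[!NOTE]` here. The relative links otherwise line up with the TOC layout in the first hunk: `wdac-deployment-guide.md` is same-folder under `deployment/`, and the `../operations/` and `../design/` targets match where those pages now live.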
@ -63,9 +63,9 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
``` ```
> [!NOTE] > [!NOTE]
> When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md). > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](../design/select-types-of-rules-to-create.md).
5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)). 5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](../design/wdac-wizard-editing-policy.md)).
6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level. 6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level.
@ -74,6 +74,6 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy. 7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy.
For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md). For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-wdac-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](../design/deploy-multiple-wdac-policies.md).
8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. 8. Convert the Base or Supplemental policy to binary and deploy using your preferred method.

View File

@ -27,9 +27,9 @@ ms.technology: itpro-security
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](wdac-deployment-guide.md).
If you have an internal CA, complete these steps to create a code signing certificate. If you have an internal CA, complete these steps to create a code signing certificate.
@ -45,7 +45,7 @@ If you have an internal CA, complete these steps to create a code signing certif
2. When connected, right-click **Certificate Templates**, and then select **Manage** to open the Certification Templates Console. 2. When connected, right-click **Certificate Templates**, and then select **Manage** to open the Certification Templates Console.
![CA snap-in showing Certificate Templates.](images/dg-fig27-managecerttemp.png) ![CA snap-in showing Certificate Templates.](../images/dg-fig27-managecerttemp.png)
Figure 1. Manage the certificate templates Figure 1. Manage the certificate templates
@ -61,7 +61,7 @@ If you have an internal CA, complete these steps to create a code signing certif
8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2. 8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2.
![Edit Basic Constraints Extension.](images/dg-fig29-enableconstraints.png) ![Edit Basic Constraints Extension.](../images/dg-fig29-enableconstraints.png)
Figure 2. Select constraints on the new template Figure 2. Select constraints on the new template
@ -77,7 +77,7 @@ When this certificate template has been created, you must publish it to the CA p
1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then select **Certificate Template to Issue**, as shown in Figure 3. 1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then select **Certificate Template to Issue**, as shown in Figure 3.
![Select Certificate Template to Issue.](images/dg-fig30-selectnewcert.png) ![Select Certificate Template to Issue.](../images/dg-fig30-selectnewcert.png)
Figure 3. Select the new certificate template to issue Figure 3. Select the new certificate template to issue
@ -95,7 +95,7 @@ Now that the template is available to be issued, you must request one from the c
4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4. 4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.
![Request Certificates: more information required.](images/dg-fig31-getmoreinfo.png) ![Request Certificates: more information required.](../images/dg-fig31-getmoreinfo.png)
Figure 4. Get more information for your code signing certificate Figure 4. Get more information for your code signing certificate

View File

@ -21,11 +21,11 @@ ms.technology: itpro-security
- Windows Server 2016 and later - Windows Server 2016 and later
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
*Catalog files* can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. You can also use catalog files to add your own signature to apps you get from independent software vendors (ISV) when you don't want to trust all code signed by that ISV. In this way, catalog files provide a convenient way for you to "bless" apps for use in your WDAC-managed environment. And, you can create catalog files for existing apps without requiring access to the original source code or needing any expensive repackaging. *Catalog files* can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. You can also use catalog files to add your own signature to apps you get from independent software vendors (ISV) when you don't want to trust all code signed by that ISV. In this way, catalog files provide a convenient way for you to "bless" apps for use in your WDAC-managed environment. And, you can create catalog files for existing apps without requiring access to the original source code or needing any expensive repackaging.
You need to [obtain a code signing certificate for your own use](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md#obtain-code-signing-certificates-for-your-own-use) and use it to sign the catalog file. Then, distribute the signed catalog file using your preferred content deployment mechanism. You need to [obtain a code signing certificate for your own use](use-code-signing-for-better-control-and-protection.md#obtain-code-signing-certificates-for-your-own-use) and use it to sign the catalog file. Then, distribute the signed catalog file using your preferred content deployment mechanism.
Finally, add a signer rule to your WDAC policy for your signing certificate. Then, any apps covered by your signed catalog files are able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a WDAC policy that blocks all unsigned code, because most malware is unsigned. Finally, add a signer rule to your WDAC policy for your signing certificate. Then, any apps covered by your signed catalog files are able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a WDAC policy that blocks all unsigned code, because most malware is unsigned.
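Review bot: the link to `use-code-signing-for-better-control-and-protection.md#obtain-code-signing-certificates-for-your-own-use` updates the file name but keeps the old heading anchor; renaming the target page does not guarantee the heading text survived, so verify that section still exists there, because a missing anchor does not fail the build and only shows up for readers.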
@ -46,7 +46,7 @@ To create a catalog file for an existing app, you can use a tool called **Packag
$PolicyBinary = $env:USERPROFILE+"\Desktop\"+$PolicyId.substring(11)+".cip" $PolicyBinary = $env:USERPROFILE+"\Desktop\"+$PolicyId.substring(11)+".cip"
``` ```
Then apply the policy as described in [Deploy Windows Defender Application Control policies with script](deployment/deploy-wdac-policies-with-script.md). Then apply the policy as described in [Deploy Windows Defender Application Control policies with script](deploy-wdac-policies-with-script.md).
2. Start Package Inspector to monitor file creation on a **local drive** where you install the app, for example, drive C: 2. Start Package Inspector to monitor file creation on a **local drive** where you install the app, for example, drive C:
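Review bot: dropping the deployment/ prefix from the link means this catalog-file article now sits in the same folder as deploy-wdac-policies-with-script.md, which is consistent with the figure paths in this file changing to ../images/ below. Make sure the old threat-protection path of this article is covered by a redirect, since other articles in this commit still link to it by its absolute old URL.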
@ -121,7 +121,7 @@ For the code signing certificate that you use to sign the catalog file, import i
3. Verify the catalog file's digital signature. Right-click the catalog file, and then select **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1. 3. Verify the catalog file's digital signature. Right-click the catalog file, and then select **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.
![Digital Signature list in file Properties.](images/dg-fig12-verifysigning.png) ![Digital Signature list in file Properties.](../images/dg-fig12-verifysigning.png)
Figure 1. Verify that the signing certificate exists. Figure 1. Verify that the signing certificate exists.
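Review bot: the figure path moves from images/ to ../images/, matching the article moving one directory deeper. Every figure in this file (Figures 1 through 10 in the hunks that follow) needs the same one-level adjustment, so a grep for `](images/` after the change is a cheap way to confirm none was missed.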
@ -144,7 +144,7 @@ The following process walks you through the deployment of a signed catalog file
> [!NOTE] > [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies. > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies.
![Group Policy Management, create a GPO.](images/dg-fig13-createnewgpo.png) ![Group Policy Management, create a GPO.](../images/dg-fig13-createnewgpo.png)
Figure 2. Create a new GPO. Figure 2. Create a new GPO.
@ -154,7 +154,7 @@ The following process walks you through the deployment of a signed catalog file
5. Within the selected GPO, navigate to **Computer Configuration\\Preferences\\Windows Settings\\Files**. Right-click **Files**, point to **New**, and then select **File**, as shown in Figure 3. 5. Within the selected GPO, navigate to **Computer Configuration\\Preferences\\Windows Settings\\Files**. Right-click **Files**, point to **New**, and then select **File**, as shown in Figure 3.
![Group Policy Management Editor, New File.](images/dg-fig14-createnewfile.png) ![Group Policy Management Editor, New File.](../images/dg-fig14-createnewfile.png)
Figure 3. Create a new file. Figure 3. Create a new file.
@ -164,7 +164,7 @@ The following process walks you through the deployment of a signed catalog file
7. To keep versions consistent, in the **New File Properties** dialog box as shown in Figure 4, select **Replace** from the **Action** list so that the newest version is always used. 7. To keep versions consistent, in the **New File Properties** dialog box as shown in Figure 4, select **Replace** from the **Action** list so that the newest version is always used.
![File Properties, Replace option.](images/dg-fig15-setnewfileprops.png) ![File Properties, Replace option.](../images/dg-fig15-setnewfileprops.png)
Figure 4. Set the new file properties. Figure 4. Set the new file properties.
@ -197,7 +197,7 @@ Complete the following steps to create a new deployment package for catalog file
3. Name the package, set your organization as the manufacturer, and select an appropriate version number. 3. Name the package, set your organization as the manufacturer, and select an appropriate version number.
![Create Package and Program Wizard.](images/dg-fig16-specifyinfo.png) ![Create Package and Program Wizard.](../images/dg-fig16-specifyinfo.png)
Figure 5. Specify information about the new package. Figure 5. Specify information about the new package.
@ -218,7 +218,7 @@ Complete the following steps to create a new deployment package for catalog file
- From the **Program can run** list, select **Whether or not a user is logged on**. - From the **Program can run** list, select **Whether or not a user is logged on**.
- From the **Drive mode** list, select **Runs with UNC name**. - From the **Drive mode** list, select **Runs with UNC name**.
![Standard Program page of wizard.](images/dg-fig17-specifyinfo.png) ![Standard Program page of wizard.](../images/dg-fig17-specifyinfo.png)
Figure 6. Specify information about the standard program. Figure 6. Specify information about the standard program.
@ -246,7 +246,7 @@ After you create the deployment package, deploy it to a collection so that the c
- Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box. - Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box.
![Deploy Software Wizard, User Experience page.](images/dg-fig18-specifyux.png) ![Deploy Software Wizard, User Experience page.](../images/dg-fig18-specifyux.png)
Figure 7. Specify the user experience. Figure 7. Specify the user experience.
@ -271,13 +271,13 @@ You can configure software inventory to find catalog files on your managed syste
3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8. 3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8.
![Create Custom Client Device Settings.](images/dg-fig19-customsettings.png) ![Create Custom Client Device Settings.](../images/dg-fig19-customsettings.png)
Figure 8. Select custom settings. Figure 8. Select custom settings.
4. In the navigation pane, select **Software Inventory**, and then select **Set Types**, as shown in Figure 9. 4. In the navigation pane, select **Software Inventory**, and then select **Set Types**, as shown in Figure 9.
![Software Inventory settings for devices.](images/dg-fig20-setsoftwareinv.png) ![Software Inventory settings for devices.](../images/dg-fig20-setsoftwareinv.png)
Figure 9. Set the software inventory. Figure 9. Set the software inventory.
@ -290,7 +290,7 @@ You can configure software inventory to find catalog files on your managed syste
7. In the **Path Properties** dialog box, select **Variable or path name**, and then type `C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}` in the box, as shown in Figure 10. 7. In the **Path Properties** dialog box, select **Variable or path name**, and then type `C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}` in the box, as shown in Figure 10.
![Path Properties, specifying a path.](images/dg-fig21-pathproperties.png) ![Path Properties, specifying a path.](../images/dg-fig21-pathproperties.png)
Figure 10. Set the path properties. Figure 10. Set the path properties.
@ -313,7 +313,7 @@ At the time of the next software inventory cycle, when the targeted clients rece
## Allow apps signed by your catalog signing certificate in your WDAC policy ## Allow apps signed by your catalog signing certificate in your WDAC policy
Now that you have your signed catalog file, you can add a signer rule to your policy that allows anything signed with that certificate. If you haven't yet created a WDAC policy, see the [Windows Defender Application Control design guide](windows-defender-application-control-design-guide.md). Now that you have your signed catalog file, you can add a signer rule to your policy that allows anything signed with that certificate. If you haven't yet created a WDAC policy, see the [Windows Defender Application Control design guide](../design/wdac-design-guide.md).
On a computer where the signed catalog file has been deployed, you can use [New-CiPolicyRule](/powershell/module/configci/new-cipolicyrule) to create a signer rule from any file included in that catalog. Then use [Merge-CiPolicy](/powershell/module/configci/merge-cipolicy) to add the rule to your policy XML. Be sure to replace the path values in the following sample: On a computer where the signed catalog file has been deployed, you can use [New-CiPolicyRule](/powershell/module/configci/new-cipolicyrule) to create a signer rule from any file included in that catalog. Then use [Merge-CiPolicy](/powershell/module/configci/merge-cipolicy) to add the rule to your policy XML. Be sure to replace the path values in the following sample:


@ -30,7 +30,7 @@ ms.topic: article
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
> [!IMPORTANT] > [!IMPORTANT]
> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Group Policy, deploy new signed WDAC Base policies [via script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies) and activate the policy with a system restart. > Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Group Policy, deploy new signed WDAC Base policies [via script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies) and activate the policy with a system restart.
> >
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
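Review bot: the [via script] link on the changed line still uses the absolute old path /windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies, so after this move it resolves only through a redirect. Since this Group Policy article and the script deployment article end up in the same deployment folder, use the relative form the MDM article uses in the next hunk: `[via script](deploy-wdac-policies-with-script.md#deploying-signed-policies)`.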
@ -50,7 +50,7 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
2. Create a new GPO: right-click an OU and then select **Create a GPO in this domain, and Link it here**. 2. Create a new GPO: right-click an OU and then select **Create a GPO in this domain, and Link it here**.
> [!NOTE] > [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md). > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../design/plan-wdac-management.md).
![Group Policy Management, create a GPO.](../images/dg-fig24-creategpo.png) ![Group Policy Management, create a GPO.](../images/dg-fig24-creategpo.png)


@ -26,7 +26,7 @@ ms.topic: how-to
You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
> [!IMPORTANT] > [!IMPORTANT]
> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart. > Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart.
> >
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
@ -50,7 +50,7 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo
## Deploy WDAC policies with custom OMA-URI ## Deploy WDAC policies with custom OMA-URI
> [!NOTE] > [!NOTE]
> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy. > Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../design/deploy-multiple-wdac-policies.md) which allow more granular policy.
You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
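Review bot: the unchanged context line still links the deployment guide by its old absolute URL (/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide), while later hunks in this commit link the same article as wdac-deployment-guide.md. Update it to the relative `[Deploying Windows Defender Application Control (WDAC) policies](wdac-deployment-guide.md)` here rather than leaving it to the redirect; the identical line in the script deployment hunk below needs the same change.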


@ -31,7 +31,7 @@ This article describes how to deploy Windows Defender Application Control (WDAC)
You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
> [!IMPORTANT] > [!IMPORTANT]
> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart. > Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
> >
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
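Review bot: same point as in the MDM hunk: the context line at the top of this hunk links the deployment guide by its old absolute threat-protection URL, which this commit renames to wdac-deployment-guide.md elsewhere; a relative link would avoid the redirect hop.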


@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
## Removing WDAC policies ## Removing WDAC policies


@ -24,7 +24,7 @@ ms.localizationpriority: medium
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
You should now have one or more Windows Defender Application Control policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode. You should now have one or more Windows Defender Application Control policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode.
@ -33,11 +33,11 @@ You should now have one or more Windows Defender Application Control policies br
## Convert WDAC **base** policy from audit to enforced ## Convert WDAC **base** policy from audit to enforced
As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. As described in [common Windows Defender Application Control deployment scenarios](../design/common-wdac-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout. **Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout.
Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode. Alice previously created and deployed a policy for the organization's [fully managed devices](../design/create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-wdac-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode.
1. Initialize the variables that will be used and create the enforced policy by copying the audit version. 1. Initialize the variables that will be used and create the enforced policy by copying the audit version.
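Review bot: the link text "common Windows Defender Application Control deployment scenarios" now points at ../design/common-wdac-use-cases.md; consider aligning the text with the target's new title so readers are not surprised by the destination. The audit article is linked as audit-wdac-policies.md with no ../ prefix, which assumes it lives in this deployment folder; the merge-policies hunk later in the commit uses the same relative path, so the two are at least consistent.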
@ -111,4 +111,4 @@ Since the enforced policy was given a unique PolicyID in the previous procedure,
## Deploy your enforced policy and supplemental policies ## Deploy your enforced policy and supplemental policies
Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](wdac-deployment-guide.md).


@ -24,7 +24,7 @@ ms.localizationpriority: medium
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. Windows Defender Application Control deployments often include a few base policies and optional supplemental policies for specific use cases. This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. Windows Defender Application Control deployments often include a few base policies and optional supplemental policies for specific use cases.
@ -33,7 +33,7 @@ This article shows how to merge multiple policy XML files together and how to me
## Merge multiple WDAC policy XML files together ## Merge multiple WDAC policy XML files together
There are many scenarios where you may want to merge two or more policy files together. For example, if you [use audit events to create Windows Defender Application Control policy rules](audit-windows-defender-application-control-policies.md), you can merge those rules with your existing WDAC base policy. To merge the two WDAC policies referenced in that article, complete the following steps in an elevated Windows PowerShell session. There are many scenarios where you may want to merge two or more policy files together. For example, if you [use audit events to create Windows Defender Application Control policy rules](audit-wdac-policies.md), you can merge those rules with your existing WDAC base policy. To merge the two WDAC policies referenced in that article, complete the following steps in an elevated Windows PowerShell session.
1. Initialize the variables that will be used: 1. Initialize the variables that will be used:
@ -57,7 +57,7 @@ There are many scenarios where you may want to merge two or more policy files to
Besides merging multiple policy XML files, you can also merge rules created with the New-CIPolicyRule cmdlet directly into an existing WDAC policy XML file. Directly merging rules is a convenient way to update your policy without creating extra policy XML files. For example, to add rules that allow the WDAC Wizard and the WDAC RefreshPolicy.exe tool, follow these steps: Besides merging multiple policy XML files, you can also merge rules created with the New-CIPolicyRule cmdlet directly into an existing WDAC policy XML file. Directly merging rules is a convenient way to update your policy without creating extra policy XML files. For example, to add rules that allow the WDAC Wizard and the WDAC RefreshPolicy.exe tool, follow these steps:
1. Install the [WDAC Wizard](wdac-wizard.md) packaged MSIX app. 1. Install the [WDAC Wizard](../design/wdac-wizard.md) packaged MSIX app.
2. Download the [Refresh Policy tool](https://aka.ms/refreshpolicy) for your processor architecture and save it to your desktop as RefreshPolicy.exe. 2. Download the [Refresh Policy tool](https://aka.ms/refreshpolicy) for your processor architecture and save it to your desktop as RefreshPolicy.exe.
3. From a PowerShell session, run the following commands to create packaged app allow rules for the WDAC Wizard: 3. From a PowerShell session, run the following commands to create packaged app allow rules for the WDAC Wizard:
@ -94,4 +94,4 @@ Now that you have your new, merged policy, you can convert and deploy the policy
2. Upload your merged policy XML and the associated binary to the source control solution you are using for your Windows Defender Application Control policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). 2. Upload your merged policy XML and the associated binary to the source control solution you are using for your Windows Defender Application Control policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
3. Deploy the merged policy using your preferred deployment solution. See [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md) 3. Deploy the merged policy using your preferred deployment solution. See [Deploying Windows Defender Application Control (WDAC) policies](wdac-deployment-guide.md)
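Review bot: the context line for step 2 has a stray full stop in "policies. such as [GitHub]" that should be a comma, and the changed step 3 line ends without a period after the wdac-deployment-guide.md link; since step 3 is being touched anyway, add the period and fix the comma in the same commit.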


@ -21,7 +21,7 @@ ms.technology: itpro-security
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
## What is code signing and why is it important? ## What is code signing and why is it important?
@ -38,7 +38,7 @@ You can use catalog files to easily add a signature to an existing application w
> [!NOTE] > [!NOTE]
> Since catalogs identify the files they sign by hash, any change to the file may invalidate its signature. You will need to deploy updated catalog signatures any time the application is updated. Integrating code signing with your app development or app deployment processes is generally the best approach. Be aware of self-updating apps, as their app binaries may change without your knowledge. > Since catalogs identify the files they sign by hash, any change to the file may invalidate its signature. You will need to deploy updated catalog signatures any time the application is updated. Integrating code signing with your app development or app deployment processes is generally the best approach. Be aware of self-updating apps, as their app binaries may change without your knowledge.
To learn how to create and manage catalog files for existing apps, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). To learn how to create and manage catalog files for existing apps, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-wdac.md).
## Signed WDAC policies ## Signed WDAC policies
@ -51,5 +51,5 @@ For more information on using signed policies, see [Use signed policies to prote
Some ways to obtain code signing certificates for your own use, include: Some ways to obtain code signing certificates for your own use, include:
- Purchase a code signing certificate from one of the [Microsoft Trusted Root Program participants](/security/trusted-root/participants-list). - Purchase a code signing certificate from one of the [Microsoft Trusted Root Program participants](/security/trusted-root/participants-list).
- To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). - To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-wdac.md).
- Use Microsoft's [Azure Code Signing (ACS) service](https://aka.ms/AzureCodeSigning). - Use Microsoft's [Azure Code Signing (ACS) service](https://aka.ms/AzureCodeSigning).
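Review bot: the context line "Some ways to obtain code signing certificates for your own use, include:" has a stray comma before "include". This list sits under the section that other hunks in this commit target via #obtain-code-signing-certificates-for-your-own-use, so the section heading itself must not be reworded as part of the cleanup.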


@ -21,11 +21,11 @@ ms.technology: itpro-security
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of protection available in Windows. These policies are designed to detect administrative tampering of the policy, such as by malware running as admin, and will result in a boot failure or blue screen. With this goal in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to provide this protection for signed WDAC policies. Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of protection available in Windows. These policies are designed to detect administrative tampering of the policy, such as by malware running as admin, and will result in a boot failure or blue screen. With this goal in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to provide this protection for signed WDAC policies.
If you don't currently have a code signing certificate you can use to sign your policies, see [Obtain code signing certificates for your own use](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md#obtain-code-signing-certificates-for-your-own-use). If you don't currently have a code signing certificate you can use to sign your policies, see [Obtain code signing certificates for your own use](use-code-signing-for-better-control-and-protection.md#obtain-code-signing-certificates-for-your-own-use).
> [!WARNING] > [!WARNING]
> Boot failure, or blue screen, may occur if your signing certificate doesn't follow these rules: > Boot failure, or blue screen, may occur if your signing certificate doesn't follow these rules:
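Review bot: the context line beginning "Signed Windows Defender Application Control (WDAC) policies give organizations..." writes the feature as `SecureBoot`; Microsoft documentation spells it `Secure Boot`, and since this file is already being edited for the link rename the spelling could be fixed in the same pass without widening the change.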
@ -35,7 +35,7 @@ If you don't currently have a code signing certificate you can use to sign your
> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256. > - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256.
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. > - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
Before you attempt to deploy a signed policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). Before you attempt to deploy a signed policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](../design/select-types-of-rules-to-create.md).
> [!NOTE] > [!NOTE]
> When signing a Base policy that has existing Supplemental policies, you must also switch to signed policy for all of the Supplementals. Authorize the signed supplemental policies by adding a `<SupplementalPolicySigner>` rule to the Base policy. > When signing a Base policy that has existing Supplemental policies, you must also switch to signed policy for all of the Supplementals. Authorize the signed supplemental policies by adding a `<SupplementalPolicySigner>` rule to the Base policy.
@ -51,7 +51,7 @@ Before you attempt to deploy a signed policy, you should first deploy an unsigne
``` ```
> [!NOTE] > [!NOTE]
> This example uses an enforced version of the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) article. If you sign another policy, be sure to update the **$PolicyPath** and **$PolicyName** variables with the correct information. > This example uses an enforced version of the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](../design/create-wdac-policy-using-reference-computer.md) article. If you sign another policy, be sure to update the **$PolicyPath** and **$PolicyName** variables with the correct information.
2. Navigate to your desktop as the working directory: 2. Navigate to your desktop as the working directory:
@ -71,7 +71,7 @@ Before you attempt to deploy a signed policy, you should first deploy an unsigne
``` ```
> [!IMPORTANT] > [!IMPORTANT]
> Failing to perform this step will leave you unable to modify or disable this policy and will lead to boot failure. For more information about how to disable signed policies causing boot failure, see [Remove Windows Defender Application Control policies causing boot stop failures](disable-windows-defender-application-control-policies.md#remove-wdac-policies-causing-boot-stop-failures). > Failing to perform this step will leave you unable to modify or disable this policy and will lead to boot failure. For more information about how to disable signed policies causing boot failure, see [Remove Windows Defender Application Control policies causing boot stop failures](disable-wdac-policies.md#remove-wdac-policies-causing-boot-stop-failures).
4. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: 4. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
@ -101,7 +101,7 @@ Before you attempt to deploy a signed policy, you should first deploy an unsigne
If you purchased a code signing certificate or issued one from your own PKI, you can use [SignTool.exe](/windows/win32/seccrypto/signtool) to sign your WDAC policy files: If you purchased a code signing certificate or issued one from your own PKI, you can use [SignTool.exe](/windows/win32/seccrypto/signtool) to sign your WDAC policy files:
1. Import the .pfx code signing certificate into the user's personal store on the computer where the signing will happen. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). 1. Import the .pfx code signing certificate into the user's personal store on the computer where the signing will happen. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-wdac.md).
2. Sign the WDAC policy by using SignTool.exe: 2. Sign the WDAC policy by using SignTool.exe:
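Review bot: the link `create-code-signing-cert-for-wdac.md` in step 1 of this hunk (and likewise `use-code-signing-for-better-control-and-protection.md` and `disable-wdac-policies.md` earlier in this file) stays a same-folder reference, while the other links in this file gained a `../` prefix (`../feature-availability.md`, `../design/select-types-of-rules-to-create.md`) because the article moved into a subfolder; confirm those three target articles moved into the same subfolder, otherwise the renamed same-folder links are broken.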

View File

@ -21,9 +21,9 @@ ms.topic: overview
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
You should now have one or more Windows Defender Application Control (WDAC) policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding. You should now have one or more Windows Defender Application Control (WDAC) policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](../design/wdac-design-guide.md), do so now before proceeding.
## Convert your WDAC policy XML to binary ## Convert your WDAC policy XML to binary
@ -56,13 +56,13 @@ All Windows Defender Application Control policy changes should be deployed in au
## Choose how to deploy WDAC policies ## Choose how to deploy WDAC policies
> [!IMPORTANT] > [!IMPORTANT]
> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deployment/deploy-wdac-policies-with-script.md) in this case. > Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-wdac-policies-with-script.md) in this case.
> >
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
There are several options to deploy Windows Defender Application Control policies to managed endpoints, including: There are several options to deploy Windows Defender Application Control policies to managed endpoints, including:
- [Deploy using a Mobile Device Management (MDM) solution](deployment/deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune - [Deploy using a Mobile Device Management (MDM) solution](deploy-wdac-policies-using-intune.md), such as Microsoft Intune
- [Deploy using Microsoft Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md) - [Deploy using Microsoft Configuration Manager](deploy-wdac-policies-with-memcm.md)
- [Deploy via script](deployment/deploy-wdac-policies-with-script.md) - [Deploy via script](deploy-wdac-policies-with-script.md)
- [Deploy via group policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) - [Deploy via group policy](deploy-wdac-policies-using-group-policy.md)

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2016 and later - Windows Server 2016 and later
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects. The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects.
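Review bot: the updated note line in this hunk uses the link text "Application Control feature availability" while every other file in this commit uses "Windows Defender Application Control feature availability" for the same `../feature-availability.md` target; aligning the text here keeps the cross-references consistent.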

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It's common for organizations to have device use cases across each of the categories described. Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It's common for organizations to have device use cases across each of the categories described.

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2019 and above - Windows Server 2019 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
Windows Defender Application Control (WDAC) includes an option called **managed installer** that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution, such as Microsoft Configuration Manager (MEMCM) or Microsoft Intune. Windows Defender Application Control (WDAC) includes an option called **managed installer** that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution, such as Microsoft Configuration Manager (MEMCM) or Microsoft Intune.
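Review bot: the last context line of this hunk still expands "Microsoft Configuration Manager" with the stale abbreviation "(MEMCM)"; the deployment guide hunk on this page links the same product as plain "Microsoft Configuration Manager" (target `deploy-wdac-policies-with-memcm.md`), so dropping the parenthetical here would match the current product name.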
@ -230,15 +230,15 @@ Below are steps to create a WDAC policy that allows Windows to boot and enables
Set-RuleOption -FilePath <XML filepath> -Option 13 Set-RuleOption -FilePath <XML filepath> -Option 13
``` ```
4. Deploy your WDAC policy. See [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). 4. Deploy your WDAC policy. See [Deploying Windows Defender Application Control (WDAC) policies](../deployment/wdac-deployment-guide.md).
> [!NOTE] > [!NOTE]
> Your WDAC policy must include rules for all system/boot components, kernel drivers, and any other authorized applications that can't be deployed through a managed installer. > Your WDAC policy must include rules for all system/boot components, kernel drivers, and any other authorized applications that can't be deployed through a managed installer.
## Remove Managed Installer feature ## Remove Managed Installer feature
To remove the Managed Installer feature from the device, you'll need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule: Clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems). To remove the Managed Installer feature from the device, you'll need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule: Clear AppLocker policies on a single system or remote systems](../applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems).
## Related articles ## Related articles
- [Managed installer and ISG technical reference and troubleshooting guide](configure-wdac-managed-installer.md) - [Managed installer and ISG technical reference and troubleshooting guide](../operations/configure-wdac-managed-installer.md)

View File

@ -72,7 +72,7 @@ Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy -OutputFilePath $Exist
## Best Practices ## Best Practices
1. **Test first in Audit mode** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3076 audit block events](event-id-explanations.md) to ensure only the applications you intended to block are blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies](windows-defender-application-control-operational-guide.md) 1. **Test first in Audit mode** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3076 audit block events](../operations/event-id-explanations.md) to ensure only the applications you intended to block are blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies](../operations/wdac-operational-guide.md)
2. **Recommended Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be used if necessary. Since the hash of a file changes with any change to the file, it's hard to keep up with a hash-based block policy where the attacker can trivially update the file. While WDAC has optimized parsing of hash rules, some devices may see performance impacts at runtime evaluation if policies have tens of thousands or more hash rules. 2. **Recommended Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be used if necessary. Since the hash of a file changes with any change to the file, it's hard to keep up with a hash-based block policy where the attacker can trivially update the file. While WDAC has optimized parsing of hash rules, some devices may see performance impacts at runtime evaluation if policies have tens of thousands or more hash rules.
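Review bot: the hunk header for this section shows the PowerShell sample line `Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy -OutputFilePath $Exist...` with a stray space in `$ DenyPolicy`; as written the variable is not referenced and the merge command would fail, so `$DenyPolicy` should be corrected while this file is open.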

View File

@ -27,14 +27,14 @@ ms.technology: itpro-security
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Intune. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Intune. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
> [!NOTE] > [!NOTE]
> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. As described in [common Windows Defender Application Control deployment scenarios](common-wdac-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead tasked with the rollout of WDAC. **Alice Pena** is the IT team lead tasked with the rollout of WDAC.
@ -163,5 +163,5 @@ Alice has defined a policy for Lamna's fully managed devices that makes some tra
## Up next ## Up next
- [Create a Windows Defender Application Control policy for fixed-workload devices using a reference computer](create-initial-default-policy.md) - [Create a Windows Defender Application Control policy for fixed-workload devices using a reference computer](create-wdac-policy-using-reference-computer.md)
- [Prepare to deploy Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md) - [Prepare to deploy Windows Defender Application Control policies](../deployment/wdac-deployment-guide.md)

View File

@ -27,14 +27,14 @@ ms.technology: itpro-security
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later articles. This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later articles.
> [!NOTE] > [!NOTE]
> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
As in [Windows Defender Application Control deployment in different scenarios: types of devices](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. As in [Windows Defender Application Control deployment in different scenarios: types of devices](common-wdac-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads. **Alice Pena** is the IT team lead tasked with the rollout of WDAC. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads.
@ -97,7 +97,7 @@ Alice follows these steps to complete this task:
1. Modify the policy to remove unsupported rule: 1. Modify the policy to remove unsupported rule:
> [!NOTE] > [!NOTE]
> `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise WDAC policies and must be removed. For more information, see [WDAC and Smart App Control](windows-defender-application-control.md#wdac-and-smart-app-control). If you are using an example policy other than `SmartAppControl.xml`, skip this step. > `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise WDAC policies and must be removed. For more information, see [WDAC and Smart App Control](../wdac.md#wdac-and-smart-app-control). If you are using an example policy other than `SmartAppControl.xml`, skip this step.
```powershell ```powershell
[xml]$xml = Get-Content $LamnaPolicy [xml]$xml = Get-Content $LamnaPolicy
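Review bot: the note line in this hunk reads "This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported"; it is missing the article before the rule name ("includes the ... rule"), and the same sentence mixes "If you are using" with the contracted style used elsewhere in the file.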
@ -191,7 +191,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m
- **Intelligent Security Graph (ISG)** - **Intelligent Security Graph (ISG)**
See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-isg-option) See [security considerations with the Intelligent Security Graph](use-wdac-with-intelligent-security-graph.md#security-considerations-with-the-isg-option)
Possible mitigations: Possible mitigations:
@ -227,4 +227,4 @@ In order to minimize user productivity impact, Alice has defined a policy that m
## Up next ## Up next
- [Create a Windows Defender Application Control policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) - [Create a Windows Defender Application Control policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md)
- [Prepare to deploy Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md) - [Prepare to deploy Windows Defender Application Control policies](../deployment/wdac-deployment-guide.md)

View File

@ -27,14 +27,14 @@ ms.topic: article
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This section outlines the process to create a Windows Defender Application Control (WDAC) policy **using a reference computer** that is already configured with the software you want to allow. You can use this approach for fixed-workload devices that are dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. This approach can also be used to turn on WDAC on systems "in the wild" and you want to minimize the potential impact on users' productivity. This section outlines the process to create a Windows Defender Application Control (WDAC) policy **using a reference computer** that is already configured with the software you want to allow. You can use this approach for fixed-workload devices that are dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. This approach can also be used to turn on WDAC on systems "in the wild" and you want to minimize the potential impact on users' productivity.
> [!NOTE] > [!NOTE]
> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. As described in [common Windows Defender Application Control deployment scenarios](common-wdac-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead tasked with the rollout of WDAC. **Alice Pena** is the IT team lead tasked with the rollout of WDAC.
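Review bot: the retargeted link `common-wdac-use-cases.md` is relative, so it only resolves if that file sits in the same folder as this article after the move; since the old target `types-of-devices.md` may still be linked from elsewhere, confirm a redirect entry for it is included with the other redirects in this commit. While the file is open, the unchanged first paragraph reads "turn on WDAC on systems "in the wild" and you want to minimize the potential impact", which should be "where you want to minimize".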

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
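Review bot: `feature-availability.md` becoming `../feature-availability.md` means this file now lives one folder below the one `feature-availability.md` stays in, so every other same-folder relative link in this file (outside the hunk) needs the same `../` prefix or it breaks. The identical one-line change recurs in most files of this commit; a search for `](feature-availability.md)` across the moved articles would confirm none were missed.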
@ -116,4 +116,3 @@ For more information on deploying multiple policies, optionally using Microsoft
* If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b. * If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b.
* If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit. * If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit.
* This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot. * This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot.
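Review bot: the header `@ -116,4 +116,3` reports one line removed, but the three visible bullets are unchanged, so the deleted line is presumably a trailing blank at end of file; worth confirming it was not a related-links line. The last bullet ("if the value of `{PolicyGUID}.cip` changes between releases") is hard to follow as written and could be reworded when this file is next edited.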

View File

@ -21,7 +21,7 @@ ms.technology: itpro-security
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
When you create policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that you can use. These example policies are provided "as-is". You should thoroughly test the policies you deploy using safe deployment methods. When you create policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that you can use. These example policies are provided "as-is". You should thoroughly test the policies you deploy using safe deployment methods.

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
This article for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy. This article for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy.
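Review bot: `>[!NOTE]` here lacks the space after `>` that the other files in this commit use (`> [!NOTE]`), and the link text alternates between "WDAC feature availability" and "Windows Defender Application Control feature availability" across files; since each of these note blocks is being touched anyway, aligning them would be cheap.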
@ -96,7 +96,7 @@ Use the following steps to create a WDAC PFN rule for an app that is installed o
7. Select **Create Rule**. 7. Select **Create Rule**.
8. Create any other rules desired, then complete the Wizard. 8. Create any other rules desired, then complete the Wizard.
![Create PFN rule from WDAC Wizard](images/wdac-wizard-custom-pfn-rule.png) ![Create PFN rule from WDAC Wizard](../images/wdac-wizard-custom-pfn-rule.png)
##### Create a PFN rule using a custom string ##### Create a PFN rule using a custom string
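Review bot: the image path moves to `../images/wdac-wizard-custom-pfn-rule.png`, which assumes the images folder stays in the parent directory rather than moving with the article; as the commit also renames files, confirm the png files themselves were not relocated, otherwise this hunk and the one below both break.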
@ -109,4 +109,4 @@ Use the following steps to create a PFN rule with a custom string value:
5. Select **Create Rule**. 5. Select **Create Rule**.
6. Create any other rules desired, then complete the Wizard. 6. Create any other rules desired, then complete the Wizard.
![Create PFN rule with custom string from WDAC Wizard](images/wdac-wizard-custom-manual-pfn-rule.png) ![Create PFN rule with custom string from WDAC Wizard](../images/wdac-wizard-custom-manual-pfn-rule.png)

View File

@ -21,7 +21,7 @@ ms.topic: reference
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass WDAC. Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass WDAC.
@ -1540,4 +1540,4 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and
## More information ## More information
- [Merge WDAC policies](merge-windows-defender-application-control-policies.md) - [Merge WDAC policies](../deployment/merge-wdac-policies.md)

View File

@ -63,7 +63,7 @@ Customers who always want the most up-to-date driver blocklist can also use Wind
## Blocking vulnerable drivers using WDAC ## Blocking vulnerable drivers using WDAC
Microsoft recommends enabling [HVCI](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events. Microsoft recommends enabling [HVCI](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
> [!IMPORTANT] > [!IMPORTANT]
> Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from loading, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy will prevent the existing driver from loading. > Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from loading, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy will prevent the existing driver from loading.
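Review bot: the HVCI link gains two extra `../` levels, yet the `[audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies)` link on the same line is left as an absolute URL to the pre-rename path, so it works only through the redirects added in this commit; convert it to a relative link to the renamed audit-mode article. Going from `../../` to `../../../../` also means this file is now two folders deeper than before, so check every relative link in it, not just the two shown here.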

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2016 and above - Windows Server 2016 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
@ -37,7 +37,7 @@ The first step in implementing application control is to consider how your polic
Most Windows Defender Application Control policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include: Most Windows Defender Application Control policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include:
1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML. In audit mode, block events are generated but files aren't prevented from executing. 1. [Define (or refine) the "circle-of-trust"](understand-wdac-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML. In audit mode, block events are generated but files aren't prevented from executing.
2. [Deploy the audit mode policy](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) to intended devices. 2. [Deploy the audit mode policy](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) to intended devices.
3. [Monitor audit block events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations) from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks. 3. [Monitor audit block events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations) from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks.
4. Repeat steps 2-3 until the remaining block events meet expectations. 4. Repeat steps 2-3 until the remaining block events meet expectations.
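Review bot: step 1's link is rewritten to the renamed `understand-wdac-policy-design-decisions.md`, but steps 2 and 3 keep absolute `/windows/security/threat-protection/windows-defender-application-control/...` URLs to the old audit-mode and event-ID articles. Mixing the two styles in one list leaves the absolute links silently dependent on the redirection map; make them relative links to the new locations, as in step 1.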
@ -45,7 +45,7 @@ Most Windows Defender Application Control policies will evolve over time and pro
6. [Deploy the enforced mode policy](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly. 6. [Deploy the enforced mode policy](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes. 7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
![Recommended WDAC policy deployment process.](images/policyflow.png) ![Recommended WDAC policy deployment process.](../images/policyflow.png)
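Review bot: same point for step 6: the deployment-guide link stays absolute to the pre-rename path and should be made relative to the renamed article. The image path change to `../images/policyflow.png` is consistent with the other moved articles.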
### Keep WDAC policies in a source control or document management solution ### Keep WDAC policies in a source control or document management solution
@ -56,7 +56,7 @@ To effectively manage Windows Defender Application Control policies, you should
Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing Windows Defender Application Control events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy. Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing Windows Defender Application Control events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy.
> [!NOTE] > [!NOTE]
> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-windows-defender-application-control-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10. > PolicyID only applies to policies using the [multiple policy format](deploy-multiple-wdac-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10.
> PolicyID should be set only once per policy and use different PolicyID's for the audit and enforced mode versions of each policy. > PolicyID should be set only once per policy and use different PolicyID's for the audit and enforced mode versions of each policy.
In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion) cmdlet to increment the policy's internal version number when you make changes to the policy. The version must be defined as a standard four-part version string (for example, "1.0.0.0"). In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion) cmdlet to increment the policy's internal version number when you make changes to the policy. The version must be defined as a standard four-part version string (for example, "1.0.0.0").
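Review bot: the multiple-policy-format link now targets `deploy-multiple-wdac-policies.md` in the same folder, which is fine. In the unchanged context the identifier is spelled both `PolicyId` and `PolicyID`, and "use different PolicyID's" has a stray apostrophe (should be "PolicyIDs"); worth fixing while the file is being touched.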
@ -71,7 +71,7 @@ Each time that a process is blocked by Windows Defender Application Control, eve
Collecting these events in a central location can help you maintain your Windows Defender Application Control policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)). Collecting these events in a central location can help you maintain your Windows Defender Application Control policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)).
Additionally, Windows Defender Application Control events are collected by [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature. Additionally, Windows Defender Application Control events are collected by [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) and can be queried using the [advanced hunting](../operations/querying-application-control-events-centrally-using-advanced-hunting.md) feature.
## Application and user support policy ## Application and user support policy

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2016 and later - Windows Server 2016 and later
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [WDAC feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
Windows Defender Application Control (WDAC) can control what runs on Windows 10, Windows 11, and Windows Server 2016 and later, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. Windows Defender Application Control (WDAC) can control what runs on Windows 10, Windows 11, and Windows Server 2016 and later, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
@ -117,7 +117,7 @@ As part of normal operations, they'll eventually install software updates, or pe
## File rule precedence order ## File rule precedence order
WDAC has a built-in file rule conflict logic that translates to precedence order. It first processes all explicit deny rules it finds. Then, it processes any explicit allow rules. If no deny or allow rule exists, WDAC checks for a [Managed Installer claim](deployment/deploy-wdac-policies-with-memcm.md) if allowed by the policy. Lastly, WDAC falls back to the [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md) if allowed by the policy. WDAC has a built-in file rule conflict logic that translates to precedence order. It first processes all explicit deny rules it finds. Then, it processes any explicit allow rules. If no deny or allow rule exists, WDAC checks for a [Managed Installer claim](../deployment/deploy-wdac-policies-with-memcm.md) if allowed by the policy. Lastly, WDAC falls back to the [ISG](use-wdac-with-intelligent-security-graph.md) if allowed by the policy.
> [!NOTE] > [!NOTE]
> To make it easier to reason over your WDAC policies, we recommend maintaining separate ALLOW and DENY policies on Windows versions that support [multiple WDAC policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies). > To make it easier to reason over your WDAC policies, we recommend maintaining separate ALLOW and DENY policies on Windows versions that support [multiple WDAC policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies).
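Review bot: the NOTE still links to `/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies`, the pre-rename name of the article that elsewhere in this commit is referenced as `deploy-multiple-wdac-policies.md`. Point it at the renamed file with a relative link instead of relying on the redirect. The precedence order itself (explicit deny, then explicit allow, then managed installer claim, then ISG) is unchanged apart from link targets.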

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This article is for the IT professional. It lists the design questions, possible answers, and ramifications for decisions made, when planning application control policies deployment using Windows Defender Application Control (WDAC), within a Windows operating system environment. This article is for the IT professional. It lists the design questions, possible answers, and ramifications for decisions made, when planning application control policies deployment using Windows Defender Application Control (WDAC), within a Windows operating system environment.
@ -44,7 +44,7 @@ You should consider using Windows Defender Application Control as part of your o
## Decide what policies to create ## Decide what policies to create
Beginning with Windows 10, version 1903, Windows Defender Application Control allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. This concurrent application opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. Beginning with Windows 10, version 1903, Windows Defender Application Control allows [multiple simultaneous policies](deploy-multiple-wdac-policies.md) to be applied to each device. This concurrent application opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create.
The first step is to define the desired "circle-of-trust" for your WDAC policies. By "circle-of-trust," we mean a description of the business intent of the policy expressed in natural language. This "circle-of-trust" definition will guide you as you create the actual policy rules for your policy XML. The first step is to define the desired "circle-of-trust" for your WDAC policies. By "circle-of-trust," we mean a description of the business intent of the policy expressed in natural language. This "circle-of-trust" definition will guide you as you create the actual policy rules for your policy XML.
@ -63,8 +63,8 @@ Organizations with well-defined, centrally managed app management and deployment
| Possible answers | Design considerations| | Possible answers | Design considerations|
| - | - | | - | - |
| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. Windows Defender Application Control options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | | All apps are centrally managed and deployed using endpoint management tools like [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. Windows Defender Application Control options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
| Some apps are centrally managed and deployed, but teams can install other apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide Windows Defender Application Control policy. Alternatively, teams can use managed installers to install their team-specific apps, or admin-only file path rules can be used to allow apps installed by admin users. | | Some apps are centrally managed and deployed, but teams can install other apps for their members. | [Supplemental policies](deploy-multiple-wdac-policies.md) can be used to allow team-specific exceptions to your core organization-wide Windows Defender Application Control policy. Alternatively, teams can use managed installers to install their team-specific apps, or admin-only file path rules can be used to allow apps installed by admin users. |
| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | Windows Defender Application Control can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. | | Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | Windows Defender Application Control can integrate with Microsoft's [Intelligent Security Graph](use-wdac-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
| Users and teams are free to download and install apps without restriction. | Windows Defender Application Control policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.| | Users and teams are free to download and install apps without restriction. | Windows Defender Application Control policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.|
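Review bot: in this table the supplemental-policies and ISG links are rewritten to the renamed files, but the managed-installer link `configure-authorized-apps-deployed-with-a-managed-installer.md` in the first data row is untouched; confirm that article was neither renamed nor moved (the deployment articles in the next hunk went to `../deployment/`), otherwise this row now carries a dead link.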
### Are internally developed line-of-business (LOB) apps and apps developed by third-party companies digitally signed? ### Are internally developed line-of-business (LOB) apps and apps developed by third-party companies digitally signed?
@ -73,8 +73,8 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p
| Possible answers | Design considerations | | Possible answers | Design considerations |
| - | - | | - | - |
| All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. Windows Defender Application Control rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). | | All apps used in your organization must be signed. | Organizations that enforce [codesigning](../deployment/use-code-signing-for-better-control-and-protection.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. Windows Defender Application Control rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). |
| Apps used in your organization don't need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Intune offer multiple ways to distribute signed App Catalogs. | | Apps used in your organization don't need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](../deployment/deploy-catalog-files-to-support-wdac.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Intune offer multiple ways to distribute signed App Catalogs. |
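Review bot: both links now cross into `../deployment/`, consistent with the rest of the commit. Minor copy points in the context lines: "codesigning" should be "code signing", and "independent software vendors (ISV)" should read "(ISVs)".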
### Are there specific groups in your organization that need customized application control policies? ### Are there specific groups in your organization that need customized application control policies?

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2019 and above - Windows Server 2019 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
You can use Windows Defender Application Control (WDAC) policies to control applications and also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser): You can use Windows Defender Application Control (WDAC) policies to control applications and also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2019 and above - Windows Server 2019 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy. Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy.
@ -112,4 +112,4 @@ Packaged apps aren't supported with the ISG and will need to be separately autho
The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run. The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
> [!NOTE] > [!NOTE]
> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). > A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](../deployment/deploy-wdac-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
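Review bot: The fragment `#deploy-wdac-policies-with-custom-oma-uri` is carried over unchanged while the file is renamed to `deploy-wdac-policies-using-intune.md`; link checkers typically validate the path but not the anchor, so please confirm the heading that generates that anchor still exists in the renamed article. The operational point in the note itself is worth keeping prominent: because explicit allow and deny rules take precedence over ISG reputation, and Intune's built-in WDAC support cannot express them, anyone relying on the ISG option should plan on the custom OMA-URI path from the start.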

View File

@ -27,7 +27,7 @@ ms.technology: itpro-security
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This guide covers design and planning for Windows Defender Application Control (WDAC). It's intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization. This guide covers design and planning for Windows Defender Application Control (WDAC). It's intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization.
@ -46,10 +46,10 @@ Once these business factors are in place, you're ready to begin planning your Wi
| Topic | Description | | Topic | Description |
| - | - | | - | - |
| [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. | | [Plan for WDAC policy management](plan-wdac-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions, when you plan a deployment of application control policies. | | [Understand WDAC policy design decisions](understand-wdac-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions, when you plan a deployment of application control policies. |
| [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. | | [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
| [Policy creation for common WDAC usage scenarios](types-of-devices.md) | This set of topics outlines common use case scenarios, and helps you begin to develop a plan for deploying WDAC in your organization. | | [Policy creation for common WDAC usage scenarios](common-wdac-use-cases.md) | This set of topics outlines common use case scenarios, and helps you begin to develop a plan for deploying WDAC in your organization. |
| [Policy creation using the WDAC Wizard tool](wdac-wizard.md) | This set of topics describes how to use the WDAC Wizard desktop app to easily create, edit, and merge WDAC policies. | | [Policy creation using the WDAC Wizard tool](wdac-wizard.md) | This set of topics describes how to use the WDAC Wizard desktop app to easily create, edit, and merge WDAC policies. |
After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers creating and testing policies, deploying the enforcement setting, and managing and maintaining policies. After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](../deployment/wdac-deployment-guide.md) covers creating and testing policies, deploying the enforcement setting, and managing and maintaining policies.
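Review bot: Two of these rows change the target file name, not just its location: `types-of-devices.md` becomes `common-wdac-use-cases.md` and `plan-windows-defender-application-control-management.md` becomes `plan-wdac-management.md`, so both old names need redirect entries, not only the folder-level moves. The `select-types-of-rules-to-create.md` and `wdac-wizard.md` rows keep plain relative links, which implies those files stay in the same folder as this guide while the deployment guide moves to `../deployment/`; please confirm that split matches the actual file moves.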

View File

@ -27,9 +27,9 @@ ms.technology: itpro-security
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
When creating policies for use with Windows Defender Application Control (WDAC), it's recommended to start with a template policy, and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules. When creating policies for use with Windows Defender Application Control (WDAC), it's recommended to start with a template policy, and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](wdac-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules.
## Template Base Policies ## Template Base Policies
@ -39,13 +39,13 @@ Each of the template policies has a unique set of policy allowlist rules that af
|---------------------------------|-------------------------------------------------------------------| |---------------------------------|-------------------------------------------------------------------|
| **Default Windows Mode** | Default Windows mode authorizes the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)</li></ul>| | **Default Windows Mode** | Default Windows mode authorizes the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)</li></ul>|
| **Allow Microsoft Mode** | Allow mode authorizes the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)</li><li>*All Microsoft-signed software*</li></ul>| | **Allow Microsoft Mode** | Allow mode authorizes the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)</li><li>*All Microsoft-signed software*</li></ul>|
| **Signed and Reputable Mode** | Signed and Reputable mode authorizes the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)</li><li>All Microsoft-signed software</li><li>*Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-windows-defender-application-control-with-intelligent-security-graph.md)*</li></ul>| | **Signed and Reputable Mode** | Signed and Reputable mode authorizes the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)</li><li>All Microsoft-signed software</li><li>*Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-wdac-with-intelligent-security-graph.md)*</li></ul>|
*Italicized content denotes the changes in the current policy with respect to the policy prior.* *Italicized content denotes the changes in the current policy with respect to the policy prior.*
More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example Windows Defender Application Control base policies article](example-wdac-base-policies.md). More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example Windows Defender Application Control base policies article](example-wdac-base-policies.md).
![Selecting a base template for the policy.](images/wdac-wizard-template-selection.png) ![Selecting a base template for the policy.](../images/wdac-wizard-template-selection.png)
Once the base template is selected, give the policy a name and choose where to save the application control policy on disk. Once the base template is selected, give the policy a name and choose where to save the application control policy on disk.
@ -62,7 +62,7 @@ The following table has a description of each policy rule, beginning with the le
| **Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all Windows Defender Application Control policies. Setting this rule option allows the F8 menu to appear to physically present users. | | **Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all Windows Defender Application Control policies. Setting this rule option allows the F8 menu to appear to physically present users. |
| **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. | | **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 isn't supported and may have unintended results. | | **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 isn't supported and may have unintended results. |
|**[Hypervisor-protected code integrity (HVCI)](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.| |**[Hypervisor-protected code integrity (HVCI)](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.|
| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by the Microsoft Intelligent Security Graph (ISG). | | **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by the Microsoft Intelligent Security Graph (ISG). |
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Configuration Manager, that has been defined as a managed installer. | | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Configuration Manager, that has been defined as a managed installer. |
| **Require WHQL** | By default, legacy drivers that aren't Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Henceforth, every new Windowscompatible driver must be WHQL certified. | | **Require WHQL** | By default, legacy drivers that aren't Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Henceforth, every new Windowscompatible driver must be WHQL certified. |
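Review bot: The HVCI link goes from two levels up (`../../hardware-security/`) to four (`../../../../hardware-security/`), so this file must now sit exactly two directories deeper than before; worth double-checking against the new folder depth, since an off-by-one here fails silently until a link check runs. While touching this table, the context line for **Require WHQL** has the typo `Windowscompatible`, which should read `Windows-compatible`.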
@ -71,7 +71,7 @@ The following table has a description of each policy rule, beginning with the le
| **User Mode Code Integrity** | Windows Defender Application Control policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | | **User Mode Code Integrity** | Windows Defender Application Control policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> ![Rule options UI for Windows Allowed mode policy.](images/wdac-wizard-rule-options-UI-advanced-collapsed.png) > ![Rule options UI for Windows Allowed mode policy.](../images/wdac-wizard-rule-options-UI-advanced-collapsed.png)
### Advanced Policy Rules Description ### Advanced Policy Rules Description
@ -86,7 +86,7 @@ Selecting the **+ Advanced Options** label shows another column of policy rules,
| **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option causes WDAC to periodically revalidate the reputation for files authorized by the ISG.| | **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option causes WDAC to periodically revalidate the reputation for files authorized by the ISG.|
| **Require EV Signers** | This option isn't currently supported. | | **Require EV Signers** | This option isn't currently supported. |
![Rule options UI for Windows Allowed mode.](images/wdac-wizard-rule-options-UI.png) ![Rule options UI for Windows Allowed mode.](../images/wdac-wizard-rule-options-UI.png)
> [!NOTE] > [!NOTE]
> We recommend that you **enable Audit Mode** initially because it allows you to test new Windows Defender Application Control policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default. > We recommend that you **enable Audit Mode** initially because it allows you to test new Windows Defender Application Control policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default.
@ -107,7 +107,7 @@ The Publisher file rule type uses properties in the code signing certificate cha
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png) ![Custom filepublisher file rule creation.](../images/wdac-wizard-custom-publisher-rule.png)
### Filepath Rules ### Filepath Rules
@ -125,7 +125,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
| **Internal name** | Specifies the internal name of the binary. | | **Internal name** | Specifies the internal name of the binary. |
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> ![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png) > ![Custom file attributes rule.](../images/wdac-wizard-custom-file-attribute-rule.png)
### File Hash Rules ### File Hash Rules

View File

@ -27,25 +27,25 @@ ms.technology: itpro-security
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
Beginning in Windows 10 version 1903, Windows Defender Application Control (WDAC) supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When supplemental policies are used, applications allowed by the base or any of its supplemental policies are allowed to run. Beginning in Windows 10 version 1903, Windows Defender Application Control (WDAC) supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When supplemental policies are used, applications allowed by the base or any of its supplemental policies are allowed to run.
Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules. Prerequisite information about application control can be accessed through the [WDAC design guide](wdac-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules.
## Expanding a Base Policy ## Expanding a Base Policy
Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard verifies if the base policy allows supplementals and shows the following confirmation. Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard verifies if the base policy allows supplementals and shows the following confirmation.
![Base policy allows supplemental policies.](images/wdac-wizard-supplemental-expandable.png) ![Base policy allows supplemental policies.](../images/wdac-wizard-supplemental-expandable.png)
If the base policy isn't configured for supplemental policies, the Wizard attempts to convert the policy to one that can be supplemented. Once successful, the Wizard shows a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed. If the base policy isn't configured for supplemental policies, the Wizard attempts to convert the policy to one that can be supplemented. Once successful, the Wizard shows a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.
![Wizard confirms modification of base policy.](images/wdac-wizard-confirm-base-policy-modification.png) ![Wizard confirms modification of base policy.](../images/wdac-wizard-confirm-base-policy-modification.png)
Policies that can't be supplemented, for instance another supplemental policy, are detected by the Wizard and show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md). Policies that can't be supplemented, for instance another supplemental policy, are detected by the Wizard and show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-wdac-policies.md).
![Wizard detects a bad base policy.](images/wdac-wizard-supplemental-not-base.png) ![Wizard detects a bad base policy.](../images/wdac-wizard-supplemental-not-base.png)
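Review bot: The link to `deploy-multiple-wdac-policies.md` has no `../deployment/` prefix, unlike the other `deploy-*` targets in this patch (`../deployment/deploy-catalog-files-to-support-wdac.md`, `../deployment/deploy-wdac-policies-using-intune.md`); if the multiple-policies article was moved under `deployment` along with them, this link is still broken after the rename. Please confirm it really stays in the same folder as the Wizard pages.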
## Configuring Policy Rules ## Configuring Policy Rules
@ -63,7 +63,7 @@ Supplemental policies can only configure three policy rules. The following table
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Configuration Manager, that has been defined as a managed installer. | | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Configuration Manager, that has been defined as a managed installer. |
| **Disable Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. | | **Disable Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. |
![Rule options UI for Windows Allowed mode.](images/wdac-wizard-supplemental-policy-rule-options-UI.png) ![Rule options UI for Windows Allowed mode.](../images/wdac-wizard-supplemental-policy-rule-options-UI.png)
## Creating custom file rules ## Creating custom file rules
@ -81,7 +81,7 @@ The Publisher file rule type uses properties in the code signing certificate cha
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png) ![Custom filepublisher file rule creation.](../images/wdac-wizard-custom-publisher-rule.png)
### Filepath Rules ### Filepath Rules
@ -98,7 +98,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
| **Product name** | Specifies the name of the product with which the binary ships. | | **Product name** | Specifies the name of the product with which the binary ships. |
| **Internal name** | Specifies the internal name of the binary. | | **Internal name** | Specifies the internal name of the binary. |
![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png) ![Custom file attributes rule.](../images/wdac-wizard-custom-file-attribute-rule.png)
### File Hash Rules ### File Hash Rules

View File

@ -27,7 +27,7 @@ ms.technology: itpro-security
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
The Windows Defender Application Control Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities: The Windows Defender Application Control Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:
<ul> <ul>
@ -40,7 +40,7 @@ The Windows Defender Application Control Wizard makes editing and viewing WDAC p
The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains other policy rule options that are less common to most users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules). The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains other policy rule options that are less common to most users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules).
![Configuring the policy rules.](images/wdac-wizard-edit-policy-rules.png) ![Configuring the policy rules.](../images/wdac-wizard-edit-policy-rules.png)
A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules). A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules).
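Review bot: The unchanged context line links to `select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules`; the path survives this patch, but the anchor is derived from a heading that contains the full "Windows Defender Application Control" name, and this rename sweep is replacing that phrase with "WDAC" elsewhere. If the heading in that article was shortened in the same sweep, the fragment no longer resolves, so it should be verified together with the image path fix in this hunk.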
@ -54,7 +54,7 @@ Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more
The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table. The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table.
![Removing file rule from policy during edit.](images/wdac-wizard-edit-remove-file-rule.png) ![Removing file rule from policy during edit.](../images/wdac-wizard-edit-remove-file-rule.png)
**Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2. **Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2.

View File

@ -25,8 +25,8 @@ Beginning in Windows 10 version 1903, Windows Defender Application Control (WDAC
Select the policies you wish to merge into one policy using the `+ Add Policy` button under the table. Once added, policies will be enumerated within the table. To remove a policy from the table, if accidentally added, highlight the policy row and select the `- Remove Policy` button. Confirmation will be required before the policy is withdrawn from the table. Select the policies you wish to merge into one policy using the `+ Add Policy` button under the table. Once added, policies will be enumerated within the table. To remove a policy from the table, if accidentally added, highlight the policy row and select the `- Remove Policy` button. Confirmation will be required before the policy is withdrawn from the table.
> [!NOTE] > [!NOTE]
> The policy type and ID of the final output policy will be determined based on the type and ID of the **first policy** in the policy list table. For instance, if a legacy policy format policy and a multi-policy format policy are merged together, the output format of the policy will be whichever policy is specified first in the table. For more information on policy formats, visit the [Multiple Windows Defender Application Control (WDAC) Policies page](deploy-multiple-windows-defender-application-control-policies.md). > The policy type and ID of the final output policy will be determined based on the type and ID of the **first policy** in the policy list table. For instance, if a legacy policy format policy and a multi-policy format policy are merged together, the output format of the policy will be whichever policy is specified first in the table. For more information on policy formats, visit the [Multiple Windows Defender Application Control (WDAC) Policies page](deploy-multiple-wdac-policies.md).
Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy. Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy.
![Merging WDAC policies into a final WDAC policy.](images/wdac-wizard-merge.png) ![Merging WDAC policies into a final WDAC policy.](../images/wdac-wizard-merge.png)

View File

@ -27,7 +27,7 @@ ms.technology: itpro-security
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.html), the WDAC Wizard supports creating WDAC policy rules from the following event log types: As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.html), the WDAC Wizard supports creating WDAC policy rules from the following event log types:
@ -47,7 +47,7 @@ To create rules from the WDAC event logs on the system:
The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events. The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> [![Parse WDAC and AppLocker event log system events](images/wdac-wizard-event-log-system.png)](images/wdac-wizard-event-log-system-expanded.png) > [![Parse WDAC and AppLocker event log system events](../images/wdac-wizard-event-log-system.png)](../images/wdac-wizard-event-log-system-expanded.png)
4. Select the Next button to view the audit and block events and create rules. 4. Select the Next button to view the audit and block events and create rules.
5. [Generate rules from the events](#creating-policy-rules-from-the-events). 5. [Generate rules from the events](#creating-policy-rules-from-the-events).
@ -64,14 +64,14 @@ To create rules from the WDAC `.EVTX` event logs files on the system:
The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events. The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> [![Parse evtx file WDAC events](images/wdac-wizard-event-log-files.png)](images/wdac-wizard-event-log-files-expanded.png) > [![Parse evtx file WDAC events](../images/wdac-wizard-event-log-files.png)](../images/wdac-wizard-event-log-files-expanded.png)
5. Select the Next button to view the audit and block events and create rules. 5. Select the Next button to view the audit and block events and create rules.
6. [Generate rules from the events](#creating-policy-rules-from-the-events). 6. [Generate rules from the events](#creating-policy-rules-from-the-events).
## MDE Advanced Hunting WDAC Event Parsing ## MDE Advanced Hunting WDAC Event Parsing
To create rules from the WDAC events in [MDE Advanced Hunting](querying-application-control-events-centrally-using-advanced-hunting.md): To create rules from the WDAC events in [MDE Advanced Hunting](../operations/querying-application-control-events-centrally-using-advanced-hunting.md):
1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events. **The Wizard requires the following fields** in the Advanced Hunting csv file export: 1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events. **The Wizard requires the following fields** in the Advanced Hunting csv file export:
@ -101,7 +101,7 @@ To create rules from the WDAC events in [MDE Advanced Hunting](querying-applicat
2. Export the WDAC event results by selecting the **Export** button in the results view. 2. Export the WDAC event results by selecting the **Export** button in the results view.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> [![Export the MDE Advanced Hunting results to CSV](images/wdac-wizard-event-log-mde-ah-export.png)](images/wdac-wizard-event-log-mde-ah-export-expanded.png) > [![Export the MDE Advanced Hunting results to CSV](../images/wdac-wizard-event-log-mde-ah-export.png)](../images/wdac-wizard-event-log-mde-ah-export-expanded.png)
3. Select **Policy Editor** from the WDAC Wizard main page. 3. Select **Policy Editor** from the WDAC Wizard main page.
4. Select **Convert Event Log to a WDAC Policy**. 4. Select **Convert Event Log to a WDAC Policy**.
@ -111,7 +111,7 @@ To create rules from the WDAC events in [MDE Advanced Hunting](querying-applicat
The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You'll see a notification when the Wizard successfully finishes reading the events. The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You'll see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> [![Parse the Advanced Hunting CSV WDAC event files](images/wdac-wizard-event-log-mde-ah-parsing.png)](images/wdac-wizard-event-log-mde-ah-parsing-expanded.png) > [![Parse the Advanced Hunting CSV WDAC event files](../images/wdac-wizard-event-log-mde-ah-parsing.png)](../images/wdac-wizard-event-log-mde-ah-parsing-expanded.png)
7. Select the Next button to view the audit and block events and create rules. 7. Select the Next button to view the audit and block events and create rules.
8. [Generate rules from the events](#creating-policy-rules-from-the-events). 8. [Generate rules from the events](#creating-policy-rules-from-the-events).
@ -128,7 +128,7 @@ To create a rule and add it to the WDAC policy:
4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated. 4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> [![Adding a publisher rule to the WDAC policy](images/wdac-wizard-event-rule-creation.png)](images/wdac-wizard-event-rule-creation-expanded.png) > [![Adding a publisher rule to the WDAC policy](../images/wdac-wizard-event-rule-creation.png)](../images/wdac-wizard-event-rule-creation-expanded.png)
5. Select the **Next** button to output the policy. Once generated, the event log policy should be merged with your base or supplemental policies. 5. Select the **Next** button to output the policy. Once generated, the event log policy should be merged with your base or supplemental policies.

View File

@ -21,7 +21,7 @@ ms.date: 05/24/2022
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
The Windows Defender Application Control policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. It was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge Application Control policies. This tool uses the [ConfigCI PowerShell cmdlets](/powershell/module/configci) in the backend so the output policy of the tool and PowerShell cmdlets is identical. The Windows Defender Application Control policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. It was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge Application Control policies. This tool uses the [ConfigCI PowerShell cmdlets](/powershell/module/configci) in the backend so the output policy of the tool and PowerShell cmdlets is identical.
@ -31,7 +31,7 @@ Download the tool from the official [Windows Defender Application Control Policy
### Supported clients ### Supported clients
As the tool uses the cmdlets in the background, it's functional on clients only where the cmdlets are supported. For more information, see [Application Control feature availability](feature-availability.md). Specifically, the tool verifies that the client meets one of the following requirements: As the tool uses the cmdlets in the background, it's functional on clients only where the cmdlets are supported. For more information, see [Application Control feature availability](../feature-availability.md). Specifically, the tool verifies that the client meets one of the following requirements:
- Windows 10, version 1909 or later - Windows 10, version 1909 or later
- For pre-1909 builds, the Enterprise SKU of Windows is installed - For pre-1909 builds, the Enterprise SKU of Windows is installed

View File

@ -28,7 +28,7 @@ ms.topic: overview
|-------------|------|-------------| |-------------|------|-------------|
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Available on Windows 8 or later. | | Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Available on Windows 8 or later. |
| SKU availability | Available on Windows 10, Windows 11, and Windows Server 2016 or later. <br> WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).<br><br>Windows versions older than version 2004, including Windows Server 2019:<br><ul><li>Policies deployed through GP are only supported on Enterprise and Server editions.</li><li>Policies deployed through MDM are supported on all editions.</li></ul>| | SKU availability | Available on Windows 10, Windows 11, and Windows Server 2016 or later. <br> WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).<br><br>Windows versions older than version 2004, including Windows Server 2019:<br><ul><li>Policies deployed through GP are only supported on Enterprise and Server editions.</li><li>Policies deployed through MDM are supported on all editions.</li></ul>|
| Management solutions | <ul><li>[Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md)</li><li>[Microsoft Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)</li><li>[Group policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>[Script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script)</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via software distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> | | Management solutions | <ul><li>[Intune](deployment/deploy-wdac-policies-using-intune.md)</li><li>[Microsoft Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)</li><li>[Group policy](deployment/deploy-wdac-policies-using-group-policy.md) </li><li>[Script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script)</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via software distribution only)</li><li>[Group Policy](applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
| Per-User and Per-User group rules | Not available (policies are device-wide). | Available on Windows 8+. | | Per-User and Per-User group rules | Not available (policies are device-wide). | Available on Windows 8+. |
| Kernel mode policies | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Not available. | | Kernel mode policies | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Not available. |
| [Rule option 11 - Disabled:Script Enforcement](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement) | Available on all versions of Windows 10 except 1607 LTSB, Windows 11, and Windows Server 2019 and above. **Disabled:Script Enforcement** is not supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and should not be used on those platforms. Doing so will result in unexpected script enforcement behaviors. | MSI and Script rule collection is separately configurable. | | [Rule option 11 - Disabled:Script Enforcement](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement) | Available on all versions of Windows 10 except 1607 LTSB, Windows 11, and Windows Server 2019 and above. **Disabled:Script Enforcement** is not supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and should not be used on those platforms. Doing so will result in unexpected script enforcement behaviors. | MSI and Script rule collection is separately configurable. |
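Review bot: two links in this table still use the old absolute path and were not updated alongside the relative ones: `[Script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script)` in the Management solutions row and `[Rule option 11 - Disabled:Script Enforcement](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement)` in the last row. They will only keep working through the redirect map; make them relative like the Intune and Group policy links in the same row (`deployment/deploy-wdac-policies-with-script.md`, `design/script-enforcement.md`). While here, the AppLocker cell of the Management solutions row ends with `<li>PowerShell</li><ul>` where the closing tag should be `</ul>`; it is pre-existing, but this hunk already touches that row.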

View File

@ -19,7 +19,7 @@ landingContent:
- linkListType: overview - linkListType: overview
links: links:
- text: What is Application Control? - text: What is Application Control?
url: windows-defender-application-control.md url: wdac.md
- text: What is Windows Defender Application Control (WDAC)? - text: What is Windows Defender Application Control (WDAC)?
url: wdac-and-applocker-overview.md url: wdac-and-applocker-overview.md
- text: What is AppLocker? - text: What is AppLocker?
@ -32,31 +32,31 @@ landingContent:
- linkListType: overview - linkListType: overview
links: links:
- text: Using code signing to simplify application control - text: Using code signing to simplify application control
url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md url: deployment/use-code-signing-for-better-control-and-protection.md
- text: Microsoft's Recommended Blocklist - text: Microsoft's Recommended Blocklist
url: microsoft-recommended-block-rules.md url: design/microsoft-recommended-block-rules.md
- text: Microsoft's Recommended Driver Blocklist - text: Microsoft's Recommended Driver Blocklist
url: microsoft-recommended-driver-block-rules.md url: design/microsoft-recommended-driver-block-rules.md
- text: Example WDAC policies - text: Example WDAC policies
url: example-wdac-base-policies.md url: design/example-wdac-base-policies.md
- text: LOB Win32 apps on S Mode - text: LOB Win32 apps on S Mode
url: LOB-win32-apps-on-s.md url: deployment/LOB-win32-apps-on-s.md
- text: Managing multiple policies - text: Managing multiple policies
url: deploy-multiple-windows-defender-application-control-policies.md url: design/deploy-multiple-wdac-policies.md
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: Create a WDAC policy for a lightly managed device - text: Create a WDAC policy for a lightly managed device
url: create-wdac-policy-for-lightly-managed-devices.md url: design/create-wdac-policy-for-lightly-managed-devices.md
- text: Create a WDAC policy for a fully managed device - text: Create a WDAC policy for a fully managed device
url: create-wdac-policy-for-fully-managed-devices.md url: design/create-wdac-policy-for-fully-managed-devices.md
- text: Create a WDAC policy for a fixed-workload - text: Create a WDAC policy for a fixed-workload
url: create-initial-default-policy.md url: design/create-wdac-policy-using-reference-computer.md
- text: Create a WDAC deny list policy - text: Create a WDAC deny list policy
url: create-wdac-deny-policy.md url: design/create-wdac-deny-policy.md
- text: Deploying catalog files for WDAC management - text: Deploying catalog files for WDAC management
url: deploy-catalog-files-to-support-windows-defender-application-control.md url: deployment/deploy-catalog-files-to-support-wdac.md
- text: Using the WDAC Wizard - text: Using the WDAC Wizard
url: wdac-wizard.md url: design/wdac-wizard.md
#- linkListType: Tutorial (videos) #- linkListType: Tutorial (videos)
# links: # links:
# - text: Using the WDAC Wizard # - text: Using the WDAC Wizard
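Review bot: the fixed-workload entry changes the basename as well as the folder (`create-initial-default-policy.md` to `design/create-wdac-policy-using-reference-computer.md`), so unlike the other entries in this list it needs a redirect from the old name in addition to the folder move; confirm the redirection map carries that entry. Minor: the link text `Create a WDAC policy for a fixed-workload` has a stray hyphen (`fixed workload`), and the commented-out `Tutorial (videos)` block below is carried over unchanged, so either complete it or remove it rather than keep renaming around it.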
@ -69,44 +69,44 @@ landingContent:
- linkListType: overview - linkListType: overview
links: links:
- text: Understanding policy and file rules - text: Understanding policy and file rules
url: select-types-of-rules-to-create.md url: design/select-types-of-rules-to-create.md
- text: Understanding WDAC secure settings - text: Understanding WDAC secure settings
url: understanding-wdac-policy-settings.md url: design/understanding-wdac-policy-settings.md
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: Allow managed installer and configure managed installer rules - text: Allow managed installer and configure managed installer rules
url: configure-authorized-apps-deployed-with-a-managed-installer.md url: design/configure-authorized-apps-deployed-with-a-managed-installer.md
- text: Allow reputable apps with ISG - text: Allow reputable apps with ISG
url: use-windows-defender-application-control-with-intelligent-security-graph.md url: design/use-wdac-with-intelligent-security-graph.md
- text: Managed MSIX and Appx Packaged Apps - text: Managed MSIX and Appx Packaged Apps
url: manage-packaged-apps-with-windows-defender-application-control.md url: design/manage-packaged-apps-with-wdac.md
- text: Allow com object registration - text: Allow com object registration
url: allow-com-object-registration-in-windows-defender-application-control-policy.md url: design/allow-com-object-registration-in-wdac-policy.md
- text: Manage plug-ins, add-ins and modules - text: Manage plug-ins, add-ins and modules
url: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md url: design/use-wdac-policy-to-control-specific-plug-ins-add-ins-and-modules.md
# Card # Card
- title: Learn how to deploy WDAC Policies - title: Learn how to deploy WDAC Policies
linkLists: linkLists:
- linkListType: overview - linkListType: overview
links: links:
- text: Using signed policies to protect against tampering - text: Using signed policies to protect against tampering
url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md url: deployment/use-signed-policies-to-protect-wdac-against-tampering.md
- text: Audit mode policies - text: Audit mode policies
url: audit-windows-defender-application-control-policies.md url: deployment/audit-wdac-policies.md
- text: Enforcement mode policies - text: Enforcement mode policies
url: enforce-windows-defender-application-control-policies.md url: deployment/enforce-wdac-policies.md
- text: Disabling WDAC policies - text: Disabling WDAC policies
url: disable-windows-defender-application-control-policies.md url: deployment/disable-wdac-policies.md
- linkListType: tutorial - linkListType: tutorial
links: links:
- text: Deployment with MDM - text: Deployment with MDM
url: deployment/deploy-windows-defender-application-control-policies-using-intune.md url: deployment/deploy-wdac-policies-using-intune.md
- text: Deployment with Configuration Manager - text: Deployment with Configuration Manager
url: deployment/deploy-wdac-policies-with-memcm.md url: deployment/deploy-wdac-policies-with-memcm.md
- text: Deployment with script and refresh policy - text: Deployment with script and refresh policy
url: deployment/deploy-wdac-policies-with-script.md url: deployment/deploy-wdac-policies-with-script.md
- text: Deployment with group policy - text: Deployment with group policy
url: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md url: deployment/deploy-wdac-policies-using-group-policy.md
# Card # Card
- title: Learn how to troubleshoot and debug WDAC events - title: Learn how to troubleshoot and debug WDAC events
linkLists: linkLists:
@ -115,10 +115,10 @@ landingContent:
- text: Debugging and troubleshooting - text: Debugging and troubleshooting
url: operations/wdac-debugging-and-troubleshooting.md url: operations/wdac-debugging-and-troubleshooting.md
- text: Understanding event IDs - text: Understanding event IDs
url: event-id-explanations.md url: operations/event-id-explanations.md
- text: Understanding event Tags - text: Understanding event Tags
url: event-tag-explanations.md url: operations/event-tag-explanations.md
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: Querying events using advanced hunting - text: Querying events using advanced hunting
url: querying-application-control-events-centrally-using-advanced-hunting.md url: operations/querying-application-control-events-centrally-using-advanced-hunting.md

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2019 and above - Windows Server 2019 and above
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
## Enabling managed installer and Intelligent Security Graph (ISG) logging events ## Enabling managed installer and Intelligent Security Graph (ISG) logging events

View File

@ -57,7 +57,7 @@ These events are found in the **AppLocker MSI and Script** event log.
|--------|-----------| |--------|-----------|
| 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run, but wouldn't have passed the WDAC policy if it was enforced. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. | | 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run, but wouldn't have passed the WDAC policy if it was enforced. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. |
| 8029 | This event is the enforcement mode equivalent of event 8028. Note: While this event says that a script was blocked, the script hosts control the actual script enforcement behavior. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell runs script not allowed by your WDAC policy in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). | | 8029 | This event is the enforcement mode equivalent of event 8028. Note: While this event says that a script was blocked, the script hosts control the actual script enforcement behavior. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell runs script not allowed by your WDAC policy in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). |
| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). | | 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](../design/allow-com-object-registration-in-wdac-policy.md). |
| 8037 | This event indicates that a script host checked whether to allow a script to run, and the file passed the WDAC policy. | | 8037 | This event indicates that a script host checked whether to allow a script to run, and the file passed the WDAC policy. |
| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files generate a single 8038 event with TotalSignatureCount 0. These events are correlated with 8028 and 8029 events and can be matched using the `Correlation ActivityID` found in the **System** portion of the event. | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files generate a single 8038 event with TotalSignatureCount 0. These events are correlated with 8028 and 8029 events and can be matched using the `Correlation ActivityID` found in the **System** portion of the event. |
| 8039 | This event indicates that a packaged app (MSIX/AppX) was allowed to install or run because the WDAC policy is in audit mode. But, it would have been blocked if the policy was enforced. | | 8039 | This event indicates that a packaged app (MSIX/AppX) was allowed to install or run because the WDAC policy is in audit mode. But, it would have been blocked if the policy was enforced. |

View File

@ -102,22 +102,22 @@ The Application Control policy rule option values can be derived from the "Optio
- Identify the hex code listed in the "Options" field. - Identify the hex code listed in the "Options" field.
- Convert the hex code to binary. - Convert the hex code to binary.
:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 policy rule options."::: :::image type="content" source="../images/event-3099-options.png" alt-text="Event 3099 policy rule options.":::
For a simple solution for converting hex to binary, follow these steps: For a simple solution for converting hex to binary, follow these steps:
1. Open the Calculator app. 1. Open the Calculator app.
1. Select the menu icon. :::image type="icon" source="images/calculator-menu-icon.png" border="false"::: 1. Select the menu icon. :::image type="icon" source="../images/calculator-menu-icon.png" border="false":::
1. Select **Programmer** mode. 1. Select **Programmer** mode.
1. Select **HEX**. :::image type="icon" source="images/hex-icon.png" border="false"::: 1. Select **HEX**. :::image type="icon" source="../images/hex-icon.png" border="false":::
1. Enter your hex code. For example, `80881000`. 1. Enter your hex code. For example, `80881000`.
1. Switch to the **Bit Toggling Keyboard**. :::image type="icon" source="images/bit-toggling-keyboard-icon.png" border="false"::: 1. Switch to the **Bit Toggling Keyboard**. :::image type="icon" source="../images/bit-toggling-keyboard-icon.png" border="false":::
:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary."::: :::image type="content" source="../images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary.":::
This view provides the hex code in binary form, with each bit address shown separately. The bit addresses start at 0 in the bottom right. Each bit address correlates to a specific event policy-rule option. If the bit address holds a value of 1, the setting is in the policy. This view provides the hex code in binary form, with each bit address shown separately. The bit addresses start at 0 in the bottom right. Each bit address correlates to a specific event policy-rule option. If the bit address holds a value of 1, the setting is in the policy.
Next, use the bit addresses and their values from the following table to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the **Enabled: Audit Mode (Default)** option is in the policy. This setting means that the policy is in audit mode. Next, use the bit addresses and their values from the following table to determine the state of each [policy rule-option](../design/select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the **Enabled: Audit Mode (Default)** option is in the policy. This setting means that the policy is in audit mode.
| Bit Address | Policy Rule Option | | Bit Address | Policy Rule Option |
|-------|------| |-------|------|
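Review bot: the anchor on the updated link in the `Next, use the bit addresses` line, `#table-1-windows-defender-application-control-policy---policy-rule-options`, is carried over unchanged while the target moves to `../design/select-types-of-rules-to-create.md`; confirm the heading in the moved file still renders that exact fragment, because a stale fragment does not fail the build and silently drops the reader at the top of the page. The image references in the same hunk now resolve to `../images/`, so the `images` folder has to sit beside the article's new subfolder rather than inside it.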

View File

@ -97,7 +97,7 @@ msiexec i c:\temp\Windows10_Version_1511_ADMX.msi
``` ```
### Slow boot and performance with custom policies ### Slow boot and performance with custom policies
WDAC will evaluate all running processes, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, it's strongly recommended to build off the [WDAC base templates](../example-wdac-base-policies.md). WDAC will evaluate all running processes, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, it's strongly recommended to build off the [WDAC base templates](../design/example-wdac-base-policies.md).
#### AppId Tagging policy considerations #### AppId Tagging policy considerations
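Review bot: the context line in this hunk's header reads `msiexec i c:\temp\Windows10_Version_1511_ADMX.msi`; the install switch is `/i`, so while this file is being touched it is worth correcting, since a reader who copies the command as shown gets a usage error. The link change itself to `../design/example-wdac-base-policies.md` is consistent with the other design-guide moves in this commit.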

View File

@ -132,7 +132,7 @@ Here's an example of detailed EventData from a typical WDAC enforcement mode blo
#### Event 3077 - WDAC enforcement block event #### Event 3077 - WDAC enforcement block event
![Example 3077 block event for PowerShell.exe.](/windows/security/threat-protection/windows-defender-application-control/images/event-3077.png) ![Example 3077 block event for PowerShell.exe.](../images/event-3077.png)
| Element name | Description | | Element name | Description |
| ----- | ----- | | ----- | ----- |
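Review bot: the image link on the `![Example 3077 block event for PowerShell.exe.]` line changes from a site-absolute path under `/windows/security/threat-protection/windows-defender-application-control/images/` to the relative `../images/event-3077.png`, which is the right direction (the absolute path would only have kept working through the redirect table), but it assumes the `images` folder travelled with the article as a sibling of its new subfolder; the same assumption applies to `../images/event-3089.png` in the next hunk of this file.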
@ -160,7 +160,7 @@ Here's an example of detailed EventData from a typical WDAC enforcement mode blo
#### Event 3089 - WDAC signature information event #### Event 3089 - WDAC signature information event
![Example 3089 signature information event for PowerShell.exe.](/windows/security/threat-protection/windows-defender-application-control/images/event-3089.png) ![Example 3089 signature information event for PowerShell.exe.](../images/event-3089.png)
| Element name | Description | | Element name | Description |
| ----- | ----- | | ----- | ----- |

View File

@ -27,7 +27,7 @@ ms.topic: article
- Windows Server 2016 and above - Windows Server 2016 and above
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
You now understand how to design and deploy your Windows Defender Application Control (WDAC) policies. This guide explains how to understand the effects your policies have and how to troubleshoot when they aren't behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature. You now understand how to design and deploy your Windows Defender Application Control (WDAC) policies. This guide explains how to understand the effects your policies have and how to troubleshoot when they aren't behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature.
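Review bot: the note block's link now points one level up to `../feature-availability.md`, so `feature-availability.md` must remain at the root of the `windows-defender-application-control` folder while this operational guide moves into a subfolder; since the other hunks in this commit relocate design and deployment content into `design/` and `deployment/`, double-check that the feature-availability article was not relocated as well.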

View File

@ -40,9 +40,9 @@ Windows Defender Application Control policies apply to the managed computer as a
- Attributes of the codesigning certificate(s) used to sign an app and its binaries - Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) - The reputation of the app as determined by Microsoft's [Intelligent Security Graph](design/use-wdac-with-intelligent-security-graph.md)
- The identity of the process that initiated the installation of the app and its binaries ([managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md)) - The identity of the process that initiated the installation of the app and its binaries ([managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md))
- The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903) - The [path from which the app or file is launched](design/select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
- The process that launched the app or binary - The process that launched the app or binary
> [!NOTE] > [!NOTE]
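Review bot: the Intelligent Security Graph bullet does more than move the target, it renames it (`use-windows-defender-application-control-with-intelligent-security-graph.md` becomes `design/use-wdac-with-intelligent-security-graph.md`). A rename plus move needs a `source_path`/`redirect_url` entry in the redirection file, like the ones this commit adds for `select-types-of-rules-to-create.md`; confirm one exists for the old file name so external links keep resolving. The managed-installer and filepath-rules bullets in the same hunk keep their file names and are plain moves.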

View File

@ -51,7 +51,7 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
## WDAC and Smart App Control ## WDAC and Smart App Control
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy). Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect. Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect.
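Review bot: the `Smart App Control is only available` context line in this hunk still links `CiTool.exe -r` through the site-absolute path `/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system`, which is the old location this commit is moving away from. Since the surrounding links are being rewritten to relative paths anyway, point this one at the relocated article as well (presumably `operations/citool-commands.md#refresh-the-wdac-policies-on-the-system`, given that this file links to `design/` as a sibling folder) rather than leaving it to the redirect table.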
@ -66,7 +66,7 @@ Smart App Control is only available on clean installation of Windows 11 version
### Smart App Control Enforced Blocks ### Smart App Control Enforced Blocks
Smart App Control enforces the [Microsoft Recommended Driver Block rules](microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control: Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
- Infdefaultinstall.exe - Infdefaultinstall.exe
- Microsoft.Build.dll - Microsoft.Build.dll
@ -77,7 +77,7 @@ Smart App Control enforces the [Microsoft Recommended Driver Block rules](micros
## Related articles ## Related articles
- [WDAC design guide](windows-defender-application-control-design-guide.md) - [WDAC design guide](design/wdac-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md) - [WDAC deployment guide](deployment/wdac-deployment-guide.md)
- [WDAC operational guide](windows-defender-application-control-operational-guide.md) - [WDAC operational guide](operations/wdac-operational-guide.md)
- [AppLocker overview](applocker/applocker-overview.md) - [AppLocker overview](applocker/applocker-overview.md)
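Review bot: all three Related-articles entries that change here are renames as well as moves (`windows-defender-application-control-design-guide.md` to `design/wdac-design-guide.md`, and likewise for the deployment and operational guides), so each of the old names needs a redirect entry; the AppLocker entry is left as `applocker/applocker-overview.md`, which is consistent with the `applocker` folder staying in place.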

View File

@ -19,6 +19,6 @@ The following table summarizes the Windows security features and capabilities fo
| Security Measures | Features & Capabilities | | Security Measures | Features & Capabilities |
|:---|:---| |:---|:---|
| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](../threat-protection/windows-defender-application-control/windows-defender-application-control.md) | | Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](application-control/windows-defender-application-control/wdac.md) |
| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md). | | Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md). |
| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](application-isolation/windows-sandbox/windows-sandbox-overview.md) | | Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](application-isolation/windows-sandbox/windows-sandbox-overview.md) |
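Review bot: a style point on the unchanged Application Guard row: it reads `Learn more [Microsoft Defender Application Guard overview](...)` while the WDAC row being edited and the Windows Sandbox row both use `Learn more: [...]`; since the table is being touched, add the colon so the three rows match. The new WDAC target `application-control/windows-defender-application-control/wdac.md` is the renamed overview, so it also depends on a redirect for the old `windows-defender-application-control.md` name.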

View File

@ -94,8 +94,8 @@ In Windows 10 and Windows 11, cloud experience host is an application used while
### Related to cloud experience host ### Related to cloud experience host
- [Windows Hello for Business](./hello-identity-verification.md) - [Windows Hello for Business](hello-identity-verification.md)
- [Managed Windows Hello in organization](./hello-manage-in-organization.md) - [Managed Windows Hello in organization](hello-manage-in-organization.md)
### More information on cloud experience host ### More information on cloud experience host

View File

@ -203,7 +203,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
1. Repeat this procedure on all your domain controllers 1. Repeat this procedure on all your domain controllers
> [!NOTE] > [!NOTE]
> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](./hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers. > You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers.
> [!IMPORTANT] > [!IMPORTANT]
> If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire. > If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire.

View File

@ -101,7 +101,7 @@ To configure the cloud Kerberos trust policy:
> [!IMPORTANT] > [!IMPORTANT]
> *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID. > *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID.
:::image type="content" alt-text ="Intune custom-device configuration policy creation" source="./images/hello-cloud-trust-intune.png" lightbox="./images/hello-cloud-trust-intune-large.png"::: :::image type="content" alt-text ="Intune custom-device configuration policy creation" source="images/hello-cloud-trust-intune.png" lightbox="images/hello-cloud-trust-intune-large.png":::
1. Assign the policy to a security group that contains as members the devices or users that you want to configure. 1. Assign the policy to a security group that contains as members the devices or users that you want to configure.
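Review bot: the `:::image` directive on the changed line carries `alt-text ="Intune custom-device configuration policy creation"` with a space between the attribute name and `=`; the line is being rewritten anyway, so drop the space so the attribute matches the `alt-text="..."` form used by the image directive in the hunk at line 147 of the same file, otherwise the alt text may not be picked up by the directive parser.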
@ -147,7 +147,7 @@ The Windows Hello for Business provisioning process begins immediately after a u
You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\ You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="./images/cloud-trust-prereq-check.png" lightbox="./images/cloud-trust-prereq-check.png"::: :::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="images/cloud-trust-prereq-check.png" lightbox="images/cloud-trust-prereq-check.png":::
The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined. The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined.

View File

@ -72,7 +72,7 @@ It's suggested to create a security group (for example, *Windows Hello for Busin
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
> [!NOTE] > [!NOTE]
> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources) > If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
### Enable Windows Hello for Business group policy setting ### Enable Windows Hello for Business group policy setting

View File

@ -81,7 +81,7 @@ It's fundamentally important to understand which deployment model to use for a s
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
> [!NOTE] > [!NOTE]
> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](./hello-hybrid-cloud-kerberos-trust.md). > Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hello-hybrid-cloud-kerberos-trust.md).
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.

View File

@ -3,4 +3,4 @@ ms.date: 12/08/2022
ms.topic: include ms.topic: include
--- ---
[domain join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md "Devices that are domain joined do not have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices") [domain join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md)
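Review bot: beyond the path cleanup, this hunk drops the link's title text, `"Devices that are domain joined do not have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices"`, which is the hover explanation the adjacent information icon exists to surface. If the commit's intent is only to fix links, keep the title (and correct `local users accounts` to `local user accounts` while there); if the removal is deliberate, say so in the commit message, because the icon now points to a page with no tooltip.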

View File

@ -42,13 +42,13 @@ landingContent:
- text: Trusted Platform Module - text: Trusted Platform Module
url: information-protection/tpm/trusted-platform-module-top-node.md url: information-protection/tpm/trusted-platform-module-top-node.md
- text: Windows Defender System Guard firmware protection - text: Windows Defender System Guard firmware protection
url: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md url: hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
- text: System Guard Secure Launch and SMM protection enablement - text: System Guard Secure Launch and SMM protection enablement
url: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md url: hardware-security/system-guard-secure-launch-and-smm-protection.md
- text: Virtualization-based protection of code integrity - text: Virtualization-based protection of code integrity
url: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md url: hardware-security/enable-virtualization-based-protection-of-code-integrity.md
- text: Kernel DMA Protection - text: Kernel DMA Protection
url: information-protection/kernel-dma-protection-for-thunderbolt.md url: hardware-security/kernel-dma-protection-for-thunderbolt.md
# Cards and links should be based on top customer tasks or top subjects # Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb # Start card title with a verb
# Card (optional) # Card (optional)
@ -65,11 +65,11 @@ landingContent:
- text: Encryption and data protection - text: Encryption and data protection
url: operating-system-security/data-protection/index.md url: operating-system-security/data-protection/index.md
- text: Windows security baselines - text: Windows security baselines
url: threat-protection/windows-security-configuration-framework/windows-security-baselines.md url: operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
- text: Virtual private network guide - text: Virtual private network guide
url: identity-protection/vpn/vpn-guide.md url: operating-system-security/network-security/vpn/vpn-guide.md
- text: Windows Defender Firewall - text: Windows Defender Firewall
url: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md url: operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
- text: Virus & threat protection - text: Virus & threat protection
url: threat-protection/index.md url: threat-protection/index.md
# Cards and links should be based on top customer tasks or top subjects # Cards and links should be based on top customer tasks or top subjects
@ -84,17 +84,17 @@ landingContent:
- linkListType: concept - linkListType: concept
links: links:
- text: Application Control and virtualization-based protection - text: Application Control and virtualization-based protection
url: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md url: application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- text: Application Control - text: Application Control
url: threat-protection/windows-defender-application-control/windows-defender-application-control.md url: application-security/application-control/windows-defender-application-control/wdac.md
- text: Application Guard - text: Application Guard
url: threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md url: application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
- text: Windows Sandbox - text: Windows Sandbox
url: application-security\application-isolation\windows-sandbox\windows-sandbox-overview.md url: application-security\application-isolation\windows-sandbox\windows-sandbox-overview.md
- text: Microsoft Defender SmartScreen - text: Microsoft Defender SmartScreen
url: operating-system-security\virus-and-threat-protection\microsoft-defender-smartscreen\index.md url: operating-system-security\virus-and-threat-protection\microsoft-defender-smartscreen\index.md
- text: S/MIME for Windows - text: S/MIME for Windows
url: identity-protection/configure-s-mime.md url: operating-system-security/data-protection/configure-s-mime.md
# Cards and links should be based on top customer tasks or top subjects # Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb # Start card title with a verb
# Card (optional) # Card (optional)
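Review bot: the two unchanged context entries for Windows Sandbox and Microsoft Defender SmartScreen use backslashes as path separators (`application-security\application-isolation\windows-sandbox\windows-sandbox-overview.md` and `operating-system-security\virus-and-threat-protection\microsoft-defender-smartscreen\index.md`) while every other `url:` in this landing page, including all the paths this hunk introduces, uses forward slashes; since the file is being edited here, normalize those two to `/` so they resolve the same way as the rest.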

View File

@ -106,7 +106,7 @@ The following table defines which Windows features require TPM support.
Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
-|-|-|-|- -|-|-|-|-
Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support
Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
Windows Defender Application Control (Device Guard) | No | Yes | Yes Windows Defender Application Control (Device Guard) | No | Yes | Yes
Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.

View File

@ -140,4 +140,4 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
- [Trusted Platform Module](trusted-platform-module-top-node.md) - [Trusted Platform Module](trusted-platform-module-top-node.md)
- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true) - [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md) - [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../../operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)

View File

@ -183,7 +183,7 @@ Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the
### Add an AppLocker policy file ### Add an AppLocker policy file
For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](../../threat-protection/windows-defender-application-control/applocker/applocker-overview.md) content. For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](../../application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md) content.
**To create an app rule and xml file using the AppLocker tool** **To create an app rule and xml file using the AppLocker tool**
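Review bot: minor style point in the trailing context of this hunk: the bold procedure title says "xml file" while the sentence just above it says "AppLocker XML file"; capitalize XML for consistency. The link retarget itself looks right: `../../application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md` keeps the same file name and only moves the directory.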

View File

@ -211,7 +211,7 @@ This section covers two examples of using an AppLocker XML file to the **Protect
- [Create a Packaged App rule for Store apps](#create-a-packaged-app-rule-for-store-apps) - [Create a Packaged App rule for Store apps](#create-a-packaged-app-rule-for-store-apps)
- [Create an Executable rule for unsigned apps](#create-an-executable-rule-for-unsigned-apps) - [Create an Executable rule for unsigned apps](#create-an-executable-rule-for-unsigned-apps)
For more info about AppLocker, see the [AppLocker](../../threat-protection/windows-defender-application-control/applocker/applocker-overview.md) content. For more info about AppLocker, see the [AppLocker](../../application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md) content.
#### Create a Packaged App rule for Store apps #### Create a Packaged App rule for Store apps
@ -600,7 +600,7 @@ You can restrict which files are protected by WIP when they're downloaded from a
- [What is Azure Rights Management?](/information-protection/understand-explore/what-is-azure-rms) - [What is Azure Rights Management?](/information-protection/understand-explore/what-is-azure-rms)
- [Create a Windows Information Protection (WIP) protection policy using Microsoft Intune](./overview-create-wip-policy.md) - [Create a Windows Information Protection (WIP) protection policy using Microsoft Intune](overview-create-wip-policy.md)
- [Intune MAM Without Enrollment](/archive/blogs/configmgrdogs/intune-mam-without-enrollment) - [Intune MAM Without Enrollment](/archive/blogs/configmgrdogs/intune-mam-without-enrollment)

View File

@ -21,11 +21,11 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description| |Task|Description|
|----|-----------| |----|-----------|
|Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. | |Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. |
|Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it's incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it's incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.<br><br>This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](./create-and-verify-an-efs-dra-certificate.md) topic.| |Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.<br><br>This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) topic.|
>[!NOTE] >[!NOTE]
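Review bot: two markup inconsistencies in the context lines of this hunk: the "Specify your corporate identity" row is the only table row without a closing `|`, and the callout is written `>[!NOTE]` without the space after `>` that the other callouts in this commit use (`> [!NOTE]`, `> [!IMPORTANT]`). Since the rows around it are already being edited for the `./` prefix, fold these in. The path changes themselves (`./create-wip-policy-using-configmgr.md` to `create-wip-policy-using-configmgr.md`, and likewise for the DRA article) resolve identically.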

View File

@ -72,7 +72,7 @@ Pre-boot authentication with a PIN can mitigate an attack vector for devices tha
On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server. To address these issues, [BitLocker Network Unlock](bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
### Protecting Thunderbolt and other DMA ports ### Protecting Thunderbolt and other DMA ports
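Review bot: "Pre-boot authentication-prompts" in the first context line has the hyphen in the wrong place; "pre-boot authentication prompts" is what is meant. "ethernet" in the changed line is normally capitalized as "Ethernet". Both are small enough to fix alongside the `./bitlocker-how-to-enable-network-unlock.md` path change rather than leaving for a follow-up.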
@ -92,7 +92,7 @@ If kernel DMA protection isn't enabled, follow these steps to protect Thunderbol
- MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy - MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
- Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.) - Group Policy: [Disable new DMA devices when this computer is locked](bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.)
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
@ -166,7 +166,7 @@ Mitigation:
> [!IMPORTANT] > [!IMPORTANT]
> These settings are **not configured** by default. > These settings are **not configured** by default.
For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](./bitlocker-group-policy-settings.md) is: For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](bitlocker-group-policy-settings.md) is:
- *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Allow enhanced PINs for startup** - *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Allow enhanced PINs for startup**
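Review bot: the `enhanced PIN` link on the changed line points at the top of `bitlocker-group-policy-settings.md`, whereas the Group Policy link in the Thunderbolt section of this same file (`bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked`) uses a section fragment; since this sentence names one specific setting (**Allow enhanced PINs for startup**), consider linking straight to that setting's section so readers do not have to scroll a long reference page. Unrelated to the path fix, "require brute forcing the PIN" reads better hyphenated as "brute-forcing".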
@ -178,6 +178,6 @@ For secure administrative workstations, Microsoft recommends a TPM with PIN prot
## Related articles ## Related articles
- [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) - [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
- [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) - [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)

View File

@ -112,7 +112,7 @@ Requiring a PIN at startup is a useful security feature because it acts as a sec
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system. Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md). For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](bitlocker-countermeasures.md).
## Configure Network Unlock ## Configure Network Unlock

View File

@ -15,7 +15,7 @@ Though much Windows [BitLocker documentation](index.md) has been published, cust
## Managing domain-joined computers and moving to cloud ## Managing domain-joined computers and moving to cloud
Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](bitlocker-group-policy-settings.md).
Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
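Review bot: tense problem in the unchanged second paragraph of this hunk: "until mainstream support ends in July 2019 ... Thus, over the next few years" reads as if July 2019 were still ahead. "ended in July 2019" and dropping "over the next few years" would keep the recommendation to move to cloud-based management accurate without changing its substance. The `./bitlocker-group-policy-settings.md` to `bitlocker-group-policy-settings.md` change in the first paragraph is a no-op for link resolution.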
@ -92,7 +92,7 @@ Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pi
- [BitLocker: FAQs](bitlocker-frequently-asked-questions.yml) - [BitLocker: FAQs](bitlocker-frequently-asked-questions.yml)
- [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) - [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
- [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) - [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
- [BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md) - [BitLocker Group Policy Reference](bitlocker-group-policy-settings.md)
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/) - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
*(Overview)* *(Overview)*
- [Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider) - [Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider)
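Review bot: `*(Overview)*` sits on its own line directly under the Microsoft Intune bullet, so it renders as a separate paragraph rather than as part of that list item and can split the list in some renderers; move it onto the Intune line, e.g. `- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/) *(Overview)*`. The `./bitlocker-group-policy-settings.md` path change two lines above is behaviour-neutral.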

View File

@ -331,17 +331,17 @@ It can also be configured using mobile device management (MDM), including in Int
**`<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>`** **`<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>`**
![Custom URL.](./images/bl-intune-custom-url.png) ![Custom URL.](images/bl-intune-custom-url.png)
Example of a customized recovery screen: Example of a customized recovery screen:
![Customized BitLocker Recovery Screen.](./images/bl-password-hint1.png) ![Customized BitLocker Recovery Screen.](images/bl-password-hint1.png)
### BitLocker recovery key hints ### BitLocker recovery key hints
BitLocker metadata has been enhanced starting in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen. BitLocker metadata has been enhanced starting in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen.
![Customized BitLocker recovery screen.](./images/bl-password-hint2.png) ![Customized BitLocker recovery screen.](images/bl-password-hint2.png)
> [!IMPORTANT] > [!IMPORTANT]
> It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account. > It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account.
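Review bot: the IMPORTANT callout in the trailing context has a grammar error: "It is not recommend to print recovery keys or saving them to a file" should be "It isn't recommended to print recovery keys or save them to a file". Worth fixing while the image paths in this hunk are being touched. The `./images/` to `images/` changes are equivalent for resolution.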
@ -378,7 +378,7 @@ There are rules governing which hint is shown during the recovery (in the order
**Result:** The hints for the Microsoft account and custom URL are displayed. **Result:** The hints for the Microsoft account and custom URL are displayed.
![Example 1 of Customized BitLocker recovery screen.](./images/rp-example1.png) ![Example 1 of Customized BitLocker recovery screen.](images/rp-example1.png)
#### Example 2 (single recovery key with single backup) #### Example 2 (single recovery key with single backup)
@ -392,7 +392,7 @@ There are rules governing which hint is shown during the recovery (in the order
**Result:** Only the custom URL is displayed. **Result:** Only the custom URL is displayed.
![Example 2 of customized BitLocker recovery screen.](./images/rp-example2.png) ![Example 2 of customized BitLocker recovery screen.](images/rp-example2.png)
#### Example 3 (single recovery key with multiple backups) #### Example 3 (single recovery key with multiple backups)
@ -406,7 +406,7 @@ There are rules governing which hint is shown during the recovery (in the order
**Result:** Only the Microsoft Account hint is displayed. **Result:** Only the Microsoft Account hint is displayed.
![Example 3 of customized BitLocker recovery screen.](./images/rp-example3.png) ![Example 3 of customized BitLocker recovery screen.](images/rp-example3.png)
#### Example 4 (multiple recovery passwords) #### Example 4 (multiple recovery passwords)
@ -435,7 +435,7 @@ There are rules governing which hint is shown during the recovery (in the order
**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key. **Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.
![Example 4 of customized BitLocker recovery screen.](./images/rp-example4.png) ![Example 4 of customized BitLocker recovery screen.](images/rp-example4.png)
#### Example 5 (multiple recovery passwords) #### Example 5 (multiple recovery passwords)
@ -461,7 +461,7 @@ There are rules governing which hint is shown during the recovery (in the order
**Result:** The hint for the most recent key is displayed. **Result:** The hint for the most recent key is displayed.
![Example 5 of customized BitLocker recovery screen.](./images/rp-example5.png) ![Example 5 of customized BitLocker recovery screen.](images/rp-example5.png)
## Using additional recovery information ## Using additional recovery information

View File

@ -79,7 +79,7 @@ When installing the BitLocker optional component on a server, the Enhanced Stora
| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This article describes the function, location, and effect of each group policy setting that is used to manage BitLocker. | | [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This article describes the function, location, and effect of each group policy setting that is used to manage BitLocker. |
| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This article describes the BCD settings that are used by BitLocker.| | [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This article describes the BCD settings that are used by BitLocker.|
| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This article describes how to recover BitLocker keys from AD DS. | | [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This article describes how to recover BitLocker keys from AD DS. |
| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. | | [Protect BitLocker from pre-boot attacks](bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. |
| [Troubleshoot BitLocker](/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. | | [Troubleshoot BitLocker](/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This article describes how to protect CSVs and SANs with BitLocker.| | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This article describes how to protect CSVs and SANs with BitLocker.|
| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This article describes how to use BitLocker with Windows IoT Core | | [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This article describes how to use BitLocker with Windows IoT Core |

View File

@ -11,13 +11,13 @@ This article describes how to configure the recommendations in the article [VPN
The recommendations can be implemented for the built-in Windows VPN client using a *Force Tunneling with Exclusions* approach, defining IP-based exclusions even when using *force tunneling*. Certain traffic can be *split* to use the physical interface, while still forcing all other traffic via the VPN interface. Traffic addressed to defined destinations (like those listed in the Microsoft 365 optimized categories) follows a much more direct and efficient path, without the need to traverse or *hairpin* via the VPN tunnel and back out of the organization's network. For cloud-services like Microsoft 365, this makes a significant difference in performance and usability for remote users. The recommendations can be implemented for the built-in Windows VPN client using a *Force Tunneling with Exclusions* approach, defining IP-based exclusions even when using *force tunneling*. Certain traffic can be *split* to use the physical interface, while still forcing all other traffic via the VPN interface. Traffic addressed to defined destinations (like those listed in the Microsoft 365 optimized categories) follows a much more direct and efficient path, without the need to traverse or *hairpin* via the VPN tunnel and back out of the organization's network. For cloud-services like Microsoft 365, this makes a significant difference in performance and usability for remote users.
> [!NOTE] > [!NOTE]
> The term *force tunneling with exclusions* is sometimes confusingly called *split tunnels* by other vendors and in some online documentation. For Windows VPN, the term *split tunneling* is defined differently, as described in the article [VPN routing decisions](./vpn-routing.md#split-tunnel-configuration). > The term *force tunneling with exclusions* is sometimes confusingly called *split tunnels* by other vendors and in some online documentation. For Windows VPN, the term *split tunneling* is defined differently, as described in the article [VPN routing decisions](vpn-routing.md#split-tunnel-configuration).
## Solution Overview ## Solution Overview
The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files). The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files).
Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](./vpn-profile-options.md#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](vpn-profile-options.md#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune).
To enable the use of force tunneling in Windows 10 or Windows 11 VPN, the `<RoutingPolicyType>` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `<NativeProfile></NativeProfile>` section: To enable the use of force tunneling in Windows 10 or Windows 11 VPN, the `<RoutingPolicyType>` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `<NativeProfile></NativeProfile>` section:
@ -640,7 +640,7 @@ Write-Host "$Message"
``` ```
An example of an [Intune-ready XML file](./vpn-profile-options.md#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Microsoft 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file. An example of an [Intune-ready XML file](vpn-profile-options.md#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Microsoft 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file.
>[!NOTE] >[!NOTE]
>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. >This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace.


@ -19,7 +19,7 @@ network. These recommendations cover a wide range of deployments including home
networks and enterprise desktop/server systems. networks and enterprise desktop/server systems.
To open Windows Firewall, go to the **Start** menu, select **Run**, To open Windows Firewall, go to the **Start** menu, select **Run**,
type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./open-windows-firewall-with-advanced-security.md). type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](open-windows-firewall-with-advanced-security.md).
## Keep default settings ## Keep default settings
@ -45,7 +45,7 @@ Firewall whenever possible. These settings have been designed to secure your dev
> [!IMPORTANT] > [!IMPORTANT]
> To maintain maximum security, do not change the default Block setting for inbound connections. > To maintain maximum security, do not change the default Block setting for inbound connections.
For more on configuring basic firewall settings, see [Turn on Windows Firewall and Configure Default Behavior](./turn-on-windows-firewall-and-configure-default-behavior.md) and [Checklist: Configuring Basic Firewall Settings](./checklist-configuring-basic-firewall-settings.md). For more on configuring basic firewall settings, see [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) and [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md).
## Understand rule precedence for inbound rules ## Understand rule precedence for inbound rules
@ -58,7 +58,7 @@ This rule-adding task can be accomplished by right-clicking either **Inbound Rul
*Figure 3: Rule Creation Wizard* *Figure 3: Rule Creation Wizard*
> [!NOTE] > [!NOTE]
>This article does not cover step-by-step rule configuration. See the [Windows Firewall with Advanced Security Deployment Guide](./windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation. >This article does not cover step-by-step rule configuration. See the [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation.
In many cases, allowing specific types of inbound traffic will be required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions. In many cases, allowing specific types of inbound traffic will be required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions.
@ -108,7 +108,7 @@ Creation of application rules at runtime can also be prohibited by administrator
*Figure 4: Dialog box to allow access* *Figure 4: Dialog box to allow access*
See also [Checklist: Creating Inbound Firewall Rules](./checklist-creating-inbound-firewall-rules.md). See also [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md).
## Establish local policy merge and application rules ## Establish local policy merge and application rules
@ -202,7 +202,7 @@ What follows are a few general guidelines for configuring outbound rules.
- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use - It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use
- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments) - In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments)
For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](./checklist-creating-outbound-firewall-rules.md). For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md).
## Document your changes ## Document your changes


@ -154,7 +154,7 @@ To disable stealth-mode, see [Disable stealth mode in Windows](/troubleshoot/win
Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback isn't enabled) or the private range is configured incorrectly. Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback isn't enabled) or the private range is configured incorrectly.
For more information on how to debug drops caused by UWP default block filters, see [Troubleshooting UWP App Connectivity Issues](./troubleshooting-uwp-firewall.md). For more information on how to debug drops caused by UWP default block filters, see [Troubleshooting UWP App Connectivity Issues](troubleshooting-uwp-firewall.md).
**WSH default** **WSH default**


@ -42,7 +42,7 @@ Windows supports four features to help prevent rootkits and bootkits from loadin
Figure 1 shows the Windows startup process. Figure 1 shows the Windows startup process.
![Screenshot that shows the Windows startup process.](./images/boot_process.png) ![Screenshot that shows the Windows startup process.](images/boot_process.png)
*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*: *Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*:
@ -117,7 +117,7 @@ Depending on the implementation and configuration, the server can now determine
Figure 2 illustrates the Measured Boot and remote attestation process. Figure 2 illustrates the Measured Boot and remote attestation process.
![Screenshot that shows the Measured Boot and remote attestation process.](./images/measured_boot.png) ![Screenshot that shows the Measured Boot and remote attestation process.](images/measured_boot.png)
*Figure 2. Measured Boot proves the PC's health to a remote server*: *Figure 2. Measured Boot proves the PC's health to a remote server*:


@ -9,7 +9,7 @@ items:
- name: Tamper protection for MDE 🔗 - name: Tamper protection for MDE 🔗
href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
- name: Microsoft Vulnerable Driver Blocklist 🔗 - name: Microsoft Vulnerable Driver Blocklist 🔗
href: ../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md href: ../../application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
- name: Controlled folder access 🔗 - name: Controlled folder access 🔗
href: /microsoft-365/security/defender-endpoint/controlled-folders href: /microsoft-365/security/defender-endpoint/controlled-folders
- name: Exploit protection 🔗 - name: Exploit protection 🔗
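Review bot: the new href `../../application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md` both moves the target and adds a `design/` segment; because this is a relative path in a TOC node, it fails quietly (dead node, build warning) if the driver block rules article did not actually land under `design/` in this commit. Confirm the file exists at that path and that a redirect entry maps the old `../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md` location to it, so existing links to the old URL keep resolving.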


@ -74,7 +74,7 @@ This category includes the following subcategories:
- [Audit Process Creation](audit-process-creation.md) - [Audit Process Creation](audit-process-creation.md)
- [Audit Process Termination](audit-process-termination.md) - [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md) - [Audit RPC Events](audit-rpc-events.md)
- [Audit Token Right Adjusted](./audit-token-right-adjusted.md) - [Audit Token Right Adjusted](audit-token-right-adjusted.md)
## DS Access ## DS Access


@ -27,6 +27,6 @@ When you apply basic audit policy settings to the local computer by using the Lo
| Topic | Description | | Topic | Description |
| - | - | | - | - |
| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies | | [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies |
| [Advanced security auditing FAQ](./advanced-security-auditing-faq.yml) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. | [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. | [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. | [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
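Review bot: style nit in the table: only the first data row ends with a closing `|`; the `Advanced security auditing FAQ` row edited here and the two rows below it are missing it. Since this row is already being touched, add the trailing `|` to all three so the table renders consistently across Markdown engines.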


@ -29,7 +29,7 @@ This subcategory contains events about issued TGSs and failed TGS requests.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](./appendix-a-security-monitoring-recommendations-for-many-audit-events.md).<br /><br />We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. | | Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).<br /><br />We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | | Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | | Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |


@ -31,7 +31,4 @@ Security auditing is one of the most powerful tools that you can use to maintain
| Topic | Description | | Topic | Description |
| - | - | | - | - |
|[Basic security audit policies](basic-security-audit-policies.md) |Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. | |[Basic security audit policies](basic-security-audit-policies.md) |Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. |
|[Advanced security audit policies](./advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently. | |[Advanced security audit policies](advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently. |


@ -47,7 +47,7 @@ Each of the cryptographic modules has a defined security policy that must be met
### Step 3: Enable the FIPS security policy ### Step 3: Enable the FIPS security policy
Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode. When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode. This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](./security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md). Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode. When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode. This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
### Step 4: Ensure that only FIPS validated cryptographic algorithms are used ### Step 4: Ensure that only FIPS validated cryptographic algorithms are used
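Review bot: terminology: this paragraph expands MDM as "Modern Device Management" while the firewall hunk in the same commit expands it as "Mobile Device Management (MDM)"; since only the link is changing here, it is a cheap moment to align the expansion with the rest of the docset.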


@ -26,7 +26,7 @@ See the following articles to learn more about the different areas of Windows th
- [Network Protection](/microsoft-365/security/defender-endpoint/network-protection) - [Network Protection](/microsoft-365/security/defender-endpoint/network-protection)
- [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) - [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview) - [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
- [Windows Firewall](windows-firewall/windows-firewall-with-advanced-security.md) - [Windows Firewall](../operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md)
- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md) - [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)
## Next-generation protection ## Next-generation protection
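Review bot: the Windows Firewall entry is the only link in this list whose change climbs out of the current folder (`../operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md`), so it resolves only if the windows-firewall folder has already been moved under operating-system-security/network-security in this same commit; the other firewall hunks in this change use bare sibling links and give no evidence of that move. Verify the target exists at the new depth (or build the docset) before merging, otherwise this overview page ships with a broken link.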


@ -388,7 +388,7 @@ Examples:
Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL
``` ```
- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy. For more information, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control/windows-defender-application-control-deployment-guide.md). This completion will enable protections on Windows 10 equivalent to EMET's ASR protections. - **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy. For more information, see [Deploying Windows Defender Application Control (WDAC) policies](../application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md). This completion will enable protections on Windows 10 equivalent to EMET's ASR protections.
- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET "Certificate Trust" XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example: - **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET "Certificate Trust" XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example:
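Review bot: this is a move plus a rename (`windows-defender-application-control-deployment-guide.md` becomes `deployment/wdac-deployment-guide.md`), so a path-only redirect will not cover it; make sure the redirection file carries an entry from the old threat-protection path to the new `deployment/wdac-deployment-guide` URL, and check that the link text "Deploying Windows Defender Application Control (WDAC) policies" still matches the title of the renamed article.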


@ -86,7 +86,7 @@ Settings are applied in the following order through a Group Policy Object (GPO),
When a local setting is greyed out, it indicates that a GPO currently controls that setting. When a local setting is greyed out, it indicates that a GPO currently controls that setting.
> [!NOTE] > [!NOTE]
> More information about configuring the policy can be found [here](./how-to-configure-security-policy-settings.md). > More information about configuring the policy can be found [here](how-to-configure-security-policy-settings.md).
## Security considerations ## Security considerations


@ -172,4 +172,4 @@ If the policy is defined, admin tools, scripts and software that formerly enumer
## Next steps ## Next steps
[Security Options](./security-options.md) [Security Options](security-options.md)


@ -666,4 +666,4 @@ You can get more info with the following links:
- [Event Queries and Event XML](/previous-versions/bb399427(v=vs.90)) - [Event Queries and Event XML](/previous-versions/bb399427(v=vs.90))
- [Event Query Schema](/windows/win32/wes/queryschema-schema) - [Event Query Schema](/windows/win32/wes/queryschema-schema)
- [Windows Event Collector](/windows/win32/wec/windows-event-collector) - [Windows Event Collector](/windows/win32/wec/windows-event-collector)
- [4625(F): An account failed to log on](./auditing/event-4625.md) - [4625(F): An account failed to log on](auditing/event-4625.md)