From 1623bd88914ef8efc838a9c09991e4ed833fc7ed Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 10 Aug 2022 17:41:28 -0700 Subject: [PATCH 01/11] Update use-windows-defender-application-control-with-dynamic-code-security.md --- ...tion-control-with-dynamic-code-security.md | 39 ++++++++++++------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 0d8e2466d8..643078438f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Application Control and .NET Hardening (Windows) -description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime. +title: Windows Defender Application Control and .NET (Windows) +description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security 
@@ -11,30 +11,43 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 06/15/2022 +ms.date: 08/10/2022 ms.technology: windows-sec --- -# Windows Defender Application Control and .NET hardening +# Windows Defender Application Control (WDAC) and .NET -Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those sets approved by an organization. -Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. -Beginning with Windows 10, version 1803, or Windows 11, Windows Defender Application Control features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime. +.NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with a WDAC user mode policy, it first checks whether the original IL file passes the current WDAC policies. If so, .NET sets a NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it as well. When the .NET app runs, WDAC sees the EA on the NI file and allows it. + +The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. 
.NET handles this gracefully and will fall back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you may notice a slight impact to performance of the app. When this happens, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies. + +In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md#net-native-images-may-generate-false-positive-block-events). + +To mitigate any performance impact caused when the WDAC EA is not valid or missing, use any of the following strategies: + +1. Work with the app developer to pre-compile their NI and digitally sign it. Then, ensure your WDAC policies allow that signature; +2. Run *ngen.exe update* to force .NET to regenerate all NI files immediately after applying changes to your WDAC policies; +3. [Create and sign a catalog file](/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md) for the native images + +## WDAC and .NET hardening + +Security researchers have found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls. +Beginning with Windows 10, version 1803, WDAC includes a new option, called *Dynamic Code Security* that works with .NET to verify code loaded at runtime. When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. 
For example, any non-local sources, such as the internet or a network share. -Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. +Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. -Dynamic Code Security isn't enabled by default because existing policies may not account for externally loaded libraries. -Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. -Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. +Dynamic Code Security isn't enabled by default because existing policies may not account for externally loaded libraries. +Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. +Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/precompiling-your-website-cs) document for how to fix that. -To enable Dynamic Code Security, add the following option to the `` section of your policy: +To enable Dynamic Code Security, add the following option to the `` section of your WDAC policy: ```xml From 250baa6a9f77836f0d664d6ff0324e0976fb760b Mon Sep 17 00:00:00 2001 
From: jsuther1974 Date: Wed, 10 Aug 2022 17:45:16 -0700 Subject: [PATCH 02/11] Update use-windows-defender-application-control-with-dynamic-code-security.md --- ...fender-application-control-with-dynamic-code-security.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 643078438f..3f791dbc51 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md 
@@ -20,13 +20,13 @@ ms.technology: windows-sec # Windows Defender Application Control (WDAC) and .NET -.NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with a WDAC user mode policy, it first checks whether the original IL file passes the current WDAC policies. If so, .NET sets a NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it as well. When the .NET app runs, WDAC sees the EA on the NI file and allows it. +.NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with a WDAC user mode policy, it first checks whether the original IL file passes the current WDAC policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it as well. When the .NET app runs, WDAC sees the EA on the NI file and allows it. -The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles this gracefully and will fall back to the original IL code. 
If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you may notice a slight impact to performance of the app. When this happens, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies. +The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and will fall back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you may notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies. In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md#net-native-images-may-generate-false-positive-block-events). -To mitigate any performance impact caused when the WDAC EA is not valid or missing, use any of the following strategies: +To mitigate any performance impact caused when the WDAC EA isn't valid or missing, use any of the following strategies: 1. Work with the app developer to pre-compile their NI and digitally sign it. Then, ensure your WDAC policies allow that signature; 2. Run *ngen.exe update* to force .NET to regenerate all NI files immediately after applying changes to your WDAC policies; 
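Review bot: In the PATCH 01 hunk (`@@ -11,30 +11,43 @@`), the new "WDAC and .NET hardening" section keeps the stale wording "WDAC includes a new option, called *Dynamic Code Security*" for a feature it dates to Windows 10, version 1803; drop "new". The sentence that follows is still the fragment carried over from the old text ("For example, any non-local sources, such as the internet or a network share."); fold it into the preceding sentence, e.g. "...applied to libraries that .NET loads from non-local sources such as the internet or a network share." The mitigation list added in the same hunk is inconsistently punctuated: items 1 and 2 end with ";" and item 3 has no terminal punctuation.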
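Review bot: In the PATCH 02 hunk (`@@ -20,13 +20,13 @@`), the trust model for native images is left implicit: the text says ".NET sets an NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it" and "WDAC sees the EA on the NI file and allows it", but never says what stops other user-mode code from stamping the same EA on an arbitrary DLL, or what happens to the EA if the NI file is modified after it was stamped. Add one sentence covering both (for example, that the EA is kernel-protected and discarded on write, if that is the mechanism); without it an application-control reader cannot tell whether this is a bypass surface. Two smaller points on the same paragraphs: "When .NET must fall back to IL, .NET will also schedule a process" repeats the subject and reads better as "it also schedules"; and the context line "Run *ngen.exe update* to force .NET to regenerate all NI files" should say that ngen.exe is a .NET Framework tool that must be run elevated, and on 64-bit Windows from both the Framework and Framework64 directories, and whether the EA mechanism described here applies to .NET (Core) ReadyToRun images at all, since the paragraph speaks of ".NET apps" in general. Item 3 of the same list (sign a catalog for the native images, shown in PATCH 01 and PATCH 06) needs the caveat that NI files are regenerated by the maintenance task and by ngen update, so the catalog hashes go stale and the catalog must be re-created and re-signed after every regeneration.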
From c7ee875dce91280ffb1c36e8187a65362ab4afcf Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 12 Aug 2022 09:12:11 -0700 Subject: [PATCH 03/11] Update use-windows-defender-application-control-with-dynamic-code-security.md --- ...s-defender-application-control-with-dynamic-code-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 3f791dbc51..53338e3cd2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md 
@@ -45,7 +45,7 @@ Dynamic Code Security isn't enabled by default because existing policies may not Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. -Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/precompiling-your-website-cs) document for how to fix that. +Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](https://docs.microsoft.com/previous-versions/aspnet/bb398860(v=vs.100)) document for how to fix that. To enable Dynamic Code Security, add the following option to the `` section of your WDAC policy: From d8fb642a27b8c9caaf05fe43e8d0046ec8f8715e Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 12 Aug 2022 09:30:20 -0700 Subject: [PATCH 04/11] Update use-windows-defender-application-control-with-dynamic-code-security.md --- ...s-defender-application-control-with-dynamic-code-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 53338e3cd2..c006eae0d9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -45,7 +45,7 @@ Dynamic Code Security isn't enabled by default because existing policies may not Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. -Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](https://docs.microsoft.com/previous-versions/aspnet/bb398860(v=vs.100)) document for how to fix that. +Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/previous-versions/aspnet/bb398860(v=vs.100).md) document for how to fix that. To enable Dynamic Code Security, add the following option to the `` section of your WDAC policy: From 4988b2350b2cd75c4d5c0422f11a6d5fbb0e8764 Mon Sep 17 00:00:00 2001 
From: jsuther1974 Date: Fri, 12 Aug 2022 09:33:20 -0700 Subject: [PATCH 05/11] Update use-windows-defender-application-control-with-dynamic-code-security.md --- ...s-defender-application-control-with-dynamic-code-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index c006eae0d9..53338e3cd2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md 
@@ -45,7 +45,7 @@ Dynamic Code Security isn't enabled by default because existing policies may not Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. -Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/previous-versions/aspnet/bb398860(v=vs.100).md) document for how to fix that. +Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](https://docs.microsoft.com/previous-versions/aspnet/bb398860(v=vs.100)) document for how to fix that. To enable Dynamic Code Security, add the following option to the `` section of your WDAC policy: From cb17b68fde31cea68852962580aec5cc9d221a23 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 12 Aug 2022 10:34:03 -0700 Subject: [PATCH 06/11] Fixed relative links to remove ".md" --- ...defender-application-control-with-dynamic-code-security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 53338e3cd2..19165ef7da 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md 
@@ -24,13 +24,13 @@ ms.technology: windows-sec The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and will fall back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you may notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies. -In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md#net-native-images-may-generate-false-positive-block-events). +In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events). To mitigate any performance impact caused when the WDAC EA isn't valid or missing, use any of the following strategies: 1. Work with the app developer to pre-compile their NI and digitally sign it. Then, ensure your WDAC policies allow that signature; 2. Run *ngen.exe update* to force .NET to regenerate all NI files immediately after applying changes to your WDAC policies; -3. 
[Create and sign a catalog file](/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md) for the native images +3. [Create and sign a catalog file](/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control) for the native images ## WDAC and .NET hardening From b2bccf5b91f72cc6000b0d55f8cc8bac51760a44 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 12 Aug 2022 15:10:26 -0700 Subject: [PATCH 07/11] Added hyperlink to Changes made at tenant enrollment. --- .../operate/windows-autopatch-unenroll-tenant.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md index 7ff238e112..36f12e46cd 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md 
@@ -33,14 +33,14 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro | Responsibility | Description | | ----- | ----- | | Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../references/windows-autopatch-privacy.md). | -| Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We will not delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). | +| Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). | ## Your responsibilities after unenrolling your tenant | Responsibility | Description | | ----- | ----- | | Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. | -| Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. 
| +| Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). | | Windows Autopatch cloud service accounts | After unenrollment, you may safely remove the cloud service accounts created during the enrollment process. The accounts are:
  • MsAdmin
  • MsAdminInt
  • MsTest
| | Conditional access policy | After unenrollment, you may safely remove the **Modern Workplace – Secure Workstation** conditional access policy. | | Microsoft Endpoint Manager roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. | From 08bb3159bab854e793166365f89c3782044d05b7 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 12 Aug 2022 15:34:25 -0700 Subject: [PATCH 08/11] Clarify filepath rules only apply to user mode binaries. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 474a39e5dd..e1f7559c0d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
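Review bot: In the PATCH 07 hunk (`@@ -33,14 +33,14 @@`), the "Deregistering devices" row changes "We will not delete" to "We won't delete" with a straight apostrophe while the surrounding cells use curly ones ("We won’t make changes", "we’ll no longer", "If you don’t wish"); pick one form for the table. On the "Windows Autopatch cloud service accounts" row: it says the MsAdmin, MsAdminInt and MsTest accounts may be "safely" removed, but the rows that follow separately say the **Modern Workplace – Secure Workstation** conditional access policy and the Modern Workplace Intune Admin role may also be removed. State whether those accounts hold that role or are targeted by that policy and, if so, give the order (remove the role assignment and the policy first, then the accounts), since deleting privileged accounts is the step an administrator will be most cautious about; a pointer to where to confirm the accounts are no longer in use would also help.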
@@ -90,7 +90,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the |----------- | ----------- | | **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | | **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. | -| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. | +| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers. More information about FilePath level rules can be found below. | | **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. | | **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). | | **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. 
This option trusts specific files from the specified publisher, with a version at or above the specified version number. | From 49ab86489d765f9b4bbe6f3822ea7cf759d1291e Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 12 Aug 2022 16:55:39 -0600 Subject: [PATCH 09/11] Update use-windows-defender-application-control-with-dynamic-code-security.md Replace absolute link line 48. --- ...s-defender-application-control-with-dynamic-code-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 19165ef7da..4256d0a041 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md 
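Review bot: In the PATCH 08 hunk (`@@ -90,7 +90,7 @@`), the added sentence "FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers" is a good clarification, but the row still omits the property that makes a FilePath rule safe to rely on: the table ranks levels by how "specific" they are, and a reader weighing FilePath against Hash or FileName needs to know what constraints WDAC places on who may write to the allowed path. Either state that here or turn "More information about FilePath level rules can be found below" into a link to the exact section. Minor: "Windows 10 version 1903" here versus "Windows 10, version 1803" in the dynamic-code-security page edited earlier in this series; use one form.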
@@ -45,7 +45,7 @@ Dynamic Code Security isn't enabled by default because existing policies may not Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. -Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](https://docs.microsoft.com/previous-versions/aspnet/bb398860(v=vs.100)) document for how to fix that. +Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/previous-versions/aspnet/bb398860(v=vs.100)) document for how to fix that. To enable Dynamic Code Security, add the following option to the `` section of your WDAC policy: From 27644b5870e7060e14d04d71f3b4433c723b95a2 Mon Sep 17 00:00:00 2001 From: Office Content Publishing 4 <87501895+officedocspr4@users.noreply.github.com> Date: Sat, 13 Aug 2022 23:32:07 -0700 Subject: [PATCH 10/11] Uploaded file: education-content-updates.md - 2022-08-13 23:32:07.3280 --- .../includes/education-content-updates.md | 47 +++++++++++++++---- 1 file changed, 39 insertions(+), 8 deletions(-) diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 8c86acd85f..e06d4cfd48 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md 
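Review bot: PATCH 03, 04, 05 and 09 each rewrite the same ASP.NET Precompilation Overview link in the `@@ -45,7 +45,7 @@` hunk, flipping between `https://docs.microsoft.com/previous-versions/aspnet/bb398860(v=vs.100)`, `/previous-versions/aspnet/bb398860(v=vs.100).md` and back; PATCH 04 adds a `.md` suffix that PATCH 06 ("Fixed relative links to remove ".md"") then strips from the other links in the same file. Squash these into one commit that lands on the PATCH 09 form (`/previous-versions/aspnet/bb398860(v=vs.100)`), which matches the relative-link style used elsewhere in the file. Also verify that the new target actually contains a "Precompiling for Deployment Only" section: the link text still sends readers to that heading, and the target moved from the web-forms tutorial to a previous-versions reference page.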
@@ -2,6 +2,45 @@ +## Week of August 08, 2022 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 8/10/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified | +| 8/10/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified | +| 8/10/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified | +| 8/10/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified | +| 8/10/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified | +| 8/10/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | +| 8/10/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified | +| 8/10/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified | +| 8/10/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified | +| 8/10/2022 | [Enable S mode on Surface Go devices for Education](/education/windows/enable-s-mode-on-surface-go-devices) | modified | +| 8/10/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified | +| 8/10/2022 | [Windows 10 for Education (Windows 10)](/education/windows/index) | modified | +| 8/10/2022 | [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](/education/windows/s-mode-switch-to-edu) | modified | +| 8/10/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | +| 8/10/2022 | [Azure AD Join with Set up School PCs app](/education/windows/set-up-school-pcs-azure-ad-join) | 
modified | +| 8/10/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified | +| 8/10/2022 | [Shared PC mode for school devices](/education/windows/set-up-school-pcs-shared-pc-mode) | modified | +| 8/10/2022 | [Set up School PCs app technical reference overview](/education/windows/set-up-school-pcs-technical) | modified | +| 8/10/2022 | [What's new in the Windows Set up School PCs app](/education/windows/set-up-school-pcs-whats-new) | modified | +| 8/10/2022 | [Set up student PCs to join domain](/education/windows/set-up-students-pcs-to-join-domain) | modified | +| 8/10/2022 | [Provision student PCs with apps](/education/windows/set-up-students-pcs-with-apps) | modified | +| 8/10/2022 | [Set up Windows devices for education](/education/windows/set-up-windows-10) | modified | +| 8/10/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified | +| 8/10/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified | +| 8/10/2022 | [Set up Take a Test on a single PC](/education/windows/take-a-test-single-pc) | modified | +| 8/10/2022 | [Take tests in Windows 10](/education/windows/take-tests-in-windows-10) | modified | +| 8/10/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified | +| 8/10/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified | +| 8/10/2022 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified | +| 8/10/2022 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified | +| 8/10/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified | +| 8/10/2022 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified | + + ## Week of 
July 25, 2022 @@ -11,11 +50,3 @@ | 7/26/2022 | [Secure the Windows boot process](/education/windows/change-home-to-edu) | modified | | 7/25/2022 | Edit an existing topic using the Edit link | removed | | 7/26/2022 | [Windows Hello for Business Videos](/education/windows/change-home-to-edu) | modified | - - -## Week of June 27, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 6/30/2022 | Get Minecraft Education Edition with your Windows 10 device promotion | removed | From e95edea6e1588eedcfa11d45bbc4923fed8a0ee9 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Mon, 15 Aug 2022 08:30:48 -0700 Subject: [PATCH 11/11] Fixed link --- windows/client-management/mdm/policy-csp-admx-deviceguard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 58f38e4da3..d39a25209b 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md 
@@ -15,7 +15,7 @@ manager: aaroncz # Policy CSP - ADMX_DeviceGuard > [!WARNING] -> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md). +> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
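Review bot: In the `@@ -2,6 +2,45 @@` hunk of change-history-edu.md, the new "Week of August 08, 2022" table lists every topic under /education/windows with the same date (8/10/2022) and the same change type (modified), and it includes a row for the change-history page itself (`[Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu)`). That pattern reads like a bulk metadata touch rather than per-topic content edits; if the table is generated, consider excluding the self-referential row, or confirm that the page is meant to list itself. The header row `| Published On |Topic title | Change |` keeps the missing space after the second pipe, but it matches the header in the section being removed further down, so it is at least consistent within the file.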
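Review bot: In the `@@ -11,11 +50,3 @@` hunk, deleting the "Week of June 27, 2022" section drops the only record that "Get Minecraft Education Edition with your Windows 10 device promotion" was removed on 6/30/2022. If the page is intended as a rolling window of recent weeks, that is fine, but the commit message ("Update ...") does not say so; a short note in the PR would help. Separately, the unchanged context rows show both "Secure the Windows boot process" and "Windows Hello for Business Videos" linking to `/education/windows/change-home-to-edu`, which does not match either title; that is outside this change but worth a follow-up fix.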
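Review bot: In the `@@ -15,7 +15,7 @@` hunk of policy-csp-admx-deviceguard.md, removing the `.md` suffix from the absolute `/windows/security/...` link is the right fix, since absolute docs paths resolve against published URLs rather than repository files. The relative link in the TIP that follows (`./understanding-admx-backed-policies.md`) should keep its `.md` extension, because it is a file-relative link within the repo, so no further change is needed in this block; the WARNING text itself is otherwise unchanged.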