diff --git a/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md index 0d9c04fc68..5e17a306fa 100644 --- a/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -152,7 +152,7 @@ After the catalog file is signed, add the signing certificate to a WDAC policy, > **Note**  Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity. -3. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``: +3. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule?view=win10-ps) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``: ` Add-SignerRule -FilePath -CertificatePath -User ` diff --git a/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md b/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md index b97a44ed0e..1fe2c03c15 100644 --- a/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md +++ b/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md @@ -110,7 +110,7 @@ For example: ### Enable the managed installer option in WDAC policy In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy. -This can be done by using the [Set-RuleOption cmdlet](https://technet.microsoft.com/itpro/powershell/windows/configci/set-ruleoption). +This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps). An example of the managed installer option being set in policy is shown below. ```code diff --git a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md index 909c8b6e52..1abe52b44a 100644 --- a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md +++ b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md @@ -42,7 +42,7 @@ If you plan to use an internal CA to sign catalog files or WDAC policies, see th WDAC policies include *policy rules*, which control options such as audit mode or whether UMCI is enabled in a WDAC policy. You can modify these options in a new or existing WDAC policy. (For information about *file rules*, which specify the level at which applications will be identified and trusted, see the next section, [Windows Defender Application Control file rule levels](#windows-defender-application-control-file-rule-levels).) -To modify the policy rule options of an existing WDAC policy, use the [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy: +To modify the policy rule options of an existing WDAC policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps). Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy: - To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command: diff --git a/windows/security/threat-protection/device-guard/device-guard-deployment-guide.md b/windows/security/threat-protection/device-guard/device-guard-deployment-guide.md index 0408fa63d3..5bb386464c 100644 --- a/windows/security/threat-protection/device-guard/device-guard-deployment-guide.md +++ b/windows/security/threat-protection/device-guard/device-guard-deployment-guide.md @@ -20,25 +20,6 @@ With thousands of new malicious files created every day, using traditional metho Windows Defender Device Guard also uses virtualization-based security to isolate the Code Integrity service and run it alongside the Windows kernel in a hypervisor-protected container. Even if an attacker manages to get control of the Windows kernel itself, the ability to run malicious executable code is much less likely. -This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes: - -- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - -- [Requirements and deployment planning guidelines for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) - -- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) - -- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md) - - - [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) - - - [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md) - - - [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md) - - - [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) - -- [Enable virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md) ## Related topics diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md index 64881457e7..2d66a5c847 100644 --- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md @@ -811,7 +811,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. -3. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the WDAC policy to a binary format: +3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the WDAC policy to a binary format: ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` @@ -955,11 +955,11 @@ To merge two WDAC policies, complete the following steps in an elevated Windows > [!Note] > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly. -2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new WDAC policy: +2. Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy?view=win10-ps) to merge two policies and create a new WDAC policy: ` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy` -3. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the merged WDAC policy to binary format: +3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the merged WDAC policy to binary format: ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin ` @@ -987,7 +987,7 @@ Every WDAC policy is created with audit mode enabled. After you have successfull 2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the WDAC policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options. - To ensure that these options are enabled in a policy, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following commands. You can run these commands even if you're not sure whether options 9 and 10 are already enabled—if so, the commands have no effect. + To ensure that these options are enabled in a policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) as shown in the following commands. You can run these commands even if you're not sure whether options 9 and 10 are already enabled—if so, the commands have no effect. ` Set-RuleOption -FilePath $InitialCIPolicy -Option 9` @@ -997,14 +997,14 @@ Every WDAC policy is created with audit mode enabled. After you have successfull ` copy $InitialCIPolicy $EnforcedCIPolicy` -4. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to delete the audit mode rule option: +4. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) to delete the audit mode rule option: ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete` > [!Note] > To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy. -5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new WDAC policy to binary format: +5. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the new WDAC policy to binary format: ` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin` @@ -1052,7 +1052,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` cd $env:USERPROFILE\Desktop ` -5. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add an update signer certificate to the WDAC policy: +5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule?view=win10-ps) to add an update signer certificate to the WDAC policy: ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` @@ -1060,11 +1060,11 @@ If you do not have a code signing certificate, see the [Optional: Create a code > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see the [Disable signed Windows Defender Application Control policies within Windows](#disable-signed-windows-defender-application-control-policies-within-windows) section. -6. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to remove the unsigned policy rule option: +6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) to remove the unsigned policy rule option: ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` -7. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the policy to binary format: +7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the policy to binary format: ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`