From da766c37ef8c251862a05106e289fea60f506059 Mon Sep 17 00:00:00 2001 From: Bella Brahm Date: Tue, 17 Mar 2020 10:03:42 -0700 Subject: [PATCH] Remove dup signing page, add operational guide Updating TOC to remove "Signing WDAC policies with SignTool.exe" page, as it is a duplicate of "Use signed policies to protect Windows Defender Application Control against tampering" Additionally, adding an operational guide section to follow design and deployment guides. --- .../TOC.md | 11 ++--- ...r-application-control-operational-guide.md | 41 +++++++++++++++++++ 2 files changed, 47 insertions(+), 5 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 7275492629..364e2c3baf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -21,23 +21,24 @@ ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md) ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) -### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) +### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md) ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) -### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) +### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md) +### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) #### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md) -### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md) -### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) ### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md) -#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md) ### [Disable WDAC policies](disable-windows-defender-application-control-policies.md) ### [LOB Win32 Apps on S Mode](LOB-win32-apps-on-s.md) +## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md) +### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) + ## [AppLocker](applocker\applocker-overview.md) ### [Administer AppLocker](applocker\administer-applocker.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md new file mode 100644 index 0000000000..8e14e7cb0d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -0,0 +1,41 @@ +--- +title: Managing and troubleshooting Windows Defender Application Control policies (Windows 10) +description: Gather information about how your deployed Windows Defender Application Control policies are behaving. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 03/16/2020 +--- + +# Windows Defender Application Control operational guide + +**Applies to** +- Windows 10 +- Windows Server 2016 + +After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature. + +## WDAC Events Overview + +WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured. + +WDAC events are generated under two locations: + +1. Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +2. Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + +## In this section + +| Topic | Description | +| - | - | +| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. |