deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

added preview text

Browse Source
This commit is contained in:
Justin Hall 2019-05-06 14:28:02 -07:00
parent cab27d6990
commit db7c319f3b
2 changed files with 17 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md
View File

@ -17,6 +17,9 @@ ms.date: 05/06/2018
- Windows 10
- Windows Server 2016
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Windows 10 S mode is a locked-down system that only runs Store apps.
Although it provides tight security and thereby promises reduced management, its application control restrictions make it difficult for some to adopt it widely.
Sideloading makes S mode a more viable proposition for enterprise and education workloads by allowing critical Desktop apps in addition to Store apps.

27
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md
View File

@ -17,9 +17,14 @@ ms.date: 05/06/2018
- Windows 10
- Windows Server 2016
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic covers improvements introduced in Windows 10, version 1903.
## Path-based rules
Beginning with Windows 10 version 1903, WDAC policies can contain path-based rules.
Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules.
- New-CIPolicy parameters
- FilePath: create path rules under path \<path to scan> for anything not user-writeable (at the individual file level)
@ -34,29 +39,25 @@ Beginning with Windows 10 version 1903, WDAC policies can contain path-based rul
```
Useful for wildcards like C:\foo\\*
- Usage: same flow as per-app rules
```xml
- Usage follows the same flow as per-app rules:
```powershell
$rules = New-CIPolicyRule …
$rules += New-CIPolicyRule …
```
```console
New-CIPolicyRule -f .\mypolicy.xml -u
```
- Wildcards supported:
Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe)
- One or the other, not both at the same time
- Does not support wildcard in the middle (ex. C:\\*\foo.exe)
- Wildcards supported
- Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe)
- One or the other, not both at the same time
- Does not support wildcard in the middle (ex. C:\\*\foo.exe)
- Examples:
- %WINDIR%\\...
- %SYSTEM32%\\...
- %OSDRIVE%\\...
- Disable default FilePath rule protection of enforcing user-writeability
For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy:
```console
- Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy:
```powershell
Set-RuleOption -o 18 .\policy.xml
```