diff --git a/windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md b/windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md index 249ce3ddce..5bbde4033e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md @@ -17,6 +17,9 @@ ms.date: 05/06/2018 - Windows 10 - Windows Server 2016 +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + Windows 10 S mode is a locked-down system that only runs Store apps. Although it provides tight security and thereby promises reduced management, its application control restrictions make it difficult for some to adopt it widely. Sideloading makes S mode a more viable proposition for enterprise and education workloads by allowing critical Desktop apps in addition to Store apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md index 69413bcaca..d3c5ebd625 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md 
@@ -17,9 +17,14 @@ ms.date: 05/06/2018 - Windows 10 - Windows Server 2016 +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic covers improvements introduced in Windows 10, version 1903. + ## Path-based rules -Beginning with Windows 10 version 1903, WDAC policies can contain path-based rules. +Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. - New-CIPolicy parameters - FilePath: create path rules under path \ for anything not user-writeable (at the individual file level) @@ -34,29 +39,25 @@ Beginning with Windows 10 version 1903, WDAC policies can contain path-based rul ``` Useful for wildcards like C:\foo\\* -- Usage: same flow as per-app rules - ```xml +- Usage follows the same flow as per-app rules: + ```powershell $rules = New-CIPolicyRule … $rules += New-CIPolicyRule … … - ``` - - ```console New-CIPolicyRule -f .\mypolicy.xml -u ``` -- Wildcards supported: - Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe) - - One or the other, not both at the same time - - Does not support wildcard in the middle (ex. C:\\*\foo.exe) +- Wildcards supported + - Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe) + - One or the other, not both at the same time + - Does not support wildcard in the middle (ex. C:\\*\foo.exe) - Examples: - %WINDIR%\\... - %SYSTEM32%\\... - %OSDRIVE%\\... -- Disable default FilePath rule protection of enforcing user-writeability - For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: - ```console +- Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: + ```powershell Set-RuleOption -o 18 .\policy.xml ```
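Review bot: In sideloading-win32-apps-on-windows-10-s-mode-devices.md (hunk @@ -17,6 +17,9), the new IMPORTANT banner says "Some information relates to prereleased product" but nothing in the visible text tells the reader which statements are prerelease, and the hunk header still shows ms.date: 05/06/2018. Suggest naming the prerelease feature or release in the banner or in the sentence that follows it, and updating ms.date in the same change, so that someone planning S mode sideloading can tell which guidance may still change.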
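Review bot: In windows-defender-application-control-improvements-in-windows-10-version-1903.md (hunk @@ -17,9 +17,14), the added sentence writes "Windows 10, version 1903" while the line edited directly below it keeps "Windows 10 version 1903" without the comma; pick one form. The new intro sentence and the "Beginning with Windows 10 version 1903, ..." sentence now state the same version scope back to back, so consider shortening the second to "Windows Defender Application Control (WDAC) policies can contain path-based rules."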
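Review bot: In the same file's second hunk (@@ -34,29 +39,25), the reworded bullet for "Disabled:Runtime FilePath Rule Protection" shows how to switch the check off (Set-RuleOption -o 18 .\policy.xml) without saying what is lost. The page describes FilePath rules as created "for anything not user-writeable", so the bullet should state explicitly what a path rule covers once this protection is disabled, in particular whether it then applies to locations a standard user can write to. Separately, in the merged powershell block $rules is built up but never consumed, and the last line calls New-CIPolicyRule with -f .\mypolicy.xml -u; please confirm whether that line was meant to be New-CIPolicy taking -Rules $rules, since the block is now presented as one runnable flow.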