From 400685ccf2212aadda5e7a72e1494b4b734eac0c Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 10 Jun 2021 14:19:34 -0700 Subject: [PATCH 1/4] Added CN info to the 2nd note under table 2 Also formatted the note as lists. --- .../select-types-of-rules-to-create.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 7a56e31130..ace22beaca 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -109,7 +109,8 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the > When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. > [!NOTE] -> WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - CN is what the code uses for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format and ensure UTF-8 is not being used for the CN. For example, printable string or IA5 or BMP is ok. ## Example of file rule levels in use From 571ca43d6a97e7d2c419e8ae53f880c1dfed2fb8 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 11 Jun 2021 10:22:00 -0700 Subject: [PATCH 2/4] Added the suggested edits for the 2nd note under the 2nd table. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index ace22beaca..1f5068600a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -110,7 +110,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the > [!NOTE] > - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. -> - CN is what the code uses for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format and ensure UTF-8 is not being used for the CN. For example, printable string or IA5 or BMP is ok. +> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP. ## Example of file rule levels in use From 86d8af570836ff725714dc4296572c51a294e83e Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 14 Jun 2021 10:25:05 -0700 Subject: [PATCH 3/4] Added additional text to the ApplicationControl CSP section --- ...ultiple-windows-defender-application-control-policies.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 80ef49b096..f3935c6b4b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -101,7 +101,11 @@ To deploy policies locally using the new multiple policy format, follow these st ### Deploying multiple policies via ApplicationControl CSP -Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. +Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
+ +However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is because the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. + +See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. > [!NOTE] > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. From 727dfe92ff3a817a49565fdcc874cda9a8e2a495 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 15 Jun 2021 16:29:59 -0700 Subject: [PATCH 4/4] Substituted because for that per the feedback. --- ...oy-multiple-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index f3935c6b4b..1f9364ad64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -103,7 +103,7 @@ To deploy policies locally using the new multiple policy format, follow these st Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
-However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is because the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. +However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.