diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 67142745ef..6b7bda08f8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -1,6 +1,6 @@ --- title: Use AppLocker and Software Restriction Policies in the same domain (Windows) -description: This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. +description: This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943 ms.reviewer: ms.author: vinpa @@ -14,7 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/21/2017 +ms.date: 11/07/2022 ms.technology: itpro-security --- 
@@ -23,19 +23,16 @@ ms.technology: itpro-security **Applies to** - Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. -This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. +> [!IMPORTANT] +> Software Restriction Policies were deprecated beginning with Windows 10 build 1803 and above, and also applies to Windows Server 2019 and above. You should use Windows Defender Application Control (WDAC) or AppLocker to control what software runs. ## Using AppLocker and Software Restriction Policies in the same domain -AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running -Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, -Windows 7 and later, the SRP policies are ignored. +AppLocker is supported on systems running Windows 8.1. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. 
You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored. The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker. @@ -45,7 +42,7 @@ The following table compares the features and functions of Software Restriction |Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.

AppLocker permits customization of error messages to direct users to a Web page for help.| |Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.| |Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.| -|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.

SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there's a matching allow rule.| +|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.

SRP can also be configured in the “allowlist mode” so that by default all files are blocked. In "allowlist mode", administrators need to create allow rules for files that they want to run.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there's a matching allow rule.| |File types that can be controlled|SRP can control the following file types:
  • Executables
  • Dlls
  • Scripts
  • Windows Installers

    SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
  • Executables
  • Dlls
  • Scripts
  • Windows Installers
  • Packaged apps and installers

    AppLocker maintains a separate rule collection for each of the five file types.| |Designated file types|SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.|AppLocker currently supports the following file extensions:
  • Executables (.exe, .com)
  • Dlls (.ocx, .dll)
  • Scripts (.vbs, .js, .ps1, .cmd, .bat)
  • Windows Installers (.msi, .mst, .msp)
  • Packaged app installers (.appx)| |Rule types|SRP supports four types of rules:
  • Hash
  • Path
  • Signature
  • Internet zone|AppLocker supports three types of rules:
  • File hash
  • Path
  • Publisher| diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index cea19f889b..0fdfc798f0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -12,10 +12,10 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 11/20/2019 +ms.date: 11/07/2022 ms.technology: itpro-security --- @@ -60,7 +60,7 @@ Based on the above, Alice defines the pseudo-rules for the policy: - WHQL (third-party kernel drivers) - Windows Store signed apps -2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function. +2. **"ConfigMgr works”** rules that include signer and hash rules for Configuration Manager components to properly function. 3. **Allow Managed Installer** (Configuration Manager and *LamnaITInstaller.exe* configured as a managed installer) The critical differences between this set of pseudo-rules and those pseudo-rules defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are: 
@@ -85,13 +85,13 @@ Alice follows these steps to complete this task: $PolicyPath=$env:userprofile+"\Desktop\" $PolicyName= "Lamna_FullyManagedClients_Audit" $LamnaPolicy=$PolicyPath+$PolicyName+".xml" - $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" + $ConfigMgrPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" ``` 3. Copy the policy created by Configuration Manager to the desktop: ```powershell - cp $MEMCMPolicy $LamnaPolicy + cp $ConfigMgrPolicy $LamnaPolicy ``` 4. Give the new policy a unique ID, descriptive name, and initial version number: @@ -119,10 +119,9 @@ Alice follows these steps to complete this task: 7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format: ```powershell - [xml]$LamnaPolicyXML = Get-Content $LamnaPolicy - $PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId - $LamnaPolicyBin = $PolicyPath+$PolicyId+".cip" - ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin + [xml]$PolicyXML = Get-Content $LamnaPolicy + $LamnaPolicyBin = Join-Path $PolicyPath "$($PolicyXML.SiPolicy.PolicyID).cip" + ConvertFrom-CIPolicy $LamnaPolicy $LamnaPolicyBin ``` 8. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index e8c10ae63e..7878df99b7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -12,10 +12,10 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 08/10/2022 +ms.date: 11/07/2022 ms.technology: itpro-security --- 
@@ -35,7 +35,7 @@ This section outlines the process to create a Windows Defender Application Contr > [!NOTE] > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As in the [previous article](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. +As in [Windows Defender Application Control deployment in different scenarios: types of devices](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. **Alice Pena** is the IT team lead tasked with the rollout of WDAC. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads. 
@@ -58,7 +58,7 @@ Based on the above, Alice defines the pseudo-rules for the policy: - WHQL (third-party kernel drivers) - Windows Store signed apps -1. **"MEMCM works”** rules that include: +1. **"ConfigMgr works”** rules that include: - Signer and hash rules for Configuration Manager components to properly function. - **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer. @@ -122,8 +122,8 @@ Alice follows these steps to complete this task: > If you do not use Configuration Manager, skip this step. ```powershell - $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" - Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$MEMCMPolicy + $ConfigMgrPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" + Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$ConfigMgrPolicy Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer ``` @@ -149,9 +149,9 @@ Alice follows these steps to complete this task: 1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format: ```powershell - [xml]$policyXML = Get-Content $LamnaPolicy - $WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip" - ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin + [xml]$PolicyXML = Get-Content $LamnaPolicy + $LamnaPolicyBin = Join-Path $PolicyPath "$($PolicyXML.SiPolicy.PolicyID).cip" + ConvertFrom-CIPolicy $LamnaPolicy $LamnaPolicyBin ``` 1. Upload your base policy XML and the associated binary to a source control solution, such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). 
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 8ae20cf798..2c666bad22 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -15,7 +15,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 08/05/2022 +ms.date: 11/02/2022 ms.technology: itpro-security --- 
@@ -35,12 +35,20 @@ When you create policies for use with Windows Defender Application Control (WDAC ## Example Base Policies | **Example Base Policy** | **Description** | **Where it can be found** | -|----------------------------|---------------------------------------------------------------|--------| -| **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | -| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | -| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | -| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | -| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. 
| %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | +|-------------------------|---------------------------------------------------------------|--------| +| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml
    %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml | +| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
    %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml | +| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml | +| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml | +| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml | | **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) | | **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | -| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. 
For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | +| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml
    %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\SignedReputable.xml | +| **Example supplemental policy** | This example policy shows how to use supplemental policy to expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Supplemental.xml | +| **Microsoft Recommended Block List** | This policy includes a list of Windows and Microsoft-signed code that Microsoft recommends blocking when using WDAC, if possible. | [Microsoft recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)
    %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Recommended_UserMode_Blocklist.xml | +| **Microsoft recommended driver blocklist** | This policy includes rules to block known vulnerable or malicious kernel drivers. | [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
    %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\RecommendedDriverBlock_Enforced.xml
    %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Recommended_Driver_Blocklist.xml | +| **Windows S mode** | This policy includes the rules used to enforce [Windows S mode](https://support.microsoft.com/en-us/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\WinSiPolicy.xml.xml | +| **Windows 11 SE** | This policy includes the rules used to enforce [Windows 11 SE](/education/windows/windows-11-se-overview), a version of Windows built for use in schools. | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\WinSEPolicy.xml.xml | + +> [!NOTE] +> Not all policies shown available at %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies can be found on all versions of Windows. diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index f7a1d7f0a0..4da8421cfe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -9,7 +9,7 @@ author: jgeurten ms.reviewer: aaroncz ms.author: jogeurte manager: aaroncz -ms.date: 06/27/2022 +ms.date: 11/02/2022 ms.custom: asr ms.topic: overview --- @@ -27,17 +27,17 @@ ms.topic: overview | Capability | Windows Defender Application Control | AppLocker | |-------------|------|-------------| -| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later | -| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
    For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
    Policies deployed through MDM are effective on all SKUs. | -| Management solutions | |
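Review bot: in the @@ -23,19 hunk of use-applocker-and-software-restriction-policies-in-the-same-domain.md, the new sentence "AppLocker is supported on systems running Windows 8.1." contradicts the unchanged text that follows it, which still tells readers to use AppLocker for "Windows Server 2008 R2, Windows 7 and later" and says SRP policies are ignored on those systems; either keep the original "Windows 7 and above" wording or update the following paragraph to match. The new IMPORTANT callout also needs a grammar pass: "Software Restriction Policies were deprecated beginning with Windows 10 build 1803 and above, and also applies to Windows Server 2019 and above" pairs a plural subject with "applies", and 1803 is a version rather than a build; suggest "Software Restriction Policies are deprecated beginning with Windows 10 version 1803 and Windows Server 2019." The "Applies to" list also drops Windows 11 without any mention in the change description; if that is intentional, please say why.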
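Review bot: the reworded Enforcement mode row in the @@ -45,7 hunk of the same file still carries "whereas the rest of the file is allowed to run by default"; the rule applies to all other files, so this should read "the rest of the files are allowed to run by default". While the row is being touched, it now mixes curly quotes (“blocklist mode”, “allowlist mode”) with straight quotes ("allowlist mode") in the newly added sentence; pick one style.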
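Review bot: in the @@ -60,7 hunk of create-wdac-policy-for-fully-managed-devices.md and the @@ -58,7 hunk of create-wdac-policy-for-lightly-managed-devices.md, the renamed heading `**"ConfigMgr works”**` opens with a straight quote and closes with a curly one, inherited from the MEMCM version; suggest `**"ConfigMgr works"**` in both files.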
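Review bot: the @@ -85,13 hunk in create-wdac-policy-for-fully-managed-devices.md renames the variable but keeps the alias in `cp $ConfigMgrPolicy $LamnaPolicy`; published PowerShell samples should use the full cmdlet name, so `Copy-Item $ConfigMgrPolicy $LamnaPolicy` is the better line here and matches the other cmdlets in the same procedure (Merge-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy), which are already spelled out in full.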
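Review bot: the @@ -149,9 hunk in create-wdac-policy-for-lightly-managed-devices.md does more than rename `$WDACPolicyBin` to `$LamnaPolicyBin`: the new `Join-Path $PolicyPath "$($PolicyXML.SiPolicy.PolicyID).cip"` also drops the `$($PolicyName)_` prefix from the binary's file name, which the change description does not mention. If the goal is to align with the fully managed article, which names the .cip by PolicyID alone, say so; otherwise keep the prefix, since a GUID-only file name is harder to identify in the source control upload step that follows.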
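Review bot: in the example base policies table hunk (@@ -35,12 +35,20) of example-wdac-base-policies.md, the DefaultWindows row's link text moves from "Microsoft Intune" to "Microsoft Endpoint Manager" and the "MEM Configuration Manager" row keeps the MEM name, while the other files in this patch move from MEMCM to ConfigMgr; the product naming should be consistent across the PR. The new "Example supplemental policy" row is missing words: "how to use supplemental policy to expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file" should read "how to use a supplemental policy to expand DefaultWindows_Audit.xml to allow a single Microsoft-signed file". The added note "Not all policies shown available at %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies can be found on all versions of Windows" needs "shown as available". Also worth a check before merge: the S mode and Windows 11 SE paths end in a doubled extension (WinSiPolicy.xml.xml, WinSEPolicy.xml.xml), the row titles "Microsoft Recommended Block List" and "Microsoft recommended driver blocklist" differ in capitalization and spacing, and the SmartAppControl row still closes its link with a doubled parenthesis "policy))".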
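Review bot: the @@ -27,17 hunk in feature-availability.md removes the AppLocker cell "Available on Windows 8 or later", but the replacement rows are cut off in this view after "| Management solutions | |", so the new platform-support wording cannot be checked here. Whatever replaces it should agree with the AppLocker statement introduced elsewhere in this same patch ("AppLocker is supported on systems running Windows 8.1"), since the two files currently give different minimum versions for AppLocker.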