true<\/Ena
## Configure conditional access
-See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
## Learn more about Conditional Access and Azure AD Health
- [Azure Active Directory conditional access](/azure/active-directory/conditional-access/overview)
- [Getting started with Azure Active Directory Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
-- [Control the health of Windows devices](../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
+- [Control the health of Windows devices](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
## Related topics
+
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
similarity index 73%
rename from windows/security/cryptography-certificate-mgmt.md
rename to windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
index 2edd15d942..191b2d7c9c 100644
--- a/windows/security/cryptography-certificate-mgmt.md
+++ b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
@@ -1,22 +1,16 @@
---
title: Cryptography and Certificate Management
description: Get an overview of cryptography and certificate management in Windows
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/07/2021
-ms.prod: windows-client
-ms.technology: itpro-security
ms.reviewer: skhadeer, raverma
---
# Cryptography and Certificate Management
-
## Cryptography
-Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.
+Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.
Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources.
@@ -28,10 +22,10 @@ Windows cryptographic modules provide low-level primitives such as:
- Signing and verification (padding support for OAEP, PSS, PKCS1)
- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF)
-These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
+These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
## Certificate management
-Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately.
+Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to autoenroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately.
-Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer.
+Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch starts event logging and prevents user access from Microsoft Edge.
diff --git a/windows/security/information-protection/images/dn168167.boot_process(en-us,MSDN.10).png b/windows/security/operating-system-security/system-security/images/boot_process.png
similarity index 100%
rename from windows/security/information-protection/images/dn168167.boot_process(en-us,MSDN.10).png
rename to windows/security/operating-system-security/system-security/images/boot_process.png
diff --git a/windows/security/threat-protection/images/hva-fig1-endtoend1.png b/windows/security/operating-system-security/system-security/images/hva-fig1-endtoend1.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig1-endtoend1.png
rename to windows/security/operating-system-security/system-security/images/hva-fig1-endtoend1.png
diff --git a/windows/security/threat-protection/images/hva-fig10-conditionalaccesscontrol.png b/windows/security/operating-system-security/system-security/images/hva-fig10-conditionalaccesscontrol.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig10-conditionalaccesscontrol.png
rename to windows/security/operating-system-security/system-security/images/hva-fig10-conditionalaccesscontrol.png
diff --git a/windows/security/threat-protection/images/hva-fig11-office365.png b/windows/security/operating-system-security/system-security/images/hva-fig11-office365.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig11-office365.png
rename to windows/security/operating-system-security/system-security/images/hva-fig11-office365.png
diff --git a/windows/security/threat-protection/images/hva-fig12-conditionalaccess12.png b/windows/security/operating-system-security/system-security/images/hva-fig12-conditionalaccess12.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig12-conditionalaccess12.png
rename to windows/security/operating-system-security/system-security/images/hva-fig12-conditionalaccess12.png
diff --git a/windows/security/threat-protection/images/hva-fig2-assessfromcloud2.png b/windows/security/operating-system-security/system-security/images/hva-fig2-assessfromcloud2.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig2-assessfromcloud2.png
rename to windows/security/operating-system-security/system-security/images/hva-fig2-assessfromcloud2.png
diff --git a/windows/security/threat-protection/images/hva-fig3-endtoendoverview3.png b/windows/security/operating-system-security/system-security/images/hva-fig3-endtoendoverview3.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig3-endtoendoverview3.png
rename to windows/security/operating-system-security/system-security/images/hva-fig3-endtoendoverview3.png
diff --git a/windows/security/threat-protection/images/hva-fig4-hardware.png b/windows/security/operating-system-security/system-security/images/hva-fig4-hardware.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig4-hardware.png
rename to windows/security/operating-system-security/system-security/images/hva-fig4-hardware.png
diff --git a/windows/security/threat-protection/images/hva-fig5-virtualbasedsecurity.png b/windows/security/operating-system-security/system-security/images/hva-fig5-virtualbasedsecurity.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig5-virtualbasedsecurity.png
rename to windows/security/operating-system-security/system-security/images/hva-fig5-virtualbasedsecurity.png
diff --git a/windows/security/threat-protection/images/hva-fig6-logs.png b/windows/security/operating-system-security/system-security/images/hva-fig6-logs.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig6-logs.png
rename to windows/security/operating-system-security/system-security/images/hva-fig6-logs.png
diff --git a/windows/security/threat-protection/images/hva-fig7-measurement.png b/windows/security/operating-system-security/system-security/images/hva-fig7-measurement.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig7-measurement.png
rename to windows/security/operating-system-security/system-security/images/hva-fig7-measurement.png
diff --git a/windows/security/threat-protection/images/hva-fig8-evaldevicehealth8.png b/windows/security/operating-system-security/system-security/images/hva-fig8-evaldevicehealth8.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig8-evaldevicehealth8.png
rename to windows/security/operating-system-security/system-security/images/hva-fig8-evaldevicehealth8.png
diff --git a/windows/security/threat-protection/images/hva-fig8a-healthattest8a.png b/windows/security/operating-system-security/system-security/images/hva-fig8a-healthattest8a.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig8a-healthattest8a.png
rename to windows/security/operating-system-security/system-security/images/hva-fig8a-healthattest8a.png
diff --git a/windows/security/threat-protection/images/hva-fig9-intune.png b/windows/security/operating-system-security/system-security/images/hva-fig9-intune.png
similarity index 100%
rename from windows/security/threat-protection/images/hva-fig9-intune.png
rename to windows/security/operating-system-security/system-security/images/hva-fig9-intune.png
diff --git a/windows/security/information-protection/images/dn168167.measure_boot(en-us,MSDN.10).png b/windows/security/operating-system-security/system-security/images/measured_boot.png
similarity index 100%
rename from windows/security/information-protection/images/dn168167.measure_boot(en-us,MSDN.10).png
rename to windows/security/operating-system-security/system-security/images/measured_boot.png
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
similarity index 79%
rename from windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
rename to windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index dba7799e88..040f7b75d4 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -1,22 +1,12 @@
---
title: Control the health of Windows devices
description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices.
-ms.prod: windows-client
ms.date: 10/13/2017
-ms.localizationpriority: medium
-ms.technology: itpro-security
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
ms.topic: conceptual
---
# Control the health of Windows devices
-**Applies to**
-
-- Windows 10
-
This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices.
## Introduction
@@ -77,13 +67,13 @@ Access to content is then authorized to the appropriate level of trust for whate
Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow more verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, further security authentication may need to be established by querying the user to answer a phone call before access is granted.
-### Microsoft's security investments in Windows 10
+### Microsoft's security investments in Windows 10
In Windows 10, there are three pillars of investments:
-- **Secure identities.** Microsoft is part of the FIDO alliance that aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system and for services like on-premises resources and cloud resources.
-- **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data.
-- **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware.
+- **Secure identities.** Microsoft is part of the FIDO alliance that aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system and for services like on-premises resources and cloud resources.
+- **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data.
+- **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware.
### Protect, control, and report on the security status of Windows 10-based devices
@@ -108,43 +98,43 @@ This section describes what Windows 10 offers in terms of security defenses and
### Windows 10 hardware-based security defenses
The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start.
-Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section.
+Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-requirements) section.
:::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png":::
Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process:
-- **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
+- **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
- Windows 10 uses security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
+ Windows 10 uses security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
- A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that aren't compatible with each other:
+ A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that aren't compatible with each other:
- - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
- - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
+ - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
+ - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
- Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).
+ Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).
- Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
+ Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
- TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
+ TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
- - Update crypto strength to meet modern security needs
+ - Update crypto strength to meet modern security needs
- - Support for SHA-256 for PCRs
- - Support for HMAC command
+ - Support for SHA-256 for PCRs
+ - Support for HMAC command
- - Cryptographic algorithms flexibility to support government needs
+ - Cryptographic algorithms flexibility to support government needs
- - TPM 1.2 is severely restricted in terms of what algorithms it can support
- - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
+ - TPM 1.2 is severely restricted in terms of what algorithms it can support
+ - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
- - Consistency across implementations
+ - Consistency across implementations
- - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
- - TPM 2.0 standardizes much of this behavior
+ - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
+ - TPM 2.0 standardizes much of this behavior
-- **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot doesn't require a TPM.
+- **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot doesn't require a TPM.
The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that's signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program.
@@ -154,7 +144,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
> [!NOTE]
> Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over.
-- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration.
+- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration.
Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) can't be enabled. This protective action ensures that the binaries and configuration of the computer can be trusted after the boot process has completed.
Secure Boot configuration policy does this protective action with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot.
@@ -163,7 +153,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted.
-- **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
+- **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
Traditional antimalware apps don't start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded.
@@ -175,11 +165,12 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code.
The ELAM driver is a small driver with a small policy database that has a narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1).
-- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a new enforced security boundary that allows you to protect critical parts of Windows 10.
- Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, see [Virtualization-based security](#virtual) section.
+- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a new enforced security boundary that allows you to protect critical parts of Windows 10.
-- **Hypervisor-protected Code Integrity (HVCI).** Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run.
+ Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, see [Virtualization-based security](#virtualization-based-security) section.
+
+- **Hypervisor-protected Code Integrity (HVCI).** Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run.
When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup.
@@ -191,13 +182,13 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the Windows kernel and what applications are approved to run in user mode. It's configurable by using a policy.
Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy.
-- **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation.
+- **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation.
In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack.
This attack-free state is accomplished by using Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. This accomplishment means that even if the Windows kernel is compromised, an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this unauthorized access because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory.
-- **Health attestation.** The device's firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device's health.
+- **Health attestation.** The device's firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device's health.
Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they're taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and can't be changed unless the system is reset.
@@ -207,7 +198,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation won't stop the boot process and enter remediation when a measurement doesn't work. But with conditional access control, health attestation will help to prevent access to high-value assets.
-### Virtualization-based security
+### Virtualization-based security
Virtualization-based security provides a new trust boundary for Windows 10 and uses Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data.
@@ -215,14 +206,13 @@ Virtualization-based security helps to protect against a compromised kernel or a
The following Windows 10 services are protected with virtualization-based security:
-- **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory
-- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
-- **Other isolated services**: for example, on Windows Server 2016, there's the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.
+- **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory
+- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
+- **Other isolated services**: for example, on Windows Server 2016, there's the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.
> [!NOTE]
> Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.
-
The schema below is a high-level view of Windows 10 with virtualization-based security.
:::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png":::
@@ -234,8 +224,8 @@ remote machines, which mitigates many PtH-style attacks.
Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key:
-- **The per-boot key** is used for any in-memory credentials that don't require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key.
-- **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key.
+- **The per-boot key** is used for any in-memory credentials that don't require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key.
+- **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key.
Credential Guard is activated by a registry key and then enabled by using a UEFI variable. This activation is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that
credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins.
@@ -254,8 +244,8 @@ With Device Guard in Windows 10, organizations are now able to define their own
Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny:
-- **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else.
-- **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application.
+- **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else.
+- **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application.
At the time of this writing, and according to Microsoft's latest research, more than 90 percent of malware is unsigned completely. So implementing a basic Device Guard policy can simply and effectively help block malware. In fact, Device Guard has the potential to go further, and can also help block signed malware.
@@ -263,9 +253,9 @@ Device Guard needs to be planned and configured to be truly effective. It isn't
There are three different parts that make up the Device Guard solution in Windows 10:
-- The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start.
-- After the hardware security feature, there's the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security.
-- The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs).
+- The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start.
+- After the hardware security feature, there's the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security.
+- The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs).
For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
@@ -325,25 +315,25 @@ Device health attestation uses the TPM to provide cryptographically strong and v
For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy.
-For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section.
+For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-an-unhealthy-windows-10-based-device) section.
-[!INCLUDE [device-health-attestation-service](../../../includes/licensing/device-health-attestation-service.md)]
+[!INCLUDE [device-health-attestation-service](../../../../includes/licensing/device-health-attestation-service.md)]
-### Hardware requirements
+### Hardware requirements
The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).
|Hardware|Motivation|
|--- |--- |
-|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot.UEFI Secure Boot ensures that the device boots only authorized code.
Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
-|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security.
**Note:** Device Guard can be enabled without using virtualization-based security.
|
-|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
+|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
+|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security. **Note:** Device Guard can be enabled without using virtualization-based security.|
+|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86). Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
|IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.|
|Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)|
This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them.
-## Detect an unhealthy Windows 10-based device
+## Detect an unhealthy Windows 10-based device
As of today, many organizations only consider devices to be compliant with company policy after they've passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today's systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools.
@@ -394,14 +384,14 @@ When you start a device equipped with TPM, a measurement of different components
The health attestation process works as follows:
-1. Hardware boot components are measured.
-2. Operating system boot components are measured.
-3. If Device Guard is enabled, current Device Guard policy is measured.
-4. Windows kernel is measured.
-5. Antivirus software is started as the first kernel mode driver.
-6. Boot start drivers are measured.
-7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP.
-8. Boot measurements are validated by the Health Attestation Service
+1. Hardware boot components are measured.
+2. Operating system boot components are measured.
+3. If Device Guard is enabled, current Device Guard policy is measured.
+4. Windows kernel is measured.
+5. Antivirus software is started as the first kernel mode driver.
+6. Boot start drivers are measured.
+7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP.
+8. Boot measurements are validated by the Health Attestation Service
> [!NOTE]
> By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder.
@@ -409,16 +399,16 @@ The number of retained logs may be set with the registry **REG\_DWORD** value **
The following process describes how health boot measurements are sent to the health attestation service:
-1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
-2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
-3. The remote device heath attestation service then:
+1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
+2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
+3. The remote device heath attestation service then:
- 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked.
- 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
- 3. Parses the properties in the TCG log.
- 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service.
+ 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked.
+ 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
+ 3. Parses the properties in the TCG log.
+ 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service.
-4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
+4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png":::
@@ -426,7 +416,7 @@ The following process describes how health boot measurements are sent to the hea
The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section.
-### Trusted Platform Module
+### Trusted Platform Module
This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
@@ -434,11 +424,11 @@ In a simplified manner, the TPM is a passive component with limited resources. I
A TPM incorporates in a single component:
-- An RSA 2048-bit key generator
-- A random number generator
-- Nonvolatile memory for storing EK, SRK, and AIK keys
-- A cryptographic engine to encrypt, decrypt, and sign
-- Volatile memory for storing the PCRs and RSA keys
+- An RSA 2048-bit key generator
+- A random number generator
+- Nonvolatile memory for storing EK, SRK, and AIK keys
+- A cryptographic engine to encrypt, decrypt, and sign
+- Volatile memory for storing the PCRs and RSA keys
### Endorsement key
@@ -450,15 +440,15 @@ The endorsement key acts as an identity card for the TPM. For more information,
The endorsement key is often accompanied by one or two digital certificates:
-- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
-- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
+- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
+- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
> [!NOTE]
> Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs:
-- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```**
-- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```**
+- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```**
+- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```**
### Attestation Identity Keys
@@ -506,7 +496,7 @@ If the TPM ownership isn't known but the EK exists, the client library will prov
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub**
> [!NOTE]
-> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net
+> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: `https://\*.microsoftaik.azure.net`
### Windows 10 Health Attestation CSP
@@ -514,10 +504,10 @@ Windows 10 contains a configuration service provider (CSP) specialized for inter
The following list is that of the functions performed by the Windows 10 Health Attestation CSP:
-- Collects data that is used to verify a device's health status
-- Forwards the data to the Health Attestation Service
-- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
-- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
+- Collects data that is used to verify a device's health status
+- Forwards the data to the Health Attestation Service
+- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
+- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs' values that are measured during the boot, by using a secure communication channel to the Health Attestation Service.
@@ -532,21 +522,21 @@ The role of Windows Health Attestation Service is essentially to evaluate a set
Checking that a TPM attestation and the associated log are valid takes several steps:
-1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
-2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**.
-3. Next the logs should be checked to ensure that they match the PCR values reported.
-4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.
+1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
+2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**.
+3. Next the logs should be checked to ensure that they match the PCR values reported.
+4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.
The Health Attestation Service provides the following information to an MDM solution about the health of the device:
-- Secure Boot enablement
-- Boot and kernel debug enablement
-- BitLocker enablement
-- VSM enabled
-- Signed or unsigned Device Guard Code Integrity policy measurement
-- ELAM loaded
-- Safe Mode boot, DEP enablement, test signing enablement
-- Device TPM has been provisioned with a trusted endorsement certificate
+- Secure Boot enablement
+- Boot and kernel debug enablement
+- BitLocker enablement
+- VSM enabled
+- Signed or unsigned Device Guard Code Integrity policy measurement
+- ELAM loaded
+- Safe Mode boot, DEP enablement, test signing enablement
+- Device TPM has been provisioned with a trusted endorsement certificate
For completeness of the measurements, see [Health Attestation CSP](/windows/client-management/mdm/healthattestation-csp).
@@ -562,29 +552,29 @@ To make device health relevant, the MDM solution evaluates the device health rep
A solution that uses MDM and the Health Attestation Service consists of three main parts:
-1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
-2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
-3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it's been attested.
+1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
+2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
+3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it's been attested.
:::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png":::
Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows:
-1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
-2. The MDM server specifies a nonce along with the request.
-3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
-4. The MDM server:
+1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
+2. The MDM server specifies a nonce along with the request.
+3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
+4. The MDM server:
- 1. Verifies that the nonce is as expected.
- 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
+ 1. Verifies that the nonce is as expected.
+ 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
-5. The Health Attestation Service:
+5. The Health Attestation Service:
- 1. Decrypts the health blob.
- 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob.
- 3. Verifies that the nonce matches in the quote and the one that is passed from MDM.
- 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
- 5. Sends data back to the MDM server including health parameters, freshness, and so on.
+ 1. Decrypts the health blob.
+ 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob.
+ 3. Verifies that the nonce matches in the quote and the one that is passed from MDM.
+ 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
+ 5. Sends data back to the MDM server including health parameters, freshness, and so on.
> [!NOTE]
> The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.
@@ -625,7 +615,7 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bui
The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users.
-### Management of Windows Defender by third-party MDM
+### Management of Windows Defender by third-party MDM
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms.
@@ -641,7 +631,7 @@ If the device isn't registered, the user will get a message with instructions on
:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
-### Office 365 conditional access control
+### Office 365 conditional access control
Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
target groups.
@@ -663,20 +653,20 @@ Depending on the type of email application that employees use to access Exchange
Clients that attempt to access Office 365 will be evaluated for the following properties:
-- Is the device managed by an MDM?
-- Is the device registered with Azure AD?
-- Is the device compliant?
+- Is the device managed by an MDM?
+- Is the device registered with Azure AD?
+- Is the device compliant?
To get to a compliant state, the Windows 10-based device needs to:
-- Enroll with an MDM solution.
-- Register with Azure AD.
-- Be compliant with the device policies set by the MDM solution.
+- Enroll with an MDM solution.
+- Register with Azure AD.
+- Be compliant with the device policies set by the MDM solution.
> [!NOTE]
> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post.
-### Cloud and on-premises apps conditional access control
+### Cloud and on-premises apps conditional access control
Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access.
@@ -689,22 +679,22 @@ For more information about conditional access, see [Azure Conditional Access Pre
For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
-- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
-- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
+- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
+- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png":::
The following process describes how Azure AD conditional access works:
-1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
-2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
-3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
-4. User logs on and the MDM agent contacts the Intune/MDM server.
-5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
-6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
-7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
-8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
-9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
+1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
+2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
+3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
+4. User logs on and the MDM agent contacts the Intune/MDM server.
+5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
+6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
+7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
+8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
+9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
10. Intune/MDM server updates compliance state against device object in Azure AD.
11. User opens app, attempts to access a corporate managed asset.
12. Access gated by compliance claim in Azure AD.
@@ -719,43 +709,43 @@ Conditional access control is a topic that many organizations and IT pros may no
The following list contains high-level key takeaways to improve the security posture of any organization. However, the few takeaways presented in this section shouldn't be interpreted as an exhaustive list of security best practices.
-- **Understand that no solution is 100 percent secure**
+- **Understand that no solution is 100 percent secure**
If determined adversaries with malicious intent gain physical access to the device, they could eventually break through its security layers and control it.
-- **Use health attestation with an MDM solution**
+- **Use health attestation with an MDM solution**
Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and noncompliant devices can be detected, reported, and eventually blocked.
-- **Use Credential Guard**
+- **Use Credential Guard**
Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash attacks.
-- **Use Device Guard**
+- **Use Device Guard**
Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization).
-- **Sign Device Guard policy**
+- **Sign Device Guard policy**
Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard later is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy.
-- **Use virtualization-based security**
+- **Use virtualization-based security**
When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers.
-- **Start to deploy Device Guard with Audit mode**
+- **Start to deploy Device Guard with Audit mode**
Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity event log that indicates a program or a driver would have been blocked if Device Guard was configured in Enforcement mode. Adjust Device Guard rules until a high level of confidence has been reached. After the testing phase has been completed, Device Guard policy can be switched to Enforcement mode.
-- **Build an isolated reference machine when deploying Device Guard**
+- **Build an isolated reference machine when deploying Device Guard**
Because the corporate network can contain malware, you should start to configure a reference environment that is isolated from your main corporate network. After that, you can create a code integrity policy that includes the trusted applications you want to run on your protected devices.
-- **Use AppLocker when it makes sense**
+- **Use AppLocker when it makes sense**
Although AppLocker isn't considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows application for a specific user or a group of users.
-- **Lock down firmware and configuration**
+- **Lock down firmware and configuration**
After Windows 10 is installed, lock down firmware boot options access. This lockdown prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool.
@@ -765,4 +755,4 @@ Health attestation is a key feature of Windows 10 that includes client and cloud
- [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
- [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
-- [Trusted Platform Module technology overview](../information-protection/tpm/trusted-platform-module-overview.md)
+- [Trusted Platform Module technology overview](../../information-protection/tpm/trusted-platform-module-overview.md)
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
similarity index 83%
rename from windows/security/information-protection/secure-the-windows-10-boot-process.md
rename to windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
index be0c4f800d..1383de920b 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
@@ -1,24 +1,16 @@
---
title: Secure the Windows boot process
description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
-ms.prod: windows-client
-ms.author: paoloma
-author: paolomatarazzo
-manager: aaroncz
+ms.topic: conceptual
+ms.date: 03/09/2023
ms.collection:
- highpri
- tier1
-ms.topic: conceptual
-ms.date: 03/09/2023
-ms.technology: itpro-security
-appliesto:
-- ✅ Windows 10 and later
---
# Secure the Windows boot process
-
-The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
+Windows has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, Windows includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
@@ -50,9 +42,9 @@ Windows supports four features to help prevent rootkits and bootkits from loadin
Figure 1 shows the Windows startup process.
-.png)
+
-*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*
+*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*:
Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
@@ -82,27 +74,23 @@ These requirements help protect you from rootkits while allowing you to run any
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings.
-The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
+The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps:
-1. Open the firmware menu, either:
-
- - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
+1. Open the firmware menu, either:
+ - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
+ - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
+2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
+3. Save changes and exit.
- - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
-
-2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
-
-3. Save changes and exit.
-
-Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
+Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
Like most mobile devices, Arm-based devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems.
## Trusted Boot
-Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
## Early Launch Anti-Malware
@@ -129,13 +117,12 @@ Depending on the implementation and configuration, the server can now determine
Figure 2 illustrates the Measured Boot and remote attestation process.
+
-
-.png)
-
-*Figure 2. Measured Boot proves the PC's health to a remote server*
+*Figure 2. Measured Boot proves the PC's health to a remote server*:
Windows includes the application programming interfaces to support Measured Boot, but you'll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research:
+
- [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487)
- [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr)
diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml
index 86abf54e55..2945f5f884 100644
--- a/windows/security/operating-system-security/system-security/toc.yml
+++ b/windows/security/operating-system-security/system-security/toc.yml
@@ -1,28 +1,28 @@
items:
- name: Secure the Windows boot process
- href: ../../information-protection/secure-the-windows-10-boot-process.md
+ href: secure-the-windows-10-boot-process.md
- name: Secure Boot and Trusted Boot
- href: ../../trusted-boot.md
-- name: Measured Boot
+ href: trusted-boot.md
+- name: Measured Boot 🔗
href: /windows/compatibility/measured-boot
- name: Device health attestation service
- href: ../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+ href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
- name: Cryptography and certificate management
- href: ../../cryptography-certificate-mgmt.md
-- name: The Windows Security app
- href: ../../threat-protection/windows-defender-security-center/windows-defender-security-center.md
+ href: cryptography-certificate-mgmt.md
+- name: Windows Security app
+ href: windows-defender-security-center/windows-defender-security-center.md
items:
- name: Virus & threat protection
- href: ../../threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
+ href: windows-defender-security-center\wdsc-virus-threat-protection.md
- name: Account protection
- href: ../../threat-protection\windows-defender-security-center\wdsc-account-protection.md
+ href: windows-defender-security-center\wdsc-account-protection.md
- name: Firewall & network protection
- href: ../../threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
+ href: windows-defender-security-center\wdsc-firewall-network-protection.md
- name: App & browser control
- href: ../../threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
+ href: windows-defender-security-center\wdsc-app-browser-control.md
- name: Device security
- href: ../../threat-protection\windows-defender-security-center\wdsc-device-security.md
+ href: windows-defender-security-center\wdsc-device-security.md
- name: Device performance & health
- href: ../../threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
+ href: windows-defender-security-center\wdsc-device-performance-health.md
- name: Family options
- href: ../../threat-protection\windows-defender-security-center\wdsc-family-options.md
\ No newline at end of file
+ href: windows-defender-security-center\wdsc-family-options.md
\ No newline at end of file
diff --git a/windows/security/trusted-boot.md b/windows/security/operating-system-security/system-security/trusted-boot.md
similarity index 87%
rename from windows/security/trusted-boot.md
rename to windows/security/operating-system-security/system-security/trusted-boot.md
index 8790964196..a5b511cc48 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/operating-system-security/system-security/trusted-boot.md
@@ -1,14 +1,11 @@
---
title: Secure Boot and Trusted Boot
description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
-author: vinaypamnani-msft
-ms.author: vinpa
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2021
-ms.prod: windows-client
-ms.technology: itpro-security
ms.reviewer: jsuther
+appliesto:
+ - "✅ Windows 11"
---
# Secure Boot and Trusted Boot
@@ -21,7 +18,7 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from
The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
-As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.
## Trusted Boot
@@ -29,8 +26,8 @@ Trusted Boot picks up the process that started with Secure Boot. The Windows boo
Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
-[!INCLUDE [secure-boot-and-trusted-boot](../../includes/licensing/secure-boot-and-trusted-boot.md)]
+[!INCLUDE [secure-boot-and-trusted-boot](../../../../includes/licensing/secure-boot-and-trusted-boot.md)]
## See also
-[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md)
\ No newline at end of file
+[Secure the Windows boot process](secure-the-windows-10-boot-process.md)
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-custom-flyout.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-custom-flyout.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-home.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-home.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-start-menu.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-start-menu.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-start-menu.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-start-menu.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-taskbar.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-taskbar.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/settings-windows-defender-security-center-areas.PNG b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/settings-windows-defender-security-center-areas.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/settings-windows-defender-security-center-areas.PNG
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/settings-windows-defender-security-center-areas.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/wdsc-all-hide.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/wdsc-all-hide.png
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
new file mode 100644
index 0000000000..86a18cc532
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
@@ -0,0 +1,37 @@
+---
+title: Account protection in the Windows Security app
+description: Use the Account protection section to manage security for your account and sign in to Microsoft.
+ms.date: 12/31/2018
+ms.topic: article
+---
+
+
+# Account protection
+
+The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
+
+- [Microsoft Account](https://account.microsoft.com/account/faq)
+- [Windows Hello for Business](../../../identity-protection/hello-for-business/hello-identity-verification.md)
+- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
+
+You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features.
+
+## Hide the Account protection section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+
+You can only configure these settings by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
+1. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Account protection**.
+1. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
index 817ff1949e..a4e6a2916e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
@@ -1,21 +1,12 @@
---
title: App & browser control in the Windows Security app
description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-manager: aaroncz
-ms.technology: itpro-security
ms.topic: article
---
# App and browser control
-**Applies to**
-
-- Windows 10 and later
-
The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection).
@@ -32,13 +23,9 @@ You can only prevent users from modifying Exploit protection settings by using G
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
-
4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**.
-
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Hide the App & browser control section
@@ -51,13 +38,9 @@ This section can be hidden only by using Group Policy.
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
-
4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**.
-
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
> [!NOTE]
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
index 1aed92dc61..d792fabd4f 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -1,20 +1,12 @@
---
title: Customize Windows Security contact information
description: Provide information to your employees on how to contact your IT department when a security issue occurs
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Customize the Windows Security app for your organization
-**Applies to**
-
-- Windows 10 and later
-
You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
@@ -36,11 +28,8 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo
There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**.
-
4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or select one or the other:
1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
@@ -51,8 +40,8 @@ There are two stages to using the contact card and customized notifications. Fir
2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
-
6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**:
+
1. **Specify contact email address or Email ID**
2. **Specify contact phone number or Skype ID**
3. **Specify contact website**
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
similarity index 58%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
index bfc66838f7..f3c57f4410 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
@@ -2,52 +2,34 @@
title: Device & performance health in the Windows Security app
description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
ms.date: 12/31/2018
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.technology: itpro-security
ms.topic: article
---
# Device performance and health
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-
The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.
-
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
-
## Hide the Device performance & health section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Device performance and health**.
+1. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Device performance and health**.
-
-6. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
\ No newline at end of file
+> 
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
new file mode 100644
index 0000000000..35915c9351
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
@@ -0,0 +1,53 @@
+---
+title: Device security in the Windows Security app
+description: Use the Device security section to manage security built into your device, including virtualization-based security.
+ms.date: 12/31/2018
+ms.topic: article
+---
+
+# Device security
+
+The **Device security** section contains information and settings for built-in device security.
+
+You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+
+## Hide the Device security section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
+
+## Disable the Clear TPM button
+
+If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+## Hide the TPM Firmware Update recommendation
+
+If you don't want users to see the recommendation to update TPM firmware, you can disable it.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
similarity index 50%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
index f4a6bb11c6..df1907c2a3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
@@ -1,50 +1,35 @@
---
title: Family options in the Windows Security app
description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Family options
-**Applies to**
-
-- Windows 10 and later
-
The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.
Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
-
## Hide the Family options section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Family options**.
+1. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Family options**.
-
-6. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
\ No newline at end of file
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
similarity index 50%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
index 1d0d162d10..0d538dcab3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -1,49 +1,32 @@
---
title: Firewall and network protection in the Windows Security app
description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
-
# Firewall and network protection
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
+The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
-
## Hide the Firewall & network protection section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
+1. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
+1. Deploy the updated GPO as you normally do.
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
-
-6. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
-
-7. Deploy the updated GPO as you normally do.
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
-
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
similarity index 82%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
index 8ca7f8d1c1..d21b237aae 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
@@ -1,20 +1,12 @@
---
title: Hide notifications from the Windows Security app
description: Prevent Windows Security app notifications from appearing on user endpoints
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Hide Windows Security app notifications
-**Applies to**
-
-- Windows 10 and later
-
The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization.
@@ -28,30 +20,21 @@ If you set **Hide all notifications** to **Enabled**, changing the **Hide non-cr
You can only use Group Policy to change these settings.
-
-
## Use Group Policy to hide non-critical notifications
You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Windows Update for Business reports or Microsoft Configuration Manager reporting).
These notifications can be hidden only by using Group Policy.
->[!IMPORTANT]
->
-> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> [!IMPORTANT]
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
-
-2. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
-
-6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
+1. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Use Group Policy to hide all notifications
@@ -59,22 +42,18 @@ You can hide all notifications that are sourced from the Windows Security app. T
These notifications can be hidden only by using Group Policy.
->[!IMPORTANT]
->
-> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> [!IMPORTANT]
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
> [!NOTE]
> For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
-6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+1. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
> [!NOTE]
> You can use the following registry key and DWORD value to **Hide all notifications**.
@@ -95,7 +74,7 @@ These notifications can be hidden only by using Group Policy.
| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |Firewall and network protection notification|
| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |Firewall and network protection notification|
| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |Virus & threat protection notification|
-| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
+| Remediation failure | Microsoft Defender Antivirus couldn't completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification|
| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
@@ -109,7 +88,7 @@ These notifications can be hidden only by using Group Policy.
| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |Virus & threat protection notification|
| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |Virus & threat protection notification|
| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |Virus & threat protection notification|
-| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
+| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You're also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |Firewall and network protection notification|
| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |Firewall and network protection notification|
@@ -131,4 +110,4 @@ These notifications can be hidden only by using Group Policy.
| Dynamic lock on, bluetooth on, but device unpaired | | | No |Account protection notification|
| Dynamic lock on, bluetooth on, but unable to detect device | | | No |Account protection notification|
| NoPa or federated no hello | | | No |Account protection notification|
-| NoPa or federated hello broken | | | No |Account protection notification|
\ No newline at end of file
+| NoPa or federated hello broken | | | No |Account protection notification|
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
new file mode 100644
index 0000000000..f17c9907ba
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -0,0 +1,58 @@
+---
+title: Virus and threat protection in the Windows Security app
+description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
+ms.date: 12/31/2017
+ms.topic: article
+---
+
+# Virus and threat protection
+
+The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
+
+In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.
+
+IT administrators and IT pros can get more configuration information from these articles:
+
+- [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
+- [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
+- [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
+- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
+- [Ransomware detection and recovering your files](https://support.office.com/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
+
+You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
+
+## Hide the Virus & threat protection section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+
+This section can be hidden only by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
+1. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
+
+## Hide the Ransomware protection area
+
+You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app.
+
+This area can be hidden only by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
+1. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
similarity index 91%
rename from windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
index 41b535c96b..039d7fc3a6 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@@ -1,32 +1,17 @@
---
-title: The Windows Security app
+title: Windows Security app
description: The Windows Security app brings together common Windows security features into one place.
-search.product: eADQiWindows 10XVcnh
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-security
-ms.collection:
- - highpri
- - tier2
ms.date: 12/31/2017
ms.topic: article
+ms.collection:
+ - highpri
+ - tier2
---
-# The Windows Security app
-
-**Applies to**
-
-- Windows 10
-- Windows 11
+# Windows Security app
This library describes the Windows Security app, and provides information on configuring certain features, including:
-
-
- [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md)
- [Hiding notifications](wdsc-hide-notifications.md)
@@ -52,7 +37,7 @@ For more information about each section, options for configuring the sections, a
- [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall.
- [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations.
- [Device security](wdsc-device-security.md), which provides access to built-in device security settings.
-- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
+- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
- [Family options](wdsc-family-options.md), which include access to parental controls along with tips and information for keeping kids safe online.
> [!NOTE]
@@ -65,9 +50,11 @@ For more information about each section, options for configuring the sections, a
- Select the icon in the notification area on the taskbar.
+
- Search the Start menu for **Windows Security**.
+
- Open an area from Windows **Settings**.
@@ -78,7 +65,7 @@ For more information about each section, options for configuring the sections, a
## How the Windows Security app works with Windows security features
> [!IMPORTANT]
-> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
+> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
>
> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that the app provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
>
@@ -86,7 +73,7 @@ For more information about each section, options for configuring the sections, a
>
> Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
>
-> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
+> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
> [!WARNING]
> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
diff --git a/windows/security/operating-system-security/toc.yml b/windows/security/operating-system-security/toc.yml
index a0ee50c4bb..8df8195bdd 100644
--- a/windows/security/operating-system-security/toc.yml
+++ b/windows/security/operating-system-security/toc.yml
@@ -1,6 +1,6 @@
items:
- name: Overview
- href: ../operating-system.md
+ href: index.md
- name: System security
href: system-security/toc.yml
- name: Virus and threat protection
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
index 18f1795945..1b896b0738 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
@@ -1,18 +1,8 @@
---
title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.localizationpriority: medium
ms.date: 05/31/2023
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.technology: itpro-security
ms.topic: reference
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
---
# Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index 74a3cd15d9..f474a45688 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,18 +1,10 @@
---
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.prod: windows-client
-ms.technology: itpro-security
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.reviewer: paoloma
-manager: aaroncz
-ms.localizationpriority: medium
ms.date: 05/31/2023
-adobe-target: true
+ms.topic: conceptual
appliesto:
- ✅ Windows 11, version 22H2
-ms.topic: conceptual
---
# Enhanced Phishing Protection in Microsoft Defender SmartScreen
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
index 8b326614fd..3940c5070c 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
@@ -1,19 +1,12 @@
---
title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
+ms.date: 05/31/2023
+ms.topic: article
ms.localizationpriority: high
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-security
-adobe-target: true
ms.collection:
- tier2
- highpri
-ms.date: 05/31/2023
-ms.topic: article
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
index 9f7c2d6f2f..8e86c254c7 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
+++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
@@ -2,7 +2,8 @@ items:
- name: Microsoft Defender Antivirus 🔗
href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
- name: Configuring LSA Protection
- href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
+ href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
+ preserveContext: true
- name: Attack surface reduction (ASR) 🔗
href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
- name: Tamper protection for MDE 🔗
diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md
deleted file mode 100644
index d5a1753a2a..0000000000
--- a/windows/security/operating-system.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Windows operating system security
-description: Securing the operating system includes system security, encryption, network security, and threat protection.
-ms.reviewer:
-ms.topic: article
-manager: aaroncz
-ms.author: paoloma
-author: paolomatarazzo
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.date: 09/21/2021
----
-
-# Windows operating system security
-
-Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
-
-Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
-
-Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.
-
-| Security Measures | Features & Capabilities |
-|:---|:---|
-| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.
Learn more [Secure Boot and Trusted Boot](trusted-boot.md). |
-Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.
Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).
|
-Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).|
-| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.
Learn more about [Encryption](encryption-data-protection.md).
-| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.
Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). |
-| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).|
-| S/MIME | S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
Learn more about [S/MIME for Windows](operating-system-security/data-protection/configure-s-mime.md).|
-| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.
Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
-| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.
Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).
|
-| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.
Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).
-| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.
From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).
Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.
Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).|
-| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.
Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) |
-| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user's data, to install malware, or to otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates
Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). |
-| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.
In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.
Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). |
-| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps' access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.
Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). |
-| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.
You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). |
-| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.
Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). |
-
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
index eb76f1d581..14cccd81d4 100644
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@@ -83,7 +83,7 @@ This subcategory allows you to audit events generated by changes to security gro
> [!IMPORTANT]
> Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
-- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4755 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
diff --git a/windows/security/threat-protection/images/community.png b/windows/security/threat-protection/images/community.png
deleted file mode 100644
index 8d99720c6e..0000000000
Binary files a/windows/security/threat-protection/images/community.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
index 8d0ace0072..6dcfe5687d 100644
--- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
@@ -1,93 +1,81 @@
---
-title: Configure security policy settings
+title: Configure security policy settings
description: Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.
-ms.assetid: 63b0967b-a9fe-4d92-90af-67469ee20320
-ms.reviewer:
ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
-ms.collection:
- - highpri
- - tier3
+ms.collection:
+- highpri
+- tier3
ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: itpro-security
+ms.date: 06/07/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
+
# Configure security policy settings
-**Applies to**
-- Windows 11
-- Windows 10
-
-Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.
-
-You must have Administrators rights on the local device, or you must have the appropriate permissions to update a Group Policy Object (GPO) on the domain controller to perform these procedures.
+This article describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. You must have Administrators rights on the local device, or you must have the appropriate permissions to update a Group Policy Object (GPO) on the domain controller to perform these procedures.
When a local setting is inaccessible, it indicates that a GPO currently controls that setting.
-## To configure a setting using the Local Security Policy console
+## To configure a setting using the Local Security Policy console
-1. To open Local Security Policy, on the **Start** screen, type **secpol.msc**, and then press ENTER.
-2. Under **Security Settings** of the console tree, do one of the following:
+1. To open Local Security Policy, on the **Start** screen, type **secpol.msc**, and then press ENTER.
+1. Under **Security Settings** of the console tree, do one of the following:
+ - Select **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**.
+ - Select **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
+1. When you find the policy setting in the details pane, double-click the security policy that you want to modify.
+1. Modify the security policy setting, and then select **OK**.
- - Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**.
- - Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
+> [!NOTE]
+>
+> - Some security policy settings require that the device be restarted before the setting takes effect.
+> - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
-3. When you find the policy setting in the details pane, double-click the security policy that you want to modify.
-4. Modify the security policy setting, and then click **OK**.
-
- > [!NOTE]
- > - Some security policy settings require that the device be restarted before the setting takes effect.
- > - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
-
-## To configure a security policy setting using the Local Group Policy Editor console
+## To configure a security policy setting using the Local Group Policy Editor console
You must have the appropriate permissions to install and use the Microsoft Management Console (MMC), and to update a Group Policy Object (GPO) on the domain controller to perform these procedures.
-1. Open the Local Group Policy Editor (gpedit.msc).
-2. In the console tree, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**.
-3. Do one of the following:
+1. Open the Local Group Policy Editor (gpedit.msc).
+1. In the console tree, click **Computer Configuration**, select **Windows Settings**, and then select **Security Settings**.
+1. Do one of the following:
+ - Select **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**.
+ - Select **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
+1. In the details pane, double-click the security policy setting that you want to modify.
- - Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**.
- - Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
+ > [!NOTE]
+ > If this security policy has not yet been defined, select the **Define these policy settings** check box.
-4. In the details pane, double-click the security policy setting that you want to modify.
-
- > [!NOTE]
- > If this security policy has not yet been defined, select the **Define these policy settings** check box.
-
-5. Modify the security policy setting, and then click **OK**.
+1. Modify the security policy setting, and then select **OK**.
> [!NOTE]
> If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
-
-## To configure a setting for a domain controller
+
+## To configure a setting for a domain controller
The following procedure describes how to configure a security policy setting for only a domain controller (from the domain controller).
-1. To open the domain controller security policy, in the console tree, locate *GroupPolicyObject \[ComputerName\]* Policy, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**.
-2. Do one of the following:
+1. To open the domain controller security policy, in the console tree, locate *GroupPolicyObject \[ComputerName\]* Policy, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**.
+1. Do one of the following:
- - Double-click **Account Policies** to edit the **Password Policy**, **Account Lockout Policy**, or **Kerberos Policy**.
- - Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
+ - Double-click **Account Policies** to edit the **Password Policy**, **Account Lockout Policy**, or **Kerberos Policy**.
+ - Select **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
-3. In the details pane, double-click the security policy that you want to modify.
+1. In the details pane, double-click the security policy that you want to modify.
- > [!NOTE]
- > If this security policy has not yet been defined, select the **Define these policy settings** check box.
-
-4. Modify the security policy setting, and then click **OK**.
+ > [!NOTE]
+ > If this security policy has not yet been defined, select the **Define these policy settings** check box.
+
+1. Modify the security policy setting, and then select **OK**.
> [!IMPORTANT]
-> - Always test a newly created policy in a test organizational unit before you apply it to your network.
-> - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
-
-## Related topics
+>
+> - Always test a newly created policy in a test organizational unit before you apply it to your network.
+> - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
+
+## Related articles
- [Security policy settings reference](security-policy-settings-reference.md)
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
index f0c1ef0a6c..dbc99216c2 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
@@ -90,7 +90,7 @@ There are no security audit event policies that can be configured to view output
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
-NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the
+NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the
Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards.
### Vulnerability
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index a8b2882f5b..5829e660c8 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -1,30 +1,22 @@
---
-title: Password must meet complexity requirements
+title: Password must meet complexity requirements
description: Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting.
-ms.assetid: 94482ae3-9dda-42df-9782-2f66196e6afe
-ms.reviewer:
ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
-ms.collection:
- - highpri
- - tier3
+ms.collection:
+ - highpri
+ - tier3
ms.topic: conceptual
-ms.technology: itpro-security
-ms.date: 12/31/2017
+ms.date: 06/07/2023
---
# Password must meet complexity requirements
**Applies to**
-- Windows 11
-- Windows 10
+- Windows 11
+- Windows 10
Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.
@@ -32,41 +24,39 @@ Describes the best practices, location, values, and security considerations for
The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements:
-1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive.
+1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive.
- The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped.
- The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password.
+ The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password.
-2. The password contains characters from three of the following categories:
+2. The password contains characters from three of the following categories:
- - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- - Base 10 digits (0 through 9)
- - Non-alphanumeric characters (special characters):
- (~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/)
- Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
- - Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages.
+ - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
+ - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
+ - Base 10 digits (0 through 9)
+ - Non-alphanumeric characters (special characters): ``(~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/)``
+ Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
+ - Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages.
Complexity requirements are enforced when passwords are changed or created.
-The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they can't be directly modified.
+The rules that are included in the Windows Server password complexity requirements are part of `Passfilt.dll`, and they can't be directly modified.
When enabled, the default Passfilt.dll may cause some more Help Desk calls for locked-out accounts, because users are used to passwords that contain only characters that are in the alphabet. But this policy setting is liberal enough that all users should get used to it.
-Other settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0).
+Other settings that can be included in a custom `Passfilt.dll` are the use of non-upper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0).
### Possible values
-- Enabled
-- Disabled
-- Not defined
+- Enabled
+- Disabled
+- Not defined
### Best practices
> [!TIP]
> For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance).
-Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.
+Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.
The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that don't add more complexity to the password.)
@@ -74,21 +64,21 @@ Short passwords that contain only alphanumeric characters are easy to compromise
### Location
-**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**
+`Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy`
### Default values
The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page.
-| Server type or Group Policy Object (GPO) | Default value |
-|---|---|
-| Default domain policy | Enabled |
-| Default domain controller policy | Enabled |
-| Stand-alone server default settings | Disabled |
-| Domain controller effective default settings | Enabled |
-| Member server effective default settings | Enabled|
-| Effective GPO default settings on client computers | Disabled |
-
+| Server type or Group Policy Object (GPO) | Default value |
+|----------------------------------------------------|---------------|
+| Default domain policy | Enabled |
+| Default domain controller policy | Enabled |
+| Stand-alone server default settings | Disabled |
+| Domain controller effective default settings | Enabled |
+| Member server effective default settings | Enabled |
+| Effective GPO default settings on client computers | Disabled |
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
@@ -107,9 +97,9 @@ When combined with a [Minimum password length](minimum-password-length.md) of 8,
If the default configuration for password complexity is kept, more Help Desk calls for locked-out accounts could occur because users might not be used to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to follow the complexity requirement with minimal difficulty.
-If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those symbols that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password doesn't contain common dictionary words or fragments.
+If your organization has more stringent security requirements, you can create a custom version of the `Passfilt.dll` file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those symbols that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password doesn't contain common dictionary words or fragments.
-The use of ALT key character combinations may greatly enhance the complexity of a password. However, such stringent password requirements might result in more Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that wouldn't add more complexity to the password.)
+The use of ALT key character combinations may greatly enhance the complexity of a password. However, such stringent password requirements might result in more Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128-0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that wouldn't add more complexity to the password.)
## Related articles
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
index 0400b53abf..0af1870a2a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
@@ -1,17 +1,12 @@
---
-title: Add rules for packaged apps to existing AppLocker rule-set
+title: Add rules for packaged apps to existing AppLocker rule-set
description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
-ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Add rules for packaged apps to existing AppLocker rule-set
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,6 +21,4 @@ This topic for IT professionals describes how to update your existing AppLocker
You can create packaged app rules for the computers running Windows Server 2012 or Windows 8 and later in your domain by updating your existing AppLocker rule set. All you need is a computer running at least Windows 8. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center.
-RSAT comes with the Group Policy Management Console that allows you to edit the GPO or GPOs where your existing AppLocker policy is authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8.
-
-
+RSAT comes with the Group Policy Management Console that allows you to edit the GPO or GPOs where your existing AppLocker policy is authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
index 3746acc1c8..6e41e6c5e2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
@@ -1,17 +1,12 @@
---
-title: Administer AppLocker
+title: Administer AppLocker
description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
-ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 02/28/2019
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Administer AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -62,7 +51,7 @@ You can administer AppLocker policies by using the Group Policy Management Conso
### Administer AppLocker using Group Policy
-You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.
+You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.
1. Open the Group Policy Management Console (GPMC).
2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click **Edit**.
@@ -76,4 +65,4 @@ You must have Edit Setting permission to edit a GPO. By default, members of the
## Using Windows PowerShell to administer AppLocker
-For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](/powershell/module/applocker/).
\ No newline at end of file
+For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](/powershell/module/applocker/).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
index fee5823096..37127bd09f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
@@ -1,17 +1,12 @@
---
-title: AppLocker architecture and components
+title: AppLocker architecture and components
description: This topic for IT professional describes AppLocker’s basic architecture and its major components.
-ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,16 +14,10 @@ ms.technology: itpro-security
# AppLocker architecture and components
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic for IT professional describes AppLocker’s basic architecture and its major components.
+This topic for IT professional describes AppLocker's basic architecture and its major components.
AppLocker relies on the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions.
@@ -49,5 +38,3 @@ Before a script file is run, the script host (for example, for .ps1 files, the s
## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
index dccdeafe16..52acbce003 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
@@ -1,17 +1,12 @@
---
-title: AppLocker functions
+title: AppLocker functions
description: This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
-ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker functions
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,7 +21,7 @@ This article for the IT professional lists the functions and security levels for
## Functions
-Here are the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2:
+Here are the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2:
- [SaferGetPolicyInformation Function](/windows/win32/api/winsafer/nf-winsafer-safergetpolicyinformation)
- [SaferCreateLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercreatelevel)
@@ -61,4 +50,3 @@ AppLocker and SRP use the security level IDs to specify the access requirements
## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index 238a5d1884..c13e82db76 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -1,93 +1,63 @@
---
-title: AppLocker
-description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
-ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a
-ms.reviewer:
+title: AppLocker
+description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
-ms.collection:
- - highpri
- - tier3
+ms.collection:
+- highpri
+- tier3
ms.topic: conceptual
-ms.date: 10/16/2017
-ms.technology: itpro-security
+ms.localizationpriority: medium
+ms.date: 06/07/2023
---
# AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
+This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
> [!NOTE]
> AppLocker is unable to control processes running under the system account on any operating system.
AppLocker can help you:
-- Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
-- Assign a rule to a security group or an individual user.
-- Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe).
-- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
-- Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
-- Simplify creating and managing AppLocker rules by using Windows PowerShell.
+- Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
+- Assign a rule to a security group or an individual user.
+- Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe).
+- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
+- Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
+- Simplify creating and managing AppLocker rules by using Windows PowerShell.
AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. AppLocker addresses the following app security scenarios:
-- **Application inventory**
-
- AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
-
-- **Protection against unwanted software**
-
- AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that aren't included in the allowed rules are blocked from running.
-
-- **Licensing conformance**
-
- AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.
-
-- **Software standardization**
-
- AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment.
-
-- **Manageability improvement**
-
- AppLocker includes many improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
-
+- **Application inventory**: AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
+- **Protection against unwanted software**: AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that aren't included in the allowed rules are blocked from running.
+- **Licensing conformance**: AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.
+- **Software standardization**: AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment.
+- **Manageability improvement**: AppLocker includes many improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
## When to use AppLocker
-In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.
+In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.
-However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run.
-Software publishers are beginning to create more apps that can be installed by non-administrative users. This privilege could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. AppLocker creates an allowed list of approved files and apps to help prevent such per-user apps from running. Because AppLocker can control DLLs, it's also useful to control who can install and run ActiveX controls.
+However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. Software publishers are beginning to create more apps that can be installed by non-administrative users. This privilege could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. AppLocker creates an allowed list of approved files and apps to help prevent such per-user apps from running. Because AppLocker can control DLLs, it's also useful to control who can install and run ActiveX controls.
AppLocker is ideal for organizations that currently use Group Policy to manage their PCs.
The following are examples of scenarios in which AppLocker can be used:
-- Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
-- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
-- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
-- The license to an app has been revoked or it's expired in your organization, so you need to prevent it from being used by everyone.
-- A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
-- Specific software tools aren't allowed within the organization, or only specific users should have access to those tools.
-- A single user or small group of users needs to use a specific app that is denied for all others.
-- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
-- In addition to other measures, you need to control the access to sensitive data through app usage.
+- Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
+- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
+- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
+- The license to an app has been revoked or it's expired in your organization, so you need to prevent it from being used by everyone.
+- A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
+- Specific software tools aren't allowed within the organization, or only specific users should have access to those tools.
+- A single user or small group of users needs to use a specific app that is denied for all others.
+- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
+- In addition to other measures, you need to control the access to sensitive data through app usage.
> [!NOTE]
> AppLocker is a defense-in-depth security feature and not a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
@@ -99,8 +69,8 @@ AppLocker can help you protect the digital assets within your organization, redu
AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
> [!NOTE]
-> The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
-
+> GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
+
### Using AppLocker on Server Core
AppLocker on Server Core installations isn't supported.
@@ -111,42 +81,38 @@ You can administer AppLocker policies by using a virtualized instance of Windows
### Security considerations
-Application control policies specify which apps are allowed to run on the local computer.
-
-The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
+Application control policies specify which apps are allowed to run on the local computer. The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers.
A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it's important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
-For more information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md).
+For more information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). When you use AppLocker to create application control policies, you should be aware of the following security considerations:
-When you use AppLocker to create application control policies, you should be aware of the following security considerations:
-
-- Who has the rights to set AppLocker policies?
-- How do you validate that the policies are enforced?
-- What events should you audit?
+- Who has the rights to set AppLocker policies?
+- How do you validate that the policies are enforced?
+- What events should you audit?
For reference in your security planning, the following table identifies the baseline settings for a PC with AppLocker installed:
-| Setting | Default value |
-| - | - |
-| Accounts created | None |
-| Authentication method | Not applicable |
-| Management interfaces | AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell |
-| Ports opened | None |
+| Setting | Default value |
+|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
+| Accounts created | None |
+| Authentication method | Not applicable |
+| Management interfaces | AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell |
+| Ports opened | None |
| Minimum privileges required | Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects. |
-| Protocols used | Not applicable |
-| Scheduled Tasks | Appidpolicyconverter.exe is put in a scheduled task to be run on demand. |
-| Security Policies | None required. AppLocker creates security policies. |
-| System Services required |Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. |
-| Storage of credentials | None |
-
+| Protocols used | Not applicable |
+| Scheduled Tasks | Appidpolicyconverter.exe is put in a scheduled task to be run on demand. |
+| Security Policies | None required. AppLocker creates security policies. |
+| System Services required | Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. |
+| Storage of credentials | None |
+
## In this section
-| Topic | Description |
-| - | - |
-| [Administer AppLocker](administer-applocker.md) | This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. |
-| [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
-| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
-| [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. |
+| Article | Description |
+|----------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Administer AppLocker](administer-applocker.md) | This article for IT professionals provides links to specific procedures to use when administering AppLocker policies. |
+| [AppLocker design guide](applocker-policies-design-guide.md) | This article for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
+| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
+| [AppLocker technical reference](applocker-technical-reference.md) | This overview article for IT professionals provides links to the articles in the technical reference. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
index a651d67814..2c37794578 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
@@ -1,31 +1,19 @@
---
-title: AppLocker deployment guide
+title: AppLocker deployment guide
description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
-ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
---
-
# AppLocker deployment guide
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -63,4 +51,3 @@ This guide provides steps based on your design and planning investigation for de
| [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) | This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. |
| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. |
| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. |
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
index 6aff5add05..0953e691f1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
@@ -1,17 +1,12 @@
---
-title: AppLocker design guide
+title: AppLocker design guide
description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
-ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker design guide
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -46,6 +35,5 @@ To understand if AppLocker is the correct application control solution for your
| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you're planning to deploy AppLocker rules. |
| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |
-
+
After careful design and detailed planning, the next step is to deploy AppLocker policies. [AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
index 46d2994927..e4b467ac07 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
@@ -1,17 +1,12 @@
---
-title: AppLocker policy use scenarios
+title: AppLocker policy use scenarios
description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
-ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker policy use scenarios
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -71,5 +60,3 @@ The following are examples of scenarios in which AppLocker can be used:
## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
index 82be229c35..f9b3d75543 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
@@ -1,17 +1,12 @@
---
-title: AppLocker processes and interactions
+title: AppLocker processes and interactions
description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
-ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker processes and interactions
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
index 4d62e1248b..2371faff67 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
@@ -1,17 +1,12 @@
---
-title: AppLocker settings
+title: AppLocker settings
description: This topic for the IT professional lists the settings used by AppLocker.
-ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker settings
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
index 24739dbfcd..a4e2b5c421 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
@@ -1,17 +1,12 @@
---
-title: AppLocker technical reference
+title: AppLocker technical reference
description: This overview topic for IT professionals provides links to the topics in the technical reference.
-ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker technical reference
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -39,9 +28,9 @@ AppLocker advances the application control features and functionality of Softwar
| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. |
| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. |
| [How AppLocker works](how-applocker-works-techref.md) | This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. |
-| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLocker’s basic architecture and its major components. |
+| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLocker's basic architecture and its major components. |
| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. |
| [AppLocker functions](applocker-functions.md) | This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. |
| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. |
| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This topic for the IT professional describes the tools available to create and administer AppLocker policies. |
-| [AppLocker Settings](applocker-settings.md) | This topic for the IT professional lists the settings used by AppLocker. |
+| [AppLocker Settings](applocker-settings.md) | This topic for the IT professional lists the settings used by AppLocker. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
index db47a41ae0..762f500737 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
@@ -1,17 +1,12 @@
---
-title: Configure an AppLocker policy for audit only
+title: Configure an AppLocker policy for audit only
description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.
-ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 06/08/2018
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Configure an AppLocker policy for audit only
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -33,7 +22,7 @@ This topic for IT professionals describes how to set AppLocker policies to **Aud
After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**.
When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
-
+
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
**To audit rule collections**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
index 0eaf785afa..5677e08745 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
@@ -1,17 +1,12 @@
---
-title: Configure an AppLocker policy for enforce rules
+title: Configure an AppLocker policy for enforce rules
description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
-ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,18 +14,12 @@ ms.technology: itpro-security
# Configure an AppLocker policy for enforce rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
->**Note:** When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited.
+>**Note:** When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited.
For info about how AppLocker policies are applied within a GPO structure, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
index 2f81ecf9ea..d7fb5a0851 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
@@ -1,17 +1,12 @@
---
-title: Add exceptions for an AppLocker rule
+title: Add exceptions for an AppLocker rule
description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.
-ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Add exceptions for an AppLocker rule
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -45,5 +34,3 @@ You can perform this task by using the Group Policy Management Console for an Ap
- For a path exception, choose the file or folder path to exclude, and then click **OK**.
- For a file hash exception, edit the file hash rule, and click **Remove**.
- For a packaged apps exception, click **Add** to create the exceptions based on reference app and rule scope.
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
index a9229d7b60..ad878e7040 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
@@ -1,17 +1,12 @@
---
-title: Configure the AppLocker reference device
+title: Configure the AppLocker reference device
description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
-ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Configure the AppLocker reference device
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -39,13 +28,13 @@ An AppLocker reference device that is used for the development and deployment of
The reference device doesn't need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
->**Warning:** Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected.
+>**Warning:** Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected.
**To configure a reference device**
1. If the operating system isn't already installed, install one of the supported editions of Windows on the device.
- >**Note:** If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device
+ >**Note:** If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device
2. Configure the administrator account.
@@ -59,5 +48,3 @@ The reference device doesn't need to be joined to a domain, but it must be able
- After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this task, see [Working with AppLocker rules](working-with-applocker-rules.md).
- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
index 7b55776a9f..b9261a395b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
@@ -1,17 +1,12 @@
---
-title: Configure the Application Identity service
+title: Configure the Application Identity service
description: This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.
-ms.assetid: dc469599-37fd-448b-b23e-5b8e4f17e561
ms.reviewer:
ms.author: vinpa
-ms.pagetype: security
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 07/01/2021
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Configure the Application Identity service
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,7 +21,7 @@ This topic for IT professionals shows how to configure the Application Identity
The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced.
->**Important:** When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file.
+>**Important:** When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file.
**To start the Application Identity service automatically using Group Policy**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index bda3579c22..357689283c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -1,17 +1,12 @@
---
-title: Create a rule for packaged apps
+title: Create a rule for packaged apps
description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
-ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create a rule for packaged apps
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -63,7 +52,7 @@ You can perform this task by using the Group Policy Management Console for an Ap
|Applies to a specific **Publisher** | This setting scopes the rule to all apps published by a particular publisher. | You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. |
|Applies to a **Package name** | This setting scopes the rule to all packages that share the publisher name and package name as the reference file. | You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. |
|Applies to a **Package version** | This setting scopes the rule to a particular version of the package. | You want to be selective in what you allow. You don't want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. |
- |Applying custom values to the rule | Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance. | You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding “Microsoft.Bing*” as the Package name. |
+ |Applying custom values to the rule | Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance. | You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding "Microsoft.Bing*" as the Package name. |
6. Select **Next**.
7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. These conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
index f03d446082..592e0d0250 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
@@ -1,17 +1,12 @@
---
-title: Create a rule that uses a file hash condition
+title: Create a rule that uses a file hash condition
description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.
-ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create a rule that uses a file hash condition
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -46,7 +35,7 @@ AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins
5. On the **Conditions** page, select the **File hash** rule condition, and then click **Next**.
6. **Browse Files** to locate the targeted application file.
- >**Note:** You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button.
-
+ >**Note:** You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button.
+
7. Click **Next**.
8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
index c79af9cb24..019d399434 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
@@ -1,17 +1,12 @@
---
-title: Create a rule that uses a path condition
+title: Create a rule that uses a path condition
description: This topic for IT professionals shows how to create an AppLocker rule with a path condition.
-ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create a rule that uses a path condition
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,7 +21,7 @@ This topic for IT professionals shows how to create an AppLocker rule with a pat
The path condition identifies an app by its location in the file system of the computer or on the network.
->**Important:** When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles.
+>**Important:** When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles.
For info about the path condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
@@ -47,7 +36,7 @@ You can perform this task by using the Group Policy Management Console for an Ap
5. On the **Conditions** page, select the **Path** rule condition, and then click **Next**.
6. Click **Browse Files** to locate the targeted folder for the app.
- >**Note:** When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
+ >**Note:** When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
7. Click **Next**.
8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
index 66440056c3..b7973d180c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
@@ -1,17 +1,12 @@
---
-title: Create a rule that uses a publisher condition
+title: Create a rule that uses a publisher condition
description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.
-ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create a rule that uses a publisher condition
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
index d9ad04fc74..a9b4962478 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
@@ -1,17 +1,12 @@
---
-title: Create AppLocker default rules
+title: Create AppLocker default rules
description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.
-ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create AppLocker default rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
index 014f1edcd3..1811f0ba24 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
@@ -1,17 +1,12 @@
---
-title: Create a list of apps deployed to each business group
+title: Create a list of apps deployed to each business group
description: This topic describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker.
-ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create a list of apps deployed to each business group
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -81,5 +70,3 @@ For guidance, see the following topics:
- [Select the types of rules to create](select-types-of-rules-to-create.md)
- [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
index d632badeea..5de5930086 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
@@ -1,17 +1,12 @@
---
-title: Create Your AppLocker policies
+title: Create Your AppLocker policies
description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
-ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create Your AppLocker policies
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -44,7 +33,6 @@ You can develop an application control policy plan to guide you in making succes
6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
7. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
-
## Step 2: Create your rules and rule collections
Each rule applies to one or more apps, and it imposes a specific rule condition on them. Rules can be created individually or they can be generated by the Automatically Generate Rules Wizard. For the steps to create the rules, see [Create Your AppLocker rules](create-your-applocker-rules.md).
@@ -64,7 +52,7 @@ In a test environment or with the enforcement setting set at **Audit only**, ver
## Step 6: Implement the policy
-Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value—**Enforce rules** or **Audit only**.
+Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value-**Enforce rules** or **Audit only**.
## Step 7: Test the effect of the policy and adjust
Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. For information on how to do these tasks, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
@@ -80,4 +68,3 @@ Follow the steps described in the following topics to continue the deployment pr
## See also
- [AppLocker deployment guide](applocker-policies-deployment-guide.md)
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
index 7f416d3255..5e05fb2c6e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
@@ -1,17 +1,12 @@
---
-title: Create Your AppLocker rules
+title: Create Your AppLocker rules
description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
-ms.assetid: b684a3a5-929c-4f70-8742-04088022f232
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create Your AppLocker rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -48,7 +37,7 @@ You can use a reference device to automatically create a set of default rules fo
You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you're targeting a few applications within a business group.
->**Note:** AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md).
+>**Note:** AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md).
For information about performing this task, see:
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index 88f67e4728..e639e46f0b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -1,17 +1,12 @@
---
-title: Delete an AppLocker rule
+title: Delete an AppLocker rule
description: This article for IT professionals describes the steps to delete an AppLocker rule.
-ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 03/10/2023
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Delete an AppLocker rule
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index 21b28d7b69..b01a4cb864 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -1,17 +1,12 @@
---
-title: Deploy AppLocker policies by using the enforce rules setting
+title: Deploy AppLocker policies by using the enforce rules setting
description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
-ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Deploy AppLocker policies by using the enforce rules setting
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -51,7 +40,7 @@ Rule enforcement is applied only to a collection of rules, not to individual rul
You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](https://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the
Microsoft Desktop Optimization Pack.
->**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
+>**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
@@ -64,5 +53,3 @@ When a policy is deployed, it's important to monitor the actual implementation o
## Other resources
- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
index ae2ca63f83..bd454cbc25 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
@@ -1,17 +1,12 @@
---
-title: Deploy the AppLocker policy into production
+title: Deploy the AppLocker policy into production
description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
-ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Deploy the AppLocker policy into production
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
index 21bcfc2b31..75cb76fbb6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
@@ -1,17 +1,12 @@
---
-title: Determine the Group Policy structure and rule enforcement
+title: Determine the Group Policy structure and rule enforcement
description: This overview topic describes the process to follow when you're planning to deploy AppLocker rules.
-ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Determine the Group Policy structure and rule enforcement
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -45,4 +34,4 @@ When you're determining how many Group Policy Objects (GPOs) to create when you
- GPO naming conventions
- GPO size limits
->**Note:** There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB.
+>**Note:** There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
index 8308562822..aae68e89c5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
@@ -1,17 +1,12 @@
---
-title: Find digitally signed apps on a reference device
+title: Find digitally signed apps on a reference device
description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
-ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Determine which apps are digitally signed on a reference device
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -46,5 +35,3 @@ For command parameters, syntax, and examples, see [Get-AppLockerFileInformation]
## Related topics
- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
-
-
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
index 84e059c69f..bd8cd14419 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
@@ -1,17 +1,12 @@
---
-title: Determine your application control objectives
+title: Determine your application control objectives
description: Determine which applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
-ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Determine your application control objectives
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -42,7 +31,7 @@ Use the following table to develop your own objectives and determine which appli
|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.
AppLocker permits customization of error messages to direct users to a Web page for help.|
|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
-|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.
SRP can also be configured in the “allowlist mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allowlist mode. Only those files are allowed to run for which there's a matching allow rule.|
+|Enforcement mode|SRP works in the "blocklist mode" where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.
SRP can also be configured in the "allowlist mode" such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allowlist mode. Only those files are allowed to run for which there's a matching allow rule.|
|File types that can be controlled|SRP can control the following file types:
ExecutablesDLLsScriptsWindows Installers
SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:ExecutablesDLLsScriptsWindows InstallersPackaged apps and installers
AppLocker maintains a separate rule collection for each of the five file types.|
|Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this addition of extension. AppLocker currently supports the following file extensions:Executables (.exe, .com)DLLs (.ocx, .dll)Scripts (.vbs, .js, .ps1, .cmd, .bat)Windows Installers (.msi, .mst, .msp)Packaged app installers (.appx)|
|Rule types|SRP supports four types of rules:HashPathSignature
Internet zone|AppLocker supports three types of rules:HashPathPublisher|
@@ -50,7 +39,7 @@ Use the following table to develop your own objectives and determine which appli
|Support for different security levels|With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.
SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker doesn't support security levels.|
|Manage Packaged apps and Packaged app installers.|Unable|.appx is a valid file type which AppLocker can manage.|
|Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
-|Support for rule exceptions|SRP doesn't support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.|
+|Support for rule exceptions|SRP doesn't support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as "Allow everything from Windows except for Regedit.exe".|
|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you're satisfied with the results, you can start enforcing the policy.|
|Support for exporting and importing policies|SRP doesn't support policy import/export.|AppLocker supports the importing and exporting of policies. This support by AppLocker allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.|
|Rule enforcement|Internally, SRP rules enforcement happens in user-mode, which is less secure.|Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index a06323374d..050d675248 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -1,17 +1,12 @@
---
-title: Display a custom URL message when users try to run a blocked app
+title: Display a custom URL message when users try to run a blocked app
description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
-ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85
ms.reviewer:
ms.author: vinpa
-ms.pagetype: security
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Display a custom URL message when users try to run a blocked app
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,7 +21,7 @@ This topic for IT professionals describes the steps for displaying a customized
With the help of Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you don't display a custom message when an app is blocked, the default access denied message is displayed.
-To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**To display a custom URL message when users try to run a blocked app**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index 46473d9aea..641ee98a64 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -1,17 +1,12 @@
---
-title: DLL rules in AppLocker
+title: DLL rules in AppLocker
description: This topic describes the file formats and available default rules for the DLL rule collection.
-ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# DLL rules in AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 23268ed540..a99df09d89 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -1,30 +1,19 @@
---
-title: Document Group Policy structure & AppLocker rule enforcement
+title: Document Group Policy structure & AppLocker rule enforcement
description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
-ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
-ms.pagetype: security
ms.date: 09/21/2017
ms.technology: itpro-security
---
# Document the Group Policy structure and AppLocker rule enforcement
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -49,13 +38,10 @@ The following table includes the sample data that was collected when you determi
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|
||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow||
-||||Internet Explorer 7|C:\Program Files\Internet Explorer|File is signed; create a publisher condition|Deny||
+||||Internet Explorer 7|C:\Program Files\Internet Explorer|File is signed; create a publisher condition|Deny||
||||Windows files|C:\Windows|Use a default rule for the Windows path|Allow||
## Next steps
After you've determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain:
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
-
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
index 9748146d20..1e1cb3e944 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
@@ -1,17 +1,12 @@
---
-title: Document your app list
+title: Document your app list
description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
-ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Document your app list
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -48,7 +37,7 @@ The following table provides an example of how to list applications for each bus
||||Windows files|C:\Windows|
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|
||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|
-||||Internet Explorer 7|C:\Program Files\Internet Explorer|
+||||Internet Explorer 7|C:\Program Files\Internet Explorer|
||||Windows files|C:\Windows|
>[!NOTE]
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
index e5f75fa28f..f2803a91f2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -1,17 +1,12 @@
---
-title: Document your AppLocker rules
+title: Document your AppLocker rules
description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation.
-ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Document your AppLocker rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index b336d09cf5..0ebddf77d5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -1,17 +1,12 @@
---
-title: Edit an AppLocker policy
+title: Edit an AppLocker policy
description: This topic for IT professionals describes the steps required to modify an AppLocker policy.
-ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Edit an AppLocker policy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -55,8 +44,8 @@ AppLocker provides a feature to export and import AppLocker policies as an XML f
After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
->**Caution:** Importing a policy onto another PC will overwrite the existing policy on that PC.
-
+>**Caution:** Importing a policy onto another PC will overwrite the existing policy on that PC.
+
### Step 3: Use AppLocker to modify and test the rule
AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection.
@@ -77,10 +66,10 @@ AppLocker provides ways to modify, delete, or add rules to a policy by modifying
For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
->**Caution:** You should never edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed run, making changes to a live policy can create unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
-
->**Note:** If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy.
-
+>**Caution:** You should never edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed run, making changes to a live policy can create unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
+
+>**Note:** If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy.
+
## Editing an AppLocker policy by using the Local Security Policy snap-in
The steps to edit an AppLocker policy distributed by using the Local Security Policy snap-in (secpol.msc) include the following tasks.
@@ -91,8 +80,8 @@ On the PC where you maintain policies, open the AppLocker snap-in from the Local
After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
->**Caution:** Importing a policy onto another PC will overwrite the existing policy on that PC.
-
+>**Caution:** Importing a policy onto another PC will overwrite the existing policy on that PC.
+
### Step 2: Identify and modify the rule to change, delete, or add
AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
index 46acb129b9..5c05fb3560 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
@@ -1,17 +1,12 @@
---
-title: Edit AppLocker rules
+title: Edit AppLocker rules
description: This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
-ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Edit AppLocker rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -67,4 +56,3 @@ You can perform this task by using the Group Policy Management Console for an Ap
- Click the **Path** tab to configure the path on the computer in which the rule should be enforced.
- Click the **Exceptions** tab to create exceptions for specific files in a folder.
- When you finish updating the rule, click **OK**.
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
index e38beaacec..a97f271c3d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
@@ -1,17 +1,12 @@
---
-title: Enable the DLL rule collection
+title: Enable the DLL rule collection
description: This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
-ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Enable the DLL rule collection
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -41,4 +30,4 @@ AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins
1. From the AppLocker console, right-click **AppLocker**, and then click **Properties.**
2. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**.
- >**Important:** Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.
+ >**Important:** Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
index 70a2dfe070..947a69a2ad 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
@@ -1,17 +1,12 @@
---
-title: Enforce AppLocker rules
+title: Enforce AppLocker rules
description: This topic for IT professionals describes how to enforce application control rules by using AppLocker.
-ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Enforce AppLocker rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -38,7 +27,4 @@ There is no audit mode for the DLL rule collection. DLL rules affect specific ap
To enforce AppLocker rules by configuring an AppLocker policy to **Enforce rules**, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
->**Caution:** AppLocker rules will be enforced immediately on the local device or when the Group Policy object (GPO) is updated by performing this procedure. If you want to see the effect of applying an AppLocker policy before setting the enforcement setting to **Enforce rules**, configure the policy to **Audit only**. For info about how to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)or [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
-
-
-
+>**Caution:** AppLocker rules will be enforced immediately on the local device or when the Group Policy object (GPO) is updated by performing this procedure. If you want to see the effect of applying an AppLocker policy before setting the enforcement setting to **Enforce rules**, configure the policy to **Audit only**. For info about how to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)or [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
index 1d3fbf552a..461262fab4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
@@ -1,17 +1,12 @@
---
-title: Executable rules in AppLocker
+title: Executable rules in AppLocker
description: This topic describes the file formats and available default rules for the executable rule collection.
-ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Executable rules in AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
index 7b838b91ae..bde1c865ad 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
@@ -1,17 +1,12 @@
---
-title: Export an AppLocker policy from a GPO
+title: Export an AppLocker policy from a GPO
description: This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
-ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Export an AppLocker policy from a GPO
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,7 +21,7 @@ This topic for IT professionals describes the steps to export an AppLocker polic
Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference device.
-To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**Export the policy from the GPO**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
index 2dc105b517..93e466a216 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
@@ -1,17 +1,12 @@
---
-title: Export an AppLocker policy to an XML file
+title: Export an AppLocker policy to an XML file
description: This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.
-ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Export an AppLocker policy to an XML file
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
index 40f88e9b91..e4168feaaa 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
@@ -1,17 +1,12 @@
---
-title: How AppLocker works
+title: How AppLocker works
description: This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.
-ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# How AppLocker works
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
index 4ce5fe6eb6..c9eee9963c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
@@ -1,17 +1,12 @@
---
-title: Import an AppLocker policy from another computer
+title: Import an AppLocker policy from another computer
description: This topic for IT professionals describes how to import an AppLocker policy.
-ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.technology: itpro-security
ms.date: 12/31/2017
@@ -19,12 +14,6 @@ ms.date: 12/31/2017
# Import an AppLocker policy from another computer
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2012 R2 and later
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -34,7 +23,7 @@ Before completing this procedure, you should have exported an AppLocker policy.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
-> **Caution:** Importing a policy will overwrite the existing policy on that computer.
+> **Caution:** Importing a policy will overwrite the existing policy on that computer.
**To import an AppLocker policy**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
index 71fb649374..aa4be6cdf0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
@@ -1,17 +1,12 @@
---
-title: Import an AppLocker policy into a GPO
+title: Import an AppLocker policy into a GPO
description: This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).
-ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,21 +14,15 @@ ms.technology: itpro-security
# Import an AppLocker policy into a GPO
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).
AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md).
->**Important:** Follow your organization's standard procedures for updating GPOs. For info about specific steps to follow for AppLocker policies, see [Maintain AppLocker policies](maintain-applocker-policies.md).
+>**Important:** Follow your organization's standard procedures for updating GPOs. For info about specific steps to follow for AppLocker policies, see [Maintain AppLocker policies](maintain-applocker-policies.md).
-To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**To import an AppLocker policy into a GPO**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
index 551719338a..e9d52b57ce 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
@@ -1,17 +1,12 @@
---
-title: Maintain AppLocker policies
+title: Maintain AppLocker policies
description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies.
-ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.technology: itpro-security
ms.date: 12/31/2017
@@ -19,12 +14,6 @@ ms.date: 12/31/2017
# Maintain AppLocker policies
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -50,7 +39,6 @@ Using the AppLocker configuration service provider, you can select which apps ar
For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
-
## Maintaining AppLocker policies by using Group Policy
For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks.
@@ -60,7 +48,7 @@ As new apps are deployed or existing apps are removed by your organization or up
You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create
versions of GPOs.
->**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
+>**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
### Step 1: Understand the current behavior of the policy
@@ -119,4 +107,4 @@ After deploying a policy, evaluate the policy's effectiveness.
## Other resources
-- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
\ No newline at end of file
+- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
index 1f192ee5b6..d04546c8ee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
@@ -1,17 +1,12 @@
---
-title: Manage packaged apps with AppLocker
+title: Manage packaged apps with AppLocker
description: Learn concepts and lists procedures to help you manage packaged apps with AppLocker as part of your overall application control strategy.
-ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Manage packaged apps with AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -38,16 +27,16 @@ With packaged apps, it's possible to control the entire app by using a single Ap
> [!NOTE]
> AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps.
-Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, not all these components always share common attributes such as the software’s publisher name, product name, and product version. Therefore, AppLocker controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule.
+Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, not all these components always share common attributes such as the software's publisher name, product name, and product version. Therefore, AppLocker controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule.
### Comparing classic Windows apps and packaged apps
-AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server
-2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include:
+AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server
+2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include:
-- **Installing the apps** All packaged apps can be installed by a standard user, whereas many classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps.
-- **Changing the system state** Classic Windows apps can be written to change the system state if they're run with administrative privileges. Most packaged apps can't change the system state because they run with limited privileges. When you design your AppLocker policies, it's important to understand whether an app that you're allowing can make system-wide changes.
-- **Acquiring the apps** Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means.
+- **Installing the apps** All packaged apps can be installed by a standard user, whereas many classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps.
+- **Changing the system state** Classic Windows apps can be written to change the system state if they're run with administrative privileges. Most packaged apps can't change the system state because they run with limited privileges. When you design your AppLocker policies, it's important to understand whether an app that you're allowing can make system-wide changes.
+- **Acquiring the apps** Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means.
AppLocker uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both.
@@ -60,7 +49,7 @@ For more info about packaged apps, see [Packaged apps and packaged app installer
You can use two methods to create an inventory of packaged apps on a computer: the AppLocker console or the **Get-AppxPackage** Windows PowerShell cmdlet.
> [!NOTE]
-> Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
+> Not all packaged apps are listed in AppLocker's application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](/powershell/module/applocker/).
@@ -85,4 +74,4 @@ Just as there are differences in managing each rule collection, you need to mana
3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this update, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md).
-4. Continue to monitor your environment to verify the effectiveness of the rules that are deployed in AppLocker policies. To do this monitoring, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
\ No newline at end of file
+4. Continue to monitor your environment to verify the effectiveness of the rules that are deployed in AppLocker policies. To do this monitoring, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
index f800cda2fe..f9ff7dc54d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
@@ -1,17 +1,12 @@
---
-title: Merge AppLocker policies by using Set-ApplockerPolicy
+title: Merge AppLocker policies by using Set-ApplockerPolicy
description: This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
-ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Merge AppLocker policies by using Set-ApplockerPolicy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -48,4 +37,4 @@ Gets the local AppLocker policy, and then merges the policy with the existing Ap
```powershell
C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C044FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
index 07851d0989..41657a25bd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
@@ -1,17 +1,12 @@
---
-title: Merge AppLocker policies manually
+title: Merge AppLocker policies manually
description: This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).
-ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Merge AppLocker policies manually
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
index c0e644de33..32c0267869 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
@@ -1,17 +1,12 @@
---
-title: Monitor app usage with AppLocker
+title: Monitor app usage with AppLocker
description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.
-ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Monitor app usage with AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -75,13 +64,13 @@ Membership in the local **Administrators** group, or equivalent, is the minimum
2. Run the following command to review how many times a file would have been blocked from running if rules were enforced:
```powershell
- Get-AppLockerFileInformation –EventLog –EventType Audited –Statistics
+ Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```
3. Run the following command to review how many times a file has been allowed to run or prevented from running:
```powershell
- Get-AppLockerFileInformation –EventLog –EventType Allowed –Statistics
+ Get-AppLockerFileInformation -EventLog -EventType Allowed -Statistics
```
### View the AppLocker Log in Event Viewer
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
index cca5552fbb..ef107acf59 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
@@ -1,17 +1,12 @@
---
-title: Optimize AppLocker performance
+title: Optimize AppLocker performance
description: This topic for IT professionals describes how to optimize AppLocker policy enforcement.
-ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Optimize AppLocker performance
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -43,4 +32,4 @@ condition.
### Using the DLL rule collection
-When the DLL rule collection is enabled, AppLocker must check each DLL that an application loads. The more DLLs, the longer AppLocker requires to complete the evaluation.
\ No newline at end of file
+When the DLL rule collection is enabled, AppLocker must check each DLL that an application loads. The more DLLs, the longer AppLocker requires to complete the evaluation.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
index 3c367e9dad..48e94f6635 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
@@ -1,17 +1,12 @@
---
-title: Packaged apps and packaged app installer rules in AppLocker
+title: Packaged apps and packaged app installer rules in AppLocker
description: This topic explains the AppLocker rule collection for packaged app installers and packaged apps.
-ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 10/13/2017
ms.technology: itpro-security
@@ -19,19 +14,13 @@ ms.technology: itpro-security
# Packaged apps and packaged app installer rules in AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic explains the AppLocker rule collection for packaged app installers and packaged apps.
Universal Windows apps can be installed through the Microsoft Store or can be sideloaded using the Windows PowerShell cmdlets. Universal Windows apps can be installed by a standard user unlike some Classic Windows applications that sometimes require administrative privileges for installation.
-Typically, an app consists of multiple components – the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections – exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It's therefore possible to control an entire app with a single rule.
+Typically, an app consists of multiple components - the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections - exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It's therefore possible to control an entire app with a single rule.
AppLocker enforces rules for Universal Windows apps separately from Classic Windows applications. A single AppLocker rule for a Universal Windows app can control both the installation and the running of an app. Because all Universal Windows apps are signed, AppLocker supports only publisher rules for Universal Windows apps. A publisher rule for a Universal Windows app is based on the following attributes of the app:
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index 8384c7debf..f2e8463f25 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -1,17 +1,12 @@
---
-title: Plan for AppLocker policy management
+title: Plan for AppLocker policy management
description: This topic describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.
-ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Plan for AppLocker policy management
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -91,7 +80,7 @@ You can edit an AppLocker policy by adding, changing, or removing rules. However
**New version of a supported app**
-When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you're using publisher conditions and the version isn't specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app hasn't altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied.
+When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you're using publisher conditions and the version isn't specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app hasn't altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version-the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied.
To determine whether a file has been modified during an app update, review the publisher's release details provided with the update package. You can also review the publisher's web page to retrieve this information. Each file can also be inspected to determine the version.
@@ -149,7 +138,7 @@ The following table contains the added sample data that was collected when deter
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||Help desk|
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|Web help|
||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow||Web help|
-||||Internet Explorer 7|C:\Program Files\Internet Explorer|File is signed; create a publisher condition|Deny||Web help|
+||||Internet Explorer 7|C:\Program Files\Internet Explorer|File is signed; create a publisher condition|Deny||Web help|
||||Windows files|C:\Windows|Use the default rule for the Windows path|Allow||Help desk|
The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies.
@@ -173,4 +162,3 @@ The following table is an example of what to consider and record.
|--- |--- |--- |--- |--- |
|Bank Tellers|Planned: Monthly through business office triageEmergency: Request through help desk|Through business office triage
30-day notice required|General policy: Keep past versions for 12 months
List policies for each application|Coordinated through business office
30-day notice required|
|Human Resources|Planned: Monthly through HR triage
Emergency: Request through help desk|Through HR triage
30-day notice required|General policy: Keep past versions for 60 months
List policies for each application|Coordinated through HR
30-day notice required|
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
index 5aa365b37a..06168d1e9a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
@@ -1,17 +1,12 @@
---
-title: Refresh an AppLocker policy
+title: Refresh an AppLocker policy
description: This topic for IT professionals describes the steps to force an update for an AppLocker policy.
-ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Refresh an AppLocker policy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -36,7 +25,7 @@ To use Group Policy to distribute the AppLocker policy change, you need to retri
[Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md).
-To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**To manually refresh the AppLocker policy by using Group Policy**
@@ -65,6 +54,6 @@ To make the same change on another device, you can use any of the following meth
- From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do these tasks, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer.
- >**Caution:** When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.
-
+ >**Caution:** When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.
+
- Merge AppLocker policies. For information on the procedures to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 5df2060dbd..40579e3963 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -1,17 +1,12 @@
---
-title: Requirements for deploying AppLocker policies
+title: Requirements for deploying AppLocker policies
description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
-ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Requirements for deploying AppLocker policies
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 23c6363413..47b2d12aba 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -1,17 +1,12 @@
---
-title: Requirements to use AppLocker
+title: Requirements to use AppLocker
description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
-ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Requirements to use AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -47,21 +36,21 @@ The following table shows the Windows versions on which AppLocker features are s
| Version | Can be configured | Can be enforced | Available rules | Notes |
| - | - | - | - | - |
-| Windows 10 and Windows 11| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019:
- Policies deployed through GP are only supported on Enterprise and Server editions.
- Policies deployed through MDM are supported on all editions.
|
-| Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
+| Windows 10 and Windows 11| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019:
- Policies deployed through GP are only supported on Enterprise and Server editions.
- Policies deployed through MDM are supported on all editions.
|
+| Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
| Windows 8.1 Pro| Yes| No| N/A||
-| Windows 8.1 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
+| Windows 8.1 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
| Windows RT 8.1| No| No| N/A||
| Windows 8 Pro| Yes| No| N/A||
-| Windows 8 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL||
+| Windows 8 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL||
| Windows RT| No| No| N/A| |
-| Windows Server 2008 R2 Standard| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows 7 Ultimate| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows 7 Enterprise| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows 7 Professional| Yes| No| Executable
Windows Installer
Script
DLL| No AppLocker rules are enforced.|
+| Windows Server 2008 R2 Standard| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
+| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
+| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
+| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
+| Windows 7 Ultimate| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
+| Windows 7 Enterprise| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
+| Windows 7 Professional| Yes| No| Executable
Windows Installer
Script
DLL| No AppLocker rules are enforced.|
AppLocker isn't supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature isn't supported on the above operating systems.
@@ -75,4 +64,4 @@ AppLocker isn't supported on versions of the Windows operating system not listed
- [Optimize AppLocker performance](optimize-applocker-performance.md)
- [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)
- [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)
-- [AppLocker Design Guide](applocker-policies-design-guide.md)
\ No newline at end of file
+- [AppLocker Design Guide](applocker-policies-design-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
index f02e55d1b8..d6ba932c98 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
@@ -1,17 +1,12 @@
---
-title: Run the Automatically Generate Rules wizard
+title: Run the Automatically Generate Rules wizard
description: This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
-ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Run the Automatically Generate Rules wizard
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -52,4 +41,4 @@ You can perform this task by using the Group Policy Management Console for an Ap
8. Review the files that were analyzed and the rules that will be automatically created. To make changes, click **Previous** to return to the page where you can change your selections. After reviewing the rules, click **Create**.
->**Note:** If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules.
+>**Note:** If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 77e77e2f49..bee1694c3a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -1,17 +1,12 @@
---
-title: Script rules in AppLocker
+title: Script rules in AppLocker
description: This article describes the file formats and available default rules for the script rule collection.
-ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 06/15/2022
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Script rules in AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article describes the file formats and available default rules for the script rule collection.
AppLocker defines script rules to include only the following file formats:
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
index ddcf98dc38..f32ff85c69 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
@@ -1,17 +1,12 @@
---
-title: Security considerations for AppLocker
+title: Security considerations for AppLocker
description: This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.
-ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Security considerations for AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -43,9 +32,9 @@ AppLocker runs in the context of Administrator or LocalSystem, which is the high
When files are being secured in a directory with a rule of the path condition type, whether using the allow or deny action on the rule, it's still necessary and good practice to restrict access to those files by setting the access control lists (ACLs) according to your security policy.
-AppLocker doesn't protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there's already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it's a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe.
+AppLocker doesn't protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there's already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it's a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe.
-You can't use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this rule applies to the (POSIX) subsystem in Windows NT. If it's a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem.
+You can't use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this rule applies to the (POSIX) subsystem in Windows NT. If it's a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem.
AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It doesn't control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker can't control every kind of interpreted code, such as Microsoft Office macros.
@@ -61,4 +50,4 @@ You can block the Windows Subsystem for Linux by blocking LxssManager.dll.
## Related topics
-- [AppLocker technical reference](applocker-technical-reference.md)
\ No newline at end of file
+- [AppLocker technical reference](applocker-technical-reference.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
index 43ddf77312..7776bf7386 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
@@ -1,17 +1,12 @@
---
-title: Select the types of rules to create
+title: Select the types of rules to create
description: This topic lists resources you can use when selecting your application control policy rules by using AppLocker.
-ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Select the types of rules to create
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
index 44df75bc53..0c029929bf 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
@@ -1,17 +1,12 @@
---
-title: Test an AppLocker policy by using Test-AppLockerPolicy
+title: Test an AppLocker policy by using Test-AppLockerPolicy
description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
-ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Test an AppLocker policy by using Test-AppLockerPolicy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -41,17 +30,17 @@ Any user account can be used to complete this procedure.
1. Open a Windows PowerShell command prompt window as an administrator.
2. Use the **Get-AppLockerPolicy** cmdlet to export the effective AppLocker policy to an XML file:
- `Get-AppLockerPolicy –Effective –XML > `
+ `Get-AppLockerPolicy -Effective -XML > `
2. Use the **Get-ChildItem** cmdlet to specify the directory that you want to test, specify the **Test-AppLockerPolicy** cmdlet with the XML file from the previous step to test the policy, and use the **Export-CSV** cmdlet to export the results to a file to be analyzed:
- `Get-ChildItem -Filter -Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy -User -Filter | Export-CSV `
+ `Get-ChildItem -Filter -Recurse | Convert-Path | Test-AppLockerPolicy -XMLPolicy -User -Filter | Export-CSV `
The following shows example input for **Test-AppLockerPolicy**:
```syntax
-PS C:\ Get-AppLockerPolicy –Effective –XML > C:\Effective.xml
-PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' –filter *.exe –Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy C:\Effective.xml –User contoso\zwie –Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv
+PS C:\ Get-AppLockerPolicy -Effective -XML > C:\Effective.xml
+PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' -filter *.exe -Recurse | Convert-Path | Test-AppLockerPolicy -XMLPolicy C:\Effective.xml -User contoso\zwie -Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv
```
In the example, the effective AppLocker policy is exported to the file C:\\Effective.xml. The **Get-ChildItem** cmdlet is used to recursively gather path names for the .exe files in C:\\Program Files\\Microsoft Office\\. The XMLPolicy parameter specifies that the C:\\Effective.xml file is an XML AppLocker policy file. By specifying the User parameter, you can test the rules for specific users, and the **Export-CSV** cmdlet allows the results to be exported to a comma-separated file. In the example, `-FilterDenied,DeniedByDefault` displays only those files that will be blocked for the user under the policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
index 9a6dd54ca3..71815be79b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
@@ -1,17 +1,12 @@
---
-title: Test and update an AppLocker policy
+title: Test and update an AppLocker policy
description: This topic discusses the steps required to test an AppLocker policy prior to deployment.
-ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Test and update an AppLocker policy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -67,10 +56,8 @@ After you've identified which rules need to be edited or added to the policy, yo
## Step 6: Repeat policy testing, analysis, and policy modification
-Repeat the previous steps 3–5 until all the rules perform as intended before applying enforcement.
+Repeat the previous steps 3-5 until all the rules perform as intended before applying enforcement.
## Other resources
- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
index 9ce6b9e70c..9fcea89142 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
@@ -1,17 +1,12 @@
---
-title: Tools to use with AppLocker
+title: Tools to use with AppLocker
description: This topic for the IT professional describes the tools available to create and administer AppLocker policies.
-ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Tools to use with AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -64,4 +53,4 @@ The following tools can help you administer the application control policies cre
## Related topics
-- [AppLocker technical reference](applocker-technical-reference.md)
\ No newline at end of file
+- [AppLocker technical reference](applocker-technical-reference.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
index 9b4ba84412..9b5abb0b0b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
@@ -1,17 +1,12 @@
---
-title: Understand AppLocker enforcement settings
+title: Understand AppLocker enforcement settings
description: This topic describes the AppLocker enforcement settings for rule collections.
-ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understand AppLocker enforcement settings
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index 7fb08dd316..d61a4fdf98 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -1,17 +1,12 @@
---
-title: Understand AppLocker policy design decisions
+title: Understand AppLocker policy design decisions
description: Review some common considerations while you're planning to use AppLocker to deploy application control policies within a Windows environment.
-ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 10/13/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understand AppLocker policy design decisions
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -107,7 +96,7 @@ If your organization supports multiple Windows operating systems, app control po
### Are there specific groups in your organization that need customized application control policies?
-Most business groups or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization.
+Most business groups or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group's priorities before you deploy application control policies for the entire organization.
| Possible answers | Design considerations |
| - | - |
@@ -132,7 +121,6 @@ Preventing your users from accessing known, deployed, or personal applications w
| Yes | Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications. |
| No | Invest time in developing online support processes and documentation before deployment. |
-
### Do you know what applications require restrictive policies?
Any successful application control policy implementation is based on your knowledge and understanding of app usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the apps that access that data.
@@ -151,7 +139,6 @@ Implementing a successful application control policy is based on your knowledge
| Strict written policy or guidelines to follow | You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules. |
| No process in place | You need to determine if you have the resources to develop an application control policy, and for which groups. |
-
### Does your organization already have SRP deployed?
Although SRP and AppLocker have the same goal, AppLocker is a major revision of SRP.
@@ -196,4 +183,3 @@ Because the effectiveness of application control policies is dependent on the ab
The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, you can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document.
- For info about setting your policy goals, see [Determine your application control objectives](determine-your-application-control-objectives.md).
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index e0f5c0575d..fc99a9815b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -1,17 +1,12 @@
---
-title: Understand AppLocker rules and enforcement setting inheritance in Group Policy
+title: Understand AppLocker rules and enforcement setting inheritance in Group Policy
description: This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
-ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understand AppLocker rules and enforcement setting inheritance in Group Policy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -42,7 +31,7 @@ Group Policy merges AppLocker policy in two ways:
1. **Explicit deny.** An administrator created a rule to deny a file.
2. **Explicit allow.** An administrator created a rule to allow a file.
3. **Implicit deny.** This is also called the default deny because all files that are not affected by an allow rule are automatically blocked.
-
+
- **Enforcement settings.** The last write to the policy is applied. For example, if a higher-level GPO has the enforcement setting configured to **Enforce rules** and the closest GPO has the setting configured to **Audit only**, **Audit only** is enforced. If enforcement is not configured on the closest GPO, the setting from the closest linked GPO will be enforced.
Because a computer's effective policy includes rules from each linked GPO, duplicate rules or conflicting rules could be enforced on a user's computer. Therefore, you should carefully plan your deployment to ensure that only rules that are necessary are present in a GPO.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
index 82fc009a1b..ab1522f49e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
@@ -1,17 +1,12 @@
---
-title: Understand the AppLocker policy deployment process
+title: Understand the AppLocker policy deployment process
description: This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.
-ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understand the AppLocker policy deployment process
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -44,5 +33,3 @@ The following topics contain information about designing, planning, deploying, a
- For info about the AppLocker policy deployment requirements and process, see [AppLocker deployment guide](applocker-policies-deployment-guide.md).
- For info about AppLocker policy maintenance and monitoring, see [Administer AppLocker](administer-applocker.md).
- For info about AppLocker policy architecture, components, and processing, see [AppLocker technical reference](applocker-technical-reference.md).
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
index 1e8aee1c7e..cec55e8e38 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
@@ -1,17 +1,12 @@
---
-title: Understanding AppLocker allow and deny actions on rules
+title: Understanding AppLocker allow and deny actions on rules
description: This topic explains the differences between allow and deny actions on AppLocker rules.
-ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understanding AppLocker allow and deny actions on rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -46,7 +35,7 @@ Although you can use AppLocker to create a rule to allow all files to run and th
| File hash | A user could modify the hash for a file.|
| Path | A user could move the denied file to a different location and run it from there.|
->**Important:** If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running.
+>**Important:** If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running.
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
index d15cdff954..606e9924ec 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
@@ -1,17 +1,12 @@
---
-title: Understanding AppLocker default rules
+title: Understanding AppLocker default rules
description: This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied.
-ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understanding AppLocker default rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
index a54b284804..377eb5019a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
@@ -1,17 +1,12 @@
---
-title: Understanding AppLocker rule behavior
+title: Understanding AppLocker rule behavior
description: This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
-ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understanding AppLocker rule behavior
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -37,8 +26,8 @@ A rule can be configured to use either an allow or deny action:
- **Allow**. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
- **Deny**. You can specify which files aren't allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
->**Important:** You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.
-
+>**Important:** You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.
+
## Related topics
- [How AppLocker works](how-applocker-works-techref.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
index 94c277a12b..1787c045ef 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
@@ -1,17 +1,12 @@
---
-title: Understanding AppLocker rule collections
+title: Understanding AppLocker rule collections
description: This topic explains the five different types of AppLocker rules used to enforce AppLocker policies.
-ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understanding AppLocker rule collections
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -40,7 +29,7 @@ An AppLocker rule collection is a set of rules that apply to one of five types:
If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps.
->**Important:** Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default.
+>**Important:** Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default.
For info about how to enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).
@@ -48,4 +37,3 @@ For info about how to enable the DLL rule collection, see [Enable the DLL rule c
- [How AppLocker works](how-applocker-works-techref.md)
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
index 7bdf8b04f3..b26445b191 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
@@ -1,17 +1,12 @@
---
-title: Understanding AppLocker rule condition types
+title: Understanding AppLocker rule condition types
description: This topic for the IT professional describes the three types of AppLocker rule conditions.
-ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understanding AppLocker rule condition types
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -58,15 +47,15 @@ Selecting the appropriate condition for each rule depends on the overall applica
> [!NOTE]
> To determine how many applications on a reference computer are digitally signed, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet for a directory of files. For example,
- `Get-AppLockerFileInformation –Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory.
-
+ `Get-AppLockerFileInformation -Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory.
+
2. What rule condition type does your organization prefer?
If your organization is already using Software Restriction Policies (SRP) to restrict what files users can run, rules using file hash or path conditions are probably already in place.
> [!NOTE]
> For a list of supported operating system versions and editions to which SRP and AppLocker rules can be applied, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
-
+
## Related topics
- [How AppLocker works](how-applocker-works-techref.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
index 4ac6b603d7..71ae842b65 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
@@ -1,17 +1,12 @@
---
-title: Understanding AppLocker rule exceptions
+title: Understanding AppLocker rule exceptions
description: This topic describes the result of applying AppLocker rule exceptions to rule collections.
-ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understanding AppLocker rule exceptions
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
index 0582d50ebd..6e13561e2c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
@@ -1,17 +1,12 @@
---
-title: Understanding the file hash rule condition in AppLocker
+title: Understanding the file hash rule condition in AppLocker
description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it's applied.
-ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understanding the file hash rule condition in AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
index 2e970ac2c4..5d3e6d2d29 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
@@ -1,17 +1,12 @@
---
-title: Understanding the path rule condition in AppLocker
+title: Understanding the path rule condition in AppLocker
description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it's applied.
-ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understanding the path rule condition in AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -44,7 +33,6 @@ The asterisk (\*) wildcard character can be used within **Path** field. The aste
AppLocker uses path variables for well-known directories in Windows. Path variables aren't environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables.
-
| Windows directory or drive | AppLocker path variable | Windows environment variable |
|---------------------------------------------------------|-------------------------|----------------------------------------|
| Windows | %WINDIR% | %SystemRoot% |
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
index 76fed21426..dbc7fe282d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
@@ -1,17 +1,12 @@
---
-title: Understanding the publisher rule condition in AppLocker
+title: Understanding the publisher rule condition in AppLocker
description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it's applied.
-ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Understanding the publisher rule condition in AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -42,7 +31,7 @@ Wildcard characters can be used as values in the publisher rule fields according
- **Publisher**
- The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk isn't treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name “\*x\*”. A question mark (?) isn't a valid wildcard character in this field.
+ The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk isn't treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name "\*x\*". A question mark (?) isn't a valid wildcard character in this field.
- **Product name**
@@ -62,7 +51,7 @@ Wildcard characters can be used as values in the publisher rule fields according
The following table describes how a publisher condition is applied.
-| Option | The publisher condition allows or denies…|
+| Option | The publisher condition allows or denies...|
| - | - |
| **All signed files** | All files that are signed by a publisher.|
| **Publisher only** | All files that are signed by the named publisher.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index e63ab0e64b..eb14fbd674 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -1,16 +1,11 @@
---
-title: Use a reference device to create and maintain AppLocker policies
+title: Use a reference device to create and maintain AppLocker policies
description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
-ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.reviewer:
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Use a reference device to create and maintain AppLocker policies
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -36,7 +25,7 @@ An AppLocker reference device is a baseline device you can use to configure poli
An AppLocker reference device that is used to create and maintain AppLocker policies should contain the corresponding apps for each organizational unit (OU) to mimic your production environment.
->**Important:** The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
+>**Important:** The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
You can perform AppLocker policy testing on the reference device by using the **Audit only** enforcement setting or Windows PowerShell cmdlets. You can also use the reference device as part of a testing configuration that includes policies that are created by using Software Restriction Policies.
@@ -44,13 +33,13 @@ You can perform AppLocker policy testing on the reference device by using the **
With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For information on how to automatically generate rules, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md).
->**Note:** If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules.
+>**Note:** If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules.
## Step 2: Create the default rules on the reference device
AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You must run the default rules for each rule collection. For info about default rules and considerations for using them, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md). For the procedure to create default rules, see [Create AppLocker default rules](create-applocker-default-rules.md).
->**Important:** You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.
+>**Important:** You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.
## Step 3: Modify rules and the rule collection on the reference device
@@ -72,7 +61,7 @@ You should test each set of rules to ensure that they perform as intended. The *
- [Test an AppLocker Policy with Test-AppLockerPolicy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791772(v=ws.10))
- [Discover the Effect of an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791823(v=ws.10))
->**Caution:** If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect.
+>**Caution:** If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect.
## Step 5: Export and import the policy into production
@@ -94,4 +83,4 @@ If more refinements or updates are necessary after a policy is deployed, use the
## See also
-- [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
\ No newline at end of file
+- [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
index 1cfb01105a..9415499e71 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
@@ -1,17 +1,12 @@
---
-title: Use AppLocker and Software Restriction Policies in the same domain
+title: Use AppLocker and Software Restriction Policies in the same domain
description: This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
-ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 11/07/2022
ms.technology: itpro-security
@@ -19,11 +14,6 @@ ms.technology: itpro-security
# Use AppLocker and Software Restriction Policies in the same domain
-**Applies to**
-
-- Windows 10
-- Windows Server 2016
-
This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
> [!IMPORTANT]
@@ -31,7 +21,7 @@ This article for IT professionals describes concepts and procedures to help you
## Using AppLocker and Software Restriction Policies in the same domain
-AppLocker is supported on systems running Windows 8.1. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored.
+AppLocker is supported on systems running Windows 8.1. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored.
The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker.
@@ -41,15 +31,15 @@ The following table compares the features and functions of Software Restriction
|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.
AppLocker permits customization of error messages to direct users to a Web page for help.|
|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
-|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.
SRP can also be configured in the “allowlist mode” so that by default all files are blocked. In "allowlist mode", administrators need to create allow rules for files that they want to run.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there's a matching allow rule.|
+|Enforcement mode|SRP works in the "blocklist mode" where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.
SRP can also be configured in the "allowlist mode" so that by default all files are blocked. In "allowlist mode", administrators need to create allow rules for files that they want to run.|AppLocker by default works in the "allowlist mode" where only those files are allowed to run for which there's a matching allow rule.|
|File types that can be controlled|SRP can control the following file types:ExecutablesDllsScriptsWindows Installers
SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:ExecutablesDllsScriptsWindows InstallersPackaged apps and installers
AppLocker maintains a separate rule collection for each of the five file types.|
|Designated file types|SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.|AppLocker currently supports the following file extensions:Executables (.exe, .com)Dlls (.ocx, .dll)Scripts (.vbs, .js, .ps1, .cmd, .bat)Windows Installers (.msi, .mst, .msp)Packaged app installers (.appx)|
|Rule types|SRP supports four types of rules:HashPathSignatureInternet zone|AppLocker supports three types of rules:File hashPathPublisher|
-|Editing the hash value|In Windows XP, you could use SRP to provide custom hash values.
Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, and not provide the hash value.|AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.|
+|Editing the hash value|In Windows XP, you could use SRP to provide custom hash values.
Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, and not provide the hash value.|AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.|
|Support for different security levels|With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.
SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker doesn't support security levels.|
|Manage Packaged apps and Packaged app installers.|Not supported|.appx is a valid file type which AppLocker can manage.|
|Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
-|Support for rule exceptions|SRP doesn't support rule exceptions.|AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.|
+|Support for rule exceptions|SRP doesn't support rule exceptions.|AppLocker rules can have exceptions, which allow you to create rules such as "Allow everything from Windows except for regedit.exe".|
|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you're satisfied with the results, you can start enforcing the policy.|
|Support for exporting and importing policies|SRP doesn't support policy import/export.|AppLocker supports the importing and exporting of policies. This support by AppLocker allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.|
|Rule enforcement|Internally, SRP rules enforcement happens in the user-mode, which is less secure.|Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
index 6c0c369c78..155e3e6d17 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
@@ -1,17 +1,12 @@
---
-title: Use the AppLocker Windows PowerShell cmdlets
+title: Use the AppLocker Windows PowerShell cmdlets
description: This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
-ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Use the AppLocker Windows PowerShell cmdlets
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -35,7 +24,7 @@ This topic for IT professionals describes how each AppLocker Windows PowerShell
The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the
Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console.
-To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the
+To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the
Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer.
### Retrieve application information
@@ -63,4 +52,4 @@ The [Test-AppLockerPolicy](/powershell/module/applocker/test-applockerpolicy) cm
## Other resources
-- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
\ No newline at end of file
+- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
index c7de76bb21..2aedf66058 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
@@ -1,17 +1,12 @@
---
-title: Using Event Viewer with AppLocker
+title: Using Event Viewer with AppLocker
description: This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
-ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.technology: itpro-security
ms.date: 02/02/2023
@@ -19,12 +14,6 @@ ms.date: 02/02/2023
# Using Event Viewer with AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -89,4 +78,3 @@ The following table contains information about the events that you can use to de
## Related articles
- [Tools to use with AppLocker](tools-to-use-with-applocker.md)
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
index b7aec02c5b..d8b071c1c2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
@@ -1,17 +1,12 @@
---
-title: Use Software Restriction Policies and AppLocker policies
+title: Use Software Restriction Policies and AppLocker policies
description: This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.
-ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Use Software Restriction Policies and AppLocker policies
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,23 +21,23 @@ This topic for the IT professional describes how to use Software Restriction Pol
## Understand the difference between SRP and AppLocker
-You might want to deploy application control policies in Windows operating systems earlier than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the supported versions and editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). However, you can use SRP on those supported editions of Windows plus Windows Server 2003 and Windows XP. To compare features and functions in SRP and AppLocker so that you can determine when to use each technology to meet your application control objectives, see [Determine your application control objectives](determine-your-application-control-objectives.md).
+You might want to deploy application control policies in Windows operating systems earlier than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the supported versions and editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). However, you can use SRP on those supported editions of Windows plus Windows Server 2003 and Windows XP. To compare features and functions in SRP and AppLocker so that you can determine when to use each technology to meet your application control objectives, see [Determine your application control objectives](determine-your-application-control-objectives.md).
## Use SRP and AppLocker in the same domain
SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they're applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md).
->**Important:** As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO.
+>**Important:** As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO.
The following scenario provides an example of how each type of policy would affect a bank teller software app, where the app is deployed on different Windows desktop operating systems and managed by the Tellers GPO.
| Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP | Tellers GPO with AppLocker policy and SRP |
| - | - | - | - |
-| Windows 10, Windows 8.1, Windows 8, and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.|
-| Windows Vista| AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.|
-| Windows XP| AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.|
+| Windows 10, Windows 8.1, Windows 8, and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.|
+| Windows Vista| AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.|
+| Windows XP| AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.|
->**Note:** For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
+>**Note:** For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
## Test and validate SRPs and AppLocker policies that are deployed in the same environment
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
index 3a6fb08e52..68586393f4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
@@ -1,17 +1,12 @@
---
-title: What Is AppLocker
+title: What Is AppLocker
description: This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.
-ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# What Is AppLocker?
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -83,5 +72,3 @@ The following table compares the application control functions of Software Restr
## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
index 43981062e8..9a410a20af 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
@@ -1,17 +1,12 @@
---
-title: Windows Installer rules in AppLocker
+title: Windows Installer rules in AppLocker
description: This topic describes the file formats and available default rules for the Windows Installer rule collection.
-ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Windows Installer rules in AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -47,5 +36,3 @@ The purpose of this collection is to allow you to control the installation of fi
## Related topics
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
index ca6e21acbd..8e4a0a0395 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
@@ -1,17 +1,12 @@
---
-title: Working with AppLocker policies
+title: Working with AppLocker policies
description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.
-ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Working with AppLocker policies
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -46,5 +35,4 @@ This topic for IT professionals provides links to procedural topics about creati
| [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) | This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.|
| [Merge AppLocker policies manually](merge-applocker-policies-manually.md) | This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).|
| [Refresh an AppLocker policy](refresh-an-applocker-policy.md) | This topic for IT professionals describes the steps to force an update for an AppLocker policy.|
-| [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) | This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.|
-
+| [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) | This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
index 2cec2568d1..8d170ef5ed 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
@@ -1,14 +1,10 @@
---
-title: Working with AppLocker rules
+title: Working with AppLocker rules
description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
-ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: vinaypamnani-msft
ms.localizationpriority: medium
msauthor: v-anbic
@@ -19,12 +15,6 @@ ms.topic: conceptual
# Working with AppLocker rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -67,7 +57,7 @@ The AppLocker console is organized into rule collections, which are executable f
| Packaged apps and packaged app installers | .appx|
| DLL files | .dll
.ocx|
->**Important:** If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps.
+>**Important:** If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps.
When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used.
@@ -93,7 +83,7 @@ This condition identifies an app based on its digital signature and extended att
When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving up the slider or by using a wildcard character (\*) in the product, file name, or version number fields.
->**Note:** To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider.
+>**Note:** To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider.
The **File version** and **Package version** control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options:
@@ -103,8 +93,7 @@ The **File version** and **Package version** control whether a user can run a sp
The following table describes how a publisher condition is applied.
-
-| Option | The publisher condition allows or denies… |
+| Option | The publisher condition allows or denies... |
|---|---|
| **All signed files** | All files that are signed by any publisher.|
| **Publisher only**| All files that are signed by the named publisher.|
@@ -132,7 +121,7 @@ The following table details these path variables.
| Removable media (for example, a CD or DVD)| %REMOVABLE%| |
| Removable storage device (for example, a USB flash drive)| %HOT% | |
->**Important:** Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile.
+>**Important:** Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile.
### File hash
@@ -202,7 +191,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum
3. In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then click **Properties**.
4. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**.
- >**Important:** Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.
+ >**Important:** Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.
## AppLocker wizards
@@ -221,7 +210,7 @@ You can create rules by using two AppLocker wizards:
- **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule can't persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific.
- If an app isn't digitally signed, you can't use a publisher rule condition for that app.
-- AppLocker rules can't be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.
+- AppLocker rules can't be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.
- The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8.
- When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection doesn't contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection.
- When an AppLocker rule collection is set to **Audit only**, the rules aren't enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log.
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index cae9d23e45..232ca50f2f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -16,7 +16,7 @@ author: jgeurten
ms.reviewer: jsuther
ms.author: vinpa
manager: aaroncz
-ms.date: 02/08/2023
+ms.date: 06/06/2023
ms.technology: itpro-security
ms.topic: article
---
@@ -100,7 +100,7 @@ To check that the policy was successfully applied on your computer:
```xml
- 10.0.25860.0
+ 10.0.25880.0
{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}
@@ -221,10 +221,10 @@ To check that the policy was successfully applied on your computer:
-
-
-
-
+
+
+
+
@@ -377,6 +377,12 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
+
+
@@ -541,6 +547,28 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -583,6 +611,56 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -690,18 +768,18 @@ To check that the policy was successfully applied on your computer:
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -980,35 +1058,38 @@ To check that the policy was successfully applied on your computer:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1035,16 +1116,48 @@ To check that the policy was successfully applied on your computer:
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1057,7 +1170,7 @@ To check that the policy was successfully applied on your computer:
-
+
@@ -1066,6 +1179,7 @@ To check that the policy was successfully applied on your computer:
+
@@ -1074,11 +1188,14 @@ To check that the policy was successfully applied on your computer:
+
+
+
@@ -1092,11 +1209,13 @@ To check that the policy was successfully applied on your computer:
+
+
@@ -1105,10 +1224,12 @@ To check that the policy was successfully applied on your computer:
+
+
@@ -1132,6 +1253,10 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
@@ -1140,6 +1265,7 @@ To check that the policy was successfully applied on your computer:
+
@@ -1153,6 +1279,9 @@ To check that the policy was successfully applied on your computer:
+
+
+
@@ -1170,7 +1299,7 @@ To check that the policy was successfully applied on your computer:
-
+
@@ -1181,6 +1310,8 @@ To check that the policy was successfully applied on your computer:
+
+
@@ -1202,6 +1333,9 @@ To check that the policy was successfully applied on your computer:
+
+
+
@@ -1258,12 +1392,14 @@ To check that the policy was successfully applied on your computer:
+
+
@@ -1272,10 +1408,13 @@ To check that the policy was successfully applied on your computer:
+
+
+
@@ -1283,10 +1422,12 @@ To check that the policy was successfully applied on your computer:
+
+
@@ -1306,6 +1447,10 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
@@ -1367,6 +1512,7 @@ To check that the policy was successfully applied on your computer:
+
@@ -1623,13 +1769,34 @@ To check that the policy was successfully applied on your computer:
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
@@ -1639,8 +1806,8 @@ To check that the policy was successfully applied on your computer:
-
+
@@ -1752,6 +1919,16 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
+
+
+
+
+
+
@@ -1832,6 +2009,18 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1851,6 +2040,10 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
@@ -1909,6 +2102,7 @@ To check that the policy was successfully applied on your computer:
+
@@ -1916,8 +2110,10 @@ To check that the policy was successfully applied on your computer:
+
+
@@ -1933,7 +2129,6 @@ To check that the policy was successfully applied on your computer:
-
@@ -1966,6 +2161,9 @@ To check that the policy was successfully applied on your computer:
+
+
+
@@ -2221,6 +2419,12 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
+
+
@@ -2373,6 +2577,28 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2427,6 +2653,56 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2535,18 +2811,18 @@ To check that the policy was successfully applied on your computer:
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2833,35 +3109,38 @@ To check that the policy was successfully applied on your computer:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2884,6 +3163,14 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
+
+
+
+
@@ -2894,6 +3181,30 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2926,7 +3237,7 @@ To check that the policy was successfully applied on your computer:
- 10.0.25860.0
+ 10.0.25880.0
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 3630632cf7..1c867e7010 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -13,7 +13,7 @@ author: jgeurten
ms.reviewer: jsuther1974
ms.author: vinpa
manager: aaroncz
-ms.date: 05/26/2023
+ms.date: 06/07/2023
ms.technology: itpro-security
ms.topic: article
---
@@ -80,17 +80,17 @@ Each file rule level has advantages and disadvantages. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions' hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
-| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
+| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. By default, this level uses the OriginalFileName attribute of the file's resource header. Use [-SpecificFileNameLevel](#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) to choose an alternative attribute, such as ProductName. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers. More information about FilePath level rules can be found later in this article. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
| **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
-| **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
+| **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. By default, this level uses the OriginalFileName attribute of the file's resource header. Use [-SpecificFileNameLevel](#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) to choose an alternative attribute, such as ProductName. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. |
| **RootCertificate** | Not supported. |
| **WHQL** | Only trusts binaries that have been submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. |
| **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. |
-| **WHQLFilePublisher** | This level combines the "FileName" attribute of the signed file, plus "WHQLPublisher", plus a minimum version number. This level is primarily for kernel binaries. |
+| **WHQLFilePublisher** | This level combines the "FileName" attribute of the signed file, plus "WHQLPublisher", plus a minimum version number. This level is primarily for kernel binaries. By default, this level uses the OriginalFileName attribute of the file's resource header. Use [-SpecificFileNameLevel](#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) to choose an alternative attribute, such as ProductName. |
> [!NOTE]
> When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level, by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate, but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
@@ -122,6 +122,22 @@ WDAC has a built-in file rule conflict logic that translates to precedence order
> [!NOTE]
> To make it easier to reason over your WDAC policies, we recommend maintaining separate ALLOW and DENY policies on Windows versions that support [multiple WDAC policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies).
+## Use -SpecificFileNameLevel with FileName, FilePublisher, or WHQLFilePublisher level rules
+
+By default, the FileName, FilePublisher, and WHQLFilePublisher rule levels will use the OriginalFileName attribute from the file's resource header. You can use an alternative resource header attribute for your rules by setting the **-SpecificFileNameLevel**. For instance, a software developer may use the same ProductName for all binaries that are part of an app. Using -SpecificFileNameLevel, you can create a single rule to cover all of those binaries in your policy rather than individual rules for every file.
+
+Table 3 describes the available resource header attribute options you can set with -SpecificFileNameLevel.
+
+### Table 3. -SpecificFileNameLevel options
+
+| SpecificFileNameLevel value | Description |
+|----------- | ----------- |
+| **FileDescription** | Specifies the file description provided by the developer of the binary. |
+| **InternalName** | Specifies the internal name of the binary. |
+| **OriginalFileName** | Specifies the original file name, or the name with which the file was first created, of the binary. |
+| **PackageFamilyName** | Specifies the package family name of the binary. The package family name consists of two parts: the name of the file and the publisher ID. |
+| **ProductName** | Specifies the name of the product with which the binary ships. |
+
## More information about filepath rules
Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect to remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.
@@ -180,22 +196,10 @@ During validation, WDAC selects which hashes are calculated based on how the fil
In the cmdlets, rather than try to predict which hash will be used, we precalculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient to changes in how the file is signed since your WDAC policy has more than one hash available for the file already.
-### Why does scan create eight hash rules for certain XML files?
+### Why does scan create eight hash rules for certain files?
Separate rules are created for UMCI and KMCI. If the cmdlets can't determine that a file will only run in user-mode or in the kernel, then rules are created for both signing scenarios out of an abundance of caution. If you know that a particular file will only load in either user-mode or kernel, then you can safely remove the extra rules.
-## Windows Defender Application Control filename rules
+### When does WDAC use the flat file hash value?
-File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they're based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules.
-
-Use Table 3 to select the appropriate file name level for your use cases. For instance, an LOB or production application and its binaries may all share the same product name. This option lets you easily create targeted policies based on the Product Name filename rule level.
-
-### Table 3. Windows Defender Application Control policy - filename levels
-
-| Rule level | Description |
-|----------- | ----------- |
-| **File Description** | Specifies the file description provided by the developer of the binary. |
-| **Internal Name** | Specifies the internal name of the binary. |
-| **Original File Name** | Specifies the original file name, or the name with which the file was first created, of the binary. |
-| **Package Family Name** | Specifies the package family name of the binary. The package family name consists of two parts: the name of the file and the publisher ID. |
-| **Product Name** | Specifies the name of the product with which the binary ships. |
+There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. This can occur for a number of reasons, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with an invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly.
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
index 73c7ef9d1e..6913539635 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
@@ -14,7 +14,7 @@ ms.reviewer: jsuther1974
ms.author: vinpa
manager: aaroncz
ms.topic: conceptual
-ms.date: 10/14/2020
+ms.date: 06/07/2023
ms.technology: itpro-security
---
@@ -29,23 +29,21 @@ ms.technology: itpro-security
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-When creating policies for use with Windows Defender Application Control (WDAC), it's recommended to start with a template policy, and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules.
-
+When creating policies for use with Windows Defender Application Control (WDAC), it's recommended to start with a template policy, and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules.
## Template Base Policies
-Each of the template policies has a unique set of policy allowlist rules that will affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy will have a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility.
+Each of the template policies has a unique set of policy allowlist rules that affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy has a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility.
-
-| Template Base Policy | Description |
+| Template Base Policy | Description |
|---------------------------------|-------------------------------------------------------------------|
-| **Default Windows Mode** | Default Windows mode will authorize the following components: - Windows operating components - any binary installed by a fresh install of Windows
- Apps installed from the Microsoft Store
- Microsoft Office365 apps, OneDrive, and Microsoft Teams
- Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
|
-| **Allow Microsoft Mode** | Allow mode will authorize the following components: - Windows operating components - any binary installed by a fresh install of Windows
- Apps installed from the Microsoft Store
- Microsoft Office365 apps, OneDrive, and Microsoft Teams
- Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
- *All Microsoft-signed software*
|
-| **Signed and Reputable Mode** | Signed and Reputable mode will authorize the following components: - Windows operating components - any binary installed by a fresh install of Windows
- Apps installed from the Microsoft Store
- Microsoft Office365 apps, OneDrive, and Microsoft Teams
- Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
- All Microsoft-signed software
- *Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-windows-defender-application-control-with-intelligent-security-graph.md)*
|
+| **Default Windows Mode** | Default Windows mode authorizes the following components: - Windows operating components - any binary installed by a fresh install of Windows
- Apps installed from the Microsoft Store
- Microsoft Office365 apps, OneDrive, and Microsoft Teams
- Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
|
+| **Allow Microsoft Mode** | Allow mode authorizes the following components: - Windows operating components - any binary installed by a fresh install of Windows
- Apps installed from the Microsoft Store
- Microsoft Office365 apps, OneDrive, and Microsoft Teams
- Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
- *All Microsoft-signed software*
|
+| **Signed and Reputable Mode** | Signed and Reputable mode authorizes the following components: - Windows operating components - any binary installed by a fresh install of Windows
- Apps installed from the Microsoft Store
- Microsoft Office365 apps, OneDrive, and Microsoft Teams
- Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)
- All Microsoft-signed software
- *Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-windows-defender-application-control-with-intelligent-security-graph.md)*
|
*Italicized content denotes the changes in the current policy with respect to the policy prior.*
-More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example Windows Defender Application Control base policies article](example-wdac-base-policies.md).
+More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example Windows Defender Application Control base policies article](example-wdac-base-policies.md).
@@ -53,11 +51,11 @@ Once the base template is selected, give the policy a name and choose where to s
## Configuring Policy Rules
-Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen template from the previous page. Choose to enable or disable the desired policy rule options by pressing the slider button next to the policy rule titles. A short description of each rule will appear at the bottom of the page when the mouse hovers over the rule title.
+Upon page launch, policy rules are automatically enabled/disabled depending on the chosen template from the previous page. Choose to enable or disable the desired policy rule options by pressing the slider button next to the policy rule titles. A short description of each rule appears at the bottom of the page when the mouse hovers over the rule title.
### Policy Rules Description
-A description of each policy rule, beginning with the left-most column, is provided below. The [Policy rules article](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules) provides a full description of each policy rule.
+The following table has a description of each policy rule, beginning with the left-most column. The [Policy rules article](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules) provides a fuller description of each policy rule.
| Rule option | Description |
|------------ | ----------- |
@@ -77,33 +75,33 @@ A description of each policy rule, beginning with the left-most column, is provi
### Advanced Policy Rules Description
-Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules. A description of each policy rule is provided below.
+Selecting the **+ Advanced Options** label shows another column of policy rules, advanced policy rules. The following table provides a description of each advanced policy rule.
| Rule option | Description |
|------------ | ----------- |
-| **Boot Audit on Failure** | Used when the Windows Defender Application Control (WDAC) policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
-| **Disable Flight Signing** | If enabled, WDAC policies won't trust flightroot-signed binaries. This option would be used in the scenario in which organizations only want to run released binaries, not flight/preview-signed builds. |
-| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that's only writable by an administrator) for any FileRule that allows a file based on FilePath. |
+| **Boot Audit on Failure** | Used when the Windows Defender Application Control (WDAC) policy is in enforcement mode. When a driver fails during startup, the WDAC policy is placed in audit mode so that Windows loads. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
+| **Disable Flight Signing** | If enabled, WDAC policies block flightroot-signed binaries. This option would be used in the scenario in which organizations only want to run released binaries, not flight/preview-signed builds. |
+| **Disable Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. |
| **Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries (DLLs). |
-| **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
-| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later, or Windows 11 drivers will meet this requirement. |
+| **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option causes WDAC to periodically revalidate the reputation for files authorized by the ISG.|
+| **Require EV Signers** | This option isn't currently supported. |
> [!NOTE]
-> We recommend that you **enable Audit Mode** initially because it allows you to test new Windows Defender Application Control policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default.
+> We recommend that you **enable Audit Mode** initially because it allows you to test new Windows Defender Application Control policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default.
## Creating custom file rules
-[File rules](select-types-of-rules-to-create.md#windows-defender-application-control-file-rule-levels) in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create custom file rules for your policy. The Wizard supports four types of file rules:
+[File rules](select-types-of-rules-to-create.md#windows-defender-application-control-file-rule-levels) in an application control policy specify the level at which applications are identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting **+ Custom Rules** opens the custom file rule conditions panel to create custom file rules for your policy. The Wizard supports four types of file rules:
### Publisher Rules
-The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding Windows Defender Application Control (WDAC) rule level and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
+The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The following table shows the relationship between the slider placement, the corresponding Windows Defender Application Control (WDAC) rule level and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
| Rule Condition | WDAC Rule Level | Description |
|------------ | ----------- | ----------- |
-| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. |
+| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate is affected. |
| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example, a device driver corp, is affected. |
| **File version** | SignedVersion | This rule is a combination of PCACertificate, publisher, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. |
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
@@ -113,11 +111,11 @@ The Publisher file rule type uses properties in the code signing certificate cha
### Filepath Rules
-Filepath rules don't provide the same security guarantees that explicit signer rules do, as they're based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
+Filepath rules don't provide the same security guarantees that explicit signer rules do, as they're based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
### File Attribute Rules
-The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name parameter. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
+The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name parameter. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The following table describes each of the supported file attributes off which to create a rule.
| Rule level | Description |
|------------ | ----------- |
@@ -131,11 +129,11 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
### File Hash Rules
-Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product version's hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule can't be created using the specified file rule level.
+Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product version's hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard uses file hash as the fallback in case a file rule can't be created using the specified file rule level.
#### Deleting Signing Rules
-The policy signing rules list table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Template signing rules and custom rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. You'll be prompted for another confirmation. Select `Yes` to remove the rule from the policy and the rules table.
+The policy signing rules list table on the left of the page documents the allow and deny rules in the template, and any custom rules you create. Template signing rules and custom rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. You're then prompted for another confirmation. Select `Yes` to remove the rule from the policy and the rules table.
## Up next
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
index 53a8d5c954..a37f25ff34 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
@@ -14,7 +14,7 @@ ms.reviewer: isbrahm
ms.author: vinpa
manager: aaroncz
ms.topic: conceptual
-ms.date: 10/14/2020
+ms.date: 06/07/2023
ms.technology: itpro-security
---
@@ -29,54 +29,53 @@ ms.technology: itpro-security
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-Beginning in Windows 10 version 1903, Windows Defender Application Control (WDAC) supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When supplemental policies are being used, applications allowed by the base or its supplemental policy/policies will be allowed to execute.
+Beginning in Windows 10 version 1903, Windows Defender Application Control (WDAC) supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When supplemental policies are used, applications allowed by the base or any of its supplemental policies are allowed to run.
Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules.
## Expanding a Base Policy
-Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation.
+Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard verifies if the base policy allows supplementals and shows the following confirmation.
-If the base policy isn't configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.
+If the base policy isn't configured for supplemental policies, the Wizard attempts to convert the policy to one that can be supplemented. Once successful, the Wizard shows a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.
-Policies that can't be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md).
+Policies that can't be supplemented, for instance another supplemental policy, are detected by the Wizard and show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md).
## Configuring Policy Rules
-Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen base policy from the previous page. Most of the supplemental policy rules must be inherited from the base policy. The Wizard will automatically parse the base policy and set the required supplemental policy rules to match the base policy rules. Inherited policy rules will be grayed out and won't be modifiable in the user interface.
+Upon page launch, policy rules are automatically enabled/disabled depending on the chosen base policy from the previous page. Most of the supplemental policy rules are inherited from the base policy. The Wizard automatically parses the base policy and sets the required supplemental policy rules to match the base policy rules. Inherited policy rules are grayed out and aren't modifiable in the user interface.
-A short description of the rule will be shown at the bottom of the page when the cursor is placed on the rule title.
+A short description of the rule is shown at the bottom of the page when the cursor is placed on the rule title.
### Configurable Supplemental Policy Rules Description
-There are only three policy rules that can be configured by the supplemental policy. A description of each policy rule, beginning with the left-most column, is provided below. Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules.
-
+Supplemental policies can only configure three policy rules. The following table describes each policy rule, beginning with the left-most column. Selecting the **+ Advanced Options** label shows another column of policy rules, the advanced policy rules.
| Rule option | Description |
|------------ | ----------- |
| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Configuration Manager, that has been defined as a managed installer. |
-| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
+| **Disable Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. |
## Creating custom file rules
-File rules in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create and customize targeted file rules for your policy. The Wizard supports four types of file rules:
+File rules in an application control policy specify the level at which applications are identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting **+ Custom Rules** opens the custom file rule conditions panel to create and customize targeted file rules for your policy. The Wizard supports four types of file rules:
### Publisher Rules
-The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding Windows Defender Application Control (WDAC) rule level, and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
+The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The following table shows the relationship between the slider placement, the corresponding Windows Defender Application Control (WDAC) rule level, and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
| Rule Condition | WDAC Rule Level | Description |
|------------ | ----------- | ----------- |
-| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. |
+| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate is affected. |
| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example, a device driver publisher, is affected. |
| **File version** | SignedVersion | This rule is a combination of the PCACertificate and Publisher rule, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. |
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
@@ -86,11 +85,11 @@ The Publisher file rule type uses properties in the code signing certificate cha
### Filepath Rules
-Filepath rules don't provide the same security guarantees that explicit signer rules do, as they're based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
+Filepath rules don't provide the same security guarantees that explicit signer rules do, as they're based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
### File Attribute Rules
-The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
+The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The following table describes each of the supported file attributes off which to create a rule.
| Rule level | Description |
|------------ | ----------- |
@@ -99,17 +98,15 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
| **Product name** | Specifies the name of the product with which the binary ships. |
| **Internal name** | Specifies the internal name of the binary. |
-
### File Hash Rules
-Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule can't be created using the specified file rule level.
+Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard uses file hash as the fallback in case a file rule can't be created using the specified file rule level.
-
-#### Deleting Signing Rules
+#### Deleting Signing Rules
-The table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you'll be prompted for another confirmation. Select `Yes` to remove the rule from the policy and the rules table.
+The table on the left of the page documents the allow and deny rules in the template, and any custom rules you create. Rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. You're again prompted for another confirmation. Select `Yes` to remove the rule from the policy and the rules table.
## Up next
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
deleted file mode 100644
index b85fb0dfe8..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Account protection in the Windows Security app
-description: Use the Account protection section to manage security for your account and sign in to Microsoft.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 12/31/2018
-ms.technology: itpro-security
-ms.topic: article
----
-
-
-# Account protection
-
-**Applies to**
-
-- Windows 10 and later
-
-The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
-
-- [Microsoft Account](https://account.microsoft.com/account/faq)
-- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md)
-- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
-
-You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features.
-
-## Hide the Account protection section
-
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
-
-You can only configure these settings by using Group Policy.
-
->[!IMPORTANT]
->### Requirements
->
->You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Account protection**.
-
-6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
deleted file mode 100644
index d56e6ecd4f..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Device security in the Windows Security app
-description: Use the Device security section to manage security built into your device, including virtualization-based security.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 12/31/2018
-manager: aaroncz
-ms.technology: itpro-security
-ms.topic: article
----
-
-# Device security
-
-**Applies to**
-
-- Windows 10 and later
-
-The **Device security** section contains information and settings for built-in device security.
-
-You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
-
-## Hide the Device security section
-
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
-
-> [!IMPORTANT]
-> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
-
-4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**.
-
-5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
-
-## Disable the Clear TPM button
-If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
-
-> [!IMPORTANT]
-> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
-
-4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**.
-
-5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
-## Hide the TPM Firmware Update recommendation
-If you don't want users to see the recommendation to update TPM firmware, you can disable it.
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
-
-4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**.
-
-5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
deleted file mode 100644
index cfb558208e..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Virus and threat protection in the Windows Security app
-description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
-keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
-search.product: eADQiWindows 10XVcnh
-ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-security
-ms.date: 12/31/2017
-ms.topic: article
----
-
-# Virus and threat protection
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
-
-In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.
-
-IT administrators and IT pros can get more configuration information from these articles:
-
-- [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
-- [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
-- [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
-- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
-- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
-- [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
-
-You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
-
-
-## Hide the Virus & threat protection section
-
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
-
-This section can be hidden only by using Group Policy.
-
->[!IMPORTANT]
->### Requirements
->
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
-
-6. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
-
-## Hide the Ransomware protection area
-
-You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app.
-
-This area can be hidden only by using Group Policy.
-
->[!IMPORTANT]
->### Requirements
->
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
-
-6. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
index 65d2045cbc..cb6fa4d054 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -24,10 +24,10 @@ More information about this change can be found on the [Microsoft Security Guida
Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
-- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
-- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
-- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
-- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
+- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
+- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
+- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
+- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
**What file formats are supported by the new SCT?**
@@ -45,41 +45,31 @@ No. A potential alternative is Desired State Configuration (DSC), a feature of t
No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new toolkit likewise doesn't include SCAP support.
-
-
## Version Matrix
-**Client Versions**
+**Client Versions**:
| Name | Build | Baseline Release Date | Security Tools |
-| ---- | ----- | --------------------- | -------------- |
-| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520)
| September 2022
|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
[21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022
December 2021
December 2020
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+|--|--|--|--|
+| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520)
| September 2022
| [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
[21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update) | October 2022
December 2021
December 2020
October 2018
October 2016
January 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-
+**Server Versions**:
-**Server Versions**
+| Name | Build | Baseline Release Date | Security Tools |
+|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|---------------------------------------------------------------------|
+| Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Name | Build | Baseline Release Date | Security Tools |
-|---|---|---|---|
-|Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) |September 2021 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-|Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) |November 2018 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-|Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-|Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
+**Microsoft Products**:
-
+| Name | Details | Security Tools |
+|-------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
+| Microsoft 365 Apps for enterprise, version 2206 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Microsoft Edge, version 107 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-**Microsoft Products**
-
-
-| Name | Details | Security Tools |
-|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
-| Microsoft 365 Apps for enterprise, version 2206 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Microsoft Edge, version 107 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-
-
-
-## See also
+## Related articles
[Windows security baselines](windows-security-baselines.md)
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index bac325bbe0..66e75d737f 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -1,94 +1,85 @@
---
-title: Microsoft Security Compliance Toolkit 1.0 Guide
-description: This article describes how to use Security Compliance Toolkit 1.0 in your organization
+title: Microsoft Security Compliance Toolkit Guide
+description: This article describes how to use Security Compliance Toolkit in your organization
ms.prod: windows-client
ms.localizationpriority: medium
ms.author: vinpa
author: vinaypamnani-msft
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier3
ms.topic: conceptual
-ms.date: 02/14/2022
+ms.date: 06/07/2023
ms.reviewer: rmunck
ms.technology: itpro-security
---
-# Microsoft Security Compliance Toolkit 1.0 - How to use
+# Microsoft Security Compliance Toolkit - How to use
## What is the Security Compliance Toolkit (SCT)?
The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
The SCT enables administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
-
The Security Compliance Toolkit consists of:
-- Windows 11 security baseline
- - Windows 11, version 22H2
- - Windows 11, version 21H2
-- Windows 10 security baselines
- - Windows 10, version 22H2
- - Windows 10, version 21H2
- - Windows 10, version 20H2
- - Windows 10, version 1809
- - Windows 10, version 1607
- - Windows 10, version 1507
-
-- Windows Server security baselines
- - Windows Server 2022
- - Windows Server 2019
- - Windows Server 2016
- - Windows Server 2012 R2
-
-- Microsoft Office security baseline
- - Office 2016
- - Microsoft 365 Apps for Enterprise Version 2206
-
-- Microsoft Edge security baseline
- - Edge version 107
-
-- Tools
- - Policy Analyzer
- - Local Group Policy Object (LGPO)
- - Set Object Security
- - GPO to Policy Rules
-
+- Windows 11 security baseline
+ - Windows 11, version 22H2
+ - Windows 11, version 21H2
+- Windows 10 security baselines
+ - Windows 10, version 22H2
+ - Windows 10, version 21H2
+ - Windows 10, version 20H2
+ - Windows 10, version 1809
+ - Windows 10, version 1607
+ - Windows 10, version 1507
+- Windows Server security baselines
+ - Windows Server 2022
+ - Windows Server 2019
+ - Windows Server 2016
+ - Windows Server 2012 R2
+- Microsoft Office security baseline
+ - Office 2016
+ - Microsoft 365 Apps for Enterprise Version 2206
+- Microsoft Edge security baseline
+ - Edge version 114
+- Tools
+ - Policy Analyzer
+ - Local Group Policy Object (LGPO)
+ - Set Object Security
+ - GPO to Policy Rules
You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more information about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines).
## What is the Policy Analyzer tool?
The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
-- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
-- Highlight the differences between versions or sets of Group Policies
-- Compare GPOs against current local policy and local registry settings
-- Export results to a Microsoft Excel spreadsheet
-Policy Analyzer lets you treat a set of GPOs as a single unit. This treatment makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
+- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
+- Highlight the differences between versions or sets of Group Policies
+- Compare GPOs against current local policy and local registry settings
+- Export results to a Microsoft Excel spreadsheet
+
+Policy Analyzer lets you treat a set of GPOs as a single unit. This treatment makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Local Group Policy Object (LGPO) tool?
-LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy.
-Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems.
-LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted "LGPO text" files.
-It can export local policy to a GPO backup.
-It can export the contents of a Registry Policy file to the "LGPO text" format that can then be edited, and can build a Registry Policy file from an LGPO text file.
+`LGPO.exe` is a command-line utility that is designed to help automate management of Local Group Policy. Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. `LGPO.exe` can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted "LGPO text" files. It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the "LGPO text" format that can then be edited, and can build a Registry Policy file from an LGPO text file.
Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Set Object Security tool?
-SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value.
+`SetObjectSecurity.exe` enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg file compatible representation of the security descriptor for a REG_BINARY registry value.
Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the GPO to Policy Rules tool?
-Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download.
+Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download.
Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index b4829615f9..ea73545214 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
ms.author: vinpa
author: vinaypamnani-msft
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier3
ms.topic: conceptual
@@ -70,12 +70,7 @@ There are several ways to get and use security baselines:
3. MDM security baselines can easily be configured in Microsoft Intune on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
-## Community
-
-[](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)
-
-
-## See also
+## Related articles
- [Microsoft Security Baselines Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)
- [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319)
diff --git a/windows/security/TOC.yml b/windows/security/toc.yml
similarity index 100%
rename from windows/security/TOC.yml
rename to windows/security/toc.yml
diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md
index 64a4233745..83f888b82d 100644
--- a/windows/security/zero-trust-windows-device-health.md
+++ b/windows/security/zero-trust-windows-device-health.md
@@ -1,7 +1,7 @@
---
title: Zero Trust and Windows device health
description: Describes the process of Windows device health attestation
-ms.reviewer:
+ms.reviewer:
ms.topic: article
manager: aaroncz
ms.author: paoloma
@@ -13,6 +13,7 @@ ms.date: 12/31/2017
---
# Zero Trust and Windows device health
+
Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they're located. Implementing a Zero Trust model for security helps address today's complex environments.
The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
@@ -23,15 +24,16 @@ The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) princip
- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses.
-The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
+The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
-[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources.
+[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources.
Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they're in the office, at home, or when they're traveling.
Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process haven't been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources.
## Device health attestation on Windows
+
Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device's health. Remote attestation determines:
- If the device can be trusted
@@ -40,7 +42,7 @@ Attestation helps verify the identity and status of essential components and tha
These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device hasn't been tampered with.
-Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
+Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](operating-system-security/system-security/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 073c3bf2f2..75692f13ab 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11.
-ms.date: 12/05/2022
+ms.date: 06/08/2023
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@@ -36,6 +36,7 @@ The features in this article are no longer being actively developed, and might b
|Feature | Details and mitigation | Deprecation announced |
| ----------- | --------------------- | ---- |
+| Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**. Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
| Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|