From 75809ac5aab94a007e9185a63db2601cfecbc7de Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Thu, 11 Feb 2021 17:57:04 +0530
Subject: [PATCH 01/97] typo correction : make to manufacturer
as per user report #9103 , so i changed **Make** to **Manufacturer**
---
.../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 5c8972471b..17c923be2d 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -339,7 +339,7 @@ On **MDT01**:
1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
1. Name: Set DriverGroup001
2. Task Sequence Variable: DriverGroup001
- 3. Value: Windows 10 x64\\%Make%\\%Model%
+ 3. Value: Windows 10 x64\\%Manufacturer%\\%Model%
2. Configure the **Inject Drivers** action with the following settings:
1. Choose a selection profile: Nothing
2. Install all drivers from the selection profile
From e7fce2daf65480282bb7adea84fb892ccb35093b Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Tue, 9 Mar 2021 23:43:16 +0530
Subject: [PATCH 02/97] Update
windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
accepted
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 901e211995..aec9e43f39 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -372,7 +372,6 @@ On **MDT01**:
1. Name: Set DriverGroup001
2. Task Sequence Variable: DriverGroup001
3. Value: Windows 10 x64\\%Manufacturer%\\%Model%
-
2. Configure the **Inject Drivers** action with the following settings:
- Choose a selection profile: Nothing
- Install all drivers from the selection profile
From 14a27c2044882159fd35327751247ac9c156330c Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Tue, 9 Mar 2021 23:55:11 +0530
Subject: [PATCH 03/97] Update
windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
accepted
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index aec9e43f39..05f4eb980c 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -372,6 +372,7 @@ On **MDT01**:
1. Name: Set DriverGroup001
2. Task Sequence Variable: DriverGroup001
3. Value: Windows 10 x64\\%Manufacturer%\\%Model%
+
2. Configure the **Inject Drivers** action with the following settings:
- Choose a selection profile: Nothing
- Install all drivers from the selection profile
From c3662db20df84dde7f7b89434c6161c10d7d1378 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Mon, 12 Apr 2021 22:01:26 +0500
Subject: [PATCH 04/97] Update deploy-a-windows-10-image-using-mdt.md
---
.../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index ebe98a9061..02c7c46f5e 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -50,7 +50,7 @@ On **DC01**:
2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**:
```powershell
- New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
+ New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD@contoso.com -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
```
3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt:
@@ -842,4 +842,4 @@ The partitions when deploying an UEFI-based machine.
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file
+[Configure MDT settings](configure-mdt-settings.md)
From aa2b2bb21c6282298361130c8960ea6c283a9099 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 3 May 2021 14:31:48 -0700
Subject: [PATCH 05/97] Creating Test TOC
This is a test to see how the landing page will look without having changed the original landing page.
---
.../TOC2.yml | 113 ++++++++++++++++++
1 file changed, 113 insertions(+)
create mode 100644 windows/security/threat-protection/windows-defender-application-control/TOC2.yml
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
new file mode 100644
index 0000000000..cbd308449b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
@@ -0,0 +1,113 @@
+
+### WDAC:Landing
+title: Application Control for Windows
+metadata:
+ title: Application Control for Windows
+ description: Landing page for Windows Defender Application Control
+# services: service
+# ms.service: microsoft-WDAC-AppLocker
+# ms.subservice: Application-Control
+# ms.topic: landing-page
+# author: Kim Klein
+# ms.author: Jordan Geurten
+# manager: Jeffrey Sutherland
+# ms.update: 04/30/2021
+# linkListType: overview | how-to-guide | tutorial | video
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card
+ - title: Learn about Application Control
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: What is WDAC (WDAC Overview)?
+ url: wdac-and-applocker-overview.md
+ - text: What is AppLocker?
+ url: applocker\applocker-overview.md
+ - text: WDAC and AppLocker feature availability
+ url: feature-availability.md
+ # Card
+ - title: Learn about the Design Guide
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Using code signing to simplify application control
+ url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+ - text: Merging Policies
+ url: wdac-wizard-merging-policies.md
+ - text: Recommended blocks
+ url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link?
+ - text: Example policies
+ url: example-wdac-base-policies.md
+ - text: LOB Win32 apps on S Mode
+ url: LOB-win32-apps-on-s.md
+ - linkListType: how-to-guide
+ links:
+ - text: Create a WDAC policy for a lightly managed device
+ url: cardreate-wdac-policy-for-lightly-managed-devices.md
+ - text: Create a WDAC policy for a fully managed device
+ url: create-wdac-policy-for-fully-managed-devices.md
+ - text: Create a WDAC policy for a fixed-workload
+ url: create-initial-default-policy.md
+ - text: Using catalog files
+ url: deploy-catalog-files-to-support-windows-defender-application-control.md
+ - text: WDAC Wizard tool
+ url: wdac-wizard.md
+ - linkListType: Tutorial (videos)
+ links:
+ - text: Using the WDAC Wizard
+ url: video md
+ - text: Specifying custom values
+ url: video md
+ # Card
+ - title: Learn about Policy Configuration
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Understanding policy rules
+ url:
+ - text: Understanding File rules
+ url:
+ - linkListType: how-to-guide (written)
+ links:
+ - text: Allow managed installer and configure managed installer rules
+ url: use-windows-defender-application-control-with-managed-installer.md
+ - text: Allow reputable apps with ISG
+ url: use-windows-defender-application-control-with-intelligent-security-graph.md
+ # Card
+ - title: Learn how to deploy WDAC Policies
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Signed policies
+ url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+ - text: Audit and enforce policies
+ url: audit-windows-defender-application-control-policies.md #(merge with enforce-windows-defender-application-control-policies.md)
+ - text: Disabling WDAC policies
+ url: disable-windows-defender-application-control-policies.md
+ - linkListType: tutorial
+ links:
+ - text: Deployment with MDM
+ url: deploy-windows-defender-application-control-policies-using-intune.md
+ - text: Deployment with MEMCM
+ url: deployment/deploy-wdac-policies-with-memcm.md
+ - text: Deployment with script and refresh policy
+ url: deployment/deploy-wdac-policies-with-script.md
+ # Card
+ - title: Learn how to monitor and reiterate WDAC Policies (operational)
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Event logs (tags, IDs)
+ url: event-id-explanations.md #(merge with event-tag-explanations.md)
+ - text: Advanced hunting
+ url: querying-application-control-events-centrally-using-advanced-hunting.md #same as below
+ - linkListType: how-to-guide
+ links:
+ - text: Querying using advanced hunting
+ url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above
+ - linkListType: tutorial
+ links:
+ - text: Creating a policy from event logs
+ url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above
\ No newline at end of file
From 722f7ee58d424e1ab7068d71d9d1bca4b93a9a8a Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Wed, 5 May 2021 16:27:20 -0700
Subject: [PATCH 06/97] Update TOC2.yml
Made a small update.
---
.../windows-defender-application-control/TOC2.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
index cbd308449b..e8a04d9f6b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
@@ -27,7 +27,7 @@ landingContent:
url: applocker\applocker-overview.md
- text: WDAC and AppLocker feature availability
url: feature-availability.md
- # Card
+ # Card
- title: Learn about the Design Guide
linkLists:
- linkListType: overview
@@ -37,7 +37,7 @@ landingContent:
- text: Merging Policies
url: wdac-wizard-merging-policies.md
- text: Recommended blocks
- url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link?
+ url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link? Add both, actually.
- text: Example policies
url: example-wdac-base-policies.md
- text: LOB Win32 apps on S Mode
From 1afb27049feb753e6f137b00a05964f9ec70caa8 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Fri, 7 May 2021 11:48:38 -0700
Subject: [PATCH 07/97] Created new page for Audit and Enforce WDAC
Merged Audit Events and Enforce WDAC policy pages, as well as updated the TOC2.
---
.../TOC2.yml | 12 +-
...s-defender-application-control-policies.md | 163 ++++++++++++++++++
2 files changed, 169 insertions(+), 6 deletions(-)
create mode 100644 windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
index e8a04d9f6b..6643f8980b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
@@ -37,7 +37,9 @@ landingContent:
- text: Merging Policies
url: wdac-wizard-merging-policies.md
- text: Recommended blocks
- url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link? Add both, actually.
+ url: microsoft-recommended-block-rules.md
+ - text: Recommended driver blocks
+ url: microsoft-recommended-driver-block-rules.md
- text: Example policies
url: example-wdac-base-policies.md
- text: LOB Win32 apps on S Mode
@@ -83,7 +85,7 @@ landingContent:
- text: Signed policies
url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
- text: Audit and enforce policies
- url: audit-windows-defender-application-control-policies.md #(merge with enforce-windows-defender-application-control-policies.md)
+ url: audit-and-enforce-windows-defender-application-control-policies.md
- text: Disabling WDAC policies
url: disable-windows-defender-application-control-policies.md
- linkListType: tutorial
@@ -101,13 +103,11 @@ landingContent:
links:
- text: Event logs (tags, IDs)
url: event-id-explanations.md #(merge with event-tag-explanations.md)
- - text: Advanced hunting
- url: querying-application-control-events-centrally-using-advanced-hunting.md #same as below
- linkListType: how-to-guide
links:
- text: Querying using advanced hunting
url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above
- linkListType: tutorial
links:
- - text: Creating a policy from event logs
- url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above
\ No newline at end of file
+ - text: Creating a policy from event logs (video)
+ url: querying-application-control-events-centrally-using-advanced-hunting.md #Jordan will create a video for this
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
new file mode 100644
index 0000000000..c10855446f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
@@ -0,0 +1,163 @@
+---
+title: Use audit events to create then enforce WDAC policy rules (Windows 10)
+description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: jogeurte
+ms.reviewer: v-kikl
+ms.author: dansimp
+manager: dansimp
+ms.date: 05/03/2021
+ms.technology: mde
+---
+
+# Use audit events to create WDAC policy rules
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
+
+Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
+
+While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed.
+
+## Overview of the process to create WDAC policy to allow apps using audit events
+
+> [!Note]
+> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md).
+
+To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy.
+
+1. Install and run an application not allowed by the WDAC policy but that you want to allow.
+
+2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).
+
+ **Figure 1. Exceptions to the deployed WDAC policy**
+ 
+
+3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
+
+ ```powershell
+ $PolicyName= "Lamna_FullyManagedClients_Audit"
+ $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
+ $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml"
+ $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt"
+ ```
+
+4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**.
+
+ ```powershell
+ New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
+ ```
+
+ > [!NOTE]
+ > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md).
+
+5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)).
+
+6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level.
+
+ > [!NOTE]
+ > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**.
+
+7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy.
+
+ For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md).
+
+8. Convert the Base or Supplemental policy to binary and deploy using your preferred method.
+
+
+
+## Convert WDAC **base** policy from audit to enforced
+
+As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+
+**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout.
+
+Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode.
+
+1. Initialize the variables that will be used and create the enforced policy by copying the audit version.
+
+ ```powershell
+ $EnforcedPolicyName = "Lamna_FullyManagedClients_Enforced"
+ $AuditPolicyXML = $env:USERPROFILE+"\Desktop\Lamna_FullyManagedClients_Audit.xml"
+ $EnforcedPolicyXML = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+".xml"
+ cp $AuditPolicyXML $EnforcedPolicyXML
+ ```
+
+2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step.
+
+ ```powershell
+ $EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID
+ $EnforcedPolicyID = $EnforcedPolicyID.Substring(11)
+ ```
+
+ > [!NOTE]
+ > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
+
+3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment.
+
+ ```powershell
+ Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9
+ Set-RuleOption -FilePath $EnforcedPolicyXML -Option 10
+ ```
+
+4. Use Set-RuleOption to delete the audit mode rule option, which changes the policy to enforcement:
+
+ ```powershell
+ Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete
+ ```
+
+5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary:
+
+ > [!NOTE]
+ > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML.
+
+ ```powershell
+ $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml"
+ ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary
+ ```
+
+## Make copies of any needed **supplemental** policies to use with the enforced base policy
+
+Since the enforced policy was given a unique PolicyID in the previous procedure, you need to duplicate any needed supplemental policies to use with the enforced policy. Supplemental policies always inherit the Audit or Enforcement mode from the base policy they modify. If you didn't reset the enforcement base policy's PolicyID, you can skip this procedure.
+
+1. Initialize the variables that will be used and create a copy of the current supplemental policy. Some variables and files from the previous procedure will also be used.
+
+ ```powershell
+ $SupplementalPolicyName = "Lamna_Supplemental1"
+ $CurrentSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Audit.xml"
+ $EnforcedSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Enforced.xml"
+ ```
+
+2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new supplemental policy a unique ID and descriptive name, and change which base policy to supplement.
+
+ ```powershell
+ $SupplementalPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy -PolicyName $SupplementalPolicyName -SupplementsBasePolicyID $EnforcedPolicyID -BasePolicyToSupplementPath $EnforcedPolicyXML -ResetPolicyID
+ $SupplementalPolicyID = $SupplementalPolicyID.Substring(11)
+ ```
+
+ > [!NOTE]
+ > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
+
+3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC supplemental policy to binary:
+
+ ```powershell
+ $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml"
+ ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary
+ ```
+4. Repeat the steps above if you have other supplemental policies to update.
+
+## Deploy your enforced policy and supplemental policies
+
+Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md).
+
From 5fa1ea84d48db26ba375704f49a5763c6c706995 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Tue, 11 May 2021 09:47:30 -0700
Subject: [PATCH 08/97] Event ID and Tags explanation
Merged event IDs and tag explanations into one file. Updated TOC with new link.
---
.../TOC2.yml | 2 +-
.../event-id-and-tag-explanations.md | 153 ++++++++++++++++++
2 files changed, 154 insertions(+), 1 deletion(-)
create mode 100644 windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
index 6643f8980b..3db9e8ccd7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
@@ -102,7 +102,7 @@ landingContent:
- linkListType: overview
links:
- text: Event logs (tags, IDs)
- url: event-id-explanations.md #(merge with event-tag-explanations.md)
+ url: event-id-and-tag-explanations.md
- linkListType: how-to-guide
links:
- text: Querying using advanced hunting
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md
new file mode 100644
index 0000000000..81c7794f17
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md
@@ -0,0 +1,153 @@
+---
+title: Understanding Application Control event IDs and tags (Windows 10)
+description: Learn what different Windows Defender Application Control event IDs and tags signify.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: jogeurte
+ms.reviewer: v-kikl
+ms.author: dansimp
+manager: dansimp
+ms.date: 5/7/2021
+ms.technology: mde
+---
+
+# Understanding Application Control event IDs and tags
+
+A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events include a number of fields, which provide helpful troubleshooting information to figure out exactly what an event means.
+
+These events are generated under two locations:
+
+ - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
+
+ - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+
+## Microsoft Windows CodeIntegrity Operational log event IDs
+
+| Event ID | Explanation |
+|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 3076 | Audit executable/dll file |
+| 3077 | Block executable/dll file |
+| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
+| 3099 | Indicates that a policy has been loaded |
+
+## Microsoft Windows Applocker MSI and Script log event IDs
+
+| Event ID | Explanation |
+|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. |
+| 8029 | Block script/MSI file |
+| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | |
+
+## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
+
+If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
+
+| Event ID | Explanation |
+|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 3090 | Allow executable/dll file |
+| 3091 | Audit executable/dll file |
+| 3092 | Block executable/dll file |
+
+3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated.
+
+### SmartLocker template
+
+Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates.
+
+| Name | Explanation |
+|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
+| ManagedInstallerEnabled | Policy trusts a MI |
+| PassesManagedInstaller | File originated from a trusted MI |
+| SmartlockerEnabled | Policy trusts the ISG |
+| PassesSmartlocker | File had positive reputation |
+| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode |
+
+### Enabling ISG and MI diagnostic events
+
+In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command:
+
+```powershell
+reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100
+```
+
+In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command:
+
+```powershell
+reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
+```
+
+
+
+## Event Tags
+
+Below, we have documented the values and meanings for a few useful event tags.
+
+## SignatureType
+
+Represents the type of signature which verified the image.
+
+| SignatureType Value | Explanation |
+|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0 | Unsigned or verification has not been attempted |
+| 1 | Embedded signature |
+| 2 | Cached signature; presence of CI EA shows that file had been previously verified |
+| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly |
+| 5 | Successfully verified using an EA that informs CI which catalog to try first |
+|6 | AppX / MSIX package catalog verified |
+| 7 | File was verified |
+
+## ValidatedSigningLevel
+
+Represents the signature level at which the code was verified.
+
+| ValidatedSigningLevel Value | Explanation |
+|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0 | Signing level has not yet been checked |
+| 1 | File is unsigned |
+| 2 | Trusted by WDAC policy |
+| 3 | Developer signed code |
+| 4 | Authenticode signed |
+| 5 | Microsoft Store signed app PPL (Protected Process Light) |
+| 6 | Microsoft Store-signed |
+| 7 | Signed by an Antimalware vendor whose product is using AMPPL |
+| 8 | Microsoft signed |
+| 11 | Only used for signing of the .NET NGEN compiler |
+| 12 | Windows signed |
+| 14 | Windows Trusted Computing Base signed |
+
+## VerificationError
+
+Represents why verification failed, or if it succeeded.
+
+| VerificationError Value | Explanation |
+|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0 | Successfully verified signature |
+| 2 | File contains shared writable sections |
+| 4 | Revoked signature |
+| 5 | Expired signature |
+| 7 | Invalid root certificate |
+| 8 | Signature was unable to be validated; generic error |
+| 9 | Signing time not trusted |
+| 12 | Not valid for a PPL (Protected Process Light) |
+| 13 | Not valid for a PP (Protected Process) |
+| 15 | Failed WHQL check |
+| 16 | Default policy signing level not met |
+| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs |
+| 18 | Custom signing level not met; returned if signature fails to match CISigners in UMCI |
+| 19 | Binary is revoked by file hash |
+| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy |
+| 21 | Failed to pass WDAC policy |
+| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet |
+| 23 | Invalid image hash |
+| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS |
+| 26 | Explicitly denied by WADC policy |
+| 28 | Resource page hash mismatch |
From b5117aba312c9bedb7d7ea142f6d6abd6cb252d4 Mon Sep 17 00:00:00 2001
From: Denis Gundarev
Date: Thu, 13 May 2021 15:22:03 -0700
Subject: [PATCH 09/97] updated reference to IDD documentation
---
windows/deployment/planning/windows-10-deprecated-features.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 9bb45ca3af..d3cf97f165 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -33,7 +33,7 @@ The features described below are no longer being actively developed, and might b
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
-| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 |
+| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
| Windows To Go | Windows To Go is no longer being developed.
The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 |
@@ -67,4 +67,4 @@ The features described below are no longer being actively developed, and might b
|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
-|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.|
\ No newline at end of file
+|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.|
From ecf67c7cab2e9f64e737f616419f6d2ec482b8ab Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 14 May 2021 19:16:52 +0530
Subject: [PATCH 10/97] removed link
as per user report #9518, so i removed security boundary link
---
.../applocker/applocker-overview.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index b7dcbcddd8..427198ae92 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -83,7 +83,7 @@ The following are examples of scenarios in which AppLocker can be used:
- In addition to other measures, you need to control the access to sensitive data through app usage.
> [!NOTE]
-> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
+> AppLocker is a defense-in-depth security feature and not a security boundary.[Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
From d2ac95dd42b02c1051e2fe8e938afc1675a10bb3 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Sat, 15 May 2021 12:54:39 +0530
Subject: [PATCH 11/97] Update
windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
accepted
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../applocker/applocker-overview.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index 427198ae92..0a97c8aeb0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -83,7 +83,7 @@ The following are examples of scenarios in which AppLocker can be used:
- In addition to other measures, you need to control the access to sensitive data through app usage.
> [!NOTE]
-> AppLocker is a defense-in-depth security feature and not a security boundary.[Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
+> AppLocker is a defense-in-depth security feature and not a security boundary. [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
@@ -143,4 +143,3 @@ For reference in your security planning, the following table identifies the base
| [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
| [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. |
-
From 3686a52369a093a6146e752564bfaa3ff5d5b6be Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Mon, 17 May 2021 10:15:43 +0300
Subject: [PATCH 12/97] Add info about UPN matching Azure AD domain name
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9386
---
.../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index d867b494ec..298d1d7986 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -74,6 +74,9 @@ The two directories used in hybrid deployments must be synchronized. You need A
Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema).
+> [!NOTE]
+> User accounts enrolling for Windows Hello for Business in Hybrid Certificate Trust scenario must have UPN matching a verified domain name in Azure AD. More details [here](https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues).
+
> [!NOTE]
> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory.
@@ -152,4 +155,4 @@ If your environment is already federated and supports Azure device registration,
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
\ No newline at end of file
+6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
From 344f5bb97ccd5ddc8e2c13fab30d4bacf8e7a2d2 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Mon, 17 May 2021 10:00:09 -0700
Subject: [PATCH 13/97] Update
windows/deployment/planning/windows-10-deprecated-features.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
windows/deployment/planning/windows-10-deprecated-features.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index d3cf97f165..492f0d70e7 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -33,7 +33,7 @@ The features described below are no longer being actively developed, and might b
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
-| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
+| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
| Windows To Go | Windows To Go is no longer being developed.
The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 |
From c04791063c19a5a607c355d9c9b38f4218006af0 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 17 May 2021 17:56:14 -0700
Subject: [PATCH 14/97] Updated existing pages and merged others
1. Added missing event tags from event-tag-explanations.
2. Corrected MD errors in event-tags and event-id files.
3. Added missing event tag to combined event-id-and-tag file and ensured there are no MD errors.
4. Edited WDAC and AppLocker overview file for grammar.
5. Combined audit WDAC policies file with enforce WDAC policies file.
6. Updated TOC2, which will replace the main TOC.
---
.../TOC2.yml | 4 ++--
...s-defender-application-control-policies.md | 6 ++---
.../event-id-and-tag-explanations.md | 23 +++++++++++-------
.../event-id-explanations.md | 12 +++++-----
.../event-tag-explanations.md | 13 ++++++++--
.../wdac-and-applocker-overview.md | 24 +++++++++----------
6 files changed, 48 insertions(+), 34 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
index 3db9e8ccd7..474b426029 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
@@ -106,8 +106,8 @@ landingContent:
- linkListType: how-to-guide
links:
- text: Querying using advanced hunting
- url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above
+ url: querying-application-control-events-centrally-using-advanced-hunting.md
- linkListType: tutorial
links:
- text: Creating a policy from event logs (video)
- url: querying-application-control-events-centrally-using-advanced-hunting.md #Jordan will create a video for this
\ No newline at end of file
+ url: #Jordan will create a video for this
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
index c10855446f..31f6314425 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
@@ -19,7 +19,7 @@ ms.date: 05/03/2021
ms.technology: mde
---
-# Use audit events to create WDAC policy rules
+## Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced
**Applies to:**
@@ -75,8 +75,6 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
8. Convert the Base or Supplemental policy to binary and deploy using your preferred method.
-
-
## Convert WDAC **base** policy from audit to enforced
As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
@@ -155,9 +153,9 @@ Since the enforced policy was given a unique PolicyID in the previous procedure,
$EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml"
ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary
```
+
4. Repeat the steps above if you have other supplemental policies to update.
## Deploy your enforced policy and supplemental policies
Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md).
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md
index 81c7794f17..9b21c840e5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md
@@ -19,15 +19,15 @@ ms.date: 5/7/2021
ms.technology: mde
---
-# Understanding Application Control event IDs and tags
+## Understanding Application Control event IDs and tags
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events include a number of fields, which provide helpful troubleshooting information to figure out exactly what an event means.
These events are generated under two locations:
- - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
+- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational
- - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script
## Microsoft Windows CodeIntegrity Operational log event IDs
@@ -35,7 +35,7 @@ These events are generated under two locations:
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 3076 | Audit executable/dll file |
| 3077 | Block executable/dll file |
-| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
+| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
| 3099 | Indicates that a policy has been loaded |
## Microsoft Windows Applocker MSI and Script log event IDs
@@ -48,7 +48,7 @@ These events are generated under two locations:
## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
-If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
+If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
| Event ID | Explanation |
|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -84,9 +84,7 @@ In order to enable 3090 allow events as well as 3091 and 3092 events, you must i
```powershell
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
```
-
-
-
+
## Event Tags
Below, we have documented the values and meanings for a few useful event tags.
@@ -100,6 +98,7 @@ Represents the type of signature which verified the image.
| 0 | Unsigned or verification has not been attempted |
| 1 | Embedded signature |
| 2 | Cached signature; presence of CI EA shows that file had been previously verified |
+| 3 | Cached catalog verified via Catalog Database or searching catalog directly |
| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly |
| 5 | Successfully verified using an EA that informs CI which catalog to try first |
|6 | AppX / MSIX package catalog verified |
@@ -131,14 +130,20 @@ Represents why verification failed, or if it succeeded.
| VerificationError Value | Explanation |
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | Successfully verified signature |
+| 1 | File has an invalid hash |
| 2 | File contains shared writable sections |
+| 3 | File is not signed|
| 4 | Revoked signature |
| 5 | Expired signature |
+| 6 | File is signed using a weak hashing algorithm which does not meet the minimum policy |
| 7 | Invalid root certificate |
| 8 | Signature was unable to be validated; generic error |
| 9 | Signing time not trusted |
+| 10 | The file must be signed using page hashes for this scenario |
+| 11 | Page hash mismatch |
| 12 | Not valid for a PPL (Protected Process Light) |
| 13 | Not valid for a PP (Protected Process) |
+| 14 | The signature is missing the required ARM EKU |
| 15 | Failed WHQL check |
| 16 | Default policy signing level not met |
| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs |
@@ -149,5 +154,7 @@ Represents why verification failed, or if it succeeded.
| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet |
| 23 | Invalid image hash |
| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS |
+| 25 | Anti-cheat policy violation |
| 26 | Explicitly denied by WADC policy |
+| 27 | The signing chain appears to be tampered/invalid |
| 28 | Resource page hash mismatch |
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index b464707f61..8aab0d3c1b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -18,13 +18,13 @@ ms.date: 3/17/2020
ms.technology: mde
---
-# Understanding Application Control events
+## Understanding Application Control events
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
- - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
+- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational
- - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script
## Microsoft Windows CodeIntegrity Operational log event IDs
@@ -32,7 +32,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 3076 | Audit executable/dll file |
| 3077 | Block executable/dll file |
-| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
+| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
| 3099 | Indicates that a policy has been loaded |
## Microsoft Windows Applocker MSI and Script log event IDs
@@ -45,7 +45,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
-If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
+If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
| Event ID | Explanation |
|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -75,7 +75,7 @@ In order to enable 3091 audit events and 3092 block events, you must create a Te
```powershell
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100
```
-
+
In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command:
```powershell
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
index 6ee1d70486..e4a1e510ea 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
@@ -18,7 +18,7 @@ ms.date: 8/27/2020
ms.technology: mde
---
-# Understanding Application Control event tags
+## Understanding Application Control event tags
Windows Defender Application Control (WDAC) events include a number of fields which provide helpful troubleshooting information to figure out exactly what an event means. Below, we have documented the values and meanings for a few useful event tags.
@@ -31,9 +31,10 @@ Represents the type of signature which verified the image.
| 0 | Unsigned or verification has not been attempted |
| 1 | Embedded signature |
| 2 | Cached signature; presence of CI EA shows that file had been previously verified |
+| 3 | Cached catalog verified via Catalog Database or searching catalog directly |
| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly |
| 5 | Successfully verified using an EA that informs CI which catalog to try first |
-|6 | AppX / MSIX package catalog verified |
+| 6 | AppX / MSIX package catalog verified |
| 7 | File was verified |
## ValidatedSigningLevel
@@ -62,14 +63,20 @@ Represents why verification failed, or if it succeeded.
| VerificationError Value | Explanation |
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | Successfully verified signature |
+| 1 | File has an invalid hash |
| 2 | File contains shared writable sections |
+| 3 | File is not signed|
| 4 | Revoked signature |
| 5 | Expired signature |
+| 6 | File is signed using a weak hashing algorithm which does not meet the minimum policy |
| 7 | Invalid root certificate |
| 8 | Signature was unable to be validated; generic error |
| 9 | Signing time not trusted |
+| 10 | The file must be signed using page hashes for this scenario |
+| 11 | Page hash mismatch |
| 12 | Not valid for a PPL (Protected Process Light) |
| 13 | Not valid for a PP (Protected Process) |
+| 14 | The signature is missing the required ARM EKU |
| 15 | Failed WHQL check |
| 16 | Default policy signing level not met |
| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs |
@@ -80,5 +87,7 @@ Represents why verification failed, or if it succeeded.
| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet |
| 23 | Invalid image hash |
| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS |
+| 25 | Anti-cheat policy violation |
| 26 | Explicitly denied by WADC policy |
+| 27 | The signing chain appears to be tampered/invalid |
| 28 | Resource page hash mismatch |
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index 03f0eb6f0d..0897007f32 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -19,18 +19,18 @@ ms.custom: asr
ms.technology: mde
---
-# Windows Defender Application Control and AppLocker Overview
+## Windows Defender Application Control and AppLocker Overview
**Applies to:**
- Windows 10
- Windows Server 2016 and above
-Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker.
+Windows 10 includes two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker.
## Windows Defender Application Control
-WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
+WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC).
WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
@@ -41,21 +41,21 @@ WDAC policies apply to the managed computer as a whole and affects all users of
- The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
- The process that launched the app or binary
-Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features which comprised the now-defunct term 'Device Guard'.
+Note that prior to Windows 10 version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features that comprised the now-defunct term "Device Guard."
### WDAC System Requirements
-WDAC policies can be created on any client edition of Windows 10 build 1903+ or on Windows Server 2016 and above.
+WDAC policies can be created on any client edition of Windows 10 build 1903+, or on Windows Server 2016 and above.
-WDAC policies can be applied to devices running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10.
+WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, e.g. Intune; a management interface, e.g. Configuration Manager; or a script host, e.g. PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10.
-For more information on which individual WDAC features are available on which WDAC builds, see [WDAC feature availability](feature-availability.md).
+For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md).
## AppLocker
-AppLocker was introduced with Windows 7 and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end users from running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature.
+AppLocker was introduced with Windows 7, and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end-users from running unapproved software on their computers but does not meet the servicing criteria for being a security feature.
-AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
+AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
@@ -68,13 +68,13 @@ AppLocker policies can be deployed using Group Policy or MDM.
## Choose when to use WDAC or AppLocker
-Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements.
+Generally, it is recommended that customers, who are able to implement application control using WDAC rather than AppLocker, do so. WDAC is undergoing continual improvements, and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements.
-In some cases, however, AppLocker may be the more appropriate technology for your organization. AppLocker is best when:
+However, in some cases, AppLocker may be the more appropriate technology for your organization. AppLocker is best when:
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
- You need to apply different policies for different users or groups on shared computers.
- You do not want to enforce application control on application files such as DLLs or drivers.
-AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where it is important to prevent some users from running specific apps.
+AppLocker can also be deployed as a complement to WDAC to add user or group-specific rules for shared device scenarios, where it is important to prevent some users from running specific apps.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.
From 06e5b4213d600ad1af6bf167737003e6ad30e557 Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Tue, 18 May 2021 09:23:53 +0300
Subject: [PATCH 15/97] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 298d1d7986..28ff8d49c6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -75,7 +75,7 @@ The two directories used in hybrid deployments must be synchronized. You need A
Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema).
> [!NOTE]
-> User accounts enrolling for Windows Hello for Business in Hybrid Certificate Trust scenario must have UPN matching a verified domain name in Azure AD. More details [here](https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues).
+> User accounts enrolling for Windows Hello for Business in a Hybrid Certificate Trust scenario must have a UPN matching a verified domain name in Azure AD. For more details, see [Troubleshoot Post-Join issues](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues).
> [!NOTE]
> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory.
From 878d041fad0a101b7a29a7470d2e752ec06c76f8 Mon Sep 17 00:00:00 2001
From: "jogeurte@microsoft.com"
Date: Tue, 18 May 2021 15:23:52 -0700
Subject: [PATCH 16/97] updated guidance for signed policy deployment in the
script md file. #9495
---
.../deployment/deploy-wdac-policies-with-script.md | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
index 3aed014401..a0308dfadc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@@ -52,6 +52,20 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
& $RefreshPolicyTool
```
+### Deploying signed policies
+
+In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](deploy-windows-defender-application-control-policies-using-intune.md) or the [Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP) will handle this step automatically.
+
+1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt:
+```powershell
+mountvol J: /S
+J:
+mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active
+```
+
+2. Copy the signed policy binary as `{PolicyGUID}.cip` to J:\EFI\Microsoft\Boot\CiPolicies\Active
+3. Reboot the system.
+
## Script-based deployment process for Windows 10 versions earlier than 1903
1. Initialize the variables to be used by the script.
From 8d499af45ea8eaac46d881b2511d7eef6c9fc775 Mon Sep 17 00:00:00 2001
From: "jogeurte@microsoft.com"
Date: Tue, 18 May 2021 15:37:48 -0700
Subject: [PATCH 17/97] Updated the enforcement doc which has the binary in xml
Additionally, removed a note which is directly under the instructions on how to get the PolicyID.
---
.../enforce-windows-defender-application-control-policies.md | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
index 784baf06c2..6c3b04eb5a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
@@ -52,8 +52,6 @@ Alice previously created and deployed a policy for the organization's [fully man
$EnforcedPolicyID = $EnforcedPolicyID.Substring(11)
```
- > [!NOTE]
- > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment.
@@ -74,7 +72,7 @@ Alice previously created and deployed a policy for the organization's [fully man
> If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML.
```powershell
- $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml"
+ $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyID+".cip"
ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary
```
From 5e1be4d679c6dc264b91e186d0a62361400eced1 Mon Sep 17 00:00:00 2001
From: "jogeurte@microsoft.com"
Date: Tue, 18 May 2021 16:02:45 -0700
Subject: [PATCH 18/97] Updated steps for a signed wdac policy and noted the
nuance for uefi lock
---
...r-application-control-against-tampering.md | 46 +++++++++++++------
1 file changed, 31 insertions(+), 15 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index a654d57870..be2010c6e5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -37,7 +37,7 @@ Before signing WDAC policies for the first time, be sure to enable rule options
To sign a WDAC policy with SignTool.exe, you need the following components:
-- SignTool.exe, found in the Windows SDK (Windows 7 or later)
+- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk/) (Windows 7 or later)
- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you have created
@@ -47,26 +47,29 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
1. Initialize the variables that will be used:
- `$CIPolicyPath=$env:userprofile+"\Desktop\"`
-
- `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
-
- `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
+ ```powershell
+ $CIPolicyPath=$env:userprofile+"\Desktop\"
+ $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
+ ```
> [!NOTE]
- > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
+ > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** variable with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
4. Navigate to your desktop as the working directory:
-
- `cd $env:USERPROFILE\Desktop`
+
+ ```powershell
+ cd $env:USERPROFILE\Desktop
+ ```
5. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
- `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update`
+ ```powershell
+ Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update
+ ```
> [!NOTE]
> *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3.
@@ -74,17 +77,30 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
6. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
- `Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
+ ```powershell
+ Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete
+ ```
-7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
+7. Reset the policy ID and use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
- `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
+ ```powershell
+ $PolicyID= Set-CIPolicyIdInfo -FilePath $InitialCIPolicy -ResetPolicyID
+ $PolicyID = $PolicyID.Substring(11)
+ $CIPolicyBin = $env:userprofile + "\Desktop\" + $PolicyID + ".cip"
+ ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
+ ```
8. Sign the WDAC policy by using SignTool.exe:
- ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
+ ```powershell
+ sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin
+ ```
> [!NOTE]
> The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
-9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
\ No newline at end of file
+9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
+
+
+> [!NOTE]
+ > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
\ No newline at end of file
From 1a5cbd6c594ef58a03da6744c434c1727661105e Mon Sep 17 00:00:00 2001
From: "jogeurte@microsoft.com"
Date: Tue, 18 May 2021 16:05:43 -0700
Subject: [PATCH 19/97] Small edit of the final binary filename/extension
---
...ct-windows-defender-application-control-against-tampering.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index be2010c6e5..7b136fa662 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -99,7 +99,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
> [!NOTE]
> The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
-9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
+9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
> [!NOTE]
From 315eb8726f7b7a8d5348921730f7f0d1f7dc6ac2 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Wed, 19 May 2021 16:33:06 +0500
Subject: [PATCH 20/97] Addition of note
As this tool PCPTool is a visual studio solution so users need to build it before running the tool. Updated this informaiton.
Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9425
---
.../bitlocker/ts-bitlocker-decode-measured-boot-logs.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
index 6424a91e8b..fc64b1cfee 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -94,6 +94,9 @@ To find the PCR information, go to the end of the file.
## Use PCPTool to decode Measured Boot logs
+> [!NOTE]
+> PCPTool is a visual studio solution and need to build the executeable before using this tool.
+
PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
@@ -111,4 +114,4 @@ where the variables represent the following values:
The content of the XML file resembles the following.
-
\ No newline at end of file
+
From 8eb663502c57c6ed3a5a3d7db50d904f07d0809f Mon Sep 17 00:00:00 2001
From: Jordan Geurten
Date: Wed, 19 May 2021 08:43:49 -0700
Subject: [PATCH 21/97] Update
windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
...-windows-defender-application-control-against-tampering.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index 7b136fa662..e2566ae779 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -37,7 +37,7 @@ Before signing WDAC policies for the first time, be sure to enable rule options
To sign a WDAC policy with SignTool.exe, you need the following components:
-- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk/) (Windows 7 or later)
+- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later)
- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you have created
@@ -103,4 +103,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
> [!NOTE]
- > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
\ No newline at end of file
+ > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
From cd644020c1802336d263881896eda53d04437d85 Mon Sep 17 00:00:00 2001
From: Jordan Geurten
Date: Wed, 19 May 2021 09:15:56 -0700
Subject: [PATCH 22/97] Update
windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
...ct-windows-defender-application-control-against-tampering.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index e2566ae779..498c736696 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -103,4 +103,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
> [!NOTE]
- > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
+> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
From 4d86080190cda85fa0532af5f4eb69e95ad2c561 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Wed, 19 May 2021 21:47:56 +0500
Subject: [PATCH 23/97] Update
windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../bitlocker/ts-bitlocker-decode-measured-boot-logs.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
index fc64b1cfee..bab9c21e3e 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -95,7 +95,7 @@ To find the PCR information, go to the end of the file.
## Use PCPTool to decode Measured Boot logs
> [!NOTE]
-> PCPTool is a visual studio solution and need to build the executeable before using this tool.
+> PCPTool is a Visual Studio solution, but you need to build the executable before you can start using this tool.
PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
From 44a1e12b9d5208b4b18861fc3b064e0e59653abf Mon Sep 17 00:00:00 2001
From: Rick Munck <33725928+jmunck@users.noreply.github.com>
Date: Wed, 19 May 2021 17:32:36 -0500
Subject: [PATCH 24/97] Update security-compliance-toolkit-10.md
Updating versions supported.
---
.../security-compliance-toolkit-10.md | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 3662667af2..2a578d07ab 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -28,13 +28,13 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- - Windows 10 Version 20H2 (October 2020 Update)
- - Windows 10 Version 2004 (May 2020 Update)
- - Windows 10 Version 1909 (November 2019 Update)
- - Windows 10 Version 1809 (October 2018 Update)
- - Windows 10 Version 1803 (April 2018 Update)
- - Windows 10 Version 1607 (Anniversary Update)
- - Windows 10 Version 1507
+ - Windows 10, Version 21H1 (May 2021 Update)
+ - Windows 10, Version 20H2 (October 2020 Update)
+ - Windows 10, Version 2004 (May 2020 Update)
+ - Windows 10, Version 1909 (November 2019 Update)
+ - Windows 10, Version 1809 (October 2018 Update)
+ - Windows 10, Version 1607 (Anniversary Update)
+ - Windows 10, Version 1507
- Windows Server security baselines
- Windows Server 2019
@@ -42,7 +42,7 @@ The Security Compliance Toolkit consists of:
- Windows Server 2012 R2
- Microsoft Office security baseline
- - Microsoft 365 Apps for enterprise (Sept 2019)
+ - Microsoft 365 Apps for enterprise, Version 2104
- Microsoft Edge security baseline
- Version 88
From 6ae73515243ffa2be999d1be9c910e70fed145f2 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Thu, 20 May 2021 11:15:00 -0700
Subject: [PATCH 25/97] authorized apps merged configure managed installer
1. Created new page that merged "Authorize apps installed by a managed installer" with Configure a WDAC managed installer.
2. Updated TOC2 with merged file name.
---
.../TOC2.yml | 2 +-
...-apps-deployed-with-a-managed-installer.md | 194 ++++++++++++++++++
2 files changed, 195 insertions(+), 1 deletion(-)
create mode 100644 windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
index 474b426029..bb66da245a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
@@ -74,7 +74,7 @@ landingContent:
- linkListType: how-to-guide (written)
links:
- text: Allow managed installer and configure managed installer rules
- url: use-windows-defender-application-control-with-managed-installer.md
+ url: configure-authorized-apps-deployed-with-a-managed-installer.md
- text: Allow reputable apps with ISG
url: use-windows-defender-application-control-with-intelligent-security-graph.md
# Card
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
new file mode 100644
index 0000000000..3922be1e3b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -0,0 +1,194 @@
+---
+title: Configure authorized apps deployed with a WDAC managed installer (Windows 10)
+description: Explains how to configure a custom Manged Installer.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 08/14/2020
+ms.technology: mde
+---
+
+## Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2019
+
+Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called managed installer, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager.
+
+## How does a managed installer work?
+
+A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these binaries runs, Windows will monitor the binary's process (and processes it launches) then tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM.
+
+Having defined your managed installers using AppLocker, you can then configure WDAC to trust files installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. Once that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin.
+
+You should ensure that the WDAC policy allows the system/boot components and any other authorized applications that can't be deployed through a managed installer.
+
+## Security considerations with managed installer
+
+Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do.
+It is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM).
+
+Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed.
+
+If a managed installer process runs in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control.
+
+Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. To avoid that outcome, ensure that the application deployment solution used as a managed installer limits running applications as part of installation.
+
+## Known limitations with managed installer
+
+- Application control, based on managed installer, does not support applications that self-update. If an application deployed by a managed installer later updates itself, the updated application files won't include the managed installer origin information, and may not be able to run. When you rely on managed installers, you must deploy and install all application updates using a managed installer, or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method.
+
+- [Packaged apps (MSIX)](/windows/msix/) deployed through a managed installer aren't tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md).
+
+- Some applications or installers may extract, download, or generate binaries and immediately attempt to run them. Files run by such a process may not be allowed by the managed installer heuristic. In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. Proper review for functionality and security should be performed for the application before using this method.
+
+- The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run.
+
+## Configuring the managed installer
+
+Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy, with specific rules and options enabled.
+There are three primary steps to keep in mind:
+
+- Specify managed installers, by using the Managed Installer rule collection in AppLocker policy.
+- Enable service enforcement in AppLocker policy.
+- Enable the managed installer option in a WDAC policy.
+
+## Specify managed installers using the Managed Installer rule collection in AppLocker policy
+
+The identity of the managed installer executable(s) is specified in an AppLocker policy, in a Managed Installer rule collection.
+
+### Create Managed Installer rule collection
+
+Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the simple changes needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
+
+1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability.
+
+ ```powershell
+ Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml
+ ```
+
+2. Manually rename the rule collection to ManagedInstaller
+
+ Change
+
+ ```powershell
+
+ ```
+
+ to
+
+ ```powershell
+
+ ```
+
+An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below.
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+### Enable service enforcement in AppLocker policy
+
+Since many installation processes rely on services, it is typically necessary to enable tracking of services.
+Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit only rule will suffice. This can be added to the policy created above, which specifies your managed installer rule collection.
+
+For example:
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## Enable the managed installer option in WDAC policy
+
+In order to enable trust for the binaries laid down by managed installers, the "Enabled: Managed Installer" option must be specified in your WDAC policy.
+This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13.
+
+Below are steps to create a WDAC policy which allows Windows to boot and enables the managed installer option.
+
+1. Copy the DefaultWindows_Audit policy into your working folder from "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
+
+2. Reset the policy ID to ensure it is in multiple policy format, and give it a different GUID from the example policies. Also, give it a friendly name to help with identification.
+
+ For example:
+
+ ```powershell
+ Set-CIPolicyIdInfo -FilePath -PolicyName "" -ResetPolicyID
+ ```
+
+3. Set Option 13 (Enabled:Managed Installer)
+
+ ```powershell
+ Set-RuleOption -FilePath -Option 13
+ ```
+
+## Set the AppLocker filter driver to autostart
+
+To enable the managed installer, you need to set the AppLocker filter driver to autostart, and start it.
+
+To do so, run the following command as an Administrator:
+
+```console
+appidtel.exe start [-mionly]
+```
+
+Specify "-mionly" if you will not use the Intelligent Security Graph (ISG).
+
+## Enabling managed installer logging events
+
+Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events.
\ No newline at end of file
From 73521cb17a1c634ad23402cca663010cd41d0464 Mon Sep 17 00:00:00 2001
From: v-dihans
Date: Thu, 20 May 2021 12:27:42 -0600
Subject: [PATCH 26/97] Fixed formatting
---
.../mdm/diagnosticlog-csp.md | 66 +++++++++----------
1 file changed, 33 insertions(+), 33 deletions(-)
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index ef43f3c484..b9bc259616 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -136,45 +136,45 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`.
- Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
- Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed:
- - %windir%\\system32\\certutil.exe
- - %windir%\\system32\\dxdiag.exe
- - %windir%\\system32\\gpresult.exe
- - %windir%\\system32\\msinfo32.exe
- - %windir%\\system32\\netsh.exe
- - %windir%\\system32\\nltest.exe
- - %windir%\\system32\\ping.exe
- - %windir%\\system32\\powercfg.exe
- - %windir%\\system32\\w32tm.exe
- - %windir%\\system32\\wpr.exe
- - %windir%\\system32\\dsregcmd.exe
- - %windir%\\system32\\dispdiag.exe
- - %windir%\\system32\\ipconfig.exe
- - %windir%\\system32\\logman.exe
- - %windir%\\system32\\tracelog.exe
- - %programfiles%\\windows defender\\mpcmdrun.exe
- - %windir%\\system32\\MdmDiagnosticsTool.exe
- - %windir%\\system32\\pnputil.exe
+ - %windir%\\system32\\certutil.exe
+ - %windir%\\system32\\dxdiag.exe
+ - %windir%\\system32\\gpresult.exe
+ - %windir%\\system32\\msinfo32.exe
+ - %windir%\\system32\\netsh.exe
+ - %windir%\\system32\\nltest.exe
+ - %windir%\\system32\\ping.exe
+ - %windir%\\system32\\powercfg.exe
+ - %windir%\\system32\\w32tm.exe
+ - %windir%\\system32\\wpr.exe
+ - %windir%\\system32\\dsregcmd.exe
+ - %windir%\\system32\\dispdiag.exe
+ - %windir%\\system32\\ipconfig.exe
+ - %windir%\\system32\\logman.exe
+ - %windir%\\system32\\tracelog.exe
+ - %programfiles%\\windows defender\\mpcmdrun.exe
+ - %windir%\\system32\\MdmDiagnosticsTool.exe
+ - %windir%\\system32\\pnputil.exe
- **FoldersFiles**
- Captures log files from a given path (without recursion).
- Expected input value: File path with or without wildcards, such as "%windir%\\System32", or "%programfiles%\\*.log".
- Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only paths under the following roots are allowed:
- - %PROGRAMFILES%
- - %PROGRAMDATA%
- - %PUBLIC%
- - %WINDIR%
- - %TEMP%
- - %TMP%
+ - %PROGRAMFILES%
+ - %PROGRAMDATA%
+ - %PUBLIC%
+ - %WINDIR%
+ - %TEMP%
+ - %TMP%
- Additionally, only files with the following extensions are captured:
- - .log
- - .txt
- - .dmp
- - .cab
- - .zip
- - .xml
- - .html
- - .evtx
- - .etl
+ - .log
+ - .txt
+ - .dmp
+ - .cab
+ - .zip
+ - .xml
+ - .html
+ - .evtx
+ - .etl
**DiagnosticArchive/ArchiveResults**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
From 1fa08ae6d3d4de95aaa8cd168659243b7e1284b2 Mon Sep 17 00:00:00 2001
From: v-dihans
Date: Thu, 20 May 2021 12:41:17 -0600
Subject: [PATCH 27/97] fix formatting
---
windows/client-management/mdm/diagnosticlog-csp.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index b9bc259616..b8ffe15b74 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -136,8 +136,8 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`.
- Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
- Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed:
- - %windir%\\system32\\certutil.exe
- - %windir%\\system32\\dxdiag.exe
+ - %windir%\\system32\\certutil.exe
+ - %windir%\\system32\\dxdiag.exe
- %windir%\\system32\\gpresult.exe
- %windir%\\system32\\msinfo32.exe
- %windir%\\system32\\netsh.exe
From d2a7d0718fe7b8174f044b5ae646f3db717535e7 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Thu, 20 May 2021 17:15:23 -0700
Subject: [PATCH 28/97] Updated language about explicit allow or deny rules
Clarified language regarding when WDAC calls the cloud to determine a binary's reputation.
---
...der-application-control-with-intelligent-security-graph.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 7ad4a8467b..dcd705cd5b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -31,7 +31,9 @@ Beginning with Windows 10, version 1709, you can set an option to automatically
## How does the integration between WDAC and the Intelligent Security Graph work?
-The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having known good, known bad, or unknown reputation. When a binary runs on a system with WDAC enabled with the ISG option, WDAC checks the file's reputation by sending its hash and signing information to the cloud. If the ISG reports that the file has a known good reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. Every time the binary runs, it is allowed based on its positive reputation unless there is an explicit deny rule set in the WDAC policy. Conversely, a file that has unknown or known bad reputation will be allowed if your WDAC policy explicitly allows it.
+The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with WDAC enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file.
+
+If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud, rendering ISG reputation information as moot.
If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer.
From 9de68009d2568d04aaa2e4d87fb5d2345c7a46f7 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Thu, 20 May 2021 17:36:16 -0700
Subject: [PATCH 29/97] Updated select-types-of-rules-to-create
Created a "More information about hashes," and placed it above the "Windows Defender Application Control filename rules" section.
---
.../select-types-of-rules-to-create.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 1314fa6e21..e91bfb3d64 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -126,6 +126,19 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
+## More information about hashes
+
+### Why does scan create 4 hash rules per XML file?
+
+(Hash Sha1, Hash Sha256, Hash Page Sha1, Hash Page Sha256)
+During validation CI will choose which hashes to calculate depending on how the file is signed. E.g. if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash.
+
+In the cmdlets, rather than try to predict which hash CI will use, we pre calculate and use the 4 hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient to if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
+
+### Why does scan create 8 hash rules for certain XML files?
+
+Separate rules are created for UMCI and KMCI. In some cases, files which are purely user-mode or purely kernel-mode may still generate both sets, as CI cannot always precisely determine what is purely user vs. kernel mode and errs on the side of caution.
+
## Windows Defender Application Control filename rules
File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules.
From 9fe1e0eed3b40647b9e5fa3f9bb68222a000ff51 Mon Sep 17 00:00:00 2001
From: Tom Layson <83308464+TomLayson@users.noreply.github.com>
Date: Fri, 21 May 2021 09:26:50 -0700
Subject: [PATCH 30/97] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
Minor text change
---
...perating-system-components-to-microsoft-services.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 148b234b8b..66dc780bf0 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -9,12 +9,12 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
-author: linque1
-ms.author: robsize
-manager: robsize
+author: tomlayson
+ms.author: tomlayson
+manager: riche
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 12/1/2020
+ms.date: 5/21/2021
---
# Manage connections from Windows 10 operating system components to Microsoft services
@@ -1266,7 +1266,7 @@ In the **Feedback & Diagnostics** area, you can choose how often you're asked fo
To change how frequently **Windows should ask for my feedback**:
> [!NOTE]
-> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
+> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
From 33d5c8c5867c7c413574cc96abc6f8d455b54575 Mon Sep 17 00:00:00 2001
From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com>
Date: Fri, 21 May 2021 10:00:18 -0700
Subject: [PATCH 31/97] Update
network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
updated the security considerations section as it does not take Azure AD joined devices into consideration, which are verified and authenticated by Azure AD
---
...requests-to-this-computer-to-use-online-identities.md | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 716b1da171..671eb87720 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -74,17 +74,18 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is beneficial for workgroups or home groups. But in a domain-joined environment, it might circumvent established security policies.
+Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is not only beneficial, but required for Azure AD joined devices, where they are signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it does not pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate.
### Countermeasure
-Set this policy to *Disabled* or don't configure this security policy for domain-joined devices.
+Set this policy to *Disabled* or don't configure this security policy for *on-premises only* environments.
### Potential impact
-If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices.
+If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. This is a valid configuration in *on-premises only* environments. Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy.
+
+If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work.
-Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy.
## Related topics
From a24427dceb743c8aa44a012e4aaf522d8d2f4049 Mon Sep 17 00:00:00 2001
From: Tom Layson <83308464+TomLayson@users.noreply.github.com>
Date: Fri, 21 May 2021 11:03:49 -0700
Subject: [PATCH 32/97] Update
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 66dc780bf0..f1696b311c 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1266,7 +1266,7 @@ In the **Feedback & Diagnostics** area, you can choose how often you're asked fo
To change how frequently **Windows should ask for my feedback**:
> [!NOTE]
-> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
+> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
From 96c2855d515c8ed90c706eea8cc752d08156188f Mon Sep 17 00:00:00 2001
From: Tom Layson <83308464+TomLayson@users.noreply.github.com>
Date: Fri, 21 May 2021 11:06:10 -0700
Subject: [PATCH 33/97] Added new Edge policy section
---
...system-components-to-microsoft-services.md | 42 +++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 66dc780bf0..e0efa7ef4e 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -592,6 +592,48 @@ Alternatively, you can configure the following Registry keys as described:
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](/microsoft-edge/deploy/available-policies).
+### 13.2 Microsoft Edge Enterprise
+
+For a complete list of the Microsoft Edge policies, see [Microsoft Edge and privacy: FAQ](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies).
+
+> [!Important]
+> - The following settings are applicable to Microsoft Edge version 77 or later.
+> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems
+> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see Configure Microsoft Edge policy settings on Windows
+> - Devices must be domain joined for some of the policies to take effect.
+
+| Policy | Group Policy Path | Registry Path |
+|----------------------------------|--------------------|---------------------------------------------|
+| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: SearchSuggestEnabled Set to 0** |
+| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: AutofillAddressEnabled Set to 0** |
+| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: AutofillCreditCardEnabled Set to 0** |
+| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Enabled**| **REG_DWORD name: ConfigureDoNotTrack Set to 1** |
+| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: PasswordManagerEnabled Set to 0** |
+| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: DefaultSearchProviderEnabled Set to 0** |
+| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Enabled**| **REG_DWORD name: HideFirstRunExperience Set to 1** |
+| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: SmartScreenEnabled Set to 0** |
+| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Enabled-Value “about:blank”**| **REG_SZ name: NewTabPageLocation Set to about:blank** |
+| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: RestoreOnStartup Set to 5** |
+| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs |
+| | **Set to Disabled**| **REG_SZ name: 1 Set to about:blank** |
+| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
+| | **Set to Enabled - 'Updates disabled'**| **REG_DWORD name: UpdateDefault Set to 0** |
+| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
+| | **Set to Enabled - Set Value for Minutes between update checks to 0**| **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0** |
+| **Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
+| | **Set to RestrictedMode**| **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0** |
+|||
+
### 14. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. See the [Microsoft Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/bg-p/NetworkingBlog) to learn more.
From 7bd22fdeb383508dfc31cac8927c6227d32a57a4 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Fri, 21 May 2021 14:47:28 -0700
Subject: [PATCH 34/97] Delete TOC2.yml
---
.../TOC2.yml | 113 ------------------
1 file changed, 113 deletions(-)
delete mode 100644 windows/security/threat-protection/windows-defender-application-control/TOC2.yml
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
deleted file mode 100644
index bb66da245a..0000000000
--- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml
+++ /dev/null
@@ -1,113 +0,0 @@
-
-### WDAC:Landing
-title: Application Control for Windows
-metadata:
- title: Application Control for Windows
- description: Landing page for Windows Defender Application Control
-# services: service
-# ms.service: microsoft-WDAC-AppLocker
-# ms.subservice: Application-Control
-# ms.topic: landing-page
-# author: Kim Klein
-# ms.author: Jordan Geurten
-# manager: Jeffrey Sutherland
-# ms.update: 04/30/2021
-# linkListType: overview | how-to-guide | tutorial | video
-landingContent:
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card
- - title: Learn about Application Control
- linkLists:
- - linkListType: overview
- links:
- - text: What is WDAC (WDAC Overview)?
- url: wdac-and-applocker-overview.md
- - text: What is AppLocker?
- url: applocker\applocker-overview.md
- - text: WDAC and AppLocker feature availability
- url: feature-availability.md
- # Card
- - title: Learn about the Design Guide
- linkLists:
- - linkListType: overview
- links:
- - text: Using code signing to simplify application control
- url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
- - text: Merging Policies
- url: wdac-wizard-merging-policies.md
- - text: Recommended blocks
- url: microsoft-recommended-block-rules.md
- - text: Recommended driver blocks
- url: microsoft-recommended-driver-block-rules.md
- - text: Example policies
- url: example-wdac-base-policies.md
- - text: LOB Win32 apps on S Mode
- url: LOB-win32-apps-on-s.md
- - linkListType: how-to-guide
- links:
- - text: Create a WDAC policy for a lightly managed device
- url: cardreate-wdac-policy-for-lightly-managed-devices.md
- - text: Create a WDAC policy for a fully managed device
- url: create-wdac-policy-for-fully-managed-devices.md
- - text: Create a WDAC policy for a fixed-workload
- url: create-initial-default-policy.md
- - text: Using catalog files
- url: deploy-catalog-files-to-support-windows-defender-application-control.md
- - text: WDAC Wizard tool
- url: wdac-wizard.md
- - linkListType: Tutorial (videos)
- links:
- - text: Using the WDAC Wizard
- url: video md
- - text: Specifying custom values
- url: video md
- # Card
- - title: Learn about Policy Configuration
- linkLists:
- - linkListType: overview
- links:
- - text: Understanding policy rules
- url:
- - text: Understanding File rules
- url:
- - linkListType: how-to-guide (written)
- links:
- - text: Allow managed installer and configure managed installer rules
- url: configure-authorized-apps-deployed-with-a-managed-installer.md
- - text: Allow reputable apps with ISG
- url: use-windows-defender-application-control-with-intelligent-security-graph.md
- # Card
- - title: Learn how to deploy WDAC Policies
- linkLists:
- - linkListType: overview
- links:
- - text: Signed policies
- url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
- - text: Audit and enforce policies
- url: audit-and-enforce-windows-defender-application-control-policies.md
- - text: Disabling WDAC policies
- url: disable-windows-defender-application-control-policies.md
- - linkListType: tutorial
- links:
- - text: Deployment with MDM
- url: deploy-windows-defender-application-control-policies-using-intune.md
- - text: Deployment with MEMCM
- url: deployment/deploy-wdac-policies-with-memcm.md
- - text: Deployment with script and refresh policy
- url: deployment/deploy-wdac-policies-with-script.md
- # Card
- - title: Learn how to monitor and reiterate WDAC Policies (operational)
- linkLists:
- - linkListType: overview
- links:
- - text: Event logs (tags, IDs)
- url: event-id-and-tag-explanations.md
- - linkListType: how-to-guide
- links:
- - text: Querying using advanced hunting
- url: querying-application-control-events-centrally-using-advanced-hunting.md
- - linkListType: tutorial
- links:
- - text: Creating a policy from event logs (video)
- url: #Jordan will create a video for this
\ No newline at end of file
From d8b97435929ea25323d7e1447ccc181ea2b54802 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 24 May 2021 11:09:43 -0700
Subject: [PATCH 35/97] Task ID 29550212
Made recommended edit.
---
.../select-types-of-rules-to-create.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index e91bfb3d64..000dc79659 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -126,14 +126,14 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
-## More information about hashes
+## More information about hashes
-### Why does scan create 4 hash rules per XML file?
+### Why does scan create four hash rules per XML file?
-(Hash Sha1, Hash Sha256, Hash Page Sha1, Hash Page Sha256)
-During validation CI will choose which hashes to calculate depending on how the file is signed. E.g. if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash.
+The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
+During validation CI will choose which hashes to calculate depending on how the file is signed. For example, if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash.
-In the cmdlets, rather than try to predict which hash CI will use, we pre calculate and use the 4 hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient to if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
+In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
### Why does scan create 8 hash rules for certain XML files?
From 5e53adc4effca1e0294803f0385c8ba9c95364af Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 24 May 2021 11:13:53 -0700
Subject: [PATCH 36/97] Task ID 33324832
Made 2 recommended edits.
---
...d-enforce-windows-defender-application-control-policies.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
index 31f6314425..04664080a7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
@@ -32,7 +32,7 @@ While a WDAC policy is running in audit mode, any binary that runs but would hav
## Overview of the process to create WDAC policy to allow apps using audit events
-> [!Note]
+> [!NOTE]
> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md).
To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy.
@@ -75,7 +75,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
8. Convert the Base or Supplemental policy to binary and deploy using your preferred method.
-## Convert WDAC **base** policy from audit to enforced
+## Convert WDAC **BASE** policy from audit to enforced
As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
From c1ae84c81f44ae1590a5e7830745c0bc1ab65e4e Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 24 May 2021 11:34:24 -0700
Subject: [PATCH 37/97] Task ID 33324832
Fixed primary heading size.
---
...and-enforce-windows-defender-application-control-policies.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
index 04664080a7..4b1860ea36 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
@@ -19,7 +19,7 @@ ms.date: 05/03/2021
ms.technology: mde
---
-## Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced
+# Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced
**Applies to:**
From 75160b732405a061f12a6869ad46e40c3280566b Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 24 May 2021 11:38:02 -0700
Subject: [PATCH 38/97] Task ID 31558721
Removed "rendering ISG reputation as moot"
---
...ender-application-control-with-intelligent-security-graph.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index dcd705cd5b..082eb3a3f1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -33,7 +33,7 @@ Beginning with Windows 10, version 1709, you can set an option to automatically
The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with WDAC enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file.
-If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud, rendering ISG reputation information as moot.
+If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud.
If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer.
From b9fcf4421627b005f5db5268a4e90486e3260a20 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 24 May 2021 11:40:32 -0700
Subject: [PATCH 39/97] Task ID 33324832
Fixed first heading.
---
...nfigure-authorized-apps-deployed-with-a-managed-installer.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
index 3922be1e3b..6612e9fbf7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -18,7 +18,7 @@ ms.date: 08/14/2020
ms.technology: mde
---
-## Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control
+# Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control
**Applies to:**
From 84458fe2ffb40b4f2165e5e07ac62cac9e721629 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 24 May 2021 11:46:21 -0700
Subject: [PATCH 40/97] Updated wdac-and-applocker-overview document
Restored first heading size and made suggested text edit to the WDAC System Requirements section.
---
.../wdac-and-applocker-overview.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index 0897007f32..2d7ae11177 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -19,7 +19,7 @@ ms.custom: asr
ms.technology: mde
---
-## Windows Defender Application Control and AppLocker Overview
+# Windows Defender Application Control and AppLocker Overview
**Applies to:**
@@ -47,7 +47,7 @@ Note that prior to Windows 10 version 1709, Windows Defender Application Control
WDAC policies can be created on any client edition of Windows 10 build 1903+, or on Windows Server 2016 and above.
-WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, e.g. Intune; a management interface, e.g. Configuration Manager; or a script host, e.g. PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10.
+WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10.
For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md).
From 087c522d61678843302f41f2abe6140ce448ab95 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 24 May 2021 13:15:14 -0700
Subject: [PATCH 41/97] Task ID 29550212
Implemented last suggested edit to the "create eight hash rules" section.
---
.../select-types-of-rules-to-create.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 000dc79659..390b687187 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -135,7 +135,7 @@ During validation CI will choose which hashes to calculate depending on how the
In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
-### Why does scan create 8 hash rules for certain XML files?
+### Why does scan create eight hash rules for certain XML files?
Separate rules are created for UMCI and KMCI. In some cases, files which are purely user-mode or purely kernel-mode may still generate both sets, as CI cannot always precisely determine what is purely user vs. kernel mode and errs on the side of caution.
From 092c6bfb6c44603217a2f2d34d5d0593872c44d0 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 24 May 2021 13:26:23 -0700
Subject: [PATCH 42/97] Task ID 33324832
Updated TOC and all articles that point to old managed installer documents with new combined managed installer link.
---
...lication-control-with-managed-installer.md | 59 -------------------
1 file changed, 59 deletions(-)
delete mode 100644 windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
deleted file mode 100644
index 66afc7f933..0000000000
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Authorize apps installed by a managed installer (Windows 10)
-description: Explains how to automatically allow applications deployed and installed by a managed installer.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-ms.collection: M365-security-compliance
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: dansimp
-manager: dansimp
-ms.date: 04/20/2021
-ms.technology: mde
----
-
-# Authorize apps deployed by a managed installer
-
-**Applies to:**
-
-- Windows 10
-- Windows Server 2019
-
-Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called managed installer, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager.
-
-## How does a managed installer work?
-
-A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these binaries runs, Windows will monitor the binary's process (and processes it launches) and tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM.
-
-Having defined your managed installers using AppLocker, you can then configure WDAC to trust files installed by a managed installer by adding the Enabled:Managed Installer option to your WDAC policy. Once that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin.
-
-You should ensure that the WDAC policy allows the system to boot and any other authorized applications that can't be deployed through a managed installer.
-
-For an example of a managed installer use case, see [Creating a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md).
-
-## Security considerations with managed installer
-
-Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do.
-It is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager.
-
-Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed.
-
-If a managed installer process runs in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control.
-
-Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. To avoid that outcome, ensure that the application deployment solution used as a managed installer limits running applications as part of installation.
-
-## Known limitations with managed installer
-
-- Application control based on managed installer does not support applications that self-update. If an application deployed by a managed installer later updates itself, the updated application files won't include the managed installer origin information and may not be able to run. When you rely on managed installers, you must deploy and install all application updates using a managed installer or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method.
-
-- [Packaged apps (MSIX)](/windows/msix/) deployed through a managed installer aren't tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md).
-
-- Some applications or installers may extract, download, or generate binaries and immediately attempt to run them. Files run by such a process may not be allowed by the managed installer heuristic. In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. Proper review for functionality and security should be performed for the application before using this method.
-
-- The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run.
From a85b27f4bfa623752f94ff6cf89c0cf1c50ec8c7 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 24 May 2021 13:42:46 -0700
Subject: [PATCH 43/97] Task ID 33324832 continued
These are the other files that were updated for this task.
---
.../windows-defender-application-control/TOC.yml | 4 ++--
.../create-wdac-policy-for-fully-managed-devices.md | 2 +-
.../create-wdac-policy-for-lightly-managed-devices.md | 2 +-
.../feature-availability.md | 2 +-
.../plan-windows-defender-application-control-management.md | 2 +-
.../select-types-of-rules-to-create.md | 2 +-
...ws-defender-application-control-policy-design-decisions.md | 2 +-
.../wdac-and-applocker-overview.md | 2 +-
8 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index eaf0d1aa66..8fa33cfe26 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -21,9 +21,9 @@
href: select-types-of-rules-to-create.md
items:
- name: Allow apps installed by a managed installer
- href: use-windows-defender-application-control-with-managed-installer.md
+ href: configure-authorized-apps-deployed-with-a-managed-installer.md
- name: Configure managed installer rules
- href: configure-wdac-managed-installer.md
+ href: configure-authorized-apps-deployed-with-a-managed-installer.md
- name: Allow reputable apps with Intelligent Security Graph (ISG)
href: use-windows-defender-application-control-with-intelligent-security-graph.md
- name: Allow COM object registration
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 8399532bab..cceb8da77d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -149,7 +149,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra
Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- **Managed installer**
- See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
+ See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
Existing mitigations applied:
- Limit who can elevate to administrator on the device.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 08e82cbe13..c4dabcde4c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -155,7 +155,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Limit who can elevate to administrator on the device.
- **Managed installer**
- See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
+ See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
Possible mitigations:
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 3f411ffb3e..16dd454c61 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -34,7 +34,7 @@ ms.technology: mde
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
| Kernel mode policies | Available on all Windows 10 versions | Not available |
| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
-| Managed Installer (MI) | [Available on 1703+](./use-windows-defender-application-control-with-managed-installer.md) | Not available |
+| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available |
| Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available |
| Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available |
| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 8c0156d01b..5d0dd83466 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -59,7 +59,7 @@ In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/con
### Policy rule updates
-As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](use-windows-defender-application-control-with-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates.
+As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates.
## WDAC event management
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 390b687187..add268e0ee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -63,7 +63,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. |
-| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md) |
+| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 9443134723..9bd69f5bee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -58,7 +58,7 @@ Organizations with well-defined, centrally-managed app management and deployment
| Possible answers | Design considerations|
| - | - |
-| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](use-windows-defender-application-control-with-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
+| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
| Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. |
| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
| Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index 2d7ae11177..ce2acde0e8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -37,7 +37,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of
- Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md)
-- The identity of the process that initiated the installation of the app and its binaries ([managed installer](use-windows-defender-application-control-with-managed-installer.md))
+- The identity of the process that initiated the installation of the app and its binaries ([managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md))
- The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
- The process that launched the app or binary
From 3b5c9c54df8fa260903c6f57f52ef3381316ea7c Mon Sep 17 00:00:00 2001
From: Sinead O'Sullivan
Date: Tue, 25 May 2021 10:14:14 +0100
Subject: [PATCH 44/97] Update
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 822869ba60..530d46fc7b 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -594,7 +594,7 @@ For a complete list of the Microsoft Edge policies, see [Available policies for
### 13.2 Microsoft Edge Enterprise
-For a complete list of the Microsoft Edge policies, see [Microsoft Edge and privacy: FAQ](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies).
+For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies).
> [!Important]
> - The following settings are applicable to Microsoft Edge version 77 or later.
From dc5cfe6608337b409aa0175f461ab0db15e4e01d Mon Sep 17 00:00:00 2001
From: Sinead O'Sullivan
Date: Tue, 25 May 2021 10:14:34 +0100
Subject: [PATCH 45/97] Update
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 530d46fc7b..76ca00f7c5 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -597,7 +597,7 @@ For a complete list of the Microsoft Edge policies, see [Available policies for
For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies).
> [!Important]
-> - The following settings are applicable to Microsoft Edge version 77 or later.
+> - The following settings are applicable to Microsoft Edge version 77 or later.
> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems
> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see Configure Microsoft Edge policy settings on Windows
> - Devices must be domain joined for some of the policies to take effect.
From 1c85fc9836474ee1e41fc3c244f24ccaa306cd39 Mon Sep 17 00:00:00 2001
From: Sinead O'Sullivan
Date: Tue, 25 May 2021 10:14:55 +0100
Subject: [PATCH 46/97] Update
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 76ca00f7c5..686300049e 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -599,7 +599,7 @@ For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile
> [!Important]
> - The following settings are applicable to Microsoft Edge version 77 or later.
> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems
-> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see Configure Microsoft Edge policy settings on Windows
+> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge).
> - Devices must be domain joined for some of the policies to take effect.
| Policy | Group Policy Path | Registry Path |
From f1ffa4ff38e3c6c7eed16d700e53b7d2b7e60e53 Mon Sep 17 00:00:00 2001
From: Sinead O'Sullivan
Date: Tue, 25 May 2021 10:15:07 +0100
Subject: [PATCH 47/97] Update
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 686300049e..c546a733d7 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -600,7 +600,7 @@ For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile
> - The following settings are applicable to Microsoft Edge version 77 or later.
> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems
> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge).
-> - Devices must be domain joined for some of the policies to take effect.
+> - Devices must be domain joined for some of the policies to take effect.
| Policy | Group Policy Path | Registry Path |
|----------------------------------|--------------------|---------------------------------------------|
From da8cc9c6504f7fcb51844b98a6cbb05ed5bca1fc Mon Sep 17 00:00:00 2001
From: Sinead O'Sullivan
Date: Tue, 25 May 2021 10:15:18 +0100
Subject: [PATCH 48/97] Update
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index c546a733d7..434a191b14 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -598,7 +598,7 @@ For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile
> [!Important]
> - The following settings are applicable to Microsoft Edge version 77 or later.
-> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems
+> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems).
> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge).
> - Devices must be domain joined for some of the policies to take effect.
From 3f303e1e27542a1e3fe28a34fa6d832f4ff520f3 Mon Sep 17 00:00:00 2001
From: Sinead O'Sullivan
Date: Tue, 25 May 2021 11:28:21 +0100
Subject: [PATCH 49/97] Update policy-csp-system.md
---
.../mdm/policy-csp-system.md | 20 ++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 3615cb2e3f..cf6bdc3ff3 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -736,13 +736,22 @@ The following list shows the supported values for Windows 8.1:
-->
-In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10:
+In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft.
+
+The following list shows the supported values for Windows 10 version 1809 and older:
+
- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender.
**Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
- 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data.
- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data.
- 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices.
+The following list shows the supported values for Windows 10 version 19H1 and later:
+
+- Diagnostic data off - No Windows diagnostic data sent.
+- Required (Basic) - Minimum data required to keep the device secure, up to date, and performing as expected.
+- Optional (Full) - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.
+
-
-> [!IMPORTANT]
-> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1.
-
-
-Most restricted value is 0.
-
ADMX Info:
@@ -1609,7 +1611,7 @@ This policy setting, in combination with the System/AllowTelemetry
To enable this behavior, you must complete two steps:
- Enable this policy setting
-- Set Allow Telemetry to level 2 (Enhanced)
+- Set Allow Telemetry to Optional (Full)
When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics.
From ca4eb87ea2af18c18f1c77b0bcf7ee9c5ecdc005 Mon Sep 17 00:00:00 2001
From: Sinead O'Sullivan
Date: Tue, 25 May 2021 11:38:48 +0100
Subject: [PATCH 50/97] Update policy-csp-system.md
---
windows/client-management/mdm/policy-csp-system.md | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index cf6bdc3ff3..f8b011b8b0 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -740,17 +740,19 @@ In Windows 10, you can configure this policy setting to decide what level of dia
The following list shows the supported values for Windows 10 version 1809 and older:
-- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender.
+- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender.
**Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
- 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data.
- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data.
- 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices.
+Most restricted value is 0.
+
The following list shows the supported values for Windows 10 version 19H1 and later:
-- Diagnostic data off - No Windows diagnostic data sent.
-- Required (Basic) - Minimum data required to keep the device secure, up to date, and performing as expected.
-- Optional (Full) - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.
+- **Diagnostic data off** - No Windows diagnostic data sent.
+- **Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected.
+- **Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.
[Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
+ - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
+
2. Install the package on the Domain Controller.
3. Navigate, depending on the version to the folder:
@@ -211,6 +213,8 @@ Requirements:
- 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**
+ - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)**
+
4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
5. Copy PolicyDefinitions folder to **\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions**.
@@ -294,7 +298,7 @@ To collect Event Viewer logs:
- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
### Useful Links
-
+- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
From 449e810755a7e99b1fa03eb630c27d98aa731e3b Mon Sep 17 00:00:00 2001
From: Peter Lewis <820394+peterlewis@users.noreply.github.com>
Date: Wed, 2 Jun 2021 15:06:54 +0100
Subject: [PATCH 89/97] Fix mistakes
- TamperProetection > TamperProtection
- EnableFileHashcomputation > EnableFileHashComputation
- Windows defender > Windows Defender
---
windows/client-management/mdm/defender-csp.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index fbdd7913a0..d39fc86f23 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -56,8 +56,8 @@ Defender
--------TamperProtectionEnabled (Added in Windows 10, version 1903)
--------IsVirtualMachine (Added in Windows 10, version 1903)
----Configuration (Added in Windows 10, version 1903)
---------TamperProetection (Added in Windows 10, version 1903)
---------EnableFileHashcomputation (Added in Windows 10, version 1903)
+--------TamperProtection (Added in Windows 10, version 1903)
+--------EnableFileHashComputation (Added in Windows 10, version 1903)
--------SupportLogLocation (Added in the next major release of Windows 10)
----Scan
----UpdateSignature
@@ -491,7 +491,7 @@ Supported operations are Add, Delete, Get, Replace.
**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
-When this feature is enabled Windows defender will compute hashes for files it scans.
+When this feature is enabled Windows Defender will compute hashes for files it scans.
The data type is integer.
From 4600f55268ff98ca3c207ed874307c40da51298b Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com>
Date: Wed, 2 Jun 2021 08:21:24 -0700
Subject: [PATCH 90/97] Update
required-windows-diagnostic-data-events-and-fields-2004.md
fix absolute links, description suggestions
---
...windows-diagnostic-data-events-and-fields-2004.md | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 7a756bffcb..3eff840483 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -1,5 +1,5 @@
---
-description: Use this article to learn more about what required Windows diagnostic data is gathered.
+description: Learn what required Windows diagnostic data is gathered.
title: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10)
keywords: privacy, telemetry
ms.prod: w10
@@ -4130,7 +4130,7 @@ The following fields are available:
- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full.
-- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
- **installSourceName** A string representation of the installation source.
@@ -4162,7 +4162,7 @@ The following fields are available:
- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
- **installSourceName** A string representation of the installation source.
@@ -4195,7 +4195,7 @@ The following fields are available:
- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See (experimentationandconfigurationservicecontrol)[/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol] for more details on this policy.
- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
- **installSourceName** A string representation of the installation source.
@@ -4228,7 +4228,7 @@ The following fields are available:
- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [#experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
- **installSourceName** A string representation of the installation source.
@@ -4342,7 +4342,7 @@ The following fields are available:
- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
- **installSourceName** A string representation of the installation source.
From 89ddf1049f76bbb5ba606c49945d20d469ca5f2f Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 2 Jun 2021 09:27:44 -0700
Subject: [PATCH 91/97] Update defender-csp.md
---
windows/client-management/mdm/defender-csp.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index d39fc86f23..2c20894dcf 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -8,9 +8,9 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: manikadhiman
+author: dansimp
ms.localizationpriority: medium
-ms.date: 08/11/2020
+ms.date: 06/02/2021
---
# Defender CSP
From 34365d7308682badf2553c2aa024894dad93aaed Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 2 Jun 2021 09:30:11 -0700
Subject: [PATCH 92/97] Update
enroll-a-windows-10-device-automatically-using-group-policy.md
---
...-a-windows-10-device-automatically-using-group-policy.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 939ecd1a60..9e1150cd20 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date:
+ms.date: 06/02/2021
ms.reviewer:
manager: dansimp
---
@@ -18,9 +18,9 @@ Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
Requirements:
-- AD-joined PC running Windows 10, version 1709 or later
+- Active Directory-joined PC running Windows 10, version 1709 or later
- The enterprise has configured a mobile device management (MDM) service
-- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
+- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
From 650157521e9df48c2067c009c4a1ad6b585ee98f Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Wed, 2 Jun 2021 11:00:44 -0700
Subject: [PATCH 93/97] Updated line item 3086 in the Appendix section.
---
.../event-id-explanations.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index d12d89b766..1a7b70e7b5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -108,7 +108,7 @@ A list of other relevant event IDs and their corresponding description.
| 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. |
| 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. |
| 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. |
-| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. |
+| 3086 | COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs|
| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. |
| 3097 | The Code Integrity policy cannot be refreshed. |
| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
From c032b2068ad8a27752e1ee48080c2e0a52c32dc3 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 2 Jun 2021 11:45:25 -0700
Subject: [PATCH 94/97] Update event-id-explanations.md
---
.../event-id-explanations.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 1a7b70e7b5..2e5b97dc75 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 3/17/2020
+ms.date: 06/02/2021
ms.technology: mde
---
@@ -48,7 +48,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
| Event ID | Explanation |
-| -------- | ----------- |
+|--------|---------|
| 3090 | Allow executable/dll file |
| 3091 | Audit executable/dll file |
| 3092 | Block executable/dll file |
@@ -60,7 +60,7 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t
Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates.
| Name | Explanation |
-| -------- | ----------- |
+|------|------|
| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
| ManagedInstallerEnabled | Policy trusts a MI |
| PassesManagedInstaller | File originated from a trusted MI |
@@ -85,7 +85,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
## Appendix
A list of other relevant event IDs and their corresponding description.
| Event ID | Description |
-| -------- | ----------- |
+|-------|------|
| 3001 | An unsigned driver was attempted to load on the system. |
| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. |
| 3004 | Code Integrity could not verify the file as the page hash could not be found. |
@@ -119,4 +119,4 @@ A list of other relevant event IDs and their corresponding description.
| 3105 | Code Integrity is attempting to refresh the policy. |
| 3108 | Windows mode change event was successful. |
| 3110 | Windows mode change event was unsuccessful. |
-| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. |
\ No newline at end of file
+| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. |
From b29b9ac9cd466b108897a5c1e83aa093ef131f06 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 2 Jun 2021 11:48:00 -0700
Subject: [PATCH 95/97] Update event-id-explanations.md
---
.../event-id-explanations.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 2e5b97dc75..eb711a6db2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -22,9 +22,9 @@ ms.technology: mde
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
-- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational
+- Event IDs beginning with 30 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
-- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script
+- Event IDs beginning with 80 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**
## Microsoft Windows CodeIntegrity Operational log event IDs
From 44e67b448d4d27042c780f46c5b59038531ea188 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Wed, 2 Jun 2021 11:52:31 -0700
Subject: [PATCH 96/97] Update
required-windows-diagnostic-data-events-and-fields-2004.md
Quick fix
---
...-diagnostic-data-events-and-fields-2004.md | 91 -------------------
1 file changed, 91 deletions(-)
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 3eff840483..fdaf967827 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -64,10 +64,6 @@ The following fields are available:
- **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_CO21H2Setup** The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_CU22H2Setup** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device.
@@ -81,10 +77,6 @@ The following fields are available:
- **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_CO21H2Setup** The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_CU22H2Setup** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device.
@@ -100,10 +92,6 @@ The following fields are available:
- **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device.
- **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device.
- **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_CO21H2Setup** The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_CU22H2Setup** The total number of objects of this type present on this device.
- **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device.
- **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device.
- **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device.
@@ -119,10 +107,6 @@ The following fields are available:
- **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_CU22H2Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device.
@@ -136,10 +120,6 @@ The following fields are available:
- **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_CU22H2Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device.
@@ -153,10 +133,6 @@ The following fields are available:
- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_CU22H2Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device.
@@ -170,10 +146,6 @@ The following fields are available:
- **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device.
- **DatasourceSystemBios_21H1** The total number of objects of this type present on this device.
- **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device.
-- **DatasourceSystemBios_21H2** The total number of objects of this type present on this device.
-- **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device.
-- **DatasourceSystemBios_CO21H2Setup** The total number of objects of this type present on this device.
-- **DatasourceSystemBios_CU22H2Setup** The total number of objects of this type present on this device.
- **DatasourceSystemBios_RS1** The total number of objects of this type present on this device.
- **DatasourceSystemBios_RS2** The total number of objects of this type present on this device.
- **DatasourceSystemBios_RS3** The total number of objects of this type present on this device.
@@ -189,10 +161,6 @@ The following fields are available:
- **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device.
- **DecisionApplicationFile_21H1** The total number of objects of this type present on this device.
- **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device.
-- **DecisionApplicationFile_21H2** The total number of objects of this type present on this device.
-- **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionApplicationFile_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionApplicationFile_CU22H2Setup** The total number of objects of this type present on this device.
- **DecisionApplicationFile_RS1** The total number of objects of this type present on this device.
- **DecisionApplicationFile_RS2** The total number of objects of this type present on this device.
- **DecisionApplicationFile_RS3** The total number of objects of this type present on this device.
@@ -206,10 +174,6 @@ The following fields are available:
- **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device.
- **DecisionDevicePnp_21H1** The total number of objects of this type present on this device.
- **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device.
-- **DecisionDevicePnp_21H2** The total number of objects of this type present on this device.
-- **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionDevicePnp_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionDevicePnp_CU22H2Setup** The total number of objects of this type present on this device.
- **DecisionDevicePnp_RS1** The total number of objects of this type present on this device.
- **DecisionDevicePnp_RS2** The total number of objects of this type present on this device.
- **DecisionDevicePnp_RS3** The total number of objects of this type present on this device.
@@ -225,10 +189,6 @@ The following fields are available:
- **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device.
- **DecisionDriverPackage_21H1** The total number of objects of this type present on this device.
- **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device.
-- **DecisionDriverPackage_21H2** The total number of objects of this type present on this device.
-- **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionDriverPackage_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionDriverPackage_CU22H2Setup** The total number of objects of this type present on this device.
- **DecisionDriverPackage_RS1** The total number of objects of this type present on this device.
- **DecisionDriverPackage_RS2** The total number of objects of this type present on this device.
- **DecisionDriverPackage_RS3** The total number of objects of this type present on this device.
@@ -244,10 +204,6 @@ The following fields are available:
- **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_CU22H2Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device.
- **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device.
@@ -261,10 +217,6 @@ The following fields are available:
- **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_CU22H2Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device.
@@ -278,10 +230,6 @@ The following fields are available:
- **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_CU22H2Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device.
@@ -295,10 +243,6 @@ The following fields are available:
- **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device.
- **DecisionMediaCenter_21H1** The total number of objects of this type present on this device.
- **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device.
-- **DecisionMediaCenter_21H2** The total number of objects of this type present on this device.
-- **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionMediaCenter_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionMediaCenter_CU22H2Setup** The total number of objects of this type present on this device.
- **DecisionMediaCenter_RS1** The total number of objects of this type present on this device.
- **DecisionMediaCenter_RS2** The total number of objects of this type present on this device.
- **DecisionMediaCenter_RS3** The total number of objects of this type present on this device.
@@ -306,19 +250,12 @@ The following fields are available:
- **DecisionMediaCenter_RS5** The total number of objects of this type present on this device.
- **DecisionMediaCenter_TH1** The total number of objects of this type present on this device.
- **DecisionMediaCenter_TH2** The total number of objects of this type present on this device.
-- **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSModeState_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSModeState_CU22H2Setup** The total number of objects of this type present on this device.
- **DecisionSystemBios_19H1** The total number of objects of this type present on this device.
- **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device.
- **DecisionSystemBios_20H1** The total number of objects of this type present on this device.
- **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device.
- **DecisionSystemBios_21H1** The total number of objects of this type present on this device.
- **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device.
-- **DecisionSystemBios_21H2** The total number of objects of this type present on this device.
-- **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemBios_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemBios_CU22H2Setup** The total number of objects of this type present on this device.
- **DecisionSystemBios_RS1** The total number of objects of this type present on this device.
- **DecisionSystemBios_RS2** The total number of objects of this type present on this device.
- **DecisionSystemBios_RS3** The total number of objects of this type present on this device.
@@ -328,29 +265,11 @@ The following fields are available:
- **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device.
- **DecisionSystemBios_TH1** The total number of objects of this type present on this device.
- **DecisionSystemBios_TH2** The total number of objects of this type present on this device.
-- **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemDiskSize_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemDiskSize_CU22H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemMemory_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemMemory_CU22H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuCores_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuCores_CU22H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuModel_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuModel_CU22H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuSpeed_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuSpeed_CU22H2Setup** The total number of objects of this type present on this device.
- **DecisionTest_19H1** The total number of objects of this type present on this device.
- **DecisionTest_20H1** The total number of objects of this type present on this device.
- **DecisionTest_20H1Setup** The total number of objects of this type present on this device.
- **DecisionTest_21H1** The total number of objects of this type present on this device.
- **DecisionTest_21H1Setup** The total number of objects of this type present on this device.
-- **DecisionTest_21H2** The total number of objects of this type present on this device.
-- **DecisionTest_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionTest_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionTest_CU22H2Setup** The total number of objects of this type present on this device.
- **DecisionTest_RS1** The total number of objects of this type present on this device.
- **DecisionTest_RS2** The total number of objects of this type present on this device.
- **DecisionTest_RS3** The total number of objects of this type present on this device.
@@ -358,12 +277,6 @@ The following fields are available:
- **DecisionTest_RS5** The total number of objects of this type present on this device.
- **DecisionTest_TH1** The total number of objects of this type present on this device.
- **DecisionTest_TH2** The total number of objects of this type present on this device.
-- **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionTpmVersion_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionTpmVersion_CU22H2Setup** The total number of objects of this type present on this device.
-- **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device.
-- **DecisionUefiSecureBoot_CO21H2Setup** The total number of objects of this type present on this device.
-- **DecisionUefiSecureBoot_CU22H2Setup** The total number of objects of this type present on this device.
- **InventoryApplicationFile** The total number of objects of this type present on this device.
- **InventoryLanguagePack** The total number of objects of this type present on this device.
- **InventoryMediaCenter** The total number of objects of this type present on this device.
@@ -387,10 +300,6 @@ The following fields are available:
- **Wmdrm_20H1Setup** The total number of objects of this type present on this device.
- **Wmdrm_21H1** The total number of objects of this type present on this device.
- **Wmdrm_21H1Setup** The total number of objects of this type present on this device.
-- **Wmdrm_21H2** The total number of objects of this type present on this device.
-- **Wmdrm_21H2Setup** The total number of objects of this type present on this device.
-- **Wmdrm_CO21H2Setup** The total number of objects of this type present on this device.
-- **Wmdrm_CU22H2Setup** The total number of objects of this type present on this device.
- **Wmdrm_RS1** The total number of objects of this type present on this device.
- **Wmdrm_RS2** The total number of objects of this type present on this device.
- **Wmdrm_RS3** The total number of objects of this type present on this device.
From aa141093e3fd295cf7beeabb8d3130fa372c5606 Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com>
Date: Wed, 2 Jun 2021 12:02:42 -0700
Subject: [PATCH 97/97] Update event-id-explanations.md
fix table formatting (needed line before)
---
.../event-id-explanations.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 849d3ce821..c97df0f805 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -84,6 +84,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
## Appendix
A list of other relevant event IDs and their corresponding description.
+
| Event ID | Description |
|-------|------|
| 3001 | An unsigned driver was attempted to load on the system. |