diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md index ec9b2e4fc1..d63f666cfa 100644 --- a/windows/application-management/app-v/appv-prerequisites.md +++ b/windows/application-management/app-v/appv-prerequisites.md @@ -2,12 +2,13 @@ title: App-V Prerequisites (Windows 10/11) description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V). author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: manager: dougeby ms.author: aaroncz ms.topic: article +ms.technology: itpro-apps --- # App-V for Windows client prerequisites diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index bd948491e4..67936bfc06 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -2,12 +2,13 @@ title: How to Publish a Connection Group (Windows 10/11) description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: manager: dougeby ms.author: aaroncz ms.topic: article +ms.technology: itpro-apps --- # How to Publish a Connection Group diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md index a116987714..3401984dac 100644 --- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md 
@@ -2,12 +2,13 @@ title: How to publish a package by using the Management console (Windows 10/11) description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: manager: dougeby ms.author: aaroncz ms.topic: article +ms.technology: itpro-apps --- # How to publish a package by using the Management console diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md index 99f10bfe36..0bd4777e42 100644 --- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md +++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md @@ -2,11 +2,12 @@ title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10/11) description: How to Register and Unregister a Publishing Server by Using the Management Console author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # How to Register and Unregister a Publishing Server by Using the Management Console diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md index 8ffcdfb10f..5bfd8497af 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md 
@@ -2,11 +2,12 @@ title: Release Notes for App-V for Windows 10 version 1703 (Windows 10/11) description: A list of known issues and workarounds for App-V running on Windows 10 version 1703 and Windows 11. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # Release Notes for App-V for Windows 10 version 1703 and later diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index 3cdbf4b20c..5c38053e2b 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -2,11 +2,12 @@ title: Release Notes for App-V for Windows 10, version 1607 (Windows 10) description: A list of known issues and workarounds for App-V running on Windows 10, version 1607. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # Release Notes for App-V for Windows 10, version 1607 diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index 2ca67c8695..5464c1fdcc 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -2,12 +2,13 @@ title: About App-V Reporting (Windows 10/11) description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: manager: dougeby ms.author: aaroncz ms.topic: article +ms.technology: itpro-apps --- # About App-V reporting 
@@ -94,7 +95,7 @@ Yes. Besides manually sending reporting using Windows PowerShell cmdlets (**Send ## App-V Client reporting -To use App-V reporting,, you must enable and configure the App-V client. To configure reporting on the client, use the Windows PowerShell cmdlet **Set-AppVClientConfiguration**, or the Group Policy **ADMX Template**. For more information about the Windows PowerShell cmdlets, see [About client configuration settings](appv-client-configuration-settings.md). The following section provides examples of Windows PowerShell commands for configuring App-V client reporting. +To use App-V reporting, you must enable and configure the App-V client. To configure reporting on the client, use the Windows PowerShell cmdlet **Set-AppVClientConfiguration**, or the Group Policy **ADMX Template**. For more information about the Windows PowerShell cmdlets, see [About client configuration settings](appv-client-configuration-settings.md). The following section provides examples of Windows PowerShell commands for configuring App-V client reporting. ### Configuring App-V client reporting using Windows PowerShell diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index fd51ed04e6..49b68f3ed9 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md 
@@ -2,11 +2,12 @@ title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10/11) description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 03/08/2018 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index 5edc3a1207..23e9dce8a5 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -2,12 +2,13 @@ title: App-V Security Considerations (Windows 10/11) description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: manager: dougeby ms.author: aaroncz ms.topic: article +ms.technology: itpro-apps --- # App-V security considerations diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md index 5a9c710587..7e0b19b428 100644 --- a/windows/application-management/app-v/appv-sequence-a-new-application.md +++ b/windows/application-management/app-v/appv-sequence-a-new-application.md 
@@ -2,12 +2,13 @@ title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: manager: dougeby ms.author: aaroncz ms.topic: article +ms.technology: itpro-apps --- # Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 6b99b11b7d..65cccc4561 100644 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -2,11 +2,12 @@ title: How to sequence a package by using Windows PowerShell (Windows 10/11) description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # How to Sequence a Package by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index 097a07c1ed..e9168ea779 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md 
@@ -2,12 +2,13 @@ title: App-V Supported Configurations (Windows 10/11) description: Learn the requirements to install and run App-V supported configurations in your Windows 10/11 environment. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: manager: dougeby ms.author: aaroncz ms.topic: article +ms.technology: itpro-apps --- # App-V Supported Configurations diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index 786dc0acb1..80859782c4 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -2,11 +2,12 @@ title: Technical Reference for App-V (Windows 10/11) description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V). author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # Technical Reference for App-V diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index 54322edfa1..b0a1c0a587 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md 
@@ -2,11 +2,12 @@ title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10/11) description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md index d5444ae7ab..9bba519134 100644 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ b/windows/application-management/app-v/appv-troubleshooting.md @@ -2,11 +2,12 @@ title: Troubleshooting App-V (Windows 10/11) description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V articles. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # Troubleshooting App-V diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index d8687a7cf5..192f9f4b66 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md 
@@ -2,11 +2,12 @@ title: Upgrading to App-V for Windows 10/11 from an existing installation (Windows 10/11) description: Learn about upgrading to Application Virtualization (App-V) for Windows 10/11 from an existing installation. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # Upgrading to App-V for Windows client from an existing installation diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index c7ece16ed1..c327a058bb 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -2,11 +2,12 @@ title: Using the App-V Client Management Console (Windows 10/11) description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # Using the App-V Client Management Console diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md index c3742fa2f9..858f0dcbad 100644 --- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md 
@@ -2,11 +2,12 @@ title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10/11) description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index b74ad51647..f5fad71c85 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -2,11 +2,12 @@ title: Viewing App-V Server Publishing Metadata (Windows 10/11) description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues. author: aczechowski -ms.prod: w10 +ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: manager: dougeby ms.author: aaroncz +ms.technology: itpro-apps --- # Viewing App-V Server Publishing Metadata diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 60cb9c5b79..f55199f3a5 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md 
@@ -1,13 +1,14 @@ --- title: Remove background task resource restrictions description: Allow enterprise background tasks unrestricted access to computer resources. -ms.prod: w10 +ms.prod: windows-client author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 10/03/2017 ms.reviewer: ms.topic: article +ms.technology: itpro-apps --- # Remove background task resource restrictions diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 7735990889..56381683e9 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -1,12 +1,13 @@ --- title: Per-user services in Windows 10 and Windows Server description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates. -ms.prod: w10 +ms.prod: windows-client author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 09/14/2017 ms.reviewer: +ms.technology: itpro-apps --- # Per-user services in Windows 10 and Windows Server @@ -113,7 +114,7 @@ If a per-user service can't be disabled using the security template, you can dis ![Startup Type is Disabled.](media/gpp-svc-disabled.png) -9. To add the other services that can't be managed with a Group Policy templates, edit the policy and repeat steps 5-8. +9. To add the other services that can't be managed with Group Policy templates, edit the policy and repeat steps 5-8. ### Managing Template Services with reg.exe diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index a1337bf7dd..e9d56cf86b 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md 
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -5,9 +5,10 @@ author: nicholasswhite ms.author: nwhite manager: aaroncz ms.reviewer: amanh -ms.prod: w11 +ms.prod: windows-client ms.date: 09/15/2021 ms.localizationpriority: medium +ms.technology: itpro-apps --- # Private app repository in Windows 11 diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index 1c99168f4a..c695094f62 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -5,9 +5,10 @@ author: nicholasswhite ms.author: nwhite manager: aaroncz description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11. -ms.prod: w10 +ms.prod: windows-client ms.localizationpriority: medium ms.topic: article +ms.technology: itpro-apps --- # Provisioned apps installed with the Windows client OS diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 817364d24a..57b52fce28 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md 
@@ -1,12 +1,13 @@ --- title: How to keep apps removed from Windows 10 from returning during an update description: How to keep provisioned apps that were removed from your machine from returning during an update. -ms.prod: w10 +ms.prod: windows-client author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 05/25/2018 ms.reviewer: +ms.technology: itpro-apps --- # How to keep apps removed from Windows 10 from returning during an update diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 466370dcd1..baeae78bd8 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -5,8 +5,9 @@ ms.reviewer: author: nicholasswhite ms.author: nwhite manager: aaroncz -ms.prod: w10 +ms.prod: windows-client ms.localizationpriority: medium +ms.technology: itpro-apps --- # Sideload line of business (LOB) apps in Windows client devices diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 67476d451f..692bae2fe3 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -1,12 +1,13 @@ --- title: Service Host service refactoring in Windows 10 version 1703 description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703. -ms.prod: w10 +ms.prod: windows-client author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 07/20/2017 ms.reviewer: +ms.technology: itpro-apps --- # Changes to Service Host grouping in Windows 10 diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md index eef2f72573..0788b793d8 100644 --- a/windows/application-management/system-apps-windows-client-os.md 
+++ b/windows/application-management/system-apps-windows-client-os.md @@ -5,9 +5,10 @@ author: nicholasswhite ms.author: nwhite manager: aaroncz description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11. -ms.prod: w10 +ms.prod: windows-client ms.localizationpriority: medium ms.topic: article +ms.technology: itpro-apps --- # System apps installed with the Windows client OS diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 157e08e8e7..526551ec0e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -1,5 +1,5 @@ --- -title: Disable Windows Defender Application Control policies (Windows) +title: Remove Windows Defender Application Control policies (Windows) description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -11,86 +11,169 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 05/03/2018 +ms.date: 11/04/2022 ms.technology: itpro-security --- -# Disable Windows Defender Application Control policies +# Remove Windows Defender Application Control (WDAC) policies **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This topic covers how to disable unsigned or signed WDAC policies. +## Removing WDAC policies -## Disable unsigned Windows Defender Application Control policies +There may come a time when you want to remove one or more WDAC policies, or remove all WDAC policies you've deployed. This article describes the various ways to remove WDAC policies. -There may come a time when an administrator wants to disable a Windows Defender Application Control policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart: +> [!IMPORTANT] +> **Signed WDAC policy** +> +> If the policy you are trying to remove is a signed WDAC policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**. +> +> The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \. 
+> +> To take effect, this policy must be signed with a certificate included in the \ section of the original policy you want to replace. +> +> You must then restart the computer so that the UEFI protection of the policy is deactivated. ***Failing to do so will result in a boot start failure.*** -- <EFI System Partition>\\Microsoft\\Boot\\ -- <OS Volume>\\Windows\\System32\\CodeIntegrity\\ +Before removing any policy, you must first disable the method used to deploy it (such as Group Policy or MDM). Otherwise, the policy may redeploy to the computer. ->[!NOTE] -> As of the Windows 10 May 2019 Update (1903), Windows Defender Application Control allows multiple policies to be deployed to a device. To fully disable WDAC when multiple policies are in effect, you must first disable each method being used to deploy a policy. Then delete the {Policy GUID}.cip policy files found in the \CIPolicies\Active subfolder under each of the paths listed above in addition to any SIPolicy.p7b file found in the root directory. +To make a policy effectively inactive before removing it, you can first replace the policy with a new one that includes the following changes: -## Disable signed Windows Defender Application Control policies within Windows +1. Replace the policy rules with "Allow *" rules; +2. Set option **3 Enabled:Audit Mode** to change the policy to audit mode only; +3. Set option **11 Disabled:Script Enforcement**; +4. Allow all COM objects. See [Allow COM object registration in a WDAC policy](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy#examples); +5. If applicable, remove option **0 Enabled:UMCI** to convert the policy to kernel mode only. -Signed policies protect Windows from administrative manipulation and malware that has gained administrative-level access to the system. 
For this reason, signed Windows Defender Application Control policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps. +> [!IMPORTANT] +> After a policy has been removed, you must restart the computer for it to take effect. You can't remove WDAC policies rebootlessly. + +### Remove WDAC policies using CiTool.exe + +Beginning with the Windows 11 2022 Update, you can remove WDAC policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the WDAC policy you want to remove: + +```powershell + CiTool.exe -rp "{PolicyId GUID}" -json +``` + +Then restart the computer. + +### Remove WDAC policies using MDM solutions like Intune + +You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to remove WDAC policies from client machines using the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp). + + +Consult your MDM solution provider for specific information on using the ApplicationControl CSP. -1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. +Then restart the computer. - > [!NOTE] - > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. +### Remove WDAC policies using script -2. Restart the client computer. +To remove WDAC policies using script, your script must delete the policy file(s) from the computer. For **multiple policy format (1903+) WDAC policies**, look for the policy files in the following locations. 
Be sure to replace the *PolicyId GUID* with the actual PolicyId of the WDAC policy you want to remove. -3. Verify that the new signed policy exists on the client. +- <EFI System Partition>\\Microsoft\\Boot\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip +- <OS Volume>\\Windows\\System32\\CodeIntegrity\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip - > [!NOTE] - > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. +For **single policy format WDAC policies**, in addition to the two locations above, also look for a file called SiPolicy.p7b that may be found in the following locations: -4. Delete the new policy. +- <EFI System Partition>\\Microsoft\\Boot\\SiPolicy.p7b +- <OS Volume>\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b -5. Restart the client computer. +Then restart the computer. -If the signed Windows Defender Application Control policy has been deployed by using Group Policy, you must complete the following steps: +#### Sample script -1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. +
+ Expand this section to see a sample script to delete a single WDAC policy - > [!NOTE] - > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. +```powershell + # Set PolicyId GUID to the PolicyId from your WDAC policy XML + $PolicyId = "{PolicyId GUID}" -2. Restart the client computer. + # Initialize variables + $SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}" + $SinglePolicyFormatFileName = "\SiPolicy.p7b" + $MountPoint = $env:SystemDrive+"\EFIMount" + $SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity" + $EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot" + $MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip" -3. Verify that the new signed policy exists on the client. + # Mount the EFI partition + $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] + if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force } + mountvol $MountPoint $EFIPartition - > [!NOTE] - > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. + # Check if the PolicyId to be removed is the system reserved GUID for single policy format. 
+ # If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as + # {GUID}.cip in the CiPolicies\Active subdirectory + if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2} + + $Count = 1 + while ($Count -le $NumFilesToDelete) + { + + # Set the $PolicyPath to the file to be deleted, if exists + Switch ($Count) + { + 1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath} + 2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath} + 3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName} + 4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName} + } -4. Set the GPO to disabled. + # Delete the policy file from the current $PolicyPath + Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan + if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue} -5. Delete the new policy. + $Count = $Count + 1 + } -6. Restart the client computer. + # Dismount the EFI partition + mountvol $MountPoint /D +``` -## Disable signed Windows Defender Application Control policies within the BIOS +
-There may be a time when signed Windows Defender Application Control policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it's important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows: +> [!NOTE] +> You must run the script as administrator to remove WDAC policies on your computer. -- <EFI System Partition>\\Microsoft\\Boot\\ -- <OS Volume>\\Windows\\System32\\CodeIntegrity\\ +## Remove WDAC policies causing boot stop failures + +A WDAC policy that blocks boot critical drivers can cause a boot stop failure (BSOD) to occur, though this can be mitigated by setting option **10 Enabled:Boot Audit On Failure** in your policies. Additionally, signed WDAC policies protect the policy from administrative manipulation and malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies even for administrators. Tampering with or removing a signed WDAC policy will cause a BSOD to occur. + +To remove a policy that is causing boot stop failures: + +1. If the policy is a **signed** WDAC policy, turn off Secure Boot from your [UEFI BIOS menu](/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-mode). For help with locating where to turn off Secure Boot within your BIOS menu, consult with your original equipment manufacturer (OEM). +2. Access the Advanced Boot Options menu on your computer and choose the option to **Disable Driver Signature Enforcement**. For instructions on accessing the Advanced Boot Options menu during startup, consult with your OEM. 
This option will suspend all code integrity checks, including WDAC, for a single boot session. +3. Start Windows normally and sign in. Then, [remove WDAC policies using script](#remove-wdac-policies-using-script). +4. If you turned off Secure Boot in step 1 above and your drive is protected by BitLocker, [suspend BitLocker protection](/troubleshoot/windows-client/windows-security/suspend-bitlocker-protection-non-microsoft-updates) then turn on Secure Boot from your UEFI BIOS menu. +5. Restart the computer. + +> [!NOTE] +> If your drive is protected by Bitlocker, you may need your Bitlocker recovery keys to perform steps 1-2 above. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index e752db3d0d..ca5b20ff1f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 08/15/2022 +ms.date: 11/04/2022 ms.technology: itpro-security --- 
@@ -42,10 +42,10 @@ Signed Windows Defender Application Control (WDAC) policies give organizations t Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. -Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. +Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. -Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). +Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options **Enabled:Advanced Boot Options Menu** and **10 Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. 
If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). To sign a Windows Defender Application Control policy with SignTool.exe, you need the following components: @@ -85,7 +85,7 @@ If you don't have a code signing certificate, see [Optional: Create a code signi > [!NOTE] > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. - Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Disable signed Windows Defender Application Control policies within Windows](disable-windows-defender-application-control-policies.md#disable-signed-windows-defender-application-control-policies-within-windows). + Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Remove WDAC policies](disable-windows-defender-application-control-policies.md). 6. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
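Review bot: In the sample script added to disable-windows-defender-application-control-policies.md, the result of `mountvol $MountPoint $EFIPartition` is never checked. If the mount fails, both EFI paths fail `Test-Path` and the script finishes without saying that the EFI copy of the policy was left in place. Suggest checking `$LASTEXITCODE` after the mount and stopping before any file is deleted. `(Get-Partition | Where-Object IsSystem).AccessPaths[0]` likewise assumes a single system partition with an access path. The "Attempting to remove $PolicyPath..." message prints whether or not the file exists, so the output cannot confirm what was removed; report found or not found per path instead. The script also leaves behind the `$MountPoint` directory it creates, and the administrator requirement appears only in the note after the script; a `#Requires -RunAsAdministrator` line at the top would enforce it.

In the same hunk, the prose bullets give the EFI location as `<EFI System Partition>\\Microsoft\\Boot\\...` while the script uses `$MountPoint+"\EFI\Microsoft\Boot"`, so one of the two is missing the `EFI` directory. Step 4 of the boot stop failure procedure ties turning Secure Boot back on to the drive being BitLocker-protected ("If you turned off Secure Boot in step 1 above and your drive is protected by BitLocker"), which reads as if a machine without BitLocker can skip re-enabling Secure Boot. Suggest splitting it so that Secure Boot is always turned back on and only the BitLocker suspension is conditional. The closing note spells the product "Bitlocker" where step 4 uses "BitLocker".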
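Review bot: In the @@ -42,10 hunk of use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md, the rewritten sentence drops the option number from the first rule option: it now reads "**Enabled:Advanced Boot Options Menu** and **10 Enabled:Boot Audit on Failure**", whereas the removed line named options 9 and 10. The example that follows still passes `-Option 9`, so the number should stay on the name, as "**9 Enabled:Advanced Boot Options Menu**". The capitalization also differs from the other file in this change, which writes "**10 Enabled:Boot Audit On Failure**"; pick one form for both pages.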
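Review bot: In the @@ -85,7 hunk, the replacement link drops the section anchor and points at the top of disable-windows-defender-application-control-policies.md with the text "Remove WDAC policies", while the sentence around it still promises information on "how to disable signed WDAC policies". A reader who follows this from the update-signers step needs the signed-policy procedure specifically, so suggest linking to the section of the target page that covers signed policies and making the verb in the sentence match the link text.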