Merge branch 'main' into updatefinal2

Angela Fleischmann
2022-11-04 14:37:53 -06:00
committed by GitHub
29 changed files with 187 additions and 77 deletions

View File

@ -2,12 +2,13 @@
title: App-V Prerequisites (Windows 10/11)
description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V).
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.topic: article
ms.technology: itpro-apps
---
# App-V for Windows client prerequisites

View File

@ -2,12 +2,13 @@
title: How to Publish a Connection Group (Windows 10/11)
description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.topic: article
ms.technology: itpro-apps
---
# How to Publish a Connection Group

View File

@ -2,12 +2,13 @@
title: How to publish a package by using the Management console (Windows 10/11)
description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.topic: article
ms.technology: itpro-apps
---
# How to publish a package by using the Management console

View File

@ -2,11 +2,12 @@
title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10/11)
description: How to Register and Unregister a Publishing Server by Using the Management Console
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# How to Register and Unregister a Publishing Server by Using the Management Console

View File

@ -2,11 +2,12 @@
title: Release Notes for App-V for Windows 10 version 1703 (Windows 10/11)
description: A list of known issues and workarounds for App-V running on Windows 10 version 1703 and Windows 11.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# Release Notes for App-V for Windows 10 version 1703 and later

View File

@ -2,11 +2,12 @@
title: Release Notes for App-V for Windows 10, version 1607 (Windows 10)
description: A list of known issues and workarounds for App-V running on Windows 10, version 1607.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# Release Notes for App-V for Windows 10, version 1607

View File

@ -2,12 +2,13 @@
title: About App-V Reporting (Windows 10/11)
description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/16/2018
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.topic: article
ms.technology: itpro-apps
---
# About App-V reporting
@ -94,7 +95,7 @@ Yes. Besides manually sending reporting using Windows PowerShell cmdlets (**Send
## App-V Client reporting
To use App-V reporting,, you must enable and configure the App-V client. To configure reporting on the client, use the Windows PowerShell cmdlet **Set-AppVClientConfiguration**, or the Group Policy **ADMX Template**. For more information about the Windows PowerShell cmdlets, see [About client configuration settings](appv-client-configuration-settings.md). The following section provides examples of Windows PowerShell commands for configuring App-V client reporting.
To use App-V reporting, you must enable and configure the App-V client. To configure reporting on the client, use the Windows PowerShell cmdlet **Set-AppVClientConfiguration**, or the Group Policy **ADMX Template**. For more information about the Windows PowerShell cmdlets, see [About client configuration settings](appv-client-configuration-settings.md). The following section provides examples of Windows PowerShell commands for configuring App-V client reporting.
### Configuring App-V client reporting using Windows PowerShell

View File

@ -2,11 +2,12 @@
title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10/11)
description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 03/08/2018
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications

View File

@ -2,12 +2,13 @@
title: App-V Security Considerations (Windows 10/11)
description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/16/2018
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.topic: article
ms.technology: itpro-apps
---
# App-V security considerations

View File

@ -2,12 +2,13 @@
title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/16/2018
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.topic: article
ms.technology: itpro-apps
---
# Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer)

View File

@ -2,11 +2,12 @@
title: How to sequence a package by using Windows PowerShell (Windows 10/11)
description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# How to Sequence a Package by using Windows PowerShell

View File

@ -2,12 +2,13 @@
title: App-V Supported Configurations (Windows 10/11)
description: Learn the requirements to install and run App-V supported configurations in your Windows 10/11 environment.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/16/2018
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.topic: article
ms.technology: itpro-apps
---
# App-V Supported Configurations

View File

@ -2,11 +2,12 @@
title: Technical Reference for App-V (Windows 10/11)
description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V).
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# Technical Reference for App-V

View File

@ -2,11 +2,12 @@
title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10/11)
description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console

View File

@ -2,11 +2,12 @@
title: Troubleshooting App-V (Windows 10/11)
description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V articles.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# Troubleshooting App-V

View File

@ -2,11 +2,12 @@
title: Upgrading to App-V for Windows 10/11 from an existing installation (Windows 10/11)
description: Learn about upgrading to Application Virtualization (App-V) for Windows 10/11 from an existing installation.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# Upgrading to App-V for Windows client from an existing installation

View File

@ -2,11 +2,12 @@
title: Using the App-V Client Management Console (Windows 10/11)
description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# Using the App-V Client Management Console

View File

@ -2,11 +2,12 @@
title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10/11)
description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console

View File

@ -2,11 +2,12 @@
title: Viewing App-V Server Publishing Metadata (Windows 10/11)
description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues.
author: aczechowski
ms.prod: w10
ms.prod: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.technology: itpro-apps
---
# Viewing App-V Server Publishing Metadata

View File

@ -1,13 +1,14 @@
---
title: Remove background task resource restrictions
description: Allow enterprise background tasks unrestricted access to computer resources.
ms.prod: w10
ms.prod: windows-client
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 10/03/2017
ms.reviewer:
ms.topic: article
ms.technology: itpro-apps
---
# Remove background task resource restrictions

View File

@ -1,12 +1,13 @@
---
title: Per-user services in Windows 10 and Windows Server
description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
ms.prod: w10
ms.prod: windows-client
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 09/14/2017
ms.reviewer:
ms.technology: itpro-apps
---
# Per-user services in Windows 10 and Windows Server
@ -113,7 +114,7 @@ If a per-user service can't be disabled using the security template, you can dis
![Startup Type is Disabled.](media/gpp-svc-disabled.png)
9. To add the other services that can't be managed with a Group Policy templates, edit the policy and repeat steps 5-8.
9. To add the other services that can't be managed with Group Policy templates, edit the policy and repeat steps 5-8.
### Managing Template Services with reg.exe

View File

@ -5,9 +5,10 @@ author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.reviewer: amanh
ms.prod: w11
ms.prod: windows-client
ms.date: 09/15/2021
ms.localizationpriority: medium
ms.technology: itpro-apps
---
# Private app repository in Windows 11

View File

@ -5,9 +5,10 @@ author: nicholasswhite
ms.author: nwhite
manager: aaroncz
description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11.
ms.prod: w10
ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-apps
---
# Provisioned apps installed with the Windows client OS
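Review bot: while this front matter is being touched, the unchanged `description:` context line carries two typos that should go in the same change: "get a list off the provisioned apps" should read "get a list of the provisioned apps", and "installed a Windows Enterprise client computer" should read "installed on a Windows Enterprise client computer".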

View File

@ -1,12 +1,13 @@
---
title: How to keep apps removed from Windows 10 from returning during an update
description: How to keep provisioned apps that were removed from your machine from returning during an update.
ms.prod: w10
ms.prod: windows-client
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 05/25/2018
ms.reviewer:
ms.technology: itpro-apps
---
# How to keep apps removed from Windows 10 from returning during an update

View File

@ -5,8 +5,9 @@ ms.reviewer:
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.prod: w10
ms.prod: windows-client
ms.localizationpriority: medium
ms.technology: itpro-apps
---
# Sideload line of business (LOB) apps in Windows client devices

View File

@ -1,12 +1,13 @@
---
title: Service Host service refactoring in Windows 10 version 1703
description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703.
ms.prod: w10
ms.prod: windows-client
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 07/20/2017
ms.reviewer:
ms.technology: itpro-apps
---
# Changes to Service Host grouping in Windows 10

View File

@ -5,9 +5,10 @@ author: nicholasswhite
ms.author: nwhite
manager: aaroncz
description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11.
ms.prod: w10
ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-apps
---
# System apps installed with the Windows client OS
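Review bot: same typos as in the provisioned-apps article's front matter: in the unchanged `description:` context line, "a list off the system apps" should be "a list of the system apps" and "installed a Windows Enterprise client computer" should be "installed on a Windows Enterprise client computer"; fix both here rather than in a follow-up.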

View File

@ -1,5 +1,5 @@
---
title: Disable Windows Defender Application Control policies (Windows)
title: Remove Windows Defender Application Control policies (Windows)
description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
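Review bot: the `description:` line is left stale by the title change: it still says "Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS", while the title now reads "Remove Windows Defender Application Control policies" and the rewritten body replaces the BIOS section with "Remove WDAC policies causing boot stop failures". Update the description to match, and since the file is still named `disable-windows-defender-application-control-policies.md` (and linked under that name from the signing article later in this commit), decide whether a rename plus redirect is wanted now or later.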
@ -11,86 +11,169 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
ms.date: 05/03/2018
ms.date: 11/04/2022
ms.technology: itpro-security
---
# Disable Windows Defender Application Control policies
# Remove Windows Defender Application Control (WDAC) policies
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
This topic covers how to disable unsigned or signed WDAC policies.
## Removing WDAC policies
## Disable unsigned Windows Defender Application Control policies
There may come a time when you want to remove one or more WDAC policies, or remove all WDAC policies you've deployed. This article describes the various ways to remove WDAC policies.
There may come a time when an administrator wants to disable a Windows Defender Application Control policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart:
> [!IMPORTANT]
> **Signed WDAC policy**
>
> If the policy you are trying to remove is a signed WDAC policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**.
>
> The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \<UpdatePolicySigners\>.
>
> To take effect, this policy must be signed with a certificate included in the \<UpdatePolicySigners\> section of the original policy you want to replace.
>
> You must then restart the computer so that the UEFI protection of the policy is deactivated. ***Failing to do so will result in a boot start failure.***
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
Before removing any policy, you must first disable the method used to deploy it (such as Group Policy or MDM). Otherwise, the policy may redeploy to the computer.
>[!NOTE]
> As of the Windows 10 May 2019 Update (1903), Windows Defender Application Control allows multiple policies to be deployed to a device. To fully disable WDAC when multiple policies are in effect, you must first disable each method being used to deploy a policy. Then delete the {Policy GUID}.cip policy files found in the \CIPolicies\Active subfolder under each of the paths listed above in addition to any SIPolicy.p7b file found in the root directory.
To make a policy effectively inactive before removing it, you can first replace the policy with a new one that includes the following changes:
## Disable signed Windows Defender Application Control policies within Windows
1. Replace the policy rules with "Allow *" rules;
2. Set option **3 Enabled:Audit Mode** to change the policy to audit mode only;
3. Set option **11 Disabled:Script Enforcement**;
4. Allow all COM objects. See [Allow COM object registration in a WDAC policy](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy#examples);
5. If applicable, remove option **0 Enabled:UMCI** to convert the policy to kernel mode only.
Signed policies protect Windows from administrative manipulation and malware that has gained administrative-level access to the system. For this reason, signed Windows Defender Application Control policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps.
> [!IMPORTANT]
> After a policy has been removed, you must restart the computer for it to take effect. You can't remove WDAC policies rebootlessly.
### Remove WDAC policies using CiTool.exe
Beginning with the Windows 11 2022 Update, you can remove WDAC policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the WDAC policy you want to remove:
```powershell
CiTool.exe -rp "{PolicyId GUID}" -json
```
Then restart the computer.
### Remove WDAC policies using MDM solutions like Intune
You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to remove WDAC policies from client machines using the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp).
<!-- Waiting for information from Intune team on specific steps...
The steps to use Intune's custom OMA-URI functionality to remove a WDAC policy are:
1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_PolicyId GUID_/Policy`
- **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"]
> ![Configure custom WDAC.](../images/wdac-intune-custom-oma-uri.png)
> [!NOTE]
> For reference, signed WDAC policies should be replaced and removed from the following locations:
>
> * &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
> * &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
> For the _Policy GUID_ value, do not include the curly brackets.
-->
Consult your MDM solution provider for specific information on using the ApplicationControl CSP.
1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
Then restart the computer.
> [!NOTE]
> To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
### Remove WDAC policies using script
2. Restart the client computer.
To remove WDAC policies using script, your script must delete the policy file(s) from the computer. For **multiple policy format (1903+) WDAC policies**, look for the policy files in the following locations. Be sure to replace the *PolicyId GUID* with the actual PolicyId of the WDAC policy you want to remove.
3. Verify that the new signed policy exists on the client.
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip
> [!NOTE]
> If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
For **single policy format WDAC policies**, in addition to the two locations above, also look for a file called SiPolicy.p7b that may be found in the following locations:
4. Delete the new policy.
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\SiPolicy.p7b
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b
5. Restart the client computer.
Then restart the computer.
If the signed Windows Defender Application Control policy has been deployed by using Group Policy, you must complete the following steps:
#### Sample script
1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
<details>
<summary>Expand this section to see a sample script to delete a single WDAC policy</summary>
> [!NOTE]
> To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
```powershell
# Set PolicyId GUID to the PolicyId from your WDAC policy XML
$PolicyId = "{PolicyId GUID}"
2. Restart the client computer.
# Initialize variables
$SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}"
$SinglePolicyFormatFileName = "\SiPolicy.p7b"
$MountPoint = $env:SystemDrive+"\EFIMount"
$SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity"
$EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot"
$MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip"
3. Verify that the new signed policy exists on the client.
# Mount the EFI partition
$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force }
mountvol $MountPoint $EFIPartition
> [!NOTE]
> If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
# Check if the PolicyId to be removed is the system reserved GUID for single policy format.
# If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as
# {GUID}.cip in the CiPolicies\Active subdirectory
if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2}
4. Set the GPO to disabled.
$Count = 1
while ($Count -le $NumFilesToDelete)
{
5. Delete the new policy.
# Set the $PolicyPath to the file to be deleted, if exists
Switch ($Count)
{
1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath}
2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath}
3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName}
4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName}
}
6. Restart the client computer.
# Delete the policy file from the current $PolicyPath
Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan
if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue}
## Disable signed Windows Defender Application Control policies within the BIOS
$Count = $Count + 1
}
There may be a time when signed Windows Defender Application Control policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it's important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
# Dismount the EFI partition
mountvol $MountPoint /D
```
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
</Details>
> [!NOTE]
> You must run the script as administrator to remove WDAC policies on your computer.
## Remove WDAC policies causing boot stop failures
A WDAC policy that blocks boot critical drivers can cause a boot stop failure (BSOD) to occur, though this can be mitigated by setting option **10 Enabled:Boot Audit On Failure** in your policies. Additionally, signed WDAC policies protect the policy from administrative manipulation and malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies even for administrators. Tampering with or removing a signed WDAC policy will cause a BSOD to occur.
To remove a policy that is causing boot stop failures:
1. If the policy is a **signed** WDAC policy, turn off Secure Boot from your [UEFI BIOS menu](/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-mode). For help with locating where to turn off Secure Boot within your BIOS menu, consult with your original equipment manufacturer (OEM).
2. Access the Advanced Boot Options menu on your computer and choose the option to **Disable Driver Signature Enforcement**. For instructions on accessing the Advanced Boot Options menu during startup, consult with your OEM. This option will suspend all code integrity checks, including WDAC, for a single boot session.
3. Start Windows normally and sign in. Then, [remove WDAC policies using script](#remove-wdac-policies-using-script).
4. If you turned off Secure Boot in step 1 above and your drive is protected by BitLocker, [suspend BitLocker protection](/troubleshoot/windows-client/windows-security/suspend-bitlocker-protection-non-microsoft-updates) then turn on Secure Boot from your UEFI BIOS menu.
5. Restart the computer.
> [!NOTE]
> If your drive is protected by Bitlocker, you may need your Bitlocker recovery keys to perform steps 1-2 above.
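Review bot: the sample script under "#### Sample script" mounts the EFI system partition with `mountvol $MountPoint $EFIPartition` but only dismounts it on the last line, so a terminating error anywhere in the loop leaves the ESP mounted at `%SystemDrive%\EFIMount`; wrap the deletion loop in `try { ... } finally { mountvol $MountPoint /D }`. The script also deletes whatever matches `$PolicyId` without checking whether the policy is signed, even though the IMPORTANT callout near the top of this hunk says a signed policy must first be replaced by a signed policy with option 6 or the machine will fail to boot, so the "### Remove WDAC policies using script" section should restate that prerequisite directly above the script. `(Get-Partition | Where-Object IsSystem).AccessPaths[0]` silently picks the first system partition it finds, which on a multi-disk machine may not be the boot disk; filtering on the disk that holds `$env:SystemDrive` would be safer. Smaller points: `<details>` is closed with `</Details>` (case mismatch); the large `<!-- Waiting for information from Intune team ... -->` block ships as an HTML comment in the source and should be finished or dropped; "rebootlessly" reads better as "without a reboot"; "Bitlocker" in the closing note should be "BitLocker" as in step 4; and the `.cip` path bullets mix `\\` and `\` escaping (`\\Boot\\CiPolicies\Active\\`), which should be made consistent.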

View File

@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
ms.date: 08/15/2022
ms.date: 11/04/2022
ms.technology: itpro-security
---
@ -45,7 +45,7 @@ Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA.
Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options **Enabled:Advanced Boot Options Menu** and **10 Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
To sign a Windows Defender Application Control policy with SignTool.exe, you need the following components:
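Review bot: the rule-option rename in this hunk drops the number from the first option: "**Enabled:Advanced Boot Options Menu**" should be "**9 Enabled:Advanced Boot Options Menu**" to match "**10 Enabled:Boot Audit on Failure**" and the `Set-RuleOption -FilePath <PathAndFilename> -Option 9` example in the next sentence, which otherwise refers to a number the reader has not seen.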
@ -85,7 +85,7 @@ If you don't have a code signing certificate, see [Optional: Create a code signi
> [!NOTE]
> *&lt;Path to exported .cer certificate&gt;* should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Disable signed Windows Defender Application Control policies within Windows](disable-windows-defender-application-control-policies.md#disable-signed-windows-defender-application-control-policies-within-windows).
Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Remove WDAC policies](disable-windows-defender-application-control-policies.md).
6. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
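Review bot: the link text is updated to "Remove WDAC policies" but the surrounding sentence still says "how to disable signed WDAC policies"; align the wording with the new article title. Also, because the old section anchor `#disable-signed-windows-defender-application-control-policies-within-windows` no longer exists after this commit, check that no other article in the repo still links to it.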