Fixed many broken hyperlinks and image links across md and toc pages

Jordan Geurten
2022-04-28 14:29:46 -07:00
parent 9a2cd891f9
commit f195dfe92c
5 changed files with 27 additions and 25 deletions


@ -27,9 +27,9 @@ ms.technology: windows-sec
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
After deployment of the WDAC AppId Tagging policy, WDAC will fire a 3099 policy deployed event in the [Event Viewer logs](event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
After deployment of the WDAC AppId Tagging policy, WDAC will fire a 3099 policy deployed event in the [Event Viewer logs](../event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
## Verifying Tags on Running Processes
@ -43,14 +43,14 @@ After verifying the policy has been deployed, the next step is to verify that th
Using Task Manager, or an equivalent process monitoring tool, locate the PID of the process you wish to inspect. In the example below, I have located the PID for the running process for Microsoft Edge to be 2260. The PID will be used in the next step.
![Using Task Manager to locate the process ID - PID.](images/appid-pid-task-mgr.png)
![Using Task Manager to locate the process ID - PID.](../images/appid-pid-task-mgr.png)
3. Use WinDbg to inspect the process
After opening WinDbg select File followed by "Attach to Process" and select the process with the PID identified in the step prior. Finally, select **Attach** to connect to the process.
![Attach to the process using WinDbg.](images/appid-pid-windbg.png)
![Attach to the process using WinDbg.](../images/appid-pid-windbg.png)
Lastly, in the textbox, type _!token_ and hit enter to dump the security attributes on the process, including the _POLICYAPPID://_ followed by the key you set in the policy, as well as its corresponding value in the Value[0] field.
![Dump the security attributes on the process using WinDbg.](images/appid-pid-windbg-token.png)
![Dump the security attributes on the process using WinDbg.](../images/appid-pid-windbg-token.png)
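Review bot: in the last step of this hunk the debugger command and the attribute prefix are written as _!token_ and _POLICYAPPID://_, which renders them in italics. Inline code formatting would make it clear that these are literal strings to type or to look for in the output. The PID step also switches to first person ("I have located the PID"), unlike the rest of the procedure.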


@ -27,14 +27,14 @@ ms.technology: windows-sec
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
Similar to WDAC Application Control policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you have created your AppId Tagging policy, use one of the following methods to deploy:
1. [Deploy policies with MDM](#Deploy-AppId-Tagging-Policies-with-MDM)
1. [Deploy policies with MEMCM](#Deploy-AppId-Tagging-Policies-with-MEMCM)
1. [Deploy policies using scripting](#Deploy-AppId-Tagging-Policies-via-Scripting)
1. [ApplicationControl CSP](#Deploying-policies-via-ApplicationControl-CSP)
1. [Deploy using the ApplicationControl CSP](#Deploying-policies-via-the-ApplicationControl-CSP)
## Deploy AppId Tagging Policies with MDM
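Review bot: the in-page anchors in this list are mixed case, including the new #Deploying-policies-via-the-ApplicationControl-CSP, while the #template-base-policies link elsewhere in this commit is lowercase. Generated heading anchors are normally lowercase, so I would lowercase all four targets and check each one against the rendered page. The fourth item also points at a "###" heading while the first points at a "##" heading, so the list of deployment methods and the heading levels do not line up.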
@ -48,9 +48,9 @@ Similar to MDM, policies can only be deployed via MEMCM not created. Using the [
Scripting hosts can be used to deploy AppId Tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. The [Deploy WDAC policies using script topic](/deployment/deploy-wdac-policies-with-script.md) describes how to deploy WDAC AppId Tagging policies via scripting. Note that only the method for deploying to version 1903 and above is applicable for AppId Tagging policies.
### Deploying policies via ApplicationControl CSP
### Deploying policies via the ApplicationControl CSP
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.<br>
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
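Review bot: the context link [Deploy WDAC policies using script topic](/deployment/deploy-wdac-policies-with-script.md) still starts with a leading slash, unlike the ../ relative paths used for the other links fixed in this commit. Since this file now sits one folder deeper, please confirm that link resolves, or rewrite it as a relative path in the same style.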


@ -27,7 +27,7 @@ ms.technology: windows-sec
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
## Create the policy using the WDAC Wizard
@ -37,13 +37,11 @@ Using this method, you will use a hybrid of the WDAC Wizard and the WDAC PowerSh
Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. Our recommendation is to start with [Default Windows Mode](../wdac-wizard-create-base-policy#template-base-policies) and build ontop of these rules.
![Configuring the policy base and template.](images/appid-wdac-wizard-1.png)
![Configuring the policy base and template.](../images/appid-wdac-wizard-1.png)
2. Set the rule-options on the policy:
2. Set the following rule-options using the Wizard toggles:
Set the following rule-options using the Wizard toggles:
![Configuring the policy rule-options.](images/appid-wdac-wizard-2.png)
![Configuring the policy rule-options.](../images/appid-wdac-wizard-2.png)
3. Create custom rules:
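Review bot: step 2 says "Set the following rule-options using the Wizard toggles:" but what follows is only the appid-wdac-wizard-2.png screenshot, so the options themselves are not searchable or readable without the image. Suggest listing the required rule-options as text under the step and keeping the screenshot as an illustration. While touching this hunk, "build ontop of these rules" in step 1 should read "on top".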
@ -56,7 +54,7 @@ Using this method, you will use a hybrid of the WDAC Wizard and the WDAC PowerSh
- Hash rules: Create a rule based off the PE Authenticode hash of a file.
For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](wdac-wizard-create-base-policy.md#creating-custom-file-rules).
For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../wdac-wizard-create-base-policy#Creating-custom-file-rules).
4. Convert to AppId Tagging Policy:
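Review bot: the updated link changes two things besides the ../ prefix: it drops the .md extension and capitalizes the anchor (#Creating-custom-file-rules, previously #creating-custom-file-rules). The other links fixed in this commit keep .md, and the lowercase form matches how the #template-base-policies anchor is written in this same file. Suggest ../wdac-wizard-create-base-policy.md#creating-custom-file-rules unless the capitalized form was verified to resolve.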
@ -120,7 +118,7 @@ Using this method, you will create an AppId Tagging policy directly using the WD
6. Optionally, deploy it for local testing:
```powershell
copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\
./RefreshPolicy.exe
copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\
./RefreshPolicy.exe
```
RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925).
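Review bot: the local-test step copies into c:\windows\system32\codeintegrity\CiPolicies\Active\ without saying that the commands must be run from an elevated PowerShell session, and a non-elevated copy to that path will fail. It is also unclear whether the braces in ".\{Policy ID}.cip" are part of the file name or only mark a placeholder; a short sentence stating both would save readers a failed first attempt. ./RefreshPolicy.exe additionally assumes the downloaded tool is in the current directory, which is worth stating next to the download link.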


@ -27,7 +27,7 @@ ms.technology: windows-sec
- Windows Server 2022 and above
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature.
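Review bot: the applicability list in this file reads "Windows Server 2022 and above", while the same position in the other three AppId Tagging pages touched by this commit reads "Windows Server 2016 and above". Please confirm which minimum version is correct and align the pages. Minor wording in the context paragraph: "with Microsoft Defender for Endpoint Advanced Hunting feature" is missing an article ("with the ... feature").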
@ -50,6 +50,6 @@ Server:
| Topic | Description |
| - | - |
| [Designing and Creating AppId Policies](./design-create-appid-tagging-policies.md) | This topic covers how to design and create AppId Tagging policies. |
| [Deploying AppId Policies](./deploy-appid-tagging-policies.md) | This topic covers how to deploy AppId Tagging policies. |
| [Debugging AppId Policies](./debugging-operational-guide-appid-tagging-policies.md) | This topic covers how to debug and view events from AppId Tagging policies. |
| [Designing and Creating AppId Policies](design-create-appid-tagging-policies.md) | This topic covers how to design and create AppId Tagging policies. |
| [Deploying AppId Policies](deploy-appid-tagging-policies.md) | This topic covers how to deploy AppId Tagging policies. |
| [Debugging AppId Policies](debugging-operational-guide-appid-tagging-policies.md) | This topic covers how to debug and view events from AppId Tagging policies. |


@ -115,10 +115,14 @@
- name: Managed installer and ISG technical reference and troubleshooting guide
href: configure-wdac-managed-installer.md
- name: WDAC AppId Tagging guide
href: windows-defender-application-control-appid-tagging-guide.md
href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
items:
- name: Understanding Application Control event tags
href: event-tag-explanations.md
- name: Creating AppId Tagging Policies
href: AppIdTagging/design-create-appid-tagging-policies.md
- name: Deploying AppId Tagging Policies
href: AppIdTagging/deploy-appid-tagging-policies.md
- name: Testing and Debugging AppId Tagging Policies
href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
- name: AppLocker
href: applocker\applocker-overview.md
items:
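Review bot: going by the hunk header (10 lines before, 14 after), the "Understanding Application Control event tags" entry pointing at event-tag-explanations.md appears to be dropped from the TOC here, which the commit message (link fixes only) does not mention. If that page still exists it becomes unreachable from the navigation, so please either keep the entry or call out the removal. Separately, the new hrefs use a mixed-case folder name (AppIdTagging/) while the neighbouring entry uses lowercase with a backslash (applocker\applocker-overview.md); forward slashes and one casing convention throughout would avoid breakage on case-sensitive hosts.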