From f1d87391beaa1719b1994ad1475321f0a81cb4e5 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Mon, 23 Sep 2024 13:32:52 -0600 Subject: [PATCH] More changes --- .../design-create-appid-tagging-policies.md | 4 +- .../app-control-for-business/TOC.yml | 4 +- .../applocker/administer-applocker.md | 4 +- .../applocker/applocker-overview.md | 4 +- .../deployment/appcontrol-deployment-guide.md | 2 +- .../deployment/audit-appcontrol-policies.md | 4 +- .../deployment/enforce-appcontrol-policies.md | 2 +- .../design/appcontrol-design-guide.md | 12 +-- .../appcontrol-wizard-create-base-policy.md | 8 +- ...ntrol-wizard-create-supplemental-policy.md | 6 +- .../appcontrol-wizard-merging-policies.md | 2 +- .../design/appcontrol-wizard.md | 8 +- ...applications-that-can-bypass-appcontrol.md | 2 +- .../design/common-appcontrol-use-cases.md | 2 +- ...-apps-deployed-with-a-managed-installer.md | 4 +- ...ontrol-policy-for-fully-managed-devices.md | 2 +- ...trol-policy-for-lightly-managed-devices.md | 6 +- ...control-policy-using-reference-computer.md | 2 +- .../manage-packaged-apps-with-appcontrol.md | 4 +- .../design/plan-appcontrol-management.md | 6 +- .../design/script-enforcement.md | 2 +- ...tand-appcontrol-policy-design-decisions.md | 14 +-- ...control-with-intelligent-security-graph.md | 6 +- .../app-control-for-business/index.yml | 2 +- .../appcontrol-operational-guide.md | 4 +- .../configure-appcontrol-managed-installer.md | 2 +- .../operations/event-id-explanations.md | 94 +++++++++---------- .../operations/event-tag-explanations.md | 6 +- ...events-centrally-using-advanced-hunting.md | 12 +-- 29 files changed, 115 insertions(+), 115 deletions(-) 
diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md index 714c740613..26940bd0e3 100644 --- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md @@ -2,7 +2,7 @@ title: Create your App Control for Business AppId Tagging Policies description: Create your App Control for Business AppId tagging policies for Windows devices. ms.localizationpriority: medium -ms.date: 09/11/2024 +ms.date: 09/23/2024 ms.topic: conceptual --- @@ -12,7 +12,7 @@ ms.topic: conceptual ## Create the policy using the App Control Wizard -You can use the App Control for Business Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The App Control Wizard is available for download at the [App Control Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md). +You can use the App Control for Business Wizard and the PowerShell commands to create an App Control policy and convert it to an AppIdTagging policy. The App Control Wizard is available for download at the [App Control Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md). 1. Create a new base policy using the templates: 
diff --git a/windows/security/application-security/application-control/app-control-for-business/TOC.yml b/windows/security/application-security/application-control/app-control-for-business/TOC.yml index f2cf8c651c..b5ff7c1588 100644 --- a/windows/security/application-security/application-control/app-control-for-business/TOC.yml +++ b/windows/security/application-security/application-control/app-control-for-business/TOC.yml @@ -105,9 +105,9 @@ items: - name: App Control debugging and troubleshooting href: operations/appcontrol-debugging-and-troubleshooting.md - - name: Understanding Application Control event IDs + - name: Understanding App Control event IDs href: operations/event-id-explanations.md - - name: Understanding Application Control event tags + - name: Understanding App Control event tags href: operations/event-tag-explanations.md - name: Query App Control events with Advanced hunting href: operations/querying-application-control-events-centrally-using-advanced-hunting.md diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md index bf972f7779..d2e0c1da1e 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md 
@@ -27,11 +27,11 @@ AppLocker helps administrators control how users can access and use files, such | [Edit an AppLocker policy](edit-an-applocker-policy.md) | This article for IT professionals describes the steps required to modify an AppLocker policy. | | [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This article discusses the steps required to test an AppLocker policy prior to deployment. | | [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. | -| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. | +| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker policies. | | [Optimize AppLocker performance](optimize-applocker-performance.md) | This article for IT professionals describes how to optimize AppLocker policy enforcement. | | [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This article for IT professionals describes how to monitor app usage when AppLocker policies are applied. | | [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This article for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. 
| -| [Working with AppLocker rules](working-with-applocker-rules.md) | This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies. | +| [Working with AppLocker rules](working-with-applocker-rules.md) | This article for IT professionals describes AppLocker rule types and how to work with them for your policies. | | [Working with AppLocker policies](working-with-applocker-policies.md) | This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies. | ## Using the MMC snap-ins to administer AppLocker diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md index 0786cd7b73..1af7a371bb 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md @@ -1,6 +1,6 @@ --- title: AppLocker -description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. +description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker policies. ms.collection: - tier3 - must-keep 
@@ -11,7 +11,7 @@ ms.date: 09/11/2024 # AppLocker -This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of App Control for Business. +This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of App Control for Business. > [!NOTE] > AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [App Control for Business](../appcontrol-and-applocker-overview.md) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md index ef04dc6447..b3ba7121e7 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md 
@@ -36,7 +36,7 @@ Before you deploy your App Control policies, you must first convert the XML to i ## Plan your deployment -As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Identify the devices you'll manage with App Control and split them into deployment rings. This way, you can control the speed and scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next. +As with any significant change to your environment, implementing App Control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Identify the devices you'll manage with App Control and split them into deployment rings. This way, you can control the speed and scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next. All App Control for Business policy changes should be deployed in audit mode before proceeding to enforcement. Carefully monitor events from devices where the policy has been deployed to ensure the block events you observe match your expectation before broadening the deployment to other deployment rings. If your organization uses Microsoft Defender for Endpoint, you can use the Advanced Hunting feature to centrally monitor App Control-related events. Otherwise, we recommend using an event log forwarding solution to collect relevant events from your managed endpoints. 
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md index d6a2075e5c..59a910aa0f 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md @@ -10,7 +10,7 @@ ms.topic: conceptual [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your App Control policy but should be included. +Running App Control in audit mode lets you discover applications, binaries, and scripts that are missing from your App Control policy but should be included. While an App Control policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new App Control policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed. 
@@ -23,7 +23,7 @@ To familiarize yourself with creating App Control rules from audit events, follo 1. Install and run an application not allowed by the App Control policy but that you want to allow. -2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](../operations/event-id-explanations.md). +2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding App Control events](../operations/event-id-explanations.md). **Figure 1. Exceptions to the deployed App Control policy** ![Event showing exception to App Control policy.](../images/dg-fig23-exceptionstocode.png) diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/enforce-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/enforce-appcontrol-policies.md index 2cdc475a62..41a77beb33 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/enforce-appcontrol-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/enforce-appcontrol-policies.md 
@@ -18,7 +18,7 @@ You should now have one or more App Control for Business policies broadly deploy ## Convert App Control **base** policy from audit to enforced -As described in [common App Control for Business deployment scenarios](../design/common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. +As described in [common App Control for Business deployment scenarios](../design/common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. **Alice Pena** is the IT team lead responsible for Lamna's App Control rollout. diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md index c0f8a3ac86..73bbde562c 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md 
@@ -10,16 +10,16 @@ ms.date: 09/11/2024 [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -This guide covers design and planning for App Control for Business. It's intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization. +This guide covers design and planning for App Control for Business. It's intended to help security architects, security administrators, and system administrators create a plan that addresses specific App Control requirements for different departments or business groups within an organization. ## Plan for success -A common refrain you may hear about application control is that it is "too hard." While it's true that application control isn't as simple as flipping a switch, organizations can be successful, if they're methodical when carefully planning their approach. In reality, the issues that lead to failure with application control often arise from business issues rather than technology challenges. Organizations that have successfully deployed application control have ensured the following before starting their planning: +A common refrain you may hear about App Control is that it is "too hard." While it's true that App Control isn't as simple as flipping a switch, organizations can be successful, if they're methodical when carefully planning their approach. In reality, the issues that lead to failure with App Control often arise from business issues rather than technology challenges. Organizations that have successfully deployed App Control have ensured the following before starting their planning: - Executive sponsorship and organizational buy-in is in place. -- There's a clear **business** objective for using application control, and it's not being planned as a purely technical problem from IT. 
+- There's a clear **business** objective for using App Control, and it's not being planned as a purely technical problem from IT. - The organization has a plan to handle potential helpdesk support requests for users who are blocked from running some apps. -- The organization has considered where application control can be most useful (for example, securing sensitive workloads or business functions) and also where it may be difficult to achieve (for example, developer workstations). +- The organization has considered where App Control can be most useful (for example, securing sensitive workloads or business functions) and also where it may be difficult to achieve (for example, developer workstations). Once these business factors are in place, you're ready to begin planning your App Control for Business deployment. The following topics can help guide you through your planning process. 
@@ -28,8 +28,8 @@ Once these business factors are in place, you're ready to begin planning your Ap | Topic | Description | | - | - | | [Plan for App Control policy management](plan-appcontrol-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining App Control policies. | -| [Understand App Control policy design decisions](understand-appcontrol-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions, when you plan a deployment of application control policies. | -| [Understand App Control policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using App Control. | +| [Understand App Control policy design decisions](understand-appcontrol-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions, when you plan a deployment of App Control policies. | +| [Understand App Control policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your policy rules by using App Control. | | [Policy creation for common App Control usage scenarios](common-appcontrol-use-cases.md) | This set of topics outlines common use case scenarios, and helps you begin to develop a plan for deploying App Control in your organization. | | [Policy creation using the App Control Wizard tool](appcontrol-wizard.md) | This set of topics describes how to use the App Control Wizard desktop app to easily create, edit, and merge App Control policies. | 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md index 047765f59e..5de28ef21c 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md @@ -1,6 +1,6 @@ --- title: App Control for Business Wizard Base Policy Creation -description: Creating new base application control policies with the Microsoft Windows Defender Application (App Control) Wizard. +description: Creating new base App Control policies with the App Control Wizard. ms.localizationpriority: medium ms.topic: conceptual ms.date: 09/11/2024 
@@ -10,7 +10,7 @@ ms.date: 09/11/2024 [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -When creating policies for use with App Control for Business, it's recommended to start with a template policy, and then add or remove rules to suit your application control scenario. For this reason, the App Control Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules. +When creating policies for use with App Control for Business, it's recommended to start with a template policy, and then add or remove rules to suit your App Control scenario. For this reason, the App Control Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about App Control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a new App Control policy from a template, configure the policy options, and the signer and file rules. ## Template Base Policies @@ -28,7 +28,7 @@ More information about the Default Windows Mode and Allow Microsoft Mode policie ![Selecting a base template for the policy.](../images/appcontrol-wizard-template-selection.png) -Once the base template is selected, give the policy a name and choose where to save the application control policy on disk. +Once the base template is selected, give the policy a name and choose where to save the App Control policy on disk. ## Configuring Policy Rules 
@@ -74,7 +74,7 @@ Selecting the **+ Advanced Options** label shows another column of policy rules, ## Creating custom file rules -[File rules](select-types-of-rules-to-create.md#app-control-for-business-file-rule-levels) in an application control policy specify the level at which applications are identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting **+ Custom Rules** opens the custom file rule conditions panel to create custom file rules for your policy. The Wizard supports four types of file rules: +[File rules](select-types-of-rules-to-create.md#app-control-for-business-file-rule-levels) in an App Control policy specify the level at which applications are identified and trusted. File rules are the main mechanism for defining trust in the App Control policy. Selecting **+ Custom Rules** opens the custom file rule conditions panel to create custom file rules for your policy. The Wizard supports four types of file rules: ### Publisher Rules diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md index c9c5d9e5dd..03c7231e74 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md @@ -1,6 +1,6 @@ --- title: App Control for Business Wizard Supplemental Policy Creation -description: Creating supplemental application control policies with the App Control Wizard. +description: Creating supplemental App Control policies with the App Control Wizard. ms.localizationpriority: medium ms.topic: conceptual ms.date: 09/11/2024 
@@ -12,7 +12,7 @@ ms.date: 09/11/2024 Beginning in Windows 10 version 1903, App Control for Business supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [App Control base policy](appcontrol-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When supplemental policies are used, applications allowed by the base or any of its supplemental policies are allowed to run. -Prerequisite information about application control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules. +Prerequisite information about App Control can be accessed through the [App Control design guide](appcontrol-design-guide.md). This page outlines the steps to create a supplemental App Control policy, configure the policy options, and the signer and file rules. ## Expanding a Base Policy 
@@ -48,7 +48,7 @@ Supplemental policies can only configure three policy rules. The following table ## Creating custom file rules -File rules in an application control policy specify the level at which applications are identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting **+ Custom Rules** opens the custom file rule conditions panel to create and customize targeted file rules for your policy. The Wizard supports four types of file rules: +File rules in an App Control policy specify the level at which applications are identified and trusted. File rules are the main mechanism for defining trust in the App Control policy. Selecting **+ Custom Rules** opens the custom file rule conditions panel to create and customize targeted file rules for your policy. The Wizard supports four types of file rules: ### Publisher Rules diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md index 552575d966..a7099a7c32 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md @@ -1,6 +1,6 @@ --- title: App Control for Business Wizard Policy Merging Operation -description: Merging multiple policies into a single application control policy with the Microsoft App Control Wizard. +description: Merging multiple policies into a single App Control policy with the App Control Wizard. ms.localizationpriority: medium ms.topic: conceptual ms.date: 09/11/2024 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md index 98e2dce79c..823095e953 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md @@ -1,6 +1,6 @@ --- title: App Control for Business Wizard -description: The App Control for Business policy wizard tool allows you to create, edit, and merge application control policies in a simple to use Windows application. +description: The App Control for Business policy wizard tool allows you to create, edit, and merge App Control policies in a simple to use Windows application. ms.localizationpriority: medium ms.topic: conceptual ms.date: 09/11/2024 
@@ -10,7 +10,7 @@ ms.date: 09/11/2024 [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -The App Control for Business policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. It was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge Application Control policies. This tool uses the [ConfigCI PowerShell cmdlets](/powershell/module/configci) in the backend so the output policy of the tool and PowerShell cmdlets is identical. +The App Control for Business policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. It was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge App Control policies. This tool uses the [ConfigCI PowerShell cmdlets](/powershell/module/configci) in the backend so the output policy of the tool and PowerShell cmdlets is identical. ## Downloading the application @@ -18,7 +18,7 @@ Download the tool from the official [App Control for Business Policy Wizard webs ### Supported clients -As the tool uses the cmdlets in the background, it's functional on clients only where the cmdlets are supported. For more information, see [Application Control feature availability](../feature-availability.md). Specifically, the tool verifies that the client meets one of the following requirements: +As the tool uses the cmdlets in the background, it's functional on clients only where the cmdlets are supported. For more information, see [App Control feature availability](../feature-availability.md). Specifically, the tool verifies that the client meets one of the following requirements: - Windows 10, version 1909 or later - For pre-1909 builds, the Enterprise SKU of Windows is installed 
@@ -32,4 +32,4 @@ If neither requirement is satisfied, it throws an error as the cmdlets aren't av | [Creating a new base policy](appcontrol-wizard-create-base-policy.md) | This article describes how to create a new base policy using one of the supplied policy templates. | | [Creating a new supplemental policy](appcontrol-wizard-create-supplemental-policy.md) | This article describes the steps necessary to create a supplemental policy, from one of the supplied templates, for an existing base policy. | | [Editing a base or supplemental policy](appcontrol-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the tool's editing capabilities. | -| [Merging policies](appcontrol-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. | +| [Merging policies](appcontrol-wizard-merging-policies.md) | This article describes how to merge policies into a single App Control policy. | diff --git a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md index 4c1fa978de..23d40c8440 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md 
@@ -87,7 +87,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you > [!NOTE] > This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. -Certain software applications may allow other code to run by design. Unless these applications are business critical, you should block them in your App Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential App Control bypass, add *deny* rules to your application control policies for that application's previous, less secure versions. +Certain software applications may allow other code to run by design. Unless these applications are business critical, you should block them in your App Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential App Control bypass, add *deny* rules to your App Control policies for that application's previous, less secure versions. Microsoft recommends that you install the latest security updates. For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass App Control. These modules can be blocked by their corresponding hashes. diff --git a/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md b/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md index 47518989bc..4ba40200b3 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md 
@@ -29,7 +29,7 @@ Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the Lamna uses [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) in hybrid mode with both Configuration Manager and Intune. Although they use Microsoft Intune to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response. -Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized many new security IT responses, including tightening policies for application use and introducing application control. +Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an App Control policy. In response, Lamna's executive board has authorized many new security IT responses, including tightening policies for application use and introducing App Control. ## Up next 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer.md index 481ca558a2..4e7dac4f2e 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -10,7 +10,7 @@ ms.topic: how-to [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -App Control for Business includes an option called **managed installer** that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution, such as Microsoft Configuration Manager (MEMCM) or Microsoft Intune. +App Control for Business includes an option called **managed installer** that helps balance security and manageability when enforcing App Control policies. This option lets you automatically allow applications installed by a designated software distribution solution, such as Microsoft Configuration Manager (MEMCM) or Microsoft Intune. ## How does a managed installer work? 
@@ -30,7 +30,7 @@ Some application installers may automatically run the application at the end of ## Known limitations with managed installer -- Application control, based on managed installer, doesn't support applications that self-update. If an application that was deployed by a managed installer later updates itself, the updated application files won't include the origin information from the managed installer, and they might not be able to run. When you rely on managed installers, you must deploy and install all application updates by using a managed installer, or include rules to authorize the app in the App Control policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method. +- App Control, based on managed installer, doesn't support applications that self-update. If an application that was deployed by a managed installer later updates itself, the updated application files won't include the origin information from the managed installer, and they might not be able to run. When you rely on managed installers, you must deploy and install all application updates by using a managed installer, or include rules to authorize the app in the App Control policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method. - Some applications or installers may extract, download, or generate binaries and immediately attempt to run them. Files run by such a process may not be allowed by the managed installer heuristic. In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. 
Proper review for functionality and security should be performed for the application before using this method. diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md index 7d072cd15c..978a986c90 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md 
@@ -15,7 +15,7 @@ This section outlines the process to create an App Control for Business policy f > [!NOTE] > Some of the App Control for Business options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's App Control policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As described in [common App Control for Business deployment scenarios](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. +As described in [common App Control for Business deployment scenarios](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. **Alice Pena** is the IT team lead tasked with the rollout of App Control. diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index 462985011f..b7c6837954 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
+++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md 
@@ -10,14 +10,14 @@ ms.date: 09/11/2024 [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -This section outlines the process to create an App Control for Business policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their App Control-managed devices as described in later articles. +This section outlines the process to create an App Control for Business policy for **lightly managed devices** within an organization. Typically, organizations that are new to App Control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their App Control-managed devices as described in later articles. > [!NOTE] > Some of the App Control for Business options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's App Control policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As in [App Control for Business deployment in different scenarios: types of devices](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. 
+As in [App Control for Business deployment in different scenarios: types of devices](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. -**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads. +**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and use different policies for different workloads. For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-using-reference-computer.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-using-reference-computer.md index aabf7e392f..0b066ce364 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-using-reference-computer.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-using-reference-computer.md 
@@ -15,7 +15,7 @@ This section outlines the process to create an App Control for Business policy * > [!NOTE] > Some of the App Control for Business options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's App Control policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As described in [common App Control for Business deployment scenarios](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. +As described in [common App Control for Business deployment scenarios](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. **Alice Pena** is the IT team lead tasked with the rollout of App Control. diff --git a/windows/security/application-security/application-control/app-control-for-business/design/manage-packaged-apps-with-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/design/manage-packaged-apps-with-appcontrol.md index c9bf48a7fe..ce393a2e65 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/manage-packaged-apps-with-appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/manage-packaged-apps-with-appcontrol.md 
@@ -10,11 +10,11 @@ ms.topic: how-to [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -This article for IT professionals describes concepts and lists procedures to help you manage packaged apps with App Control for Business as part of your overall application control strategy. +This article for IT professionals describes concepts and lists procedures to help you manage packaged apps with App Control for Business as part of your overall App Control strategy. ## Comparing classic Windows Apps and Packaged Apps -The biggest challenge in adopting application control is the lack of a strong app identity for classic Windows apps, also known as win32 apps. A typical win32 app consists of multiple components, including the installer that is used to install the app, and one or more exes, dlls, or scripts. An app can consist of hundreds or even thousands of individual binaries that work together to deliver the functionality that your users understand as the app. Some of that code may be signed by the software publisher, some may be signed by other companies, and some of it may not be signed at all. Much of the code may be written to disk by a common set of installers, but some may already be installed and some downloaded on demand. Some of the binaries have common resource header metadata, such as product name and product version, but other files won't share that information. So while you want to be able to express rules like "allow app Foo", that isn't something Windows inherently understands for classic Windows apps. Instead, you may have to create many App Control rules to allow all the files that comprise the app. +The biggest challenge in adopting App Control is the lack of a strong app identity for classic Windows apps, also known as win32 apps. A typical win32 app consists of multiple components, including the installer that is used to install the app, and one or more exes, dlls, or scripts. 
An app can consist of hundreds or even thousands of individual binaries that work together to deliver the functionality that your users understand as the app. Some of that code may be signed by the software publisher, some may be signed by other companies, and some of it may not be signed at all. Much of the code may be written to disk by a common set of installers, but some may already be installed and some downloaded on demand. Some of the binaries have common resource header metadata, such as product name and product version, but other files won't share that information. So while you want to be able to express rules like "allow app Foo", that isn't something Windows inherently understands for classic Windows apps. Instead, you may have to create many App Control rules to allow all the files that comprise the app. Packaged apps on the other hand, also known as [MSIX](/windows/msix/overview), ensure that all the files that make up an app share the same identity and have a common signature. Therefore, with packaged apps, it's possible to control the entire app with a single App Control rule. diff --git a/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md b/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md index 80d643ea68..ff41a98da8 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md 
@@ -14,7 +14,7 @@ This article describes the decisions you need to make to establish the processes ## Policy XML lifecycle management -The first step in implementing application control is to consider how your policies will be managed and maintained over time. Developing a process for managing App Control for Business policies helps ensure that App Control continues to effectively control how applications are allowed to run in your organization. +The first step in implementing App Control is to consider how your policies will be managed and maintained over time. Developing a process for managing App Control for Business policies helps ensure that App Control continues to effectively control how applications are allowed to run in your organization. Most App Control for Business policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include: @@ -68,9 +68,9 @@ Considerations include: If your organization has an established help desk support department in place, consider the following points when deploying App Control for Business policies: - What documentation does your support department require for new policy deployments? -- What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload? +- What are the critical processes in each business group both in work flow and timing that will be affected by App Control policies and how could they affect your support department's workload? - Who are the contacts in the support department? -- How will the support department resolve application control issues between the end user and those resources who maintain the App Control for Business rules? +- How will the support department resolve App Control issues between the end user and those resources who maintain the App Control for Business rules? ### End-user support 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md b/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md index 69698bb2b3..16b4739600 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md 
@@ -20,7 +20,7 @@ By default, script enforcement is enabled for all App Control policies unless th Validation for signed scripts is done using the [WinVerifyTrust API](/windows/win32/api/wintrust/nf-wintrust-winverifytrust). To pass validation, the signature root must be present in the trusted root store on the device and your App Control policy must allow it. This behavior is different from App Control validation for executable files, which doesn't require installation of the root certificate. -App Control shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks App Control if a script should be allowed, an event is logged with the answer App Control returned to the script host. For more information on App Control script enforcement events, see [Understanding Application Control events](../operations/event-id-explanations.md#app-control-block-events-for-packaged-apps-msi-installers-scripts-and-com-objects). +App Control shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks App Control if a script should be allowed, an event is logged with the answer App Control returned to the script host. For more information on App Control script enforcement events, see [Understanding App Control events](../operations/event-id-explanations.md#app-control-block-events-for-packaged-apps-msi-installers-scripts-and-com-objects). > [!NOTE] > When a script runs that is not allowed by policy, App Control raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running. 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md b/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md index 823efa79de..f808763724 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md 
@@ -10,11 +10,11 @@ ms.topic: conceptual [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -This article is for the IT professional. It lists the design questions, possible answers, and ramifications for decisions made, when planning application control policies deployment using App Control for Business, within a Windows operating system environment. +This article is for the IT professional. It lists the design questions, possible answers, and ramifications for decisions made, when planning App Control policies deployment using App Control for Business, within a Windows operating system environment. -When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance. +When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent App Control policy maintenance. -You should consider using App Control for Business as part of your organization's application control policies if the following are true: +You should consider using App Control for Business as part of your organization's App Control policies if the following are true: - You have deployed or plan to deploy the supported versions of Windows in your organization. - You need improved control over the access to your organization's applications and the data your users access. 
@@ -43,7 +43,7 @@ Organizations with well-defined, centrally managed app management and deployment | Possible answers | Design considerations| | - | - | -| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. App Control for Business options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | +| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for App Control. App Control for Business options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | | Some apps are centrally managed and deployed, but teams can install other apps for their members. | [Supplemental policies](deploy-multiple-appcontrol-policies.md) can be used to allow team-specific exceptions to your core organization-wide App Control for Business policy. Alternatively, teams can use managed installers to install their team-specific apps, or admin-only file path rules can be used to allow apps installed by admin users. | | Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. 
| App Control for Business can integrate with Microsoft's [Intelligent Security Graph](use-appcontrol-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. | | Users and teams are free to download and install apps without restriction. | App Control for Business policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.| 
@@ -57,9 +57,9 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p | All apps used in your organization must be signed. | Organizations that enforce [codesigning](../deployment/use-code-signing-for-better-control-and-protection.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. App Control for Business rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). | | Apps used in your organization don't need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](../deployment/deploy-catalog-files-to-support-appcontrol.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Intune offer multiple ways to distribute signed App Catalogs. | -### Are there specific groups in your organization that need customized application control policies? +### Are there specific groups in your organization that need customized App Control policies? -Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group's priorities before you deploy application control policies for the entire organization. There's overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies. +Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group's priorities before you deploy App Control policies for the entire organization. 
There's overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies. | Possible answers | Design considerations | | - | - | @@ -72,7 +72,7 @@ The time and resources that are available to you to perform the research and ana | Possible answers | Design considerations | | - | - | -| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are constructed as possible.| +| Yes | Invest the time to analyze your organization's App Control requirements, and plan a complete deployment that uses rules that are constructed as possible.| | No | Consider a focused and phased deployment for specific groups by using few rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. Alternatively, you can create a policy with a broad trust profile to authorize as many apps as possible. | ### Does your organization have Help Desk support? diff --git a/windows/security/application-security/application-control/app-control-for-business/design/use-appcontrol-with-intelligent-security-graph.md b/windows/security/application-security/application-control/app-control-for-business/design/use-appcontrol-with-intelligent-security-graph.md index a7acc2735e..14ebfd9259 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/use-appcontrol-with-intelligent-security-graph.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/use-appcontrol-with-intelligent-security-graph.md 
@@ -10,9 +10,9 @@ ms.topic: how-to [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy. +App Control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective App Control policy. -To reduce end-user friction and helpdesk calls, you can set App Control for Business to automatically allow applications that Microsoft's Intelligent Security Graph (ISG) recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem. To learn more about the ISG, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services). +To reduce end-user friction and helpdesk calls, you can set App Control for Business to automatically allow applications that Microsoft's Intelligent Security Graph (ISG) recognizes as having known good reputation. The ISG option helps organizations begin to implement App Control even when the organization has limited control over their app ecosystem. To learn more about the ISG, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services). > [!WARNING] > Binaries that are critical to boot the system must be allowed using explicit rules in your App Control policy. Do not rely on the ISG to authorize these files. 
@@ -93,4 +93,4 @@ Packaged apps aren't supported with the ISG and will need to be separately autho The ISG doesn't authorize kernel mode drivers. The App Control policy must have rules that allow the necessary drivers to run. > [!NOTE] -> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Intune's built-in App Control support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom App Control policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](../deployment/deploy-appcontrol-policies-using-intune.md#deploy-app-control-policies-with-custom-oma-uri). +> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Intune's built-in App Control support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using App Control will need to deploy a custom App Control policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](../deployment/deploy-appcontrol-policies-using-intune.md#deploy-app-control-policies-with-custom-oma-uri). diff --git a/windows/security/application-security/application-control/app-control-for-business/index.yml b/windows/security/application-security/application-control/app-control-for-business/index.yml index c9c90173d3..576efefff8 100644 --- a/windows/security/application-security/application-control/app-control-for-business/index.yml +++ b/windows/security/application-security/application-control/app-control-for-business/index.yml 
@@ -29,7 +29,7 @@ landingContent: linkLists: - linkListType: overview links: - - text: Using code signing to simplify application control + - text: Using code signing to simplify app control url: deployment/use-code-signing-for-better-control-and-protection.md - text: Applications that can bypass App Control and how to block them url: design/applications-that-can-bypass-appcontrol.md diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/appcontrol-operational-guide.md b/windows/security/application-security/application-control/app-control-for-business/operations/appcontrol-operational-guide.md index 15621fd0ff..755488b5a3 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/appcontrol-operational-guide.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/appcontrol-operational-guide.md 
@@ -17,8 +17,8 @@ You now understand how to design and deploy your App Control for Business polici | Article | Description | | - | - | | [Debugging and troubleshooting](appcontrol-debugging-and-troubleshooting.md) | This article explains how to debug app and script failures with App Control. | -| [Understanding Application Control event IDs](event-id-explanations.md) | This article explains the meaning of different App Control event IDs. | -| [Understanding Application Control event tags](event-tag-explanations.md) | This article explains the meaning of different App Control event tags. | +| [Understanding App Control event IDs](event-id-explanations.md) | This article explains the meaning of different App Control event IDs. | +| [Understanding App Control event tags](event-tag-explanations.md) | This article explains the meaning of different App Control event tags. | | [Query App Control events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This article covers how to view App Control events centrally from all systems that are connected to Microsoft Defender for Endpoint. | | [Admin Tips & Known Issues](known-issues.md) | This article describes some App Control Admin Tips & Known Issues. | | [Managed installer and ISG technical reference and troubleshooting guide](configure-appcontrol-managed-installer.md) | This article provides technical details and debugging steps for managed installer and ISG. | diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/configure-appcontrol-managed-installer.md b/windows/security/application-security/application-control/app-control-for-business/operations/configure-appcontrol-managed-installer.md index 05c8f6b852..d75a2df983 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/configure-appcontrol-managed-installer.md 
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/configure-appcontrol-managed-installer.md @@ -12,7 +12,7 @@ ms.topic: troubleshooting ## Enabling managed installer and Intelligent Security Graph (ISG) logging events -Refer to [Understanding Application Control Events](event-id-explanations.md#diagnostic-events-for-intelligent-security-graph-isg-and-managed-installer-mi) for information on enabling optional managed installer diagnostic events. +Refer to [Understanding App Control Events](event-id-explanations.md#diagnostic-events-for-intelligent-security-graph-isg-and-managed-installer-mi) for information on enabling optional managed installer diagnostic events. ## Using fsutil to query extended attributes for Managed Installer (MI) diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations.md b/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations.md index 862bf39d1a..ceaac2953b 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations.md @@ -1,12 +1,12 @@ --- -title: Understanding Application Control event IDs +title: Understanding App Control event IDs description: Learn what different App Control for Business event IDs signify. ms.localizationpriority: medium ms.date: 09/11/2024 ms.topic: reference --- -# Understanding Application Control events +# Understanding App Control events ## App Control Events Overview 
@@ -16,10 +16,10 @@ App Control logs events when a policy is loaded, when a file is blocked, or when App Control events are generated under two locations in the Windows Event Viewer: -- **Applications and Services logs - Microsoft - Windows - CodeIntegrity - Operational** includes events about Application Control policy activation and the control of executables, dlls, and drivers. +- **Applications and Services logs - Microsoft - Windows - CodeIntegrity - Operational** includes events about App Control policy activation and the control of executables, dlls, and drivers. - **Applications and Services logs - Microsoft - Windows - AppLocker - MSI and Script** includes events about the control of MSI installers, scripts, and COM objects. -Most app and script failures that occur when App Control is active can be diagnosed using these two event logs. This article describes in greater detail the events that exist in these logs. To understand the meaning of different data elements, or tags, found in the details of these events, see [Understanding Application Control event tags](event-tag-explanations.md). +Most app and script failures that occur when App Control is active can be diagnosed using these two event logs. This article describes in greater detail the events that exist in these logs. To understand the meaning of different data elements, or tags, found in the details of these events, see [Understanding App Control event tags](event-tag-explanations.md). > [!NOTE] > **Applications and Services logs - Microsoft - Windows - AppLocker - MSI and Script** events are not included on Windows Server Core edition. 
@@ -30,12 +30,12 @@ These events are found in the **CodeIntegrity - Operational** event log. | Event ID | Explanation | |--------|-----------| -| 3004 | This event isn't common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required.

This event is also seen for kernel- or user-mode code that the developer opted-in to [/INTEGRITYCHECK](/cpp/build/reference/integritycheck-require-signature-check) but isn't signed correctly. | -| 3033 | This event may occur with or without an Application Control policy present and should occur alongside a 3077 event if caused by App Control policy. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. Presence of the Lifetime Signing EKU is the only case where App Control blocks files due to an expired signature. Try using option `20 Enabled:Revoked Expired As Unsigned` in your policy along with a rule (for example, hash) that doesn't rely on the revoked or expired cert.

This event also occurs if code compiled with [Code Integrity Guard (CIG)](/microsoft-365/security/defender-endpoint/exploit-protection-reference#code-integrity-guard) tries to load other code that doesn't meet the CIG requirements. | +| 3004 | This event isn't common and may occur with or without an App Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required.

This event is also seen for kernel- or user-mode code that the developer opted-in to [/INTEGRITYCHECK](/cpp/build/reference/integritycheck-require-signature-check) but isn't signed correctly. | +| 3033 | This event may occur with or without an App Control policy present and should occur alongside a 3077 event if caused by App Control policy. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. Presence of the Lifetime Signing EKU is the only case where App Control blocks files due to an expired signature. Try using option `20 Enabled:Revoked Expired As Unsigned` in your policy along with a rule (for example, hash) that doesn't rely on the revoked or expired cert.

This event also occurs if code compiled with [Code Integrity Guard (CIG)](/microsoft-365/security/defender-endpoint/exploit-protection-reference#code-integrity-guard) tries to load other code that doesn't meet the CIG requirements. | | 3034 | This event isn't common. It's the audit mode equivalent of event 3033. | -| 3076 | This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. | -| 3077 | This event is the main Application Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. | -| 3089 | This event contains signature information for files that were blocked or audit blocked by Application Control. One of these events is created for each signature of a file. Each event shows the total number of signatures found and an index value to identify the current signature. Unsigned files generate a single one of these events with TotalSignatureCount of 0. These events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the `Correlation ActivityID` found in the **System** portion of the event. | +| 3076 | This event is the main App Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. | +| 3077 | This event is the main App Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. | +| 3089 | This event contains signature information for files that were blocked or audit blocked by App Control. One of these events is created for each signature of a file. Each event shows the total number of signatures found and an index value to identify the current signature. Unsigned files generate a single one of these events with TotalSignatureCount of 0. These events are correlated with 3004, 3033, 3034, 3076 and 3077 events. 
You can match the events using the `Correlation ActivityID` found in the **System** portion of the event. | ## App Control block events for packaged apps, MSI installers, scripts, and COM objects 
@@ -43,7 +43,7 @@ These events are found in the **AppLocker - MSI and Script** event log. | Event ID | Explanation | |--------|-----------| -| 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run, but wouldn't have passed the App Control policy if it was enforced. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. | +| 8028 | This event indicates that a script host, such as PowerShell, queried App Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run, but wouldn't have passed the App Control policy if it was enforced. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with App Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. | | 8029 | This event is the enforcement mode equivalent of event 8028. Note: While this event says that a script was blocked, the script hosts control the actual script enforcement behavior. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell runs script not allowed by your App Control policy in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). | | 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in an App Control for Business policy](../design/allow-com-object-registration-in-appcontrol-policy.md). 
| | 8037 | This event indicates that a script host checked whether to allow a script to run, and the file passed the App Control policy. | 
@@ -57,15 +57,15 @@ These events are found in the **CodeIntegrity - Operational** event log. | Event ID | Explanation | |--------|-----------| -| 3095 | The Application Control policy can't be refreshed and must be rebooted instead. | -| 3096 | The Application Control policy wasn't refreshed since it's already up-to-date. This event's Details includes useful information about the policy, such as its policy options. | -| 3097 | The Application Control policy can't be refreshed. | -| 3099 | Indicates that a policy has been loaded. This event's Details includes useful information about the Application Control policy, such as its policy options. | -| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | -| 3101 | Application Control policy refresh started for *N* policies. | -| 3102 | Application Control policy refresh finished for *N* policies. | -| 3103 | The system is ignoring the Application Control policy refresh. For example, an inbox Windows policy that doesn't meet the conditions for activation. | -| 3105 | The system is attempting to refresh the Application Control policy with the specified ID. | +| 3095 | The App Control policy can't be refreshed and must be rebooted instead. | +| 3096 | The App Control policy wasn't refreshed since it's already up-to-date. This event's Details includes useful information about the policy, such as its policy options. | +| 3097 | The App Control policy can't be refreshed. | +| 3099 | Indicates that a policy has been loaded. This event's Details includes useful information about the App Control policy, such as its policy options. | +| 3100 | The App Control policy was refreshed but was unsuccessfully activated. Retry. | +| 3101 | App Control policy refresh started for *N* policies. | +| 3102 | App Control policy refresh finished for *N* policies. | +| 3103 | The system is ignoring the App Control policy refresh. 
For example, an inbox Windows policy that doesn't meet the conditions for activation. | +| 3105 | The system is attempting to refresh the App Control policy with the specified ID. | ## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI) @@ -79,7 +79,7 @@ Unless otherwise noted, these events are found in either the **CodeIntegrity - O | Event ID | Explanation | |--------|---------| | 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. | -| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the Application Control policy is in audit mode. | +| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the App Control policy is in audit mode. | | 3092 | This event is the enforcement mode equivalent of 3091. | | 8002 | This event is found in the **AppLocker - EXE and DLL** event log. When a process launches that matches a managed installer rule, this event is raised with PolicyName = MANAGEDINSTALLER found in the event Details. Events with PolicyName = EXE or DLL aren't related to App Control. | @@ -95,8 +95,8 @@ The following information is found in the details for 3090, 3091, and 3092 event | PassesManagedInstaller | Indicates whether the file originated from a MI | | SmartlockerEnabled | Indicates whether the specified policy enables ISG trust | | PassesSmartlocker | Indicates whether the file had positive reputation according to the ISG | -| AuditEnabled | True if the Application Control policy is in audit mode, otherwise it is in enforce mode | -| PolicyName | The name of the Application Control policy to which the event applies | +| AuditEnabled | True if the App Control policy is in audit mode, otherwise it is in enforce mode | +| PolicyName | The name of the App Control policy to which the event applies | ### Enabling ISG and MI diagnostic events 
@@ -120,42 +120,42 @@ A list of other relevant event IDs and their corresponding description. | 3010 | The catalog containing the signature for the file under validation is invalid. | | 3011 | Code Integrity finished loading the signature catalog. | | 3012 | Code Integrity started loading the signature catalog. | -| 3023 | The driver file under validation didn't meet the requirements to pass the application control policy. | -| 3024 | Windows application control was unable to refresh the boot catalog file. | +| 3023 | The driver file under validation didn't meet the requirements to pass the App Control policy. | +| 3024 | Windows App Control was unable to refresh the boot catalog file. | | 3026 | Microsoft or the certificate issuing authority revoked the certificate that signed the catalog. | | 3032 | The file under validation is revoked or the file has a signature that is revoked. -| 3033 | The file under validation didn't meet the requirements to pass the application control policy. | -| 3034 | The file under validation wouldn't meet the requirements to pass the Application Control policy if it was enforced. The file was allowed since the policy is in audit mode. | +| 3033 | The file under validation didn't meet the requirements to pass the App Control policy. | +| 3034 | The file under validation wouldn't meet the requirements to pass the App Control policy if it was enforced. The file was allowed since the policy is in audit mode. | | 3036 | Microsoft or the certificate issuing authority revoked the certificate that signed the file being validated. | -| 3064 | If the Application Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. | -| 3065 | If the Application Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the application control policy. 
| +| 3064 | If the App Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the App Control policy. The DLL was allowed since the policy is in audit mode. | +| 3065 | If the App Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the App Control policy. | | 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | -| 3075 | This event measures the performance of the Application Control policy check during file validation. | -| 3076 | This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. | -| 3077 | This event is the main Application Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. | -| 3079 | The file under validation didn't meet the requirements to pass the application control policy. | -| 3080 | If the Application Control policy was in enforced mode, the file under validation wouldn't have met the requirements to pass the application control policy. | -| 3081 | The file under validation didn't meet the requirements to pass the application control policy. | -| 3082 | If the Application Control policy was enforced, the policy would have blocked this non-WHQL driver. | +| 3075 | This event measures the performance of the App Control policy check during file validation. | +| 3076 | This event is the main App Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. | +| 3077 | This event is the main App Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. | +| 3079 | The file under validation didn't meet the requirements to pass the App Control policy. 
| +| 3080 | If the App Control policy was in enforced mode, the file under validation wouldn't have met the requirements to pass the App Control policy. | +| 3081 | The file under validation didn't meet the requirements to pass the App Control policy. | +| 3082 | If the App Control policy was enforced, the policy would have blocked this non-WHQL driver. | | 3084 | Code Integrity is enforcing WHQL driver signing requirements on this boot session. | | 3085 | Code Integrity isn't enforcing WHQL driver signing requirements on this boot session. | | 3086 | The file under validation doesn't meet the signing requirements for an isolated user mode (IUM) process. | -| 3089 | This event contains signature information for files that were blocked or audit blocked by Application Control. One 3089 event is created for each signature of a file. | +| 3089 | This event contains signature information for files that were blocked or audit blocked by App Control. One 3089 event is created for each signature of a file. | | 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. | -| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the Application Control policy is in audit mode. | +| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the App Control policy is in audit mode. | | 3092 | This event is the enforcement mode equivalent of 3091. | -| 3095 | The Application Control policy can't be refreshed and must be rebooted instead. | -| 3096 | The Application Control policy wasn't refreshed since it's already up-to-date. | -| 3097 | The Application Control policy can't be refreshed. | -| 3099 | Indicates that a policy has been loaded. This event also includes information about the options set by the Application Control policy. | -| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. 
| -| 3101 | The system started refreshing the Application Control policy. | -| 3102 | The system finished refreshing the Application Control policy. | -| 3103 | The system is ignoring the Application Control policy refresh. | +| 3095 | The App Control policy can't be refreshed and must be rebooted instead. | +| 3096 | The App Control policy wasn't refreshed since it's already up-to-date. | +| 3097 | The App Control policy can't be refreshed. | +| 3099 | Indicates that a policy has been loaded. This event also includes information about the options set by the App Control policy. | +| 3100 | The App Control policy was refreshed but was unsuccessfully activated. Retry. | +| 3101 | The system started refreshing the App Control policy. | +| 3102 | The system finished refreshing the App Control policy. | +| 3103 | The system is ignoring the App Control policy refresh. | | 3104 | The file under validation doesn't meet the signing requirements for a PPL (protected process light) process. | -| 3105 | The system is attempting to refresh the Application Control policy. | +| 3105 | The system is attempting to refresh the App Control policy. | | 3108 | Windows mode change event was successful. | | 3110 | Windows mode change event was unsuccessful. | | 3111 | The file under validation didn't meet the hypervisor-protected code integrity (HVCI) policy. | | 3112 | Windows has revoked the certificate that signed the file being validated. | -| 3114 | Dynamic Code Security opted the .NET app or DLL into Application Control policy validation. The file under validation didn't pass your policy and was blocked. | +| 3114 | Dynamic Code Security opted the .NET app or DLL into App Control policy validation. The file under validation didn't pass your policy and was blocked. | 
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md index 42552c1b23..0f5513efc4 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md @@ -1,12 +1,12 @@ --- -title: Understanding Application Control event tags +title: Understanding App Control event tags description: Learn what different App Control for Business event tags signify. ms.localizationpriority: medium ms.date: 09/11/2024 ms.topic: conceptual --- -# Understanding Application Control event tags +# Understanding App Control event tags App Control for Business events include many fields, which provide helpful troubleshooting information to figure out exactly what an event means. This article describes the values and meanings for a few useful event tags. @@ -82,7 +82,7 @@ Represents why verification failed, or if it succeeded. ## Policy activation event Options -The Application Control policy rule option values can be derived from the "Options" field in the Details section for successful [policy activation events](event-id-explanations.md#app-control-policy-activation-events). To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow. +The App Control policy rule option values can be derived from the "Options" field in the Details section for successful [policy activation events](event-id-explanations.md#app-control-policy-activation-events). To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow. - Access Event Viewer. - Access the Code integrity 3099 event. 
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting.md index a60c584ba9..d6d7b0bf4d 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting.md @@ -1,12 +1,12 @@ --- -title: Query Application Control events with Advanced Hunting +title: Query App Control events with Advanced Hunting description: Learn how to query App Control for Business events across your entire organization by using Advanced Hunting. ms.localizationpriority: medium ms.date: 09/11/2024 ms.topic: troubleshooting --- -# Querying Application Control events centrally using Advanced hunting +# Querying App Control events centrally using Advanced hunting an App Control for Business policy logs events locally in Windows Event Viewer in either enforced or audit mode. While Event Viewer helps to see the impact on a single system, IT Pros want to gauge it across many systems. 
@@ -20,7 +20,7 @@ This capability is supported beginning with Windows version 1607. | ActionType Name | ETW Source Event ID | Description | | - | - | - | -| AppControlCodeIntegrityDriverRevoked | 3023 | The driver file under validation didn't meet the requirements to pass the application control policy. | +| AppControlCodeIntegrityDriverRevoked | 3023 | The driver file under validation didn't meet the requirements to pass the App Control policy. | | AppControlCodeIntegrityImageRevoked | 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. | | AppControlCodeIntegrityPolicyAudited | 3076 | This event is the main App Control for Business block event for audit mode policies. It indicates the file would have been blocked if the App Control policy was enforced. | | AppControlCodeIntegrityPolicyBlocked | 3077 | This event is the main App Control for Business block event for enforced policies. It indicates the file didn't pass your App Control policy and was blocked. | 
@@ -39,11 +39,11 @@ This capability is supported beginning with Windows version 1607. | AppControlCodeIntegritySigningInformation | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. | | AppControlPolicyApplied | 8001 | Indicates the AppLocker policy was successfully applied to the computer. | -Learn more about the [Understanding Application Control event IDs (Windows)](event-id-explanations.md) +Learn more about the [Understanding App Control event IDs (Windows)](event-id-explanations.md) -## Example Advanced Hunting Application Control Queries +## Example Advanced Hunting App Control Queries -Query Example 1: Query the application control action types summarized by type for past seven days +Query Example 1: Query the App Control action types summarized by type for past seven days Here's a simple example query that shows all the App Control for Business events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint:
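Review bot: In the understand-appcontrol-policy-design-decisions.md hunk (`@@ -72,7 +72,7 @@`), the rewritten `+| Yes |` row carries forward the pre-existing fragment "rules that are constructed as possible", which is missing the qualifier between "constructed" and "as possible". Since the line is being rewritten anyway for the App Control rename, supply the intended wording there rather than leaving the sentence incomplete in both the old and new table.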
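Review bot: In the index.yml hunk (`@@ -29,7 +29,7 @@`), the new link text "Using code signing to simplify app control" lowercases "app control", while every other rename in this patch uses the capitalized short product name "App Control" (see the next entry in the same list, "Applications that can bypass App Control and how to block them"). Use "App Control" here for consistency with the rest of the landing page.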
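Review bot: In the configure-appcontrol-managed-installer.md hunk (`@@ -12,7 +12,7 @@`), the new link text "Understanding App Control Events" capitalizes "Events", but the H1 it points to is renamed in the same patch to "Understanding App Control events" (and the page title to "Understanding App Control event IDs"). Match the link text to the target heading's casing.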
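Review bot: In the event-id-explanations.md front-matter hunk (`@@ -1,12 +1,12 @@`), the title and H1 change but `ms.date: 09/11/2024` is left as an unchanged context line; the same is true of the matching `@@ -1,12 +1,12 @@` hunks in event-tag-explanations.md and querying-application-control-events-centrally-using-advanced-hunting.md. If the docs convention is to bump `ms.date` whenever page content changes, update it in these three files as well.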
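Review bot: In the event-id-explanations.md `@@ -120,42 +120,42 @@` hunk, the `+| 3024 |` row reads "Windows App Control was unable to refresh the boot catalog file." The "Windows" prefix survives from the old "Windows application control" wording and now sits awkwardly in front of the product name; every other row in the same table says just "App Control". Suggest "App Control was unable to refresh the boot catalog file." While this table is being touched, the unchanged `| 3032 |` context row in the same hunk is also missing its closing `|`.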
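Review bot: In the querying-application-control-events-centrally-using-advanced-hunting.md `@@ -1,12 +1,12 @@` hunk, the context line directly under the renamed H1 begins with a lowercase "an App Control for Business policy logs events locally in Windows Event Viewer…". It is visible in the hunk and sits right below the new heading; capitalize "An" while this file is being edited.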
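Review bot: In the `@@ -39,11 +39,11 @@` hunk of querying-application-control-events-centrally-using-advanced-hunting.md, the line `+Learn more about the [Understanding App Control event IDs (Windows)](event-id-explanations.md)` reads awkwardly ("Learn more about the Understanding…") and has no terminating period; suggest "For more information, see [Understanding App Control event IDs](event-id-explanations.md)." The `+Query Example 1:` line in the same hunk is also missing an article in "for past seven days" ("for the past seven days").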