deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 06:47:21 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #7859 from MicrosoftDocs/main

Browse Source 
Publish main to live on 2/9 @ 10:30 am
This commit is contained in:
Stephanie Savell 2023-02-09 12:40:00 -06:00 committed by GitHub
commit f3e5224e52
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 1627 additions and 1231 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
education/index.yml
View File

@ -45,7 +45,7 @@ productDirectory:
text: Azure information protection deployment acceleration guide
- url: /defender-cloud-apps/get-started
text: Microsoft Defender for Cloud Apps
- url: /microsoft-365/compliance/create-test-tune-dlp-policy
- url: /microsoft-365/compliance/information-protection#prevent-data-loss
text: Data loss prevention
- url: /microsoft-365/compliance/
text: Microsoft Purview compliance

7
education/windows/windows-11-se-overview.md
View File

@ -93,6 +93,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` |
| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
@ -104,7 +105,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` |
| `Google Chrome` | 109.0.5414.75 | Win32 | `Google` |
| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
@ -137,10 +138,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
| `Safe Exam Browser` | 3.4.1.505 | Win32 | `Safe Exam Browser` |
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development`
|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` |
| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.23 | Win32 | `Mathetmots` |

3
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -28,9 +28,8 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which
## Azure AD Kerberos and cloud Kerberos trust authentication
*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.\
For *Azure AD joined devices* to have single sign-on (SSO) to on-premises resources protected by Active Directory, they must trust and validate the DC certificates. For this to happen, a certificate revocation list (CRL) must be published to an endpoint accessible by the Azure AD joined devices.
*Cloud Kerberos trust* uses *Azure AD Kerberos*, which doesn't require any of the above PKI to request TGTs.
*Cloud Kerberos trust* uses *Azure AD Kerberos*, which doesn't require a PKI to request TGTs.
With *Azure AD Kerberos*, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers.

4
windows/security/identity-protection/remote-credential-guard.md
View File

@ -128,7 +128,7 @@ You must enable Restricted Admin or Windows Defender Remote Credential Guard on
- Add a new DWORD value named **DisableRestrictedAdmin**.
- To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
- To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0.
3. Close Registry Editor.
@ -189,4 +189,4 @@ mstsc.exe /remoteGuard
- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
- The server and client must authenticate using Kerberos.
- The server and client must authenticate using Kerberos.

2
windows/security/threat-protection/windows-defender-application-control/TOC.yml
View File

@ -68,6 +68,8 @@
href: wdac-wizard-create-supplemental-policy.md
- name: Editing a WDAC policy with the Wizard
href: wdac-wizard-editing-policy.md
- name: Creating WDAC Policy Rules from WDAC Events
href: wdac-wizard-parsing-event-logs.md
- name: Merging multiple WDAC policies with the Wizard
href: wdac-wizard-merging-policies.md
- name: WDAC deployment guide

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 75 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 165 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 108 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 74 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 102 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

2697
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
View File

File diff suppressed because it is too large Load Diff

2
windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: jgeurten
ms.reviewer: isbrahm
ms.reviewer: jsuther1974
ms.author: vinpa
manager: aaroncz
ms.topic: conceptual

141
windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md Normal file
View File

@ -0,0 +1,141 @@
---
title: Windows Defender Application Control Wizard WDAC Event Parsing
description: Creating WDAC policy rules from the WDAC event logs and the MDE Advanced Hunting WDAC events.
keywords: WDAC event parsing, allow listing, block listing, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: jgeurten
ms.reviewer: jsuther1974
ms.author: vinpa
manager: aaroncz
ms.topic: conceptual
ms.date: 02/01/2023
ms.technology: itpro-security
---
# Creating WDAC Policy Rules from WDAC Events in the Wizard
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.html), the WDAC Wizard supports creating WDAC policy rules from the following event log types:
1. [WDAC event log events on the system](#wdac-event-viewer-log-parsing)
2. [Exported WDAC events (EVTX files) from any system](#wdac-event-log-file-parsing)
3. [Exported WDAC events from MDE Advanced Hunting](#mde-advanced-hunting-wdac-event-parsing)
## WDAC Event Viewer Log Parsing
To create rules from the WDAC event logs on the system:
1. Select **Policy Editor** from the WDAC Wizard main page.
2. Select **Convert Event Log to a WDAC Policy**.
3. Select the **Parse Event Logs** button under the **Parse Event Logs from the System Event Viewer to Policy** header.
The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"]
> [![Parse WDAC and AppLocker event log system events](images/wdac-wizard-event-log-system.png)](images/wdac-wizard-event-log-system-expanded.png)
4. Select the Next button to view the audit and block events and create rules.
5. [Generate rules from the events](#creating-policy-rules-from-the-events).
## WDAC Event Log File Parsing
To create rules from the WDAC `.EVTX` event logs files on the system:
1. Select **Policy Editor** from the WDAC Wizard main page.
2. Select **Convert Event Log to a WDAC Policy**.
3. Select the **Parse Log File(s)** button under the **Parse Event Log evtx Files to Policy** header.
4. Select the WDAC CodeIntegrity Event log EVTX file(s) from the disk to parse.
The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"]
> [![Parse evtx file WDAC events](images/wdac-wizard-event-log-files.png)](images/wdac-wizard-event-log-files-expanded.png)
5. Select the Next button to view the audit and block events and create rules.
6. [Generate rules from the events](#creating-policy-rules-from-the-events).
## MDE Advanced Hunting WDAC Event Parsing
To create rules from the WDAC events in [MDE Advanced Hunting](querying-application-control-events-centrally-using-advanced-hunting.md):
1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events. **The Wizard requires the following fields** in the Advanced Hunting csv file export:
```KQL
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName
```
The following Advanced Hunting query is recommended:
```KQL
DeviceEvents
// Take only WDAC events
| where ActionType startswith 'AppControlCodeIntegrity'
// SigningInfo Fields
| extend IssuerName = parsejson(AdditionalFields).IssuerName
| extend IssuerTBSHash = parsejson(AdditionalFields).IssuerTBSHash
| extend PublisherName = parsejson(AdditionalFields).PublisherName
| extend PublisherTBSHash = parsejson(AdditionalFields).PublisherTBSHash
// Audit/Block Fields
| extend AuthenticodeHash = parsejson(AdditionalFields).AuthenticodeHash
| extend PolicyId = parsejson(AdditionalFields).PolicyID
| extend PolicyName = parsejson(AdditionalFields).PolicyName
// Keep only required fields for the WDAC Wizard
| project Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName
```
2. Export the WDAC event results by selecting the **Export** button in the results view.
> [!div class="mx-imgBorder"]
> [![Export the MDE Advanced Hunting results to CSV](images/wdac-wizard-event-log-mde-ah-export.png)](images/wdac-wizard-event-log-mde-ah-export-expanded.png)
3. Select **Policy Editor** from the WDAC Wizard main page.
4. Select **Convert Event Log to a WDAC Policy**.
5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header.
6. Select the WDAC MDE Advanced Hunting export CSV files from the disk to parse.
The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You'll see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"]
> [![Parse the Advanced Hunting CSV WDAC event files](images/wdac-wizard-event-log-mde-ah-parsing.png)](images/wdac-wizard-event-log-mde-ah-parsing-expanded.png)
7. Select the Next button to view the audit and block events and create rules.
8. [Generate rules from the events](#creating-policy-rules-from-the-events).
## Creating Policy Rules from the Events
On the "Configure Event Log Rules" page, the unique WDAC log events will be shown in the table. Event Ids, filenames, product names, the policy name that audited or blocked the file, and the file publisher are all shown in the table. The table can be sorted alphabetically by clicking on any of the headers.
To create a rule and add it to the WDAC policy:
1. Select an audit or block event in the table by selecting the row of interest.
2. Select a rule type from the dropdown. The Wizard supports creating Publisher, Path, File Attribute, Packaged App and Hash rules.
3. Select the attributes and fields that should be added to the policy rules using the checkboxes provided for the rule type.
4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated.
> [!div class="mx-imgBorder"]
> [![Adding a publisher rule to the WDAC policy](images/wdac-wizard-event-rule-creation.png)](images/wdac-wizard-event-rule-creation-expanded.png)
5. Select the **Next** button to output the policy. Once generated, the event log policy should be merged with your base or supplemental policies.
> [!WARNING]
> It is not recommended to deploy the event log policy on its own, as it likely lacks rules to authorize Windows and may cause blue screens.
## Up next
- [Merging Windows Defender Application Control (WDAC) policies using the Wizard](wdac-wizard-merging-policies.md)