mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 12:23:37 +00:00
Addressed feedback
@ -151,7 +151,7 @@ The rule means trust anything signed by a certificate that chains to this root C
| 0| None |
| 1| Unknown |
| 2 | Self-Signed |
| 3 | Authenticode |
| 3 | Microsoft Authenticode(tm) Root Authority |
| 4 | Microsoft Product Root 1997 |
| 5 | Microsoft Product Root 2001 |
| 6 | Microsoft Product Root 2010 |
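Review bot: the changed row keeps value 3 but its text "Microsoft Authenticode(tm) Root Authority" uses an ASCII "(tm)" while the neighbouring rows are plain product names; either drop the mark or use the ™ character so the column reads consistently. While in this table, `| 0| None |` and `| 1| Unknown |` lack the space after the number that `| 2 | Self-Signed |` and the later rows have; the table renders either way, but aligning them keeps the source tidy.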
@ -8,7 +8,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
ms.date: 03/16/2023
ms.date: 03/31/2023
ms.technology: itpro-security
---
@ -23,7 +23,7 @@ ms.technology: itpro-security
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md).
When you create policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that you can use.
When you create policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that you can use. These example policies are provided "as-is". You should thoroughly test the policies you deploy using safe deployment methods.
| **Example Base Policy** | **Description** | **Where it can be found** |
|-------------------------|---------------------------------------------------------------|--------|
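Review bot: the added sentence "You should thoroughly test the policies you deploy using safe deployment methods" leaves "safe deployment methods" unlinked, while this article links its other cross-references (the feature-availability note just above, for instance); point it at the guidance that describes audit mode and staged rollout so a reader knows what a safe deployment looks like. Minor: "as-is" uses straight quotes; check that matches the quoting style used elsewhere in this file.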
@ -31,7 +31,7 @@ When you create policies for use with Windows Defender Application Control (WDAC
| **AllowMicrosoft.xml** | This example policy includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml |
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml |
| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml |
| **DenyAllAudit.xml** | ***Warning: May cause boot issues on Windows Server 2019 and earlier.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml |
| **Microsoft Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml <br>%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\SignedReputable.xml |
| **Example supplemental policy** | This example policy shows how to use supplemental policy to expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Supplemental.xml |
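Review bot: the DenyAllAudit.xml warning is broadened from "long boot time on Windows Server 2019" to "boot issues on Windows Server 2019 and earlier", which drops the one concrete symptom a reader could recognise; consider keeping "long boot time" as the example symptom alongside the wider wording. Two unchanged rows in this hunk could use a touch as well: the "Example supplemental policy" description is missing a word ("to expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file" should read "... to allow a single ..."), and the SmartAppControl.xml row says the policy "includes a rule that is unsupported for enterprise WDAC policies and must be removed" without naming the rule, so a reader cannot confirm they removed the right one.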
@ -28,10 +28,6 @@ This article describes how to debug and troubleshoot app and script failures whe
Before debugging and troubleshooting WDAC issues, you must collect information from a device exhibiting the problem behavior.
<br>
<details>
<summary><b>Expand here for instructions on collecting WDAC diagnostic data.</b></summary>
Run the following commands from an elevated PowerShell window to collect the diagnostic information you may need:
1. Gather general WDAC diagnostic data and copy it to %userprofile%\AppData\Local\Temp\DiagOutputDir\CiDiag:
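Review bot: removing the `<br>`, `<details>` and `<summary>` wrapper here only works if the matching `</details>` goes too; the `@ -113` hunk later in this diff removes one, so please confirm that is the closing tag for this block and that no orphaned `<br>` line is left between the intro paragraph and step 1.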
@ -43,9 +39,9 @@ Run the following commands from an elevated PowerShell window to collect the dia
If CiDiag.exe isn't present in your version of Windows, gather this information manually:
- WDAC policy binaries from the [Windows and EFI system partitions](known-issues.md#wdac-policy-file-locations)
- WDAC event logs
- AppLocker event logs
- Other event logs that may contain useful information from other Windows apps and services
- [WDAC event logs](#core-wdac-event-logs)
- [AppLocker event logs](#core-wdac-event-logs)
- [Other event logs that may contain useful information](#other-windows-event-logs-that-may-be-useful) from other Windows apps and services
2. Save the device's System Information to the CiDiag folder:
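Review bot: the new "AppLocker event logs" item links to `#core-wdac-event-logs`, the same anchor as the "WDAC event logs" item above it; if the AppLocker channels are listed under that heading this is fine, otherwise give them their own anchor so the link lands on the right list. Also verify that `#other-windows-event-logs-that-may-be-useful` matches the heading of the section whose context appears in the `@ -113` hunk ("Sometimes, you may be able to supplement the information ...").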
@ -65,6 +61,9 @@ Run the following commands from an elevated PowerShell window to collect the dia
reg.exe query HKLM\Software\Policies\Microsoft\Windows\SrpV2 /s > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt; reg.exe query HKLM\Software\Policies\Microsoft\Windows\AppidPlugins /s >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt; reg.exe query HKLM\System\CurrentControlSet\Control\Srp\ /s >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt
```
> [!NOTE]
> You may see an error that the system was unable to find the specified registry key or value. This error doesn't indicate a problem and can be ignored.
5. Copy any AppLocker policy files from %windir%System32\AppLocker to the CiDiag folder:
```powershell
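Review bot: the added NOTE says the "unable to find the specified registry key or value" error can be ignored, but the preceding `reg.exe query` line reads three keys (SrpV2, AppidPlugins and Srp) into one file, so a reader cannot tell an expected miss from a genuine failure; say which of the keys is normally absent when no AppLocker policy is deployed so the other errors still get attention. Since the first query uses `>` and the next two `>>`, AppLockerRegistry.txt is overwritten on every run, which is presumably intended and worth a word in the step. Separately, step 5's path `%windir%System32\AppLocker` is missing the backslash after `%windir%`.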
@ -113,16 +112,10 @@ Sometimes, you may be able to supplement the information contained in the core W
- *Windows - Application*
- *Windows - System*
</details>
## 2 - Use the diagnostic and log data to identify problems
Having gathered the necessary diagnostic information from a device, you're ready to begin your analysis of the diagnostic data collected in the previous section.
<br>
<details>
<summary><b>Expand here for steps on analyzing WDAC diagnostic data.</b></summary>
1. Verify the set of WDAC policies that are active and enforced. Confirm that only those policies you expect to be active are currently active. Be aware of the [Windows inbox policies](inbox-wdac-policies.md) that may also be active. You can use either of these methods:
- Review the output from *CiTool.exe -lp*, if applicable, which was saved to the CIDiag output directory as CiToolOutput.json. See [use Microsoft Edge to view the formatted json file](/microsoft-edge/devtools-guide-chromium/json-viewer/json-viewer).
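Review bot: step 1 refers to the "CIDiag output directory" while the collection section and its path (`%userprofile%\AppData\Local\Temp\DiagOutputDir\CiDiag`) spell it "CiDiag"; use one spelling. The same bullet asks the reader to confirm "only those policies you expect to be active are currently active", which is the right check; a pointer to the "Issue: A policy is active that is unexpected" section later in this diff would tell them what to do when it fails.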
@ -139,10 +132,6 @@ Here's an example of detailed EventData from a typical WDAC enforcement mode blo
#### Event 3077 - WDAC enforcement block event
<br>
<details>
<summary>Expand here to explore an example 3077 WDAC block event.</summary>

| Element name | Description |
@ -169,14 +158,8 @@ Here's an example of detailed EventData from a typical WDAC enforcement mode blo
| UserWriteable | A boolean value indicating if the file was in a user-writeable location. This information is useful for diagnosing issues when allowing by FilePath rules. |
| PackageFamilyName | The Package Family Name for the packaged app (MSIX) that includes the blocked file. |
</details>
#### Event 3089 - WDAC signature information event
<br>
<details>
<summary>Expand here to explore an example 3089 WDAC signature information event.</summary>

| Element name | Description |
@ -193,8 +176,6 @@ Here's an example of detailed EventData from a typical WDAC enforcement mode blo
| PublisherTBSHash | The TBS hash of the leaf certificate. |
| IssuerTBSHash | The TBS hash of the highest available certificate in the certificate chain. This level is typically one certificate below the root. |
</details>
#### Step-by-step walkthrough of the example 3077 and 3089 events
Now let's walk through how to use the event data in the example 3077 and 3089 events to understand why the WDAC policy blocked this file.
@ -220,27 +201,15 @@ It's important to review the information for each correlated 3089 event as each
>
> In the case of the 3089 event, on the other hand, ValidatedSigningLevel tells us the potential **maximum** level the signature could receive. We must use the VerificationError to understand why the signature was rejected.
</details>
## 3 - Resolve common problems
Having analyzed the WDAC diagnostic data, you can take steps to resolve the issue or do more debugging steps. Following are some common problems and steps you can try to resolve or further isolate the root issue:
<br>
<details>
<summary><b>Issue: A file was blocked that you want to allow.</b></summary>
### Issue: A file was blocked that you want to allow
- Use data from the core WDAC event logs to add rules to allow the blocked file.
- Redeploy the file or app using a managed installer if your policy trusts managed installers.
</details>
<br>
<details>
<summary><b>Issue: A policy is active that is unexpected.</b></summary>
### Issue: A policy is active that is unexpected
This condition may exist if:
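Review bot: the `<summary>` to `### Issue:` conversion is consistent, but the first remediation bullet, "Use data from the core WDAC event logs to add rules to allow the blocked file", would be stronger with a pointer to the 3077 fields this diff documents: UserWriteable is described there as "useful for diagnosing issues when allowing by FilePath rules", so readers should check it before adding a path-based allow rule for a file that sits in a user-writeable location. Also link "core WDAC event logs" to the `#core-wdac-event-logs` anchor the collection section already uses.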
@ -253,12 +222,6 @@ This condition may exist if:
To resolve such an issue, follow the instructions to [Remove WDAC policies](/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies) for the identified policy.
</details>
<br>
<details>
<summary><b>Issue: An unhandled app failure is occurring and no WDAC events are observed.</b></summary>
### Issue: An unhandled app failure is occurring and no WDAC events are observed
Some apps alter their behavior when a user mode WDAC policy is active, which can result in unexpected failures. It can also be a side-effect of script enforcement for apps that don't properly handle the enforcement behaviors implemented by the script hosts.
@ -270,12 +233,6 @@ Try to isolate the root cause by doing the following actions:
- Temporarily replace the WDAC policy with another policy that [allows all COM objects](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) and retest.
- Temporarily replace the WDAC policy with another policy that relaxes other [policy rules](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-policy-rules) and retest.
</details>
<br>
<details>
<summary><b>Issue: An app deployed by a managed installer is not working.</b></summary>
### Issue: An app deployed by a managed installer isn't working
To debug issues using managed installer, try these steps:
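Review bot: both "Temporarily replace the WDAC policy ..." bullets say to retest but never to put the original policy back; add a closing step that restores the original enforced policy once the root cause is isolated, since a policy that allows all COM objects or relaxes the policy rules is an isolation aid, not a configuration to leave on the device.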
@ -290,12 +247,6 @@ To debug issues using managed installer, try these steps:
- Add another managed installer to your AppLocker policy and test installation using the other managed installer.
- Check if the app is encountering a [known limitation with managed installer](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#known-limitations-with-managed-installer). If so, you must authorize the app using other means.
</details>
<br>
<details>
<summary><b>Issue: An app you expected the ISG to allow is not working.</b></summary>
### Issue: An app you expected the Intelligent Security Graph (ISG) to allow isn't working
To debug issues using ISG, try these steps:
@ -304,5 +255,3 @@ To debug issues using ISG, try these steps:
- Check that the AppLocker services are running. This information is found in $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt created in section 1 of this article.
- [Use fsutil.exe](/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer#using-fsutil-to-query-extended-attributes-for-intelligent-security-graph-isg) to verify files have the ISG origin extended attribute. If not, redeploy the files with the managed installer and check again.
- Check if the app is encountering a [known limitation with ISG](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#known-limitations-with-using-the-isg).
</details>
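Review bot: in the ISG section the fsutil bullet ends with "redeploy the files with the managed installer and check again", which reads as carried over from the managed-installer section in the `@ -290` hunk; confirm that is the intended remediation for a missing ISG origin attribute, or reword it for the ISG case. The first bullet cites "AppLockerServices.txt created in section 1 of this article"; with the sections now headed "## 2 -" and "## 3 -", a link to the collection section's anchor would be more robust than the bare number.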