mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'main' into vp-csp-auto2
This commit is contained in:
commit
f6f044a813
@ -334,7 +334,7 @@ Value type is integer.
|
||||
|
||||
Supported operation is Get.
|
||||
|
||||
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
|
||||
- Bit 0 - Set to 1 when Application Guard is enabled into Windows Isolated environment mode.
|
||||
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
|
||||
- Bit 2 - Reserved for Microsoft.
|
||||
- Bit 3 - Set to 1 when Application Guard is installed on the client machine.
|
||||
|
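Review bot: the rewritten Bit 0 line still says "enabled into ... mode"; it should read "enabled in ... mode". More importantly, this line renames the mode from "enterprise manage mode" to "Windows Isolated environment mode" without touching anything else in the hunk, so confirm the same term is used wherever this CSP article describes the enable setting and the other status bits; otherwise a reader comparing the Get result against the configuration node can't connect the two. Bits 1 to 3 are unchanged and read fine.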
@ -111,3 +111,41 @@ listAumids("CustomerAccount")
|
||||
# Get a list of AUMIDs for all accounts on the device:
|
||||
listAumids("allusers")
|
||||
```
|
||||
|
||||
## Example
|
||||
|
||||
The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu.
|
||||
|
||||
```powershell
|
||||
function Get-AppAUMID {
|
||||
param (
|
||||
[string]$AppName
|
||||
)
|
||||
$Apps = (New-Object -ComObject Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items()
|
||||
if ($AppName){
|
||||
$Result = $Apps | Where-Object { $_.name -like "*$AppName*" } | Select-Object name,@{n="AUMID";e={$_.path}}
|
||||
if ($Result){
|
||||
Return $Result
|
||||
}
|
||||
else {"Unable to locate {0}" -f $AppName}
|
||||
}
|
||||
else {
|
||||
$Result = $Apps | Select-Object name,@{n="AUMID";e={$_.path}}
|
||||
Return $Result
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
The following Windows PowerShell commands demonstrate how you can call the Get-AppAUMID function after you've created it.
|
||||
|
||||
```powershell
|
||||
# Get the AUMID for OneDrive
|
||||
Get-AppAUMID -AppName OneDrive
|
||||
|
||||
# Get the AUMID for Microsoft Word
|
||||
Get-AppAUMID -AppName Word
|
||||
|
||||
# List all apps and their AUMID in the Start menu
|
||||
Get-AppAUMID
|
||||
```
|
||||
|
||||
|
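Review bot: in Get-AppAUMID the not-found branch writes the string "Unable to locate {0}" to the output stream, so a caller doing `(Get-AppAUMID -AppName Foo).AUMID` gets $null with no error and a script that feeds that into an assigned-access configuration fails later and silently; use `Write-Error` (or `Write-Warning` and return nothing) instead. Also, `Where-Object { $_.name -like "*$AppName*" }` is a substring match, so `Get-AppAUMID -AppName Word` returns every Start menu entry containing "Word" (WordPad, for example); the usage comment "Get the AUMID for Microsoft Word" should say the call may return several rows and the caller must choose. Minor: PowerShell convention is lowercase `return`.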
@ -40,7 +40,7 @@ This article covers the following information:
|
||||
For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
|
||||
|
||||
> [!NOTE]
|
||||
> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f, from their device compliance policy using **Select Excluded Cloud Apps**.
|
||||
> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their device compliance policy using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
|
||||
|
||||
## Subscription activation for Enterprise
|
||||
|
||||
|
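Review bot: the note says to exclude the application "from their device compliance policy using Select Excluded Cloud Apps", but the exclusion the newly linked "Application exclusions" section describes is made in the Conditional Access policy's cloud app assignment, not in a device compliance policy; reword to "exclude the Universal Store Service APIs and Web Application from the cloud apps targeted by their Conditional Access policy" so readers open the right blade. The added link to the first-party application ID list is a useful way to verify the GUID 45a330b1-b1ec-4cc1-9161-9f03992aa49f.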
@ -30,8 +30,8 @@ For a device to be eligible for Windows feature updates as a part of Windows Aut
|
||||
| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
|
||||
| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
|
||||
| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
|
||||
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). |
|
||||
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers). |
|
||||
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-wqu-unsupported-policies.md). |
|
||||
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers). |
|
||||
|
||||
## Windows feature update releases
|
||||
|
||||
|
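Review bot: moving both links to ../references/ also fixes the inconsistency that the Group policy row had no directory prefix at all while the MDM row used ../operate/; verify that the anchor #group-policy-and-other-policy-managers still exists in the relocated windows-autopatch-wqu-unsupported-policies.md, since a renamed heading breaks the deep link without any build warning. Style: "group policies deployed which would prevent" reads better as "that would prevent".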
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows quality update signals
|
||||
description: This article explains the Windows quality update signals
|
||||
ms.date: 05/30/2022
|
||||
ms.date: 01/24/2023
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-updates
|
||||
ms.topic: conceptual
|
||||
@ -57,5 +57,3 @@ Autopatch monitors the following reliability signals:
|
||||
| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
|
||||
|
||||
When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.
|
||||
|
||||
Once your tenant reaches 500 devices, Windows Autopatch starts generating recommendations specific to your devices. Based on this information, the service starts developing insights specific to your tenant allowing a customized response to what's happening in your environment.
|
||||
|
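Review bot: this hunk deletes the only text on the page that explains what the 500-device threshold means for the First ring and for tenant-specific recommendations, and nothing replaces it; if the threshold still drives the decision to pause or reschedule a release, that explanation belongs in the article (the removed line also had the typo "can to detect regressions", which is a reason to rewrite it, not to drop it). If the behaviour no longer applies, one sentence saying so would stop readers relying on older copies of the page.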
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Changes made at tenant enrollment
|
||||
description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch
|
||||
ms.date: 12/01/2022
|
||||
ms.date: 01/24/2023
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-updates
|
||||
ms.topic: reference
|
||||
@ -56,13 +56,11 @@ Windows Autopatch will create Azure Active Directory groups that are required to
|
||||
|
||||
- Windows Autopatch - Set MDM to Win Over GPO
|
||||
- Windows Autopatch - Data Collection
|
||||
- Windows Autopatch-Window Update Detection Frequency
|
||||
|
||||
| Policy name | Policy description | Properties | Value |
|
||||
| ----- | ----- | ----- | ----- |
|
||||
| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked |
|
||||
| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ol><li>[Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)</li><li>[Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)</li><li>[Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)</li><li>[Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)</li><li>[Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)</li><li>[Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)</li></ol>|<ol><li>Enable telemetry change notifications</li><li>Enable Telemetry opt-in Settings</li><li>Full</li><li>Enabled</li><li>Enabled</li><li>Enabled</li></ol> |
|
||||
| Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 |
|
||||
|
||||
## Deployment rings for Windows 10 and later
|
||||
|
||||
|
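Review bot: the "Windows Autopatch - Data Collection" row says diagnostic data is "processed by Microsoft Managed Desktop", which looks like a leftover from the Managed Desktop version of this table; in an Autopatch article it should name Windows Autopatch. The "Windows Update Detection Frequency" row gives the value as a bare "4"; the Update/DetectionFrequency policy is expressed in hours, so write "4 (hours)". Removing the bullet list is fine, since its third item ("Windows Autopatch-Window Update Detection Frequency", missing spaces and "Windows") disagreed with the policy name in the table anyway.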
@ -31,4 +31,5 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
|
||||
|
||||
| Message center post number | Description |
|
||||
| ----- | ----- |
|
||||
| [MC500889](https://admin.microsoft.com/adminportal/home#/MessageCenter) | January 2023 Windows Autopatch baseline configuration update |
|
||||
| [MC494386](https://admin.microsoft.com/adminportal/home#/MessageCenter) | January 2023 (2023.01 B) Windows quality update deployment |
|
||||
|
@ -47,7 +47,7 @@ We recommend that you disable or manage Windows Hello for Business provisioning
|
||||
|
||||
### Disable Windows Hello for Business using Intune Enrollment policy
|
||||
|
||||
The following method explains how to disable Windows Hello for Business enrollment without Intune.
|
||||
The following method explains how to disable Windows Hello for Business enrollment using Intune.
|
||||
|
||||
1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
|
||||
2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
|
||||
|
@ -49,13 +49,13 @@ Changes to audit policy that are audited include:
|
||||
|
||||
The following events will be enabled with Success auditing in this subcategory:
|
||||
|
||||
- 4902(S): The Per-user audit policy table was created.
|
||||
- [4902](event-4902.md)(S): The Per-user audit policy table was created.
|
||||
|
||||
- 4907(S): Auditing settings on object were changed.
|
||||
- [4907](event-4907.md)(S): Auditing settings on object were changed.
|
||||
|
||||
- 4904(S): An attempt was made to register a security event source.
|
||||
- [4904](event-4904.md)(S): An attempt was made to register a security event source.
|
||||
|
||||
- 4905(S): An attempt was made to unregister a security event source.
|
||||
- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
|
||||
|
||||
All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting.
|
||||
|
||||
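Review bot: the newly linked list is in the order 4902, 4907, 4904, 4905 while the 4904/4905 list further down the page is ascending; sort this one to 4902, 4904, 4905, 4907 so readers can cross-check the two lists. The links assume event-4902.md and event-4907.md exist alongside event-4904.md and event-4905.md (which are already linked elsewhere in this file); confirm the first two are present before merging.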
@ -79,4 +79,4 @@ All other events in this subcategory will be logged regardless of the "Audit Pol
|
||||
|
||||
- [4904](event-4904.md)(S): An attempt was made to register a security event source.
|
||||
|
||||
- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
|
||||
- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
|
||||
|
@ -20,6 +20,8 @@ ms.topic: reference
|
||||
|
||||
Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects.
|
||||
|
||||
**Event volume**: Medium to High.
|
||||
|
||||
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|
||||
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
|
||||
@ -40,5 +42,3 @@ Audit Authorization Policy Change allows you to audit assignment and removal of
|
||||
|
||||
- [4913](event-4913.md)(S): Central Access Policy on the object was changed.
|
||||
|
||||
**Event volume**: Medium to High.
|
||||
|
||||
|
@ -235,14 +235,14 @@ Example: D:(A;;FA;;;WD)
|
||||
| "GR" | GENERIC READ | "SD" | Delete |
|
||||
| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
|
||||
| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
|
||||
| File access rights | "RP" | Read All Properties |
|
||||
| File access rights | | "RP" | Read All Properties |
|
||||
| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
|
||||
| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
|
||||
| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
|
||||
| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
|
||||
| Registry key access rights | "SW" | All Validated Writes |
|
||||
| "KA" | "LO" | "LO" | List Object |
|
||||
| "K" | KEY READ | "DT" | Delete Subtree |
|
||||
| Registry key access rights | | "SW" | Self Write |
|
||||
| "KA" | KEY ALL ACCESS | "LO" | List Object |
|
||||
| "KR" | KEY READ | "DT" | Delete Subtree |
|
||||
| "KW" | KEY WRITE | "CR" | All Extended Rights |
|
||||
| "KX" | KEY EXECUTE | | |
|
||||
|
||||
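Review bot: the corrections are right: "KA" "LO" "LO" was a copy error, "K" is not a valid SDDL rights string (KEY READ is "KR"), and "Self Write" matches the SDDL_SELF_WRITE mnemonic that "SW" stands for. The remaining readability problem is that the left-hand pair of columns (file and registry rights) and the right-hand pair (directory object rights) are unrelated lists that happen to share rows, so a reader who reads across a row pairs "FA" with "WP" for no reason; a sentence above the table saying the two halves are independent lists, or splitting them into two tables, would fix that. The empty second cell in the "File access rights" label row now matches the "Registry key access rights" row, which is good.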
@ -272,4 +272,4 @@ For file system and registry objects, the following recommendations apply.
|
||||
|
||||
- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.**
|
||||
|
||||
- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers<b>.</b> For example, you could monitor the **ntds.dit** file on domain controllers.
|
||||
- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers<b>.</b> For example, you could monitor the **ntds.dit** file on domain controllers.
|
||||
|
@ -9,7 +9,7 @@ ms.reviewer: aaroncz
|
||||
ms.author: jogeurte
|
||||
ms.manager: jsuther
|
||||
manager: aaroncz
|
||||
ms.date: 12/03/2022
|
||||
ms.date: 01/23/2023
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
@ -26,13 +26,18 @@ ms.localizationpriority: medium
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
|
||||
|
||||
This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host.
|
||||
This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The following instructions use PowerShell but can work with any scripting host.
|
||||
|
||||
You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Skip all steps below that use citool.exe, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
|
||||
>
|
||||
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
|
||||
|
||||
## Deploying policies for Windows 11 22H2 and above
|
||||
|
||||
You can use [citool.exe](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the example below with the actual path to your WDAC policy binary file.
|
||||
You can use [citool.exe](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your WDAC policy binary file.
|
||||
|
||||
```powershell
|
||||
# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = <PolicyId> from the Policy XML)
|
||||
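Review bot: the new IMPORTANT says to skip "all steps below" while the same hunk changes "below" to "following" two lines later; use "following" here too. More substantively, it tells the reader to copy the binary "to the correct system32 and EFI locations" without saying where those are; name the system32 path that the citool.exe and WMI steps use and link the EFI location to the "Deploying signed policies" section of this article, otherwise the reader has to reverse-engineer the paths from the very steps they were told to skip.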
@ -92,9 +97,9 @@ Use WMI to apply policies on all other versions of Windows and Windows Server.
|
||||
|
||||
## Deploying signed policies
|
||||
|
||||
If you are using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the steps outlined above. Unsigned WDAC policies do not need to be present in the EFI partition. Deploying your policy via [Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically.
|
||||
If you're using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned WDAC policies don't need to be present in the EFI partition. <!-- Deploying your policy via [Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. -->
|
||||
|
||||
1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt:
|
||||
1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt:
|
||||
|
||||
```powershell
|
||||
$MountPoint = 'C:\EFIMount'
|
||||
|
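Review bot: commenting out the Intune / Application Control CSP sentence with <!-- --> leaves unrendered text in the source and no indication of why it was hidden; if the claim that those channels copy the policy into the EFI partition is no longer accurate, delete it, or replace it with what a reader deploying signed policies through MDM should do instead. The "If you are" to "If you're" change matches the style pass elsewhere in the commit.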
@ -13,7 +13,7 @@ author: jsuther1974
|
||||
ms.reviewer: jogeurte
|
||||
ms.author: vinpa
|
||||
manager: aaroncz
|
||||
ms.date: 10/06/2022
|
||||
ms.date: 01/23/2023
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
---
|
||||
@ -28,10 +28,16 @@ ms.topic: article
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
|
||||
>
|
||||
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
|
||||
|
||||
Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy.
|
||||
> [!IMPORTANT]
|
||||
> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Instead of Group Policy, deploy new signed WDAC Base policies [via script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies) and activate the policy with a system restart.
|
||||
>
|
||||
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
|
||||
|
||||
Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
|
||||
|
||||
You should now have a WDAC policy converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
|
||||
|
||||
|
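Review bot: after this change the page says "Single-policy format ... can be easily deployed and managed with Group Policy" and then an IMPORTANT directly below repeats that Group Policy only supports single-policy format; merge the two into one short paragraph and drop "easily". Also, the new memory-integrity IMPORTANT links the script article with an absolute /windows/security/... path while the NOTE above it uses a relative ../feature-availability.md; pick one link style within the file.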
@ -8,7 +8,7 @@ author: jsuther1974
|
||||
ms.reviewer: jogeurte
|
||||
ms.author: vinpa
|
||||
manager: aaroncz
|
||||
ms.date: 10/06/2022
|
||||
ms.date: 01/23/2023
|
||||
ms.topic: how-to
|
||||
---
|
||||
|
||||
@ -25,6 +25,11 @@ ms.topic: how-to
|
||||
|
||||
You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart.
|
||||
>
|
||||
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
|
||||
|
||||
## Use Intune's built-in policies
|
||||
|
||||
Intune's built-in Windows Defender Application Control support allows you to configure Windows client computers to only run:
|
||||
|
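Review bot: "Due to a known issue" now appears verbatim in four articles in this commit with no link to a known-issues entry and no date, so a reader has no way to tell when the guidance is stale; reference where the issue is tracked, and consider moving the shared two-paragraph text into an include so that lifting the restriction later is a one-file change rather than four edits that will drift.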
@ -13,7 +13,7 @@ author: jgeurten
|
||||
ms.reviewer: jsuther1974
|
||||
ms.author: vinpa
|
||||
manager: aaroncz
|
||||
ms.date: 08/29/2022
|
||||
ms.date: 01/23/2023
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
---
|
||||
@ -96,7 +96,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
|
||||
| **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
|
||||
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. |
|
||||
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). |
|
||||
| **RootCertificate** | Currently unsupported. |
|
||||
| **RootCertificate** | This level may produce an overly permissive policy and isn't recommended for most use cases. |
|
||||
| **WHQL** | Trusts binaries if they've been validated and signed by WHQL. This level is primarily for kernel binaries. |
|
||||
| **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. |
|
||||
| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This level is primarily for kernel binaries. |
|
||||
|
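Review bot: changing RootCertificate from "Currently unsupported." to "may produce an overly permissive policy" only implies that the level now works; say so plainly ("Supported, but ...") and give the reason: a root-level rule allows every binary whose signature chains to that root, which for a commercial root means trusting everything that CA has ever signed. The adjacent PcaCertificate row already explains that the scan only sees the certificates included in the signature, so one sentence linking the two rows would make the trade-off between them clear.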
@ -8,7 +8,7 @@ author: jgeurten
|
||||
ms.reviewer: aaroncz
|
||||
ms.author: jogeurte
|
||||
manager: jsuther
|
||||
ms.date: 10/06/2022
|
||||
ms.date: 01/23/2023
|
||||
ms.topic: overview
|
||||
---
|
||||
|
||||
@ -55,6 +55,11 @@ All Windows Defender Application Control policy changes should be deployed in au
|
||||
|
||||
## Choose how to deploy WDAC policies
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. We recommend [deploying via script](deployment/deploy-wdac-policies-with-script.md) in this case.
|
||||
>
|
||||
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
|
||||
|
||||
There are several options to deploy Windows Defender Application Control policies to managed endpoints, including:
|
||||
|
||||
- [Deploy using a Mobile Device Management (MDM) solution](deployment/deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
|
||||
|