Task ID 23142312 and 29028100

Made cosmetic changes to the certificate section in event-tags-explanation, and added a line break before the Figure 1 image in audit-and-enforce.
This commit is contained in:
Kim Klein
2021-05-27 09:37:24 -07:00
parent 6136ddc0d5
commit faee789b26
2 changed files with 23 additions and 22 deletions

@ -41,7 +41,8 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).
**Figure 1. Exceptions to the deployed WDAC policy**
**Figure 1. Exceptions to the deployed WDAC policy** <br>
![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png)
3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
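Review bot: the `<br>` appended to the Figure 1 caption stops the image from running into the caption text, but both the caption line and the `![Event showing exception to WDAC policy](...)` line still sit at column 0 between list items 2 and 3, so Markdown renderers that require continuation content to be indented will close the numbered list after item 2 and restart "3." as a new list. Indent both lines to align with the item text (three spaces under "2.") and, for consistency with plain Markdown, separate caption and image with a blank line rather than an inline `<br>`.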

@ -94,28 +94,28 @@ Represents why verification failed, or if it succeeded.
## Microsoft Root CAs trusted by Windows
The rule means trust anything signed by a cert that chains to this root CA.
The rule means trust anything signed by a certificate that chains to this root CA.
| Root ID | Root Name |
|---|----------|
|0| None |
|1| Unknown |
|2 | Self-Signed |
|3 | Authenticode |
|4 | Microsoft Product Root 1997 |
|5 | Microsoft Product Root 2001 |
|6 | Microsoft Product Root 2010 |
|7 | Microsoft Standard Root 2011 |
|8 | Microsoft Code Verification Root 2006 |
|9 | Microsoft Test Root 1999 |
|10 | Microsoft Test Root 2010 |
|11 | Microsoft DMD Test Root 2005 |
|12 | Microsoft DMDRoot 2005 |
|13 | Microsoft DMD Preview Root 2005 |
|14 | Microsoft Flight Root 2014 |
|15 | Microsoft Third Party Marketplace Root |
|16 | Microsoft ECC Testing Root CA 2017 |
|17 | Microsoft ECC Development Root CA 2018 |
|18 | Microsoft ECC Product Root CA 2018 |
|19 | Microsoft ECC Devices Root CA 2017 |
| 0| None |
| 1| Unknown |
| 2 | Self-Signed |
| 3 | Authenticode |
| 4 | Microsoft Product Root 1997 |
| 5 | Microsoft Product Root 2001 |
| 6 | Microsoft Product Root 2010 |
| 7 | Microsoft Standard Root 2011 |
| 8 | Microsoft Code Verification Root 2006 |
| 9 | Microsoft Test Root 1999 |
| 10 | Microsoft Test Root 2010 |
| 11 | Microsoft DMD Test Root 2005 |
| 12 | Microsoft DMDRoot 2005 |
| 13 | Microsoft DMD Preview Root 2005 |
| 14 | Microsoft Flight Root 2014 |
| 15 | Microsoft Third Party Marketplace Root |
| 16 | Microsoft ECC Testing Root CA 2017 |
| 17 | Microsoft ECC Development Root CA 2018 |
| 18 | Microsoft ECC Product Root CA 2018 |
| 19 | Microsoft ECC Devices Root CA 2017 |
For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they dont need to be listed as TBS hashes in the policy file.
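Review bot: the re-aligned table is inconsistent within itself: `| 0| None |` and `| 1| Unknown |` have no space before the second pipe, while rows 2 through 19 do (`| 2 | Self-Signed |`); use one form for all twenty rows. Since the commit already touches this section, the trailing context sentence should be fixed in the same pass: `dont` is missing its apostrophe, and "For example" introduces a consequence rather than an example, so "...baked into the code for WDAC, so they don't need to be listed as TBS hashes in the policy file" reads correctly. The "cert" to "certificate" change is fine, but "The rule" directly under the heading has no antecedent; "A rule that references one of these root IDs means: trust anything signed by a certificate that chains to that root CA" makes the sentence self-contained.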