diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 38a2894c80..54589ae7b4 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -80,6 +80,11 @@
"redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines",
"redirect_document_id": false
},
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/security/apps.md",
"redirect_url": "/windows/security/application-security",
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 3b93d81859..b2500d8e36 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/01/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -36,20 +36,8 @@ ms.topic: reference
-
-This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains file type and protocol default application associations. This file can be created using the DISM tool.
-
-For example:
-
-Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txt.
-
-For more information, refer to the DISM documentation on TechNet.
-
-If this group policy is enabled and the client machine is domain-joined, the file will be processed and default associations will be applied at logon time.
-
-If the group policy isn't configured, disabled, or the client machine isn't domain-joined, no default associations will be applied at logon time.
-
-If the policy is enabled, disabled, or not configured, users will still be able to override default file type and protocol associations.
+
+This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). The file can be further edited by adding attributes to control how often associations are applied by the policy. The file then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
@@ -84,54 +72,69 @@ If the policy is enabled, disabled, or not configured, users will still be able
**Example**:
To create the SyncML, follow these steps:
-
-- Install a few apps and change your defaults.
-- From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
-- Take the XML output and put it through your favorite base64 encoder app.
-- Paste the base64 encoded XML into the SyncML
-
-Here's an example output from the dism default association export command:
-```xml
-
-
-
-
-
-
-
-
-```
+1. Install a few apps and change your defaults.
+1. From an elevated prompt, run `dism /online /export-defaultappassociations:C:\appassoc.xml`. Here's an example output from the dism default association export command:
-Here's the base64 encoded result:
+ ```xml
+
+
+
+
+
+
+
+
+ ```
-``` syntax
-PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
-```
-Here's the SyncML example:
+ Starting in Windows 11, version 22H2, two new attributes are available for further customization of the policy. These attributes can be used to change how often the policy associations are applied.
-```xml
-
-
-
-
- 101
- -
-
- chr
- text/plain
-
-
- ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration
-
- PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
-
-
-
-
-
-
-```
+ - **Version** attribute for `DefaultAssociations`. This attribute is used to control when **Suggested** associations are applied. Whenever the **Version** value is incremented, a **Suggested** association is applied one time.
+ - **Suggested** attribute for `Association`. The default value is false. If it's false, the **Association** is applied on every sign-in. If it's true, the **Association** is only applied once for the current **DefaultAssociations** Version. When the **Version** is incremented, the **Association** is applied once again, on next sign-in.
+
+ In the following example, the **Association** for `.htm` is applied on first sign-in of the user, and all others are applied on every sign-in. If **Version** is incremented, and the updated file is deployed to the user, the **Association** for `.htm` is applied again:
+
+ ```xml
+
+
+
+
+
+
+
+
+ ```
+
+1. Take the XML output and put it through your favorite base64 encoder app. Here's the base64 encoded result:
+
+ ```text
+ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
+ ```
+
+1. Paste the base64 encoded XML into the SyncML. Here's the SyncML example:
+
+ ```xml
+
+
+
+
+ 101
+ -
+
+ chr
+ text/plain
+
+
+ ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration
+
+ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
+
+
+
+
+
+
+ ```
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
index 70c937a286..3815f2af27 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
+++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
@@ -55,8 +55,8 @@
href: design/create-wdac-policy-using-reference-computer.md
- name: Create a WDAC deny list policy
href: design/create-wdac-deny-policy.md
- - name: Microsoft recommended block rules
- href: design/microsoft-recommended-block-rules.md
+ - name: Applications that can bypass WDAC and how to block them
+ href: design/applications-that-can-bypass-wdac.md
- name: Microsoft recommended driver block rules
href: design/microsoft-recommended-driver-block-rules.md
- name: Use the WDAC Wizard tool
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md
similarity index 99%
rename from windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md
index ebc63fd06e..bcce7c5578 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md
@@ -1,15 +1,15 @@
---
-title: Microsoft recommended block rules
+title: Applications that can bypass WDAC and how to block them
description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.
ms.localizationpriority: medium
ms.date: 06/14/2023
ms.topic: reference
---
-# Microsoft recommended block rules
+# Applications that can bypass WDAC and how to block them
->[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass WDAC.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/index.yml b/windows/security/application-security/application-control/windows-defender-application-control/index.yml
index 116b217e84..1b1d46e536 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/index.yml
+++ b/windows/security/application-security/application-control/windows-defender-application-control/index.yml
@@ -33,8 +33,8 @@ landingContent:
links:
- text: Using code signing to simplify application control
url: deployment/use-code-signing-for-better-control-and-protection.md
- - text: Microsoft's Recommended Blocklist
- url: design/microsoft-recommended-block-rules.md
+ - text: Applications that can bypass WDAC and how to block them
+ url: design/applications-that-can-bypass-wdac.md
- text: Microsoft's Recommended Driver Blocklist
url: design/microsoft-recommended-driver-block-rules.md
- text: Example WDAC policies
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
index dee33405bb..7ee7a13013 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
@@ -47,7 +47,7 @@ Smart App Control is only available on clean installation of Windows 11 version
### Smart App Control Enforced Blocks
-Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
+Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
- Infdefaultinstall.exe
- Microsoft.Build.dll
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 834f56a321..809b88492a 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,19 +1,25 @@
---
-title: How to configure Diffie Hellman protocol over IKEv2 VPN connections
-description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 09/23/2021
+title: How to configure cryptographic settings for IKEv2 VPN connections
+description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
+ms.date: 06/28/2023
ms.topic: how-to
---
-# How to configure Diffie Hellman protocol over IKEv2 VPN connections
+# How to configure cryptographic settings for IKEv2 VPN connections
-In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.
+In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are:
+
+- Encryption Algorithm : DES3
+- Integrity, Hash Algorithm : SHA1
+- Diffie Hellman Group (Key Size): DH2
+
+These settings aren't secure for IKE exchanges.
To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
## VPN server
-For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.
+For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. These settings are effective for all IKEv2 VPN connections.
```powershell
Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
@@ -30,7 +36,43 @@ Set-VpnServerIPsecConfiguration -CustomPolicy
For VPN client, you need to configure each VPN connection.
For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps&preserve-view=true) and specify the name of the connection:
-
```powershell
Set-VpnConnectionIPsecConfiguration -ConnectionName
-```
\ No newline at end of file
+```
+
+## IKEv2 Crypto Settings Example
+
+The following commands configure the IKEv2 cryptographic settings to:
+
+- Encryption Algorithm : AES128
+- Integrity, Hash Algorithm : SHA256
+- Diffie Hellman Group (Key Size): DH14
+
+### IKEv2 VPN Server
+
+```powershell
+Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000
+restart-service RemoteAccess -PassThru
+```
+
+If you need to switch back to the default IKEv2 settings, use this command:
+
+```powershell
+Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault
+restart-service RemoteAccess -PassThru
+```
+
+### IKEv2 VPN Client
+
+```powershell
+Set-VpnConnectionIPsecConfiguration -ConnectionName -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force
+```
+
+If you need to switch back to the default IKEv2 settings, use this command:
+
+```powershell
+Set-VpnConnectionIPsecConfiguration -ConnectionName -RevertToDefault -Force
+```
+
+> [!TIP]
+> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.
\ No newline at end of file