windows-itpro-docs/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md
brbrahm 4da03265ac WDAC correct ms.reviewer
Updating to MSFT alias instead of Git username
2019-10-25 11:01:50 -07:00


---
title: Windows Defender Application Control path-based rules (Windows 10)
description: Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/17/2019
---

Create Windows Defender Application Control path-based rules

Applies to:

  • Windows 10
  • Windows Server 2016

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. A path rule allows any binary found under the specified path, so it is only as strong as the ACL on that path: by default WDAC creates and enforces path rules only for locations that standard users cannot write to, because a user-writeable location would let any user run arbitrary code simply by copying it there.

  • New-CIPolicy parameters

    • -Level FilePath: scan <path to scan> and create one path rule per file found (at the individual file level), skipping files that are user-writeable:

      New-CIPolicy -FilePath .\mypolicy.xml -Level FilePath -ScanPath <path to scan> -UserPEs

      Optionally, add -UserWriteablePaths to ignore user-writeability and emit rules for user-writeable files as well. Rules on user-writeable paths are not applied at runtime while the default runtime FilePath rule protection is in place, so such rules only take effect if that protection is also disabled with rule option 18.

    • -FilePathRule: create a single rule, without scanning, whose file path string is set directly to <any path string>:

      New-CIPolicyRule -FilePathRule <any path string>

      Useful for wildcards like C:\foo\*

  • Usage follows the same flow as per-app rules: collect the rules returned by New-CIPolicyRule, then pass the collection to New-CIPolicy with -Rules (New-CIPolicyRule itself does not write a policy file):

    $rules = New-CIPolicyRule -FilePathRule "C:\foo\*"
    $rules += New-CIPolicyRule -FilePathRule "*\foo\bar.exe"

    New-CIPolicy -FilePath .\mypolicy.xml -Rules $rules -UserPEs
    
  • Wildcards supported

    • Suffix (ex. C:\foo\*) OR prefix (ex. *\foo\bar.exe)
      • One or the other, not both in the same rule
      • A wildcard in the middle of the path (ex. C:\*\foo.exe) is not supported
    • A prefix wildcard matches that file name under any parent directory, so prefer suffix rules rooted at an admin-only directory when the rule only needs to cover one install location
  • Supported Macros:

    • %WINDIR%\...
    • %SYSTEM32%\...
    • %OSDRIVE%\...
  • Disable the default FilePath rule protection that enforces user-writeability only if you accept the risk. For example, to add "Disabled:Runtime FilePath Rule Protection" (rule option 18) to the policy:

    Set-RuleOption -FilePath .\policy.xml -Option 18

    With this option set, a path rule is applied even when the path is user-writeable, so anyone who can write to that location can run arbitrary code under the policy. Leave the protection enabled unless every path rule in the policy already points at an admin-only location.
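The following is an added example (not code from the original article) that walks the whole procedure above: a FilePath-level scan, explicit FilePathRule entries with a suffix wildcard and the %OSDRIVE% macro, a merge, and audit-mode deployment, while keeping runtime FilePath rule protection enabled. The Test-UserWritablePath helper is my own approximation of the user-writeability check WDAC performs, used here to refuse explicit rules on directories that grant write access to broad groups. The Contoso directories and output file names are assumptions for illustration.

```powershell
# Added example, not from the original article. Directories, file names and the
# "Contoso" product are assumptions for illustration.

# Returns $true when the directory ACL grants any write right to a broad group.
# This only approximates the user-writeability test WDAC applies to path rules;
# Deny ACEs are not evaluated here.
function Test-UserWritablePath {
    param([Parameter(Mandatory)][string]$Path)

    $broadGroups = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4'        # INTERACTIVE
    )
    # Any bit of FileSystemRights.Write lets files be created or changed;
    # Modify and FullControl both include these bits.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate($sidType).Value }
        catch { continue }   # orphaned or unresolvable account, ignore
        if (($broadGroups -contains $sid) -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Builds one suffix-wildcard rule (dir\*) per directory, refusing unsafe ones.
function New-SafePathRules {
    param([Parameter(Mandatory)][string[]]$Directories)

    $rules = @()
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            Write-Warning "Skipping $dir (not found)"
            continue
        }
        if (Test-UserWritablePath -Path $dir) {
            # A path rule here would let any user run code by dropping it in the folder.
            Write-Warning "Skipping $dir (user-writeable; a path rule would be unsafe)"
            continue
        }
        $pattern = $dir.TrimEnd('\') + '\*'   # suffix wildcard: everything beneath
        $rules += New-CIPolicyRule -FilePathRule $pattern
    }
    return $rules
}

# 1. Rules from a directory scan; user-writeable files are dropped automatically.
New-CIPolicy -FilePath .\scanned.xml -Level FilePath -ScanPath 'C:\Program Files\Contoso' -UserPEs -Fallback Hash

# 2. Explicit rules. C:\Users\Public is writeable by Users, so the second
#    directory is expected to be refused by Test-UserWritablePath.
$explicit = New-SafePathRules -Directories @(
    'C:\ProgramData\Contoso\Tools',
    'C:\Users\Public\ContosoScripts'
)
# Macro form listed by the article; the agent path is an assumption.
$explicit += New-CIPolicyRule -FilePathRule '%OSDRIVE%\ContosoAgent\*'
New-CIPolicy -FilePath .\explicit.xml -Rules $explicit -UserPEs

# 3. Merge, keep the policy in audit mode (option 3) for the first rollout, and
#    leave runtime FilePath rule protection (option 18) enabled, then compile.
Merge-CIPolicy -OutputFilePath .\mypolicy.xml -PolicyPaths .\scanned.xml, .\explicit.xml
Set-RuleOption -FilePath .\mypolicy.xml -Option 3
ConvertFrom-CIPolicy -XmlFilePath .\mypolicy.xml -BinaryFilePath .\SIPolicy.p7b
```

Run it from an elevated PowerShell session on a machine that has the ConfigCI module (Windows 10 1903 or later). Because option 18 is never set, any rule that slips through on a user-writeable path is still ignored at runtime; the ACL check in the script exists so that such rules are not written into the policy in the first place, which keeps the policy readable and makes review easier.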