deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 13:47:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md
Justin Hall 4739a22778 edits from Sakib
2019-05-17 10:07:04 -07:00

2.0 KiB
Raw Blame History

title, description, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.localizationpriority, author, ms.date
title description ms.prod ms.mktglfcycl ms.sitesec ms.pagetype ms.localizationpriority author ms.date
Windows Defender Application Control path-based rules (Windows 10) Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. w10 deploy library security medium mdsakibMSFT 05/17/2019

Create Windows Defender Application Control path-based rules

Applies to:

  • Windows 10
  • Windows Server 2016

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules.

  • New-CIPolicy parameters

    • FilePath: create path rules under path <path to scan> for anything not user-writeable (at the individual file level)

      New-CIPolicy -f .\mypolicy.xml -l FilePath -s <path to scan> -u

      Optionally, add -UserWriteablePaths to ignore user writeability

    • FilePathRule: create a rule where filepath string is directly set to value of <any path string>

      New-CIPolicyRule -FilePathRule <any path string>

      Useful for wildcards like C:\foo\*

  • Usage follows the same flow as per-app rules:

    $rules = New-CIPolicyRule 
$rules += New-CIPolicyRule 

New-CIPolicyRule -f .\mypolicy.xml -u

  • Wildcards supported

    • Suffix (ex. C:\foo\*) OR Prefix (ex. *\foo\bar.exe)
      • One or the other, not both at the same time
      • Does not support wildcard in the middle (ex. C:\*\foo.exe)
    • Examples:
      • %WINDIR%\...
      • %SYSTEM32%\...
      • %OSDRIVE%\...

  • Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy:

    Set-RuleOption -o 18 .\policy.xml