windows-itpro-docs/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
2019-12-17 14:45:42 -08:00


---
title: Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules (Windows 10)
description: WDAC policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/03/2018
---

# Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules

**Applies to:**

- Windows 10
- Windows Server 2016

As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):

| Approach (as of Windows 10, version 1703) | Guideline |
|---|---|
| You can work from a list of plug-ins, add-ins, or modules that you want only a specific application to be able to run. Other applications would be blocked from running them. | Use New-CIPolicyRule with the -AppID option. |
| In addition, you can work from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use New-CIPolicyRule with the -AppID and -Deny options. |

To work with these options, the typical method is to create a separate policy that contains only the plug-in, add-in, and module rules, then merge it into your master policy with Merge-CIPolicy. Because these are user-mode rules, the merged policy must have user-mode code integrity (UMCI) enabled for them to take effect.

For example, to create a WDAC policy that allows addin1.dll and addin2.dll to run in ERP1.exe, your organization's enterprise resource planning (ERP) application, but blocks those add-ins in other applications, run the following commands. Note that in the second command, += is used to add a second rule to the $rule variable. Also note that -Level FileName keys the rule to the file's name attribute rather than to its hash or signature, so for the allow case it is weaker than a signer-based level such as FilePublisher; prefer a signer-based level for signed add-ins.

```powershell
$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe'
New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
```

As another example, to create a WDAC policy that blocks addin3.dll from running in Microsoft Word, run the following commands. You must include the -Deny option to block the specified add-in in the specified application; without it, the rule would instead allow the add-in in Word:

```powershell
$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'
New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
```
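The following script is an added, end-to-end example that is not part of the original page: it builds the allow and deny rules from the two scenarios above, writes the plug-in-only policy, merges it into an existing master policy with Merge-CIPolicy, sets the rule options, and compiles the result. The folder C:\WDAC, the base policy name BasePolicy.xml, the add-in folder, and the winword.exe path are assumptions chosen for illustration; replace them with your own.

```powershell
# Added example (not the original page's code). All paths below are assumptions.
$workDir    = 'C:\WDAC'
$basePolicy = Join-Path $workDir 'BasePolicy.xml'   # assumed: your existing master policy
$addinDir   = Join-Path $workDir 'erp-addins'       # assumed: folder holding the approved ERP add-ins
$erpApp     = Join-Path $workDir 'ERP1.exe'         # the only app allowed to load those add-ins
$wordApp    = 'C:\Program Files\Microsoft Office\root\Office16\winword.exe'  # assumed Word path
$pluginXml  = Join-Path $workDir 'AddinPolicy.xml'
$mergedXml  = Join-Path $workDir 'MergedPolicy.xml'
$mergedBin  = Join-Path $workDir 'MergedPolicy.p7b'

# 1. Allow every DLL in the add-in folder, but only when loaded by ERP1.exe.
#    This generalizes the page's two hard-coded add-ins to a whole folder.
#    -Level FileName matches the file name attribute, not a hash or signature,
#    so use a signer-based level (for example FilePublisher) for signed add-ins.
$rules = @()
foreach ($dll in Get-ChildItem -Path $addinDir -Filter '*.dll' -File) {
    $rules += New-CIPolicyRule -DriverFilePath $dll.FullName -Level FileName -AppID $erpApp
}

# 2. Block one specific add-in inside Word only; other applications are unaffected.
#    -Deny is required here; without it this line would allow the add-in in Word.
$rules += New-CIPolicyRule -DriverFilePath (Join-Path $workDir 'addin3.dll') -Level FileName -Deny -AppID $wordApp

# 3. Write the plug-in-only policy. -UserPEs makes the rules apply to user-mode binaries.
New-CIPolicy -Rules $rules -FilePath $pluginXml -UserPEs

# 4. Merge into the master policy, then confirm the add-in rules survived the merge
#    by listing every line of the merged XML that names one of the add-ins.
Merge-CIPolicy -PolicyPaths $basePolicy, $pluginXml -OutputFilePath $mergedXml
Select-String -Path $mergedXml -Pattern 'addin' | ForEach-Object { $_.Line.Trim() }

# 5. Keep user-mode code integrity enabled (option 0) and start in audit mode (option 3),
#    so a mistyped -AppID surfaces as an audit event instead of a blocked add-in.
Set-RuleOption -FilePath $mergedXml -Option 0
Set-RuleOption -FilePath $mergedXml -Option 3

# 6. Compile to the binary form that is actually deployed.
ConvertFrom-CIPolicy -XmlFilePath $mergedXml -BinaryFilePath $mergedBin
```

Run the script from an elevated PowerShell session on a machine with the ConfigCI module available. While the merged policy is in audit mode, loads that would have been blocked are recorded in the Microsoft-Windows-CodeIntegrity/Operational event log; once those events show only the expected add-in and application pairs, remove option 3 with `Set-RuleOption -FilePath $mergedXml -Option 3 -Delete`, recompile, and redeploy to enforce.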