---
title: Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules (Windows)
description: WDAC policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
manager: dansimp
ms.author: dansimp
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.date: 08/12/2021
ms.technology: mde
---
# Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules

**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the Windows Defender Application Control feature availability.
As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):
| Approach (as of Windows 10, version 1703) | Guideline |
|---|---|
| You can work from a list of plug-ins, add-ins, or modules that you want only a specific application to be able to run. Other applications would be blocked from running them. | Use `New-CIPolicyRule` with the `-AppID` option. |
| In addition, you can work from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use `New-CIPolicyRule` with the `-AppID` and `-Deny` options. |
To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your 'master' policy (merging is described in the next section).
For example, to create a WDAC policy allowing addin1.dll and addin2.dll to run in ERP1.exe, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, `+=` is used to add a second rule to the `$rule` variable:

```powershell
# Allow addin1.dll to load only when the host process is ERP1.exe
$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
# Append a second rule for addin2.dll, scoped to the same host application
$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe'
# Write both rules into an add-in-only policy; -UserPEs covers user-mode binaries
New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
```
As another example, to create a WDAC policy that blocks addin3.dll from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specified application:

```powershell
# Deny addin3.dll only inside winword.exe; other applications are unaffected
$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'
New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
```
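The following script is an added example, not code from the Microsoft page: it generalizes the two commands above into one add-in policy with several allow rules and a deny rule, then carries out the merge into a base ("master") policy that the text refers to and compiles the result in audit mode so the effect can be reviewed in the event log before enforcement. The add-in paths, `.\ERP1.exe`, `.\winword.exe` and `.\BasePolicy.xml` are assumed names.

```powershell
# Added example (not from the original article). Assumed inputs:
#   .\temp\addin1.dll, .\temp\addin2.dll, .\temp\addin3.dll  - add-in binaries
#   .\ERP1.exe, .\winword.exe                                  - host applications
#   .\BasePolicy.xml                                           - existing application policy
$hostApp   = '.\ERP1.exe'
$allowList = @('.\temp\addin1.dll', '.\temp\addin2.dll')

# One allow rule per add-in, each scoped to the host application via -AppID.
# Rules accumulate in $rules, the same += pattern the article uses.
$rules = @()
foreach ($dll in $allowList) {
    $rules += New-CIPolicyRule -DriverFilePath $dll -Level FileName -AppID $hostApp
}

# A deny rule only affects the application named in -AppID; other applications
# may still load the file, so scope it deliberately.
$rules += New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'

# Write the add-in-only policy (-UserPEs so user-mode binaries are covered).
New-CIPolicy -Rules $rules -FilePath '.\AddinRules.xml' -UserPEs

# Merge the add-in policy into the base policy that already governs applications.
Merge-CIPolicy -PolicyPaths '.\BasePolicy.xml', '.\AddinRules.xml' -OutputFilePath '.\MergedPolicy.xml'

# Rule option 3 is "Enabled:Audit Mode": the merged policy logs what it would
# block instead of blocking, until the event log confirms only the intended
# add-ins are affected. Remove the option later to enforce.
Set-RuleOption -FilePath '.\MergedPolicy.xml' -Option 3

# Compile the XML into the binary form that the system consumes.
ConvertFrom-CIPolicy -XmlFilePath '.\MergedPolicy.xml' -BinaryFilePath '.\MergedPolicy.bin'
```

Review the resulting CodeIntegrity audit events before deleting option 3; an add-in that appears in the audit log but not in `$allowList` is a sign the list is incomplete rather than a reason to widen the rule level.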