deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-11 03:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
DocsPreview ce500fde9b
Latest updates for issues content (#379) 
* Updated deployment-vdi-windows-defender-antivirus.md

* Updated deployment-vdi-windows-defender-antivirus.md

* Updated deployment-vdi-windows-defender-antivirus.md

* updates for new vdi stuff

* Adding important note to solve #3493

* Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Typo "&lt;"→"<", "&gt;"→">"

https://docs.microsoft.com/en-us/windows/application-management/manage-windows-mixed-reality

* Issue #2297

* Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Clarification

* Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* update troubleshoot-np.md

* update configure-endpoints-gp.md

* Removing a part which is not supported

* Name change

* update troubleshoot-np.md

* removed on-premises added -hello

* Added link into Domain controller guide

* Line corections

* corrected formatting of xml code samples

When viewing the page in Win 10/Edge, the xml code samples stretched across the page, running into the side menu. The lack of line breaks also made it hard to read.

This update adds line breaks and syntax highlighting, replaces curly double quotes with standard double quotes, and adds a closing tag for <appv:appconnectiongroup>for each code sample

* Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Update windows/deployment/update/waas-delivery-optimization-reference.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Update windows/deployment/update/waas-delivery-optimization-reference.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* corrected formating of XML examples

The XML samples here present the same formatting problems as in about-the-connection-group-file51.md (see https://github.com/MicrosoftDocs/windows-itpro-docs/pull/3847/)

Perhaps we should open an issue to see if we have more versions of this code sample in the docs

* corrected formatting of XML example section

In the XML example on this page, the whitespace had been stripped out, so there were no spaces between adjacent attribute values or keys.

This made it hard to read, though the original formatting allowed for a scroll bar, so the text was not running into the side of the page (compare to https://github.com/MicrosoftDocs/windows-itpro-docs/pull/3847 and https://github.com/MicrosoftDocs/windows-itpro-docs/pull/3850, where the uncorrected formatting forced the text to run into the side menu).

* update configure-endpoints-gp.md

* Fixed error in registry path and improved description

* Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* Removing extra line in 25 

Suggested by

* update windows-analytics-azure-portal.md

* re: broken links, credential-guard-considerations

Context:
* #3513, MVA is being retired and producing broken links
* #3860 Microsoft Virtual Academy video links

This page contains two links to deprecated video content on Microsoft Virtual Academy (MVA).

MVA is being retired. 

In addition, the Deep Dive course the two links point to is already retired, and no replacement course exists.

I removed the first link, as I could not find a similar video available describing which credentials are covered by credential guard.

I replaced the second link with a video containing similar material, though it is not a "deep dive".

Suggestions on handling this problem, as many pages contain similar links, would be appreciated,.

* removed link to retired video re: #3867

Context:
* #3513, MVA is being retired and producing broken links
* #3867, Microsoft Virtual Academy video links

This page contains a broken link to deprecated video content on Microsoft Virtual Academy (MVA).

MVA is being retired. 

In addition, the Deep Dive course is already retired, and no replacement course exists.

I removed the whole _See Also_ section, as I could not find a video narrowly or deeply addressing how to protect privelaged users with Credential Guard. The most likely candidate is too short and general: https://www.linkedin.com/learning/cism-cert-prep-1-information-security-governance/privileged-account-management

* addressing broken mva links, #3817

Context:
* #3513, MVA is being retired and producing broken links
* #3817, Another broken link

This page contains two links to deprecated video content on Microsoft Virtual Academy (MVA).

MVA is being retired. 

In addition, the Deep Dive course the two links point to is already retired, and no replacement course exists.

I removed the first link, as we no longer have a video with similar content for a similar audience. The most likely candidate is https://www.linkedin.com/learning/programming-foundations-web-security-2/types-of-credential-attacks, which is more general and for a less technical audience. 

I removed the second link and the _See Also_ section, as I could not find a similar video narrowly focused on which credentials are covered by Credential Guard. Most of the related material available now describes how to perform a task.

* Update deployment-vdi-windows-defender-antivirus.md

* typo fix re: #3876; DMSA -> DSMA

* Addressing dead MVA links, #3818

This page, like its fellows in the mva-links label, contains links to a retired video course on a website that is retiring soon.

The links listed by the user in issue #3818 were also on several other pages, related to Credentials Guard. 

These links were addressed in the pull requests #3875, #3872, and #3871

Credentials threat & lateral threat link: removed (see PR #3875 for reasoning) 
Virtualization link: replaced (see #3871 for reasoning)
Credentials protected link: removed (see #3872 for reasoning)

* Adding notes for known issue in script

Solves #3869

* Updated the download link admx files Windows 10

Added link for April 2018 and Oct 2018 ADMX files.

* added event logs path

Referenced : https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard

* Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md

Suggestions applied.

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update deployment-vdi-windows-defender-antivirus.md

* screenshot update

* Add files via upload

* update 4 scrrenshots

* Update deployment-vdi-windows-defender-antivirus.md

* Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Re: #3909

Top link is broken, #3909 

> The link here does not work:
> Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

The link to the pdf describing MDATP was broken.

Thankfully, PR #2897 updated the same link in another page some time ago, so I didn't have to go hunting for an equivalent

* CI Update

* Updated as per task 3405344

* Updated author

* Update windows-analytics-azure-portal.md

* added the example query

* Updated author fields

* Update office-csp.md

* update video for testing

* update video

* Update surface-hub-site-readiness-guide.md

line 134 Fixed  video link MD formatting

* fixing video url

* updates from Albert

* Bulk replaced author to manikadhiman

* Bulk replaced ms.author to v-madhi

* Latest content is published (#371)

* Added 1903 policy DDF link and fixed a typo

* Reverted the DDF version

* Latest update (#375)

* Update deployment-vdi-windows-defender-antivirus.md

* Update deployment-vdi-windows-defender-antivirus.md
2019-06-06 15:54:17 -07:00

9.4 KiB
Raw Blame History

title, description, keywords, ms.prod, ms.mktglfcycl, ms.localizationpriority, author, ms.date, ms.reviewer, manager, ms.author
title description keywords ms.prod ms.mktglfcycl ms.localizationpriority author ms.date ms.reviewer manager ms.author
Planning and getting started on the Windows Defender Application Control deployment process (Windows 10) To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Application Control, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. virtualization, security, malware w10 deploy medium dansimp 05/16/2018 dansimp dansimp

Planning and getting started on the Windows Defender Application Control deployment process

Applies to

  • Windows 10
  • Windows Server 2016

This topic provides a roadmap for planning and getting started on the Windows Defender Application Control (WDAC) deployment process, with links to topics that provide additional detail. Planning for WDAC deployment involves looking at both the end-user and the IT pro impact of your choices.

Planning

  1. Review requirements, especially hardware requirements for VBS.

  2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
    Deployment is simpler if everything is locked down in the same way, but meeting individual departments needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.

  3. Review how much variety in software and hardware is needed by roles or departments. The following questions can help you clarify how many WDAC policies to create:

    • How standardized is the hardware?
      This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.

    • What software does each department or role need? Should they be able to install and run other departments software?
      If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.

    • Are there departments or roles where unique, restricted software is used?
      If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy.

    • Is there already a list of accepted applications?
      A list of accepted applications can be used to help create a baseline WDAC policy.
      As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).

    • As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? In day-to-day operations, your organizations security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies.

      Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.

      For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your WDAC policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.

      Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see Microsoft recommended block rules.

  4. Identify LOB applications that are currently unsigned. Although requiring signed code (through WDAC) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them.

Getting started on the deployment process

  1. Optionally, create a signing certificate for Windows Defender Application Control. As you deploy WDAC, you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate.

  2. Create WDAC policies from reference computers. In this respect, creating and managing WDAC policies to align with the needs of roles or departments can be similar to managing corporate images. From each reference computer, you can create a WDAC policy, and decide how to manage that policy. You can merge WDAC policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.

  3. Audit the WDAC policy and capture information about applications that are outside the policy. We recommend that you use audit mode to carefully test each WDAC policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.

  4. Create a catalog file for unsigned LOB applications. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your WDAC policy, so that applications in the catalog will be allowed by the policy.

  5. Capture needed policy information from the event log, and merge information into the existing policy as needed. After a WDAC policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge WDAC policies from other sources also, for flexibility in how you create your final WDAC policies.

  6. Deploy WDAC policies and catalog files. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking WDAC policies out of auditing mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and WDAC policies more broadly.

  7. Enable desired virtualization-based security (VBS) features. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control.

Known issues

This section covers known issues with WDAC and Device Guard. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error). Test this configuration in your lab before enabling it in production.

MSI Installations are blocked by WDAC

Installing .msi files directly from the internet to a computer protected by WDAC will fail. For example, this command will not work:

msiexec i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi

As a workaround, download the MSI file and run it locally:

msiexec i c:\temp\Windows10_Version_1511_ADMX.msi