From 682393c28ca5b7e8389ab26ecf8e7e0be2a8af1e Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Wed, 9 Oct 2024 19:59:45 -0500 Subject: [PATCH 1/2] Add note about temp files created to detect AppLocker --- .../security/app-control/application-control.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/reference/docs-conceptual/security/app-control/application-control.md b/reference/docs-conceptual/security/app-control/application-control.md index b784de2e52c5..a4b5e469f145 100644 --- a/reference/docs-conceptual/security/app-control/application-control.md +++ b/reference/docs-conceptual/security/app-control/application-control.md @@ -16,9 +16,19 @@ based on unique properties of the files. **WDAC**, introduced with Windows 10, allows you to control which drivers and applications are allowed to run on Windows. -PowerShell detects both AppLocker and WDAC system wide policies. AppLocker is deprecated. WDAC is -the preferred application control system for Windows. WDAC is designed as a security feature under -the servicing criteria defined by the Microsoft Security Response Center (MSRC). +## Lockdown policy detection + +PowerShell detects both AppLocker and WDAC system wide policies. AppLocker doesn't have way to query +the policy enforcement status. To detect if a system wide application control policy is being +enforced by AppLocker, PowerShell creates two temporary files and tests if they can be executed. The +files use the following name format: + +- `$env:TEMP/__PSAppLockerTest__.ps1` +- `$env:TEMP/__PSAppLockerTest__.psm1` + +WDAC is the preferred application control system for Windows. WDAC provides APIs that allow you to +discover the policy configuration. WDAC is designed as a security feature under the servicing +criteria defined by the Microsoft Security Response Center (MSRC). For more information about AppLocker and WDAC, see [Application Controls for Windows][04] and [WDAC and AppLocker feature availability][02]. 
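Review bot: The rewrite of the "Lockdown policy detection" paragraph silently drops the sentence "AppLocker is deprecated." from the removed lines; if the deprecation still applies it should be kept in the new paragraph (for example before "WDAC is the preferred application control system for Windows"), and if it was removed on purpose the commit message should say so. The same paragraph also has a missing article in "AppLocker doesn't have way to query the policy enforcement status" ("doesn't have a way to query"), and it does not say when PowerShell performs the test, which readers who find `__PSAppLockerTest__.ps1` and `__PSAppLockerTest__.psm1` in `$env:TEMP` or in AppLocker audit output will want to know (at startup of each session, or on demand); one sentence stating the timing would make the note actionable. Minor: the two paths use a forward slash (`$env:TEMP/__PSAppLockerTest__.ps1`); PowerShell accepts it on Windows, but the rest of the Windows-facing docs would normally show `$env:TEMP\...`.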
From 11b1cfbc7a2081043ab10e1f98b681be8930eb98 Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Wed, 9 Oct 2024 20:03:53 -0500 Subject: [PATCH 2/2] fix typo --- .../docs-conceptual/security/app-control/application-control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/docs-conceptual/security/app-control/application-control.md b/reference/docs-conceptual/security/app-control/application-control.md index a4b5e469f145..cdf619174997 100644 --- a/reference/docs-conceptual/security/app-control/application-control.md +++ b/reference/docs-conceptual/security/app-control/application-control.md @@ -21,7 +21,7 @@ allowed to run on Windows. PowerShell detects both AppLocker and WDAC system wide policies. AppLocker doesn't have way to query the policy enforcement status. To detect if a system wide application control policy is being enforced by AppLocker, PowerShell creates two temporary files and tests if they can be executed. The -files use the following name format: +filenames use the following name format: - `$env:TEMP/__PSAppLockerTest__.ps1` - `$env:TEMP/__PSAppLockerTest__.psm1`
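Review bot: The new wording "The filenames use the following name format:" is redundant (filenames ... name format) and, since the list gives the two literal names rather than a pattern, "format" is also not quite right; "The files have the following names:" reads cleaner. While touching this paragraph, the missing article in the unchanged context line "AppLocker doesn't have way to query the policy enforcement status" ("doesn't have a way") could be fixed in the same typo commit, and "system wide" would normally be hyphenated as "system-wide" when used as an adjective.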