Clarified vulnerable driver blocklist behaviors and fixed gaps in deployment instructions for some scenarios
jsuther1974 committed Oct 6, 2022
1 parent 34f3049 commit 7d60611
Showing 5 changed files with 70 additions and 37 deletions.
Expand Up @@ -6,11 +6,11 @@ ms.prod: m365-security
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: jogeurte
ms.reviewer: aaroncz
ms.author: jogeurte
ms.manager: jsuther
manager: dansimp
ms.date: 03/08/2022
ms.date: 10/06/2022
ms.technology: windows-sec
ms.topic: article
ms.localizationpriority: medium
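Review bot: the front matter in this hunk carries two manager keys with different values, `ms.manager: jsuther` and `manager: dansimp`; since the change already touches `ms.reviewer` and `ms.date` in this block, consider reconciling them to the single `manager` key that the other two files in this commit use.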
Expand All @@ -27,13 +27,15 @@ ms.localizationpriority: medium
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host.
This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host.

> [!NOTE]
> To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
## Deploying policies for Windows 10 version 1903 and above

You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).

1. Initialize the variables to be used by the script.

```powershell
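Review bot: the new note telling readers to download the WDAC policy refresh tool and to make sure their policies allow it sits above the section heading, while the tool is first used at step 4 (`Run RefreshPolicy.exe`); consider placing it next to that step, and say what "allow" means in practice (a rule in the policy that covers RefreshPolicy.exe, for example by publisher or by file hash), because an enforced policy that does not cover the tool will block it and the refresh step will fail. The `aka.ms/refreshpolicy` short link hides where the download comes from; stating the publisher readers should expect to see on the downloaded binary would let them verify it before distributing it to every managed endpoint.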
Expand All @@ -49,7 +51,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
```

3. Repeat steps 1-2 as appropriate to deploy additional WDAC policies.
3. Repeat steps 1-2 as appropriate to deploy more WDAC policies.
4. Run RefreshPolicy.exe to activate and refresh all WDAC policies on the managed endpoint.

```powershell
Expand Down Expand Up @@ -82,7 +84,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p

In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically.

1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt:
1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt:

```powershell
$MountPoint = 'C:\EFIMount'
Expand Up @@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 06/27/2022
ms.date: 10/06/2022
ms.technology: windows-sec
---

Expand All @@ -31,13 +31,17 @@ ms.technology: windows-sec
>
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy.

You should now have a WDAC policy converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).

The following procedure walks you through how to deploy a WDAC policy called **SiPolicy.p7b** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.

To deploy and manage a Windows Defender Application Control policy with Group Policy:

1. On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC**

2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**.
2. Create a new GPO: right-click an OU and then select **Create a GPO in this domain, and Link it here**.

> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md).
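Review bot: renaming the walkthrough's example policy from **ContosoPolicy.bin** to **SiPolicy.p7b** undercuts the note later in this same file, which explains that any policy binary, whatever its name, is converted to SIPolicy.p7b on the client; with the example already named SiPolicy.p7b the reader cannot see that conversion happen, and the example also introduces a capitalization mismatch (SiPolicy vs. SIPolicy) with that note. Either keep a distinct example name as before or use one spelling consistently in both places.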
Expand All @@ -46,22 +50,22 @@ To deploy and manage a Windows Defender Application Control policy with Group Po

3. Name the new GPO. You can choose any name.

4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
4. Open the Group Policy Management Editor: right-click the new GPO, and then select **Edit**.

5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then select **Edit**.

![Edit the Group Policy for Windows Defender Application Control.](../images/wdac-edit-gp.png)

6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.

In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with ContosoPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\ContosoPolicy.bin.
In this policy setting, you specify either the local path where the policy will exist on each client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, the path to SiPolicy.p7b using the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) would be %USERPROFILE%\Desktop\SiPolicy.p7b.

> [!NOTE]
> This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
![Group Policy called Deploy Windows Defender Application Control.](../images/dg-fig26-enablecode.png)

> [!NOTE]
> You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
> You may have noticed that the GPO setting references a .p7b file, but the file extension and name of the policy binary do not matter. Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b when applied to the client computers running Windows 10. If you are deploying different WDAC policies to different sets of devices, you may want to give each of your WDAC policies a friendly name and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the WDAC policy.
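Review bot: the new example path `%USERPROFILE%\Desktop\SiPolicy.p7b` is a poor fit for this setting. It lives under Computer Configuration (step 5 above), so the path is expanded on each client in the machine context, not in the profile of the administrator who followed the deployment guide, and the note two lines below says the file does not need to be on every computer when a share is used. Restore a local example under `C:\Windows\System32\CodeIntegrity\` or show a UNC path instead. While touching the note about copying policies "to a file share to which all computer accounts have access", add that the share should give computer accounts read access only and grant write access solely to the administrators who manage the policy, because anyone who can overwrite that file changes the allowed-code policy for every device linked to the GPO. Two small wording points: "Regardless of what you name your policy binary, they are all converted" has no plural antecedent (use "it is converted"), and the two notes now both state the SIPolicy.p7b conversion, so they could be merged.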
Expand Up @@ -6,10 +6,10 @@ ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
ms.date: 06/27/2022
ms.date: 10/06/2022
ms.topic: how-to
---

Expand Down Expand Up @@ -48,19 +48,17 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo
> [!NOTE]
> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).

### Deploy custom WDAC policies on Windows 10 1903+

Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.

The steps to use Intune's custom OMA-URI functionality are:

1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>`

2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.

3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).

4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
- **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
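Review bot: deleting the former steps 1 and 2 removes the only explanation of where the `_Policy GUID_` placeholder in the OMA-URI `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy` comes from (the `<PolicyID>` element of the policy XML) and drops the statement that the binary may be signed or unsigned. The new sentence pointing at the deployment guide covers the ConvertFrom-CIPolicy step, but the remaining step 2 still depends on the GUID, so keep a one-line reminder such as "Replace _Policy GUID_ with the `<PolicyID>` value from your policy XML."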
