From 7d606111d22052c9be413b1f89be81338b57a01e Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 6 Oct 2022 10:53:08 -0700 Subject: [PATCH] Clarified vulnerable driver blocklist behaviors and fixed gaps in deployment instructions for some scenarios --- .../deploy-wdac-policies-with-script.md | 12 +++--- ...ion-control-policies-using-group-policy.md | 18 +++++---- ...plication-control-policies-using-intune.md | 14 +++---- ...icrosoft-recommended-driver-block-rules.md | 37 +++++++++++-------- ...er-application-control-deployment-guide.md | 26 ++++++++++++- 5 files changed, 70 insertions(+), 37 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 28a74c5e9f6..aaa72b90984 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -6,11 +6,11 @@ ms.prod: m365-security audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: jogeurte +ms.reviewer: aaroncz ms.author: jogeurte ms.manager: jsuther manager: dansimp -ms.date: 03/08/2022 +ms.date: 10/06/2022 ms.technology: windows-sec ms.topic: article ms.localizationpriority: medium 
@@ -27,13 +27,15 @@ ms.localizationpriority: medium >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. +This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. > [!NOTE] > To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. ## Deploying policies for Windows 10 version 1903 and above +You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). + 1. Initialize the variables to be used by the script. ```powershell @@ -49,7 +51,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force ``` -3. Repeat steps 1-2 as appropriate to deploy additional WDAC policies. +3. Repeat steps 1-2 as appropriate to deploy more WDAC policies. 4. Run RefreshPolicy.exe to activate and refresh all WDAC policies on the managed endpoint. ```powershell 
@@ -82,7 +84,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. -1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: +1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: ```powershell $MountPoint = 'C:\EFIMount' diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md index 5fd44350eed..f110c2ca6a2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 06/27/2022 +ms.date: 10/06/2022 ms.technology: windows-sec --- 
@@ -31,13 +31,17 @@ ms.technology: windows-sec > > Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. -Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**. +Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. + +You should now have a WDAC policy converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). + +The following procedure walks you through how to deploy a WDAC policy called **SiPolicy.p7b** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**. To deploy and manage a Windows Defender Application Control policy with Group Policy: 1. On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** -2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**. +2. Create a new GPO: right-click an OU and then select **Create a GPO in this domain, and Link it here**. > [!NOTE] > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md). 
@@ -46,15 +50,15 @@ To deploy and manage a Windows Defender Application Control policy with Group Po 3. Name the new GPO. You can choose any name. -4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. +4. Open the Group Policy Management Editor: right-click the new GPO, and then select **Edit**. -5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**. +5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then select **Edit**. ![Edit the Group Policy for Windows Defender Application Control.](../images/wdac-edit-gp.png) 6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path. - In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with ContosoPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\ContosoPolicy.bin. + In this policy setting, you specify either the local path where the policy will exist on each client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, the path to SiPolicy.p7b using the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) would be %USERPROFILE%\Desktop\SiPolicy.p7b. > [!NOTE] > This policy file does not need to be copied to every computer. 
You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. @@ -62,6 +66,6 @@ To deploy and manage a Windows Defender Application Control policy with Group Po ![Group Policy called Deploy Windows Defender Application Control.](../images/dg-fig26-enablecode.png) > [!NOTE] - > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. + > You may have noticed that the GPO setting references a .p7b file, but the file extension and name of the policy binary do not matter. Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b when applied to the client computers running Windows 10. If you are deploying different WDAC policies to different sets of devices, you may want to give each of your WDAC policies a friendly name and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. 7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the WDAC policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md index 9db5920c585..f155922fc33 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md @@ -6,10 +6,10 @@ ms.technology: itpro-security ms.localizationpriority: medium ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 06/27/2022 +ms.date: 10/06/2022 ms.topic: how-to --- 
@@ -48,19 +48,17 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo > [!NOTE] > Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy. +You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). + ### Deploy custom WDAC policies on Windows 10 1903+ Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. The steps to use Intune's custom OMA-URI functionality are: -1. Know a generated policy's GUID, which can be found in the policy xml as `` - -2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned. - -3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). +1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). -4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: +2. 
Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy` - **Data type**: Base64 (file) - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 6382926723c..194852f1d7a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -11,9 +11,10 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jgeurten -ms.reviewer: isbrahm +ms.reviewer: aaroncz ms.author: dansimp manager: dansimp +ms.date: 10/06/2022 --- # Microsoft recommended driver block rules 
@@ -27,30 +28,26 @@ manager: dansimp >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: +Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers. When vulnerabilities in drivers are found, we work with our partners to ensure they're quickly patched and rolled out to the ecosystem. 
The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: - Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel - Malicious behaviors (malware) or certificates used to sign malware - Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel -Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center -](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. +Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). 
To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. ## Microsoft vulnerable driver blocklist -Microsoft adds the vulnerable versions of the drivers to our vulnerable driver blocklist, which is automatically enabled on devices when any of the listed conditions are met: - -| Condition | Windows 10 or 11 | Windows 11 22H2 or later | -|--|:--:|:--:| -| Device has [Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) enabled | :heavy_check_mark: | :heavy_check_mark: | -| Device is in [S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85#WindowsVersion=Windows_11) | :heavy_check_mark: | :heavy_check_mark: | -| Device has [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) enabled | :x: | :heavy_check_mark: | -| Clean install of Windows | :x: | :heavy_check_mark: | +With Windows 11 2022 update, the vulnerable driver blocklist is enabled by default for all devices, and can be turned on or off via the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app. The vulnerable driver blocklist is also enforced when either memory integrity (also known as hypervisor-protected code integrity or HVCI), Smart App Control, or S mode is active. Users can opt in to HVCI using the Windows Security app, and HVCI is on by-default for most new Windows 11 devices. 
> [!NOTE] -> Microsoft vulnerable driver blocklist can also be enabled using [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2), but the option to disable it is grayed out when HVCI or Smart App Control is enabled, or when the device is in S mode. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can disable Microsoft vulnerable driver blocklist. +> The option to turn Microsoft's vulnerable driver blocklist on or off using the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app is grayed out when HVCI, Smart App Control, or S mode is enabled. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can turn off the Microsoft vulnerable driver blocklist. + +The blocklist is updated with each new major release of Windows. We plan to update the current blocklist for non-Windows 11 customers in an upcoming servicing release and will occasionally publish future updates through regular Windows servicing. + +Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies. ## Blocking vulnerable drivers using WDAC @@ -401,7 +398,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1800,7 +1797,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + 
@@ -2185,6 +2182,16 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- > [!NOTE] > The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](create-wdac-deny-policy.md#single-policy-considerations). +## Steps to download and apply the vulnerable driver blocklist binary + +If you prefer to apply the vulnerable driver blocklist exactly as shown above, follow these steps: + +1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) +2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList) +3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b +4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity +5. Run the RefreshPolicy(*Arch*).exe you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer + ## More information - [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index e993bb919d9..55a8f663fe4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md 
@@ -9,7 +9,7 @@ author: jgeurten ms.reviewer: aaroncz ms.author: jogeurte manager: jsuther -ms.date: 06/27/2022 +ms.date: 10/06/2022 ms.topic: overview --- 
@@ -26,9 +26,31 @@ ms.topic: overview You should now have one or more Windows Defender Application Control (WDAC) policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding. +## Convert your WDAC policy XML to binary + +Before you deploy your WDAC policies, you must first convert the XML to its binary form. You can do this using the following PowerShell example. You must set the $WDACPolicyXMLFile variable to point to your WDAC policy XML file. + + ```powershell + ## Update the path to your WDAC policy XML + $WDACPolicyXMLFile = $env:USERPROFILE"\Desktop\MyWDACPolicy.xml" + [xml]$WDACPolicy = Get-Content -Path $WDACPolicyXMLFile + if (($WDACPolicy.SiPolicy.PolicyID) -ne $null) ## Multiple policy format (For Windows builds 1903+ only, including Server 2022) + { + $PolicyID = $WDACPolicy.SiPolicy.PolicyID + $PolicyBinary = $PolicyID+".cip" + } + else ## Single policy format (Windows Server 2016 and 2019, and Windows 10 1809 LTSC) + { + $PolicyBinary = "SiPolicy.p7b" + } + + ## Binary file will be written to your desktop + ConvertFrom-CIPolicy -XmlFilePath $WDACPolicyXMLFile -BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary + ``` + ## Plan your deployment -As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Decide what devices you'll manage with Windows Defender Application Control and split them into deployment rings so you can control the scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next. +As with any significant change to your environment, implementing application control can have unintended consequences. 
To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Identify the devices you'll manage with WDAC and split them into deployment rings. This way, you can control the speed and scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next. All Windows Defender Application Control policy changes should be deployed in audit mode before proceeding to enforcement. Carefully monitor events from devices where the policy has been deployed to ensure the block events you observe match your expectation before broadening the deployment to other deployment rings. If your organization uses Microsoft Defender for Endpoint, you can use the Advanced Hunting feature to centrally monitor WDAC-related events. Otherwise, we recommend using an event log forwarding solution to collect relevant events from your managed endpoints.
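Review bot: In deploy-windows-defender-application-control-policies-using-group-policy.md, hunk @@ -46,15, the new example path `%USERPROFILE%\Desktop\SiPolicy.p7b` contradicts the sentence it sits in, which says the value is "the local path where the policy will exist on each client computer" or a UNC path. The setting is under Computer Configuration, so the client resolves it in machine context, where %USERPROFILE% does not point at the desktop the conversion script wrote to, and it is not a UNC path either. Suggest keeping a client-local example in the style of the removed sentence, such as `C:\Windows\System32\CodeIntegrity\SiPolicy.p7b`, or a file-share UNC path, and adding that the SiPolicy.p7b produced on your desktop has to be copied to that location first.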
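Review bot: In the same file, hunk @@ -62,6, the rewritten note has a subject mismatch: "Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b" should read "it is converted to SiPolicy.p7b". The casing is also inconsistent within this patch (SIPolicy.p7b in this note and in the unchanged context line, SiPolicy.p7b in hunks @@ -31,13 and @@ -46,15); pick one spelling. And now that the walkthrough's example file is itself named SiPolicy.p7b, the opening "You may have noticed that the GPO setting references a .p7b file" no longer has a contrast to explain; consider leading with the point that the name and extension of the binary you point to do not matter.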
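Review bot: In deploy-windows-defender-application-control-policies-using-intune.md, hunk @@ -48,19, removing the step "Know a generated policy's GUID" leaves the `_Policy GUID_` placeholder in `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy` with no explanation of where the value comes from. Suggest keeping one sentence saying the GUID is the PolicyID from the policy XML, which is also the value the conversion script in the deployment guide uses for the .cip file name. The removed step 2 also stated that "The binary policy may be signed or unsigned"; that fact is lost in the new text and is worth retaining. Finally, only steps 1 and 2 appear in this hunk after the renumbering; verify that any numbered steps further down the list were renumbered as well.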
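Review bot: In microsoft-recommended-driver-block-rules.md, hunk @@ -27,30, the removed table limited default-on to a "Clean install of Windows" on Windows 11 22H2, while the replacement sentence says the blocklist "is enabled by default for all devices" with the 2022 update; say explicitly whether devices upgraded in place to the 2022 update also get it, since that is the distinction the table used to make. Wording nits in the same paragraph: "on by-default" should be "on by default", "With Windows 11 2022 update" should be "With the Windows 11 2022 Update", and "either" does not fit three alternatives ("when memory integrity ..., Smart App Control, or S mode is active"). The added sentence "We plan to update the current blocklist for non-Windows 11 customers in an upcoming servicing release" is time-bound and will go stale in a reference article; consider phrasing it without "upcoming".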
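Review bot: In microsoft-recommended-driver-block-rules.md, hunk @@ -2185,6, steps 3 and 4 rename the binary to SiPolicy.p7b and copy it to %windir%\system32\CodeIntegrity, which overwrites any single-policy-format WDAC policy already at that path. That conflicts with the note immediately above the new section, which recommends deploying the blocklist alongside an existing WDAC policy rather than merging. Suggest adding a caveat that these steps assume no existing SiPolicy.p7b on the device, and pointing Windows 10 1903+ and Windows 11 readers to the multiple-policy deployment steps in deploy-wdac-policies-with-script.md so the blocklist can coexist with their existing policy.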
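Review bot: In windows-defender-application-control-deployment-guide.md, hunk @@ -26,9, the first line of the new script does not parse: `$WDACPolicyXMLFile = $env:USERPROFILE"\Desktop\MyWDACPolicy.xml"` juxtaposes a variable and a string literal on the right side of an assignment, which PowerShell rejects in expression mode ("Unexpected token"). Use `"$env:USERPROFILE\Desktop\MyWDACPolicy.xml"` or `Join-Path $env:USERPROFILE 'Desktop\MyWDACPolicy.xml'`. The code fence and its contents are also indented four spaces without being inside a list item, which Markdown renders as an indented code block with the literal ```powershell lines inside it; dedent the block to match the other fences in these articles. Minor: write the comparison as `$null -ne $WDACPolicy.SiPolicy.PolicyID`, the form PowerShell guidance recommends, since `-ne $null` with the value on the left filters a collection instead of returning a boolean.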