From 230b69930c302d863990950d16563fdd685358a7 Mon Sep 17 00:00:00 2001 From: NikTilton <144963694+NikTilton@users.noreply.github.com> Date: Mon, 23 Sep 2024 18:57:10 -0500 Subject: [PATCH] Update wdac.md WDAC documentation incorrectly states that you can disable Smart Application Control by setting the REG_DWORD VerifiedAndReputablePolicyState to a value of 0 and using CiTool.exe -r OR rebooting the device. This is unfortunately not correct, on reboot WDAC/CI DOES NOT notify Defender of the CI policy change (Smart App Control/SmartLocker disabled) so the Defender registry key Smartlockermode never gets updated, leading to Defender never being disabled when 3rd party AV is installed. CSS has multiple cases that span across Windows Devices and Deployment, Escalations to the Windows EEs, Windows Defender for Endpoint, and several ICMs to their PG teams as well. --- .../windows-defender-application-control/wdac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md index 2d0145d3bce..73aef3a9e3c 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md @@ -33,7 +33,7 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy). -Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect. +Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect. | Value | Description | |-------|-------------|