Update deploy-wdac-policies-with-script.md #11931
Conversation
Removed a stipulation which implies that signed WDAC policies have to be placed within System32 and EFI locations. In many cases they should ONLY be placed in the EFI partition. (NOT the System32 location.) This updated wording matches the behavior of the CiTool (when using `CiTool --update-policies` to deploy a new signed policy). NOTE: It's recommended that the wording be refined even further to emphasize that you **SHOULDN'T** place a signed policy in both locations. We are aware of blue-screens affecting Windows 11 devices which have signed policies in both locations. (Affected models: Dell Precision 3680, Dell Precision 3650 Tower, Dell OptiPlex Micro 7010, Dell Inspiron 15 3511.) It's possible others could be affected.
Learn Build status updates of commit 2cd9238: ✅ Validation status: passed
For more details, please refer to the build report. For any questions, please:
@@ -83,7 +83,7 @@ Use WMI to apply policies on all other versions of Windows and Windows Server. | |||
|
|||
## Deploying signed policies | |||
|
|||
If you're using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned WDAC policies don't need to be present in the EFI partition. <!-- Deploying your policy via [Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. --> | |||
If you're using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition. Unsigned WDAC policies don't need to be present in the EFI partition. <!-- Deploying your policy via [Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. --> |
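Review bot: the rewritten sentence drops "in addition to the locations outlined in the earlier sections" but says nothing about the System32 location, so a reader can still conclude that a signed policy belongs in both places, which the PR description says causes blue screens on some Windows 11 devices. Suggest stating the exclusion explicitly, e.g. "the policies must be deployed into your device's EFI partition instead of the System32 location used for unsigned policies." The commented-out sentence about Intune and the Application Control CSP handling this step automatically is still hidden in the `<!-- -->` block; if it is restored, CiTool belongs in that list too.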
@jgeurten - Should we actually say that the unsigned policies should not be copied to EFI although it should be benign (modulo bugs which used to exist causing them to be enforced if present)?
We should also include citool in the list of deployment methods that do all the work for you.
@jgeurten is there any further edit needed on this contribution or good to accept? See Jeffrey's review comments.
I've implemented the changes and resolved the merge conflict in a PR in the private repo. The changes will be live later today. Closing this PR.
Removed a stipulation which implies that signed WDAC policies have to be placed within System32 and EFI locations. In some cases they should ONLY be placed in the EFI partition. (NOT the System32 location.) This updated wording matches the real behavior of the CiTool (when using `CiTool --update-policies` to deploy a new signed policy). Additionally, for devices without the CiTool (e.g. running Windows 10), you can put signed policies in the EFI partition and not the System32 folder with 0 consequence (correct me if I'm wrong on this.)
Additionally, I haven't put this in the pull request, but the wording of the article should be updated in the section "Deploying policies for Windows 11 22H2 and above" to state that a signed WDAC policy should not be placed in both locations (as this will cause a blue-screen! We've verified this on at least 4 different models of Dell running Windows 11.)
The reason this should be put in is there is an implied wording of the article that one can use either the CiTool on 22H2 devices and above (i.e., "You can use the inbox CiTool to apply policies on Windows 11 22H2") or copy it to both locations -- which is not true, so the wording will have to be updated either way.
Description
Removed the "in addition to [previous] locations..." so that it wouldn't imply that you always have to place a signed policy in the System32 location.
Why
The proposed changes bring this article in-line with the behavior of Microsoft's CiTool.
Changes
Clarifies wording of where signed WDAC policies should be placed (when copying signed policies.)
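As an added example (not the PR's or the docs article's own script), the following PowerShell fragment covers the case the description raises for devices without CiTool: it places a signed policy in the EFI partition only and refuses to proceed if a policy with the same GUID is already active under System32, so the same signed policy never ends up in both locations. The EFI folder layout and the `mountvol` mount/dismount steps are assumed from the standard WDAC deployment procedure; `$PolicyBinary` is a placeholder path.

```powershell
# Added example: deploy a signed WDAC policy to the EFI partition ONLY
# (for devices without CiTool). Aborts if the same policy GUID is already
# present in the System32 active folder, so it is never in both places.
# Assumptions: standard WDAC policy paths; $PolicyBinary is a placeholder.
#Requires -RunAsAdministrator
$PolicyBinary   = 'C:\Policies\{A244370E-44C9-4C06-B551-F6016E563076}.cip'  # placeholder
$PolicyFile     = Split-Path -Leaf $PolicyBinary
$System32Active = "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active"
$MountPoint     = 'C:\EFIMount'
$EFIActive      = "$MountPoint\EFI\Microsoft\Boot\CiPolicies\Active"

if (-not (Test-Path $PolicyBinary)) {
    throw "Policy binary not found: $PolicyBinary"
}

# Guard: a signed policy that is also active in System32 must not be
# copied to EFI as well. Stop and let the operator clean up first.
if (Test-Path (Join-Path $System32Active $PolicyFile)) {
    throw "Policy $PolicyFile is already active in $System32Active; remove it there before placing the signed copy in the EFI partition."
}

# Mount the EFI System Partition at a local folder.
$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
if (-not (Test-Path $MountPoint)) {
    New-Item -Path $MountPoint -ItemType Directory -Force | Out-Null
}
mountvol $MountPoint $EFIPartition
try {
    if (-not (Test-Path $EFIActive)) {
        New-Item -Path $EFIActive -ItemType Directory -Force | Out-Null
    }
    Copy-Item -Path $PolicyBinary -Destination $EFIActive -Force
    Write-Host "Signed policy $PolicyFile placed in the EFI partition only."
}
finally {
    # Always dismount, even if the copy failed.
    mountvol $MountPoint /D
}
```

On Windows 11 22H2 and later, use CiTool instead of this script so the tool chooses the location itself; the guard above is still a useful pre-flight check before any manual copy.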