diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md index 369252b993f..8de7b6d9812 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md @@ -16,13 +16,13 @@ This article describes how to deploy App Control for Business policies using scr You should now have one or more App Control policies converted into binary form. If not, follow the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md). > [!IMPORTANT] -> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart. +> Due to a known issue in Windows 11 updates earlier than 2024 (24H2), you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart. > > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. -## Deploying policies for Windows 11 22H2 and above +## Deploying policies for Windows 11 22H2 and above, and Windows Server 2025 and above -You can use the inbox [CiTool](../operations/citool-commands.md) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your App Control policy binary file. +You can use the inbox [CiTool](../operations/citool-commands.md) to deploy signed and unsigned policies on Windows 11 22H2 and Windows Server 2025 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your App Control policy binary file. ```powershell # Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = from the Policy XML) @@ -58,7 +58,7 @@ To use this procedure, download and distribute the [App Control policy refresh t ## Deploying policies for all other versions of Windows and Windows Server -Use WMI to apply policies on all other versions of Windows and Windows Server. +Use WMI to deploy policies on all other versions of Windows and Windows Server. 1. Initialize the variables to be used by the script. diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md index c2434abfb47..8e1874bbe36 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md @@ -15,15 +15,17 @@ ms.topic: how-to There may come a time when you want to remove one or more App Control policies, or remove all App Control policies you've deployed. This article describes the various ways to remove App Control policies. > [!IMPORTANT] -> **Signed App Control policy** +> **Signed Base App Control policy** > -> If the policy you are trying to remove is a signed App Control policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**. +> If the base policy you are trying to remove is a signed App Control policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**. > > The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \. > > To take effect, this policy must be signed with a certificate included in the \ section of the original policy you want to replace. > > You must then restart the computer so that the UEFI protection of the policy is deactivated. ***Failing to do so will result in a boot start failure.*** +> +> Signed supplemental App Control policies can be removed in the same manner as unsigned policies, without the need to follow the aforementioned steps Before removing any policy, you must first disable the method used to deploy it (such as Group Policy or MDM). Otherwise, the policy may redeploy to the computer. @@ -35,9 +37,6 @@ To make a policy effectively inactive before removing it, you can first replace 4. Allow all COM objects. See [Allow COM object registration in an App Control policy](../design/allow-com-object-registration-in-appcontrol-policy.md#examples); 5. If applicable, remove option **0 Enabled:UMCI** to convert the policy to kernel mode only. -> [!IMPORTANT] -> After you remove a policy, restart the computer for it to take effect. You can't remove App Control policies without restarting the device. - ### Remove App Control policies using CiTool.exe Beginning with the Windows 11 2022 Update, you can remove App Control policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the App Control policy you want to remove: @@ -46,7 +45,8 @@ Beginning with the Windows 11 2022 Update, you can remove App Control policies u CiTool.exe -rp "{PolicyId GUID}" -json ``` -Then restart the computer. +> [!NOTE] +> Beginning with the Windows 11 2024 update, unsigned policies can be removed using CiTool.exe without requiring a restart. In previous versions of Windows, however, a restart is required to complete the removal process. ### Remove App Control policies using MDM solutions like Intune diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md index e95688f390d..4948af5cf1e 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md @@ -76,7 +76,7 @@ Represents why verification failed, or if it succeeded. | 23 | Invalid image hash. This error can indicate file corruption or a problem with the file's signature. Signatures using elliptic curve cryptography (ECC), such as ECDSA, return this VerificationError. | | 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS. | | 25 | Anti-cheat policy violation. | -| 26 | Explicitly denied by WADC policy. | +| 26 | Explicitly denied by App Control policy. | | 27 | The signing chain appears to be tampered/invalid. | | 28 | Resource page hash mismatch. |