From 9ef8369bd4345e58705fb5aca1e9e7ab0f031761 Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Thu, 17 Oct 2024 10:34:38 +0300 Subject: [PATCH 1/5] Fixed typo and policy name There was a typo "WADC". It was previously correctly set to "WDAC". Instead of setting it to "WDAC", I set it to "App Control for Business" to follow the new naming convention. --- .../operations/event-tag-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md index 0f5513efc40..f31dad2a3b8 --- a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md @@ -76,7 +76,7 @@ Represents why verification failed, or if it succeeded. | 23 | Invalid image hash. This error can indicate file corruption or a problem with the file's signature. Signatures using elliptic curve cryptography (ECC), such as ECDSA, return this VerificationError. | | 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS. | | 25 | Anti-cheat policy violation. | -| 26 | Explicitly denied by WADC policy. | +| 26 | Explicitly denied by App Control for Business policy. | | 27 | The signing chain appears to be tampered/invalid. | | 28 | Resource page hash mismatch. | From 4ee0c07f775085359ede4af9182308b534c36a0a Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Thu, 17 Oct 2024 11:31:55 +0300 Subject: [PATCH 2/5] Update about rebootless removal of unsigned policies Update about rebootless removal of unsigned policies --- .../deployment/disable-appcontrol-policies.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md index c2434abfb47..4f1e0f58fe5 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md @@ -35,9 +35,6 @@ To make a policy effectively inactive before removing it, you can first replace 4. Allow all COM objects. See [Allow COM object registration in an App Control policy](../design/allow-com-object-registration-in-appcontrol-policy.md#examples); 5. If applicable, remove option **0 Enabled:UMCI** to convert the policy to kernel mode only. -> [!IMPORTANT] -> After you remove a policy, restart the computer for it to take effect. You can't remove App Control policies without restarting the device. - ### Remove App Control policies using CiTool.exe Beginning with the Windows 11 2022 Update, you can remove App Control policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the App Control policy you want to remove: @@ -46,7 +43,8 @@ Beginning with the Windows 11 2022 Update, you can remove App Control policies u CiTool.exe -rp "{PolicyId GUID}" -json ``` -Then restart the computer. +> [!NOTE] +> Beginning with the Windows 11 2024 update, unsigned policies can be removed using CiTool.exe without requiring a restart. In previous versions of Windows, however, a restart is required to complete the removal process. ### Remove App Control policies using MDM solutions like Intune From 02f8176973922f3565eade7f3f0c2f6e4f918370 Mon Sep 17 00:00:00 2001 
From: Violet Hansen Date: Thu, 17 Oct 2024 11:48:54 +0300 Subject: [PATCH 3/5] Added more details about Supplemental policy removal Added more details about Supplemental policy removal --- .../deployment/disable-appcontrol-policies.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md index 4f1e0f58fe5..8e1874bbe36 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md 
@@ -15,15 +15,17 @@ ms.topic: how-to There may come a time when you want to remove one or more App Control policies, or remove all App Control policies you've deployed. This article describes the various ways to remove App Control policies. > [!IMPORTANT] -> **Signed App Control policy** +> **Signed Base App Control policy** > -> If the policy you are trying to remove is a signed App Control policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**. +> If the base policy you are trying to remove is a signed App Control policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**. > > The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \. > > To take effect, this policy must be signed with a certificate included in the \ section of the original policy you want to replace. > > You must then restart the computer so that the UEFI protection of the policy is deactivated. ***Failing to do so will result in a boot start failure.*** +> +> Signed supplemental App Control policies can be removed in the same manner as unsigned policies, without the need to follow the aforementioned steps Before removing any policy, you must first disable the method used to deploy it (such as Group Policy or MDM). Otherwise, the policy may redeploy to the computer. From 0ccf65b69d71b6291b29a449b12be01fd355c163 Mon Sep 17 00:00:00 2001 
From: Violet Hansen Date: Thu, 17 Oct 2024 12:07:52 +0300 Subject: [PATCH 4/5] CiTool in Windows Server, improved wording and updated notice Windows Server 2025 has the inbox CiTool.exe. Updated wording to be consistent, changed apply to deploy. Apply was only used in 2 places while everywhere else the word "Deploy" was used. Added a note to the known issue notice. --- .../deployment/deploy-appcontrol-policies-with-script.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md index 369252b993f..8de7b6d9812 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md 
@@ -16,13 +16,13 @@ This article describes how to deploy App Control for Business policies using scr You should now have one or more App Control policies converted into binary form. If not, follow the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md). > [!IMPORTANT] -> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart. +> Due to a known issue in Windows 11 updates earlier than 2024 (24H2), you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart. > > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. -## Deploying policies for Windows 11 22H2 and above +## Deploying policies for Windows 11 22H2 and above, and Windows Server 2025 and above -You can use the inbox [CiTool](../operations/citool-commands.md) to apply policies on Windows 11 22H2 with the following commands. 
Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your App Control policy binary file. +You can use the inbox [CiTool](../operations/citool-commands.md) to deploy signed and unsigned policies on Windows 11 22H2 and Windows Server 2025 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your App Control policy binary file. ```powershell # Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = from the Policy XML) @@ -58,7 +58,7 @@ To use this procedure, download and distribute the [App Control policy refresh t ## Deploying policies for all other versions of Windows and Windows Server -Use WMI to apply policies on all other versions of Windows and Windows Server. +Use WMI to deploy policies on all other versions of Windows and Windows Server. 1. Initialize the variables to be used by the script. From 8ee6b80fc71fa6ffaa8ed6c9e0666cb14ac25c50 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 21 Oct 2024 10:24:13 -0700 Subject: [PATCH 5/5] editor revision --- .../operations/event-tag-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md index f31dad2a3b8..d3c222c7c14 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md 
@@ -76,7 +76,7 @@ Represents why verification failed, or if it succeeded. | 23 | Invalid image hash. This error can indicate file corruption or a problem with the file's signature. Signatures using elliptic curve cryptography (ECC), such as ECDSA, return this VerificationError. | | 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS. | | 25 | Anti-cheat policy violation. | -| 26 | Explicitly denied by App Control for Business policy. | +| 26 | Explicitly denied by App Control policy. | | 27 | The signing chain appears to be tampered/invalid. | | 28 | Resource page hash mismatch. |
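Review bot: in the patch 1 hunk for event-tag-explanations.md (`@@ -76,7 +76,7 @@`), the replacement wording "Explicitly denied by App Control for Business policy." is longer than the form the rest of this series uses for the same product ("App Control policy", as in the "Remove App Control policies using CiTool.exe" heading in patch 2); use the short form here so the VerificationError table matches the surrounding documentation, which is what patch 5 later does to this same row.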
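Review bot: in the first hunk of patch 2 (`@@ -35,9 +35,6 @@` in disable-appcontrol-policies.md), deleting the IMPORTANT block ("After you remove a policy, restart the computer for it to take effect. You can't remove App Control policies without restarting the device.") removes the only restart guidance that applied to every removal method, while the NOTE that replaces it in the second hunk sits only under the CiTool.exe section; the "Remove App Control policies using MDM solutions like Intune" section, and readers on versions before the 2024 update, are left with no restart instruction at all. Keep a general statement here that a restart is still required except in the CiTool.exe rebootless case, and scope the exception to that section.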
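Review bot: in the second hunk of patch 2 (`@@ -46,7 +43,8 @@`), the new NOTE says "unsigned policies can be removed using CiTool.exe without requiring a restart" but says nothing about signed policies, although the line it replaces ("Then restart the computer.") covered both; state explicitly that signed base policies still need the restart described in the IMPORTANT block at the top of the article (patch 3's context: "You must then restart the computer so that the UEFI protection of the policy is deactivated"). Also, "Windows 11 2024 update" should match the capitalization of "Windows 11 2022 Update" two paragraphs above and the "24H2" naming patch 4 introduces in the same series.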
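Review bot: in the patch 3 hunk (`@@ -15,15 +15,17 @@` in disable-appcontrol-policies.md), the added line "> Signed supplemental App Control policies can be removed in the same manner as unsigned policies, without the need to follow the aforementioned steps" is missing its terminal period, and "the aforementioned steps" is ambiguous because the block lists several (signed replacement policy with option 6, matching PolicyId and version, signing certificate, restart); say which steps are skipped and whether a restart is still required, since patch 2's NOTE limits rebootless removal to unsigned policies. The new title "**Signed Base App Control policy**" also capitalizes "Base" while the next line reads "If the base policy"; pick one form.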
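Review bot: in the first hunk of patch 4 (`@@ -16,13 +16,13 @@` in deploy-appcontrol-policies-with-script.md), the heading now reads "Windows 11 22H2 and above, and Windows Server 2025 and above" but the body sentence says "on Windows 11 22H2 and Windows Server 2025" without "and later", and the IMPORTANT note scopes the known issue to "Windows 11 updates earlier than 2024 (24H2)" without saying whether Windows Server 2025, newly added to this section, is affected. Align the body with the heading, say in the note whether Server is in scope, and reword "Windows 11 updates earlier than 2024 (24H2)" to the version form used elsewhere, e.g. "Windows 11 versions earlier than 24H2".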
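Review bot: the patch 5 hunk (`@@ -76,7 +76,7 @@` in event-tag-explanations.md) rewrites the same table row that patch 1 changed earlier in this series, turning "Explicitly denied by App Control for Business policy." into "Explicitly denied by App Control policy.", so the series carries an intermediate wording that the final state does not keep; squash this into patch 1 so row 26 changes once, directly from "WADC policy" to "App Control policy", and the commit message of patch 1 (which states the "App Control for Business" choice as deliberate) matches what actually lands.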