Update wdac.md #11938
Conversation
WDAC documentation incorrectly states that you can disable Smart Application Control by setting the REG_DWORD VerifiedAndReputablePolicyState to a value of 0 and using CiTool.exe -r OR rebooting the device. This is unfortunately not correct: on reboot, WDAC/CI DOES NOT notify Defender of the CI policy change (Smart App Control/SmartLocker disabled), so the Defender registry key SmartLockerMode never gets updated, leading to Defender never being disabled when 3rd party AV is installed. CSS has multiple cases that span across Windows Devices and Deployment, Escalations to the Windows EEs, Windows Defender for Endpoint, and several ICMs to their PG teams as well.
Learn Build status updates of commit 230b699: ✅ Validation status: passed
@@ -33,7 +33,7 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat | |||
|
|||
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy). | |||
|
|||
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect. | |||
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect. |
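Review bot: removing "either restart the device or" from the last sentence leaves the paragraph with no explanation of why a reboot is no longer a supported way to apply the change, and that reason is the whole point of this PR: per the description, on reboot CI does not notify Defender of the policy change, so the Defender SmartLockerMode value is never updated and Defender is not disabled when a third-party AV is installed. Suggest keeping the edit but adding a NOTE callout directly after this paragraph that says a reboot alone does not propagate the change to Defender (the reviewer comment proposes wording about Defender staying in passive mode with a third-party AV, plus a link to the Defender passive-mode article), and that on a device that was already rebooted, running CiTool.exe -r by itself will not repair the mismatch, so readers who followed the previous guidance know they need the policy-change/refresh resync steps discussed in this thread.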
I prefer to add a NOTE disclaimer that rebooting will leave Windows Defender in passive mode when a 3P AV product installed and a link to the Defender article describing passive mode.
This works too; however, once they come out of sync, there is no way to get them back in sync without making changes to the policy, forcing an update, then setting the original policy back and forcing an update.
If the customer follows the guidance to set the regkey and reboot, calling 'CiTool.exe -r' alone in the future will not change this behavior.
Is this something else we want to give guidance on and support?
Example of how this would be done:

```powershell
# Temporarily deploy a throwaway audit-mode policy with the ISG option set,
# refresh, remove the option, refresh again, then remove the policy and refresh
# once more so CI re-notifies Defender of the current Smart App Control state.
$Workfolder = "C:\temp"
mkdir $Workfolder -Force
$ActiveFolder = "C:\Windows\System32\CodeIntegrity\CiPolicies\Active"
$ExampleFolder = "C:\Windows\schemas\CodeIntegrity\ExamplePolicies"
$ExamplePolicy = "AllowAll.xml"

# Work on a copy of the in-box AllowAll example policy
$XMLFile = Join-Path $Workfolder $ExamplePolicy
Copy-Item (Join-Path $ExampleFolder $ExamplePolicy) $XMLFile

# Give the copy a fresh PolicyID so it does not collide with anything deployed
Set-CIPolicyIdInfo -ResetPolicyID -FilePath $XMLFile
[xml]$tempXML = Get-Content $XMLFile
$PolicyGUID = $tempXML.SiPolicy.PolicyID

Set-RuleOption -Option 3 -FilePath $XMLFile   # 3  = Enabled:Audit Mode (nothing gets blocked)
Set-RuleOption -Option 14 -FilePath $XMLFile  # 14 = Enabled:Intelligent Security Graph Authorization

# Compile straight into the Active folder and refresh
$ActiveFullPath = Join-Path $ActiveFolder ($PolicyGUID + ".cip")
ConvertFrom-CIPolicy -XmlFilePath $XMLFile -BinaryFilePath $ActiveFullPath
citool -r -json

# Drop the ISG option again and refresh, which is the change that forces the re-sync
Set-RuleOption -Option 14 -FilePath $XMLFile -Delete
ConvertFrom-CIPolicy -XmlFilePath $XMLFile -BinaryFilePath $ActiveFullPath
citool -r -json

# Clean up the temporary policy and refresh one last time
Remove-Item $ActiveFullPath -Force
citool -r -json
```
I've implemented the changes and resolved the merge conflict in a PR in the private repo. The changes will be live later today. Closing this PR.