Windows-itpro-docs: Add Windows version and SCCM version that rules were introduced

Created on 10 May 2019 · 11 comments · Source: MicrosoftDocs/windows-itpro-docs

For each WDEG ASR rule, it would be useful to list the version of Windows 10, Windows Server, and SCCM CB in which the rule was introduced.

As an example, for the "Block persistence through WMI event subscription" rule there could be something like the following.

This rule was introduced in:

  • Windows 10: 1903
  • Windows Server: 1903, LTSC vNext
  • SCCM CB: 1902

It could also be flattened:

This rule was introduced in Windows 10 1903, Windows Server 1903, Windows Server LTSC vNext, SCCM CB 1902

Below are my notes for each rule, but I'm not sure whether they are totally accurate. I wasn't sure about some of the versions (denoted with ???):

  • Block executable content from email client and webmail - Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
  • Block Office applications from creating child processes - Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
  • Block Office applications from creating executable content - Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
  • Block Office applications from injecting code into other processes - Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
  • Block JavaScript or VBScript from launching downloaded executable content - Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
  • Block execution of potentially obfuscated scripts - Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
  • Block Win32 API calls from Office macro - Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria - Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802???
  • Use advanced protection against ransomware - Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe) - Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
  • Block process creations originating from PSExec and WMI commands - Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802???
  • Block untrusted and unsigned processes that run from USB - Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
  • Block Office communication applications from creating child processes - Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810???
  • Block Adobe Reader from creating child processes - Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810???
  • Block persistence through WMI event subscription - Windows 10 1903???, Windows Server 1903???, Windows Server LTSC vNext, SCCM CB 1902???

My sources for SCCM versions are:

My sources for Windows Server and Windows Server LTSC are:




All 11 comments

@officedocsbot assign @e0i

@iadgovuser1

The issue has been noted and the document will be revised in the light of your feedback.

Thank you.

@e0i this issue is solved by PR #4430, please review and merge!

@iadgovuser1: Please have a look at the commit and recent changes to the GitHub source page:
Rich text diff view:
https://github.com/MicrosoftDocs/windows-itpro-docs/commit/99331095c18b04e588b1942e30be337bdf6d8dfd?short_path=9467fe2#diff-9467fe25b71e6c0368355a30ce380a89

GitHub page:
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@illfated I can double-check these tomorrow in my SCCM 1902 instance to try to answer some of the questions below. Here are my comments:

Block process creations originating from PSExec and WMI commands
SCCM name: Not applicable.

Is that correct? Makes sense if that's true because it isn't compatible with SCCM. Might want to remove "SCCM CB 1802" then.

Block Office communication application from creating child processes
SCCM name: Not yet available.

Is that correct? Seems like it should be there. Might want to remove "SCCM CB 1810" then.

Block Adobe Reader from creating child processes
SCCM name: Not applicable

Is that correct? Seems like it should be there. Might want to remove "SCCM CB 1810" then.

Block persistence through WMI event subscription
SCCM name: Not yet available

This might actually be true since it is so new. This one is missing "This rule was introduced in:" phrasing. It should be in Windows 10 1903.

Thank you for those comments and your suggestions for what else needs to be remediated.
I am confident that this can be resolved too, as soon as any of the other contributors adds it to their work list.
I would have taken the time myself, but I have got too many distractions going on in my life at the moment.

@illfated So it turns out that those 4 rules are not in SCCM CB 1902. I'd remove all mentions of SCCM CB for those rules in their "introduced in" lines. Outside of that, I wonder why the Adobe Reader one is listed as "Not applicable" instead of "Not yet available". It makes sense that "Block process creations originating from PSExec and WMI commands" is Not Applicable because it will break SCCM. I don't think that would be true for the Adobe Reader rule. That's the only other thing that might need to be changed other than what I mentioned already.

@iadgovuser1

We are closing the issue since the original subject of the issue has been addressed via pull request #4430.

Thank you for taking the time to provide feedback and engaging in discussion to improve the documentation. Much appreciated.

@officedocsbot close

@e0i
I will likely open another issue to capture additional changes that may need to be made based on my previous comment.

Good choice. It will be easier to manage 1 pull request / page change per issue ticket.
