Windows-itpro-docs: Clarification on wildcard

@officedocsbot assign @jvsam

Hi @nluck I believe your question is somewhat answered by this note in this doc where it says "AppLocker uses custom path variables for well-known paths, such as Program Files and Windows." And since WDAC now supports path-based rules beginning from 1903, then both now support some wildcards. If you wish to confirm if the support extends to some variables that are not in this documentation, I would recommend contacting Windows 10 Support to get an immediate answer. Apologies, but please be informed that this site is intended to help improve the quality of the technical documentation of Microsoft Docs through user contributions and feedback. If you have suggestions related to this documentation, please let us know here and we will submit them for review. Same goes if you get feedback from Support, please do keep us posted here on the resolution or any relevant information that can be called out in the docs, for example, additional path rules that are currently not available in this documentation. Our main goal is to ensure users have the best Windows 10 experience by providing useful, accurate and up-to-date documentation.

Thanks for being part of the Microsoft Docs community!

Thank you for your reply.

I think there’s some misunderstanding: I know that AppLocker supports path variables.

The WDAC documentation does not say that the wildcard syntax is based on AppLocker, that was just my guess.

My question or recommendation is:

1. Update the documentation to state that the wildcard syntax is based on AppLocker path rules (if that is the case).
2. Expand the list of examples to a list of all supported path variables.

I don’t think this is a question for support (which would be either a problem implementing the documentation or a problem regarding unexpected, undocumented behavior). This is clearly a question or recommendation to improve the documentation available.

I see, thanks for the clarification @nluck ! We appreciate it. I will forward this to the Windows content writing team for review and investigation. Please continue to share your suggestions or ideas to help improve the quality of the technical documentation. Thanks for being part of the Microsoft Docs community!

Agree with comment above. Documentation on this is very unclear. Specifically:
1) The word "FilePath" occurs twice. One is as a parameter "-FilePath", which is the path to the output XML file. One is as an option "FilePath" to the -Level parameter. The section on "New-CIPolicy parameters" refers to the FilePath option, not the -Filepath parameter.
2) The variables listed under "Wildcards" are not examples of wildcards. They are a separate topic of variables. They certainly look like AppLocker variables, which raises the question of whether other AppLocker variables are supported. What does the use of the word "Examples" mean? They are not examples of wildcards. Are they examples of variables? In which case, what are the other variables? And what does the \.. syntax mean? If the %OSDRIVE% is a variable, it is redundant and confusing to add the \..
3) For the wildcard suffix, the documentation says it is "useful". It says that an example of the suffix is C:\foo*. But it does not say how the wildcard is interpreted, or if it is necessary. For example, in a -FilePathRule parameter, what is the difference between C:\foo, C:\foo\, and C:\foo\* ?

@Air-Git thanks for the additional feedback.

Hi @mdsakibMSFT can you please provide more information or confirm/deny some of the assumptions raised here by community users? This way we can assist in submitting a pull request with suggestions to improve this documentation? Thank you so much and we look forward to hearing from you.

Update the documentation to state that the wildcard syntax is based on AppLocker path rules

Looks like it is @nluck as per the the Path-Based Rules MS announcement.

This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.

Hi @mdsakibMSFT can you please confirm? We would also appreciate more information/clarification related to the questions raised by @Air-Git. Thank you.

Hello again @mdsakibMSFT, hoping to get your feedback on the following so we would know how to proceed. For number 1, we need confirmation, although it's already mentioned here - Path-Based Rules MS announcement.

1. Update the documentation to state that the wildcard syntax is based on AppLocker path rules (if that is the case).
2. Expand the list of examples to a list of all supported path variables.

Please see the other questions as well.

Hi @Justinha are you still the main owner of this topic? We would appreciate if you can can provide some insight on the issues/questions raised here. Thank you so much.

Let me follow-up with our dev team on the right answers here and circle back on what the doc updates need to be.

From: Jo notifications@github.com
Sent: Wednesday, July 24, 2019 4:38 PM
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: Nazmus Sakib mdsakib@microsoft.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Clarification on wildcard (#4261)

Hello again @mdsakibMSFThttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FmdsakibMSFT&data=02%7C01%7Cmdsakib%40microsoft.com%7Cfe33b9ed5ed64378abb408d710900045%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636996082978116411&sdata=Jsx25W8tUKk5W0stC5MIle8Xs658AAWezeuL059v2l0%3D&reserved=0, hoping to get your feedback on the following so we would know how to proceed. For number 1, we need confirmation, although it's already mentioned here - Path-Based Rules MS announcementhttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fwhats-new%2Fwhats-new-windows-10-version-1903&data=02%7C01%7Cmdsakib%40microsoft.com%7Cfe33b9ed5ed64378abb408d710900045%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636996082978126404&sdata=Lhss6Tez5teLDu4NB90vMhiKIb6njdEYZxE2Voi1zLM%3D&reserved=0.

1. Update the documentation to state that the wildcard syntax is based on AppLocker path rules (if that is the case).
2. Expand the list of examples to a list of all supported path variables.

Please see the other questions as well.

Hi @Justinhahttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FJustinha&data=02%7C01%7Cmdsakib%40microsoft.com%7Cfe33b9ed5ed64378abb408d710900045%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636996082978126404&sdata=KjIOL%2BX9FX458SSVPfNw5ilYCGhTr5cfifxv8zWksxo%3D&reserved=0 are you still the main owner of this topic? We would appreciate if you can can provide some insight on the issues/questions raised here. Thank you so much.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fwindows-itpro-docs%2Fissues%2F4261%3Femail_source%3Dnotifications%26email_token%3DAGTW4CAK3N27FRCCZKJS26TQBDRWPA5CNFSM4H3R6LR2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD2X45PI%23issuecomment-514838205&data=02%7C01%7Cmdsakib%40microsoft.com%7Cfe33b9ed5ed64378abb408d710900045%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636996082978126404&sdata=o8yyU1YZZsv6YuuqtSyUV09mtREUwRjwJiQ7OoVckVE%3D&reserved=0, or mute the threadhttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAGTW4CD74MDMPRHFHI3FUVTQBDRWPANCNFSM4H3R6LRQ&data=02%7C01%7Cmdsakib%40microsoft.com%7Cfe33b9ed5ed64378abb408d710900045%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636996082978136400&sdata=XP673%2B2lcZyISWBH%2F9WN3ACScUpgp0rFxeaB6D1AXx8%3D&reserved=0.

That's great! Thank you so much @mdsakibMSFT. We'll just wait for your update.

This is the response I have from the dev team:

We support the following three macros at the beginning of the string:
%OSDRIVE%
%SYSTEM32%
%WINDIR%

As well as a single * at either the beginning OR end of the filepath

So “*\mydir\foo.exe”
Or “%WINDIR%\otherdir*” or even “C:\mydir*”

Obviously we also support using no macros like “C:\mydir\foo.exe”

From: Jo notifications@github.com
Sent: Friday, July 26, 2019 10:13 PM
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: Nazmus Sakib mdsakib@microsoft.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Clarification on wildcard (#4261)

That's great! Thank you so much @mdsakibMSFThttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FmdsakibMSFT&data=02%7C01%7Cmdsakib%40microsoft.com%7C44b25364079e477659f208d71251219f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636998011978705964&sdata=mawWXCOGRlKrcEnL8U%2Bvz5WWybDSXmfaDGHHbDiSqhk%3D&reserved=0. We'll just wait for your update.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fwindows-itpro-docs%2Fissues%2F4261%3Femail_source%3Dnotifications%26email_token%3DAGTW4CGH47EODPVM2U3KNC3QBPKOXA5CNFSM4H3R6LR2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD26D4QY%23issuecomment-515653187&data=02%7C01%7Cmdsakib%40microsoft.com%7C44b25364079e477659f208d71251219f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636998011978705964&sdata=d%2FPVhEoDXj3Y5DFgWeJi6YBgGyBo%2F1MTsQumY73Fv4k%3D&reserved=0, or mute the threadhttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAGTW4CFC4RPQ5X6UZRKWYC3QBPKOXANCNFSM4H3R6LRQ&data=02%7C01%7Cmdsakib%40microsoft.com%7C44b25364079e477659f208d71251219f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636998011978715977&sdata=duXqi3sHnNlmYYpJlOAS7gMmLJ%2BEEBrlWUOGKV7UvXk%3D&reserved=0.

Thanks for the prompt response @mdsakibMSFT. Will there be amendments on the documentation based on the feedback of the Dev team?

Hi @Air-Git and @nluck, updates from the Dev team.

We support the following three macros at the beginning of the string:
%OSDRIVE%
%SYSTEM32%
%WINDIR%

As well as a single * at either the beginning OR end of the filepath

So “*\mydir\foo.exe”
Or “%WINDIR%\otherdir*” or even “C:\mydir*”

Obviously we also support using no macros like “C:\mydir\foo.exe”

Yes we should update the file path doc tonadd this additional info

Get Outlook for Androidhttps://aka.ms/ghei36

From: Jo notifications@github.com
Sent: Friday, July 26, 2019 10:40:08 PM
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: Nazmus Sakib mdsakib@microsoft.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Clarification on wildcard (#4261)

Thanks for the prompt response @mdsakibMSFThttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FmdsakibMSFT&data=02%7C01%7Cmdsakib%40microsoft.com%7C8638f7b87a8f4b24afd008d71254e2e2%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636998028160572160&sdata=pOzrbBWKdC2jqYajinMpqXtEjqjuykQHWSRqyaZiw7I%3D&reserved=0. Will there be amendments on the documentation based on the feedback of the Dev team?

Hi @Air-Githttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAir-Git&data=02%7C01%7Cmdsakib%40microsoft.com%7C8638f7b87a8f4b24afd008d71254e2e2%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636998028160582156&sdata=b39IWYV%2BGrbjd4EqgjTMxm%2BAfzN%2FKpFu8kYLTpV1Uo0%3D&reserved=0 and @nluckhttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnluck&data=02%7C01%7Cmdsakib%40microsoft.com%7C8638f7b87a8f4b24afd008d71254e2e2%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636998028160582156&sdata=GpCtM5D2aRIsZGrpPLS07YZL0QD5PFuPQujSc7CPfAw%3D&reserved=0, updates from the Dev team.

We support the following three macros at the beginning of the string:
%OSDRIVE%
%SYSTEM32%
%WINDIR%

As well as a single * at either the beginning OR end of the filepath

So “\mydir\foo.exe”
Or “%WINDIR%\otherdir” or even “C:\mydir*”

Obviously we also support using no macros like “C:\mydir\foo.exe”

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fwindows-itpro-docs%2Fissues%2F4261%3Femail_source%3Dnotifications%26email_token%3DAGTW4CD6IJ4TUPEO56YLVPLQBPNTRA5CNFSM4H3R6LR2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD26EG3A%23issuecomment-515654508&data=02%7C01%7Cmdsakib%40microsoft.com%7C8638f7b87a8f4b24afd008d71254e2e2%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636998028160592151&sdata=OgJzGFiJoxK45pZbicf6kf62jy2NrIXumWrB8X01dD0%3D&reserved=0, or mute the threadhttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAGTW4CHOXDOX4HPBB3EAV2DQBPNTRANCNFSM4H3R6LRQ&data=02%7C01%7Cmdsakib%40microsoft.com%7C8638f7b87a8f4b24afd008d71254e2e2%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636998028160592151&sdata=TVTIcjMWOQCX2jhtN2LcJSn0HPhnZwf72dI1Rnpk6uM%3D&reserved=0.

@mdsakibMSFT kindly reference the commit or PR to this issue for tracking purposes, if that's possible please. If you want, I can also find someone who can create a pull request and suggest the updates (_although not sure if that's all of it_). Thank you again.

Thanks, but it also needs clarification of the "FilePath" and "FilePathRule". Here's why:
"New-CIPolicy parameters"
Filepath is NOT a new parameter. It is a new value to the Level parameter. -ScanPath is the standard parameter for the path to scan. It does NOT require a wildcard. See New-CIPolicy. Some explanation is needed for what a filepath level scan achieves. I think what it does is to enumerate each individual file, so that only named files are allowed. -OmitPath can be used to exclude named subfolders from the scan.
FilePathRule IS a new parameter. The mention of wildcards here suggests that the path value DOES require a wildcard, to capture subfolders and files So we assume that C:\foo or C:\foo\ allows all files in the folder (but not subfolders and files) while C:\foo\*allows all files, and all files in subfolders. But that's only my guess. It's not clear, but since the Dev team have confirmed it supports a wildcard, I suppose we have to assume that it requires one.

@mdsakibMSFT kindly check the pending questions. If you can also assist in clarifying them, much appreciated. Thank you.

@brbrahm might be able to help too.

Hi @mdsakibMSFT, I'd like to follow-up on the pending questions from the community. Thank you again.

@brbrahm if you can please provide some insight as well, much appreciated. And thanks for updating the doc to clarify the supported macros.

Thanks everyone for the feedback and suggestions! @mdsakibMSFT is transitioning to a new team and away from Application Control, so I'll be working with @jsuther1974 over the next few days to address the following questions:

1. Further clarification of wildcard syntax relationship to AppLocker path rules
2. How are wildcards interpreted, and are they required to include all subfolders? For example, in a -FilePathRule parameter, what is the difference between C:\foo, C:\foo\, and C:\foo*
3. FilePath option vs. -FilePath parameter (e.g. what does a filepath level scan achieve)

Let me know if I'm missing any of the other questions mentioned in this thread.

I believe that's everything, thank you @brbrahm! Kindly keep us updated and when those questions are addressed (and this doc is updated), we can close this issue.

Hi again @brbrahm, how are you? I just want to follow up if there will be forthcoming updates to this documentation? Looking forward to your feedback. Thank you.

1. Further clarification of wildcard syntax relationship to AppLocker path rules
2. How are wildcards interpreted, and are they required to include all subfolders? For example, in a -FilePathRule parameter, what is the difference between C:\foo, C:\foo, and C:\foo*
3. FilePath option vs. -FilePath parameter (e.g. what does a filepath level scan achieve)

Hello @brbrahm, hope all is well. Do you have any updates regarding the pending questions? Thank you.

Hi @brbrahm, how are you? Do you have any update on this? If you have the information/answers related to the pending questions, we can create a pull request and submit it to you for review. Let us know, thank you.

Hi there-- sincere apologies for the delay. We have a lot of documentation updates to do, and this one slipped through the cracks.

1. Wildcard syntax for WDAC should not be assumed to be the same as AppLocker path rules
2. Refer to PR #5200
3. FilePath option vs. -FilePath parameter. The new 19H1 addition was the -Level FilePath option, not the -FilePath parameter. The given example was misleading and incorrect.
   -FilePath specifies the path for the Code Integrity policy .xml file
   -Level FilePath creates path rules under path for anything not user-writeable (at the individual file level). This should also be clearer in the above PR.

This is great @brbrahm. I've read the updates, really appreciate the assistance. Thank you!

Hi @isbrahm, again thank you so much for updating the docs.

To everyone, including @nluck who originally opened this issue, I believe we can consider this issue resolved. The latest updates are displayed on the Deploy Windows Defender Application Control policy rules and file rules doc with additional details related to the file rule levels.

We will now close this issue. Thank you everyone for being part of the Microsoft Docs community!

@officedocsbot close