Change WDAC to App Control (#11486)

Author: sdwheeler

redir/.openpublishing.redirection.json

@@ -1,5 +1,15 @@
 {
   "redirections": [
+    {
+      "redirect_document_id": true,
+      "redirect_url": "/powershell/scripting/security/app-control/how-to-use-app-control",
+      "source_path": "../reference/docs-conceptual/security/app-control/how-to-use-wdac.md"
+    },
+    {
+      "redirect_document_id": true,
+      "redirect_url": "/powershell/scripting/security/app-control/how-app-control-works",
+      "source_path": "../reference/docs-conceptual/security/app-control/how-wdac-works.md"
+    },
     {
       "redirect_document_id": true,
       "redirect_url": "/powershell/scripting/security/preventing-script-injection",

reference/docs-conceptual/security/app-control/application-control.md

@@ -1,85 +1,84 @@
 ---
-description: This article explains the features of Windows using Windows Defender Application Control (WDAC) that can be used to secure your PowerShell environment.
-ms.date: 09/19/2024
-title: Use Windows Defender Application Control to secure PowerShell
+description: This article explains the features of Application Control that can be used to secure your PowerShell environment.
+ms.date: 10/21/2024
+title: Use App Control to secure PowerShell
 ---
-# Use Windows Defender Application Control to secure PowerShell
+# Use App Control to secure PowerShell
 
-Windows 10 includes two technologies, [Windows Defender Application Control (WDAC)][04] and
-[AppLocker][01] that you can use to control applications. They allow you to create a lockdown
-experience to help secure your PowerShell environment.
+Windows 10 includes two technologies, [App Control for Business][04] and [AppLocker][01],
+that you can use to control applications. They allow you to create a lockdown experience to help
+secure your PowerShell environment.
 
 **AppLocker** builds on the application control features of Software Restriction Policies. AppLocker
 allows you to create rules to allow or deny apps for specific users or groups. You identify the apps
 based on unique properties of the files.
 
-**WDAC**, introduced with Windows 10, allows you to control which drivers and applications are
-allowed to run on Windows.
+**Application Control for Business**, introduced in Windows 10 as Windows Defender Application
+Control (WDAC), allows you to control which drivers and applications are allowed to run on Windows.
 
 ## Lockdown policy detection
 
-PowerShell detects both AppLocker and WDAC system wide policies. AppLocker doesn't have way to query
-the policy enforcement status. To detect if a system wide application control policy is being
-enforced by AppLocker, PowerShell creates two temporary files and tests if they can be executed. The
-filenames use the following name format:
+PowerShell detects both AppLocker and App Control for Business system wide policies. AppLocker
+doesn't have way to query the policy enforcement status. To detect if a system wide application
+control policy is being enforced by AppLocker, PowerShell creates two temporary files and tests if
+they can be executed. The filenames use the following name format:
 
 - `$env:TEMP/__PSAppLockerTest__<random-8dot3-name>.ps1`
 - `$env:TEMP/__PSAppLockerTest__<random-8dot3-name>.psm1`
 
-WDAC is the preferred application control system for Windows. WDAC provides APIs that allow you to
-discover the policy configuration. WDAC is designed as a security feature under the servicing
-criteria defined by the Microsoft Security Response Center (MSRC).
-
-For more information about AppLocker and WDAC, see [Application Controls for Windows][04] and
-[WDAC and AppLocker feature availability][02].
+App Control for Business is the preferred application control system for Windows. App Control
+provides APIs that allow you to discover the policy configuration. App Control is designed as a
+security feature under the servicing criteria defined by the Microsoft Security Response Center
+(MSRC). For more information, see [Application Controls for Windows][04] and
+[App Control and AppLocker feature availability][02].
 
 > [!NOTE]
-> When [choosing between WDAC or AppLocker][03], we recommend that you implement application control
-> using WDAC rather than AppLocker. Microsoft is continually improving WDAC and Microsoft management
-> platforms are extending their support for WDAC. Although AppLocker may continue to receive
-> security fixes, it won't receive feature enhancements.
+> When [choosing between App Control or AppLocker][03], we recommend that you implement application
+> control using App Control for Business rather than AppLocker. Microsoft is no longer investing in
+> AppLocker. Although AppLocker may continue to receive security fixes, it won't receive feature
+> enhancements.
 
-## WDAC policy enforcement
+## App Control policy enforcement
 
-When PowerShell runs under a WDAC policy, its behavior changes based on the defined security policy.
-Under a WDAC policy, PowerShell runs trusted scripts and modules allowed by the policy in
-`FullLanguage` mode. All other scripts and script blocks are untrusted and run in
+When PowerShell runs under an App Control policy, its behavior changes based on the defined security
+policy. Under an App Control policy, PowerShell runs trusted scripts and modules allowed by the
+policy in `FullLanguage` mode. All other scripts and script blocks are untrusted and run in
 `ConstrainedLanguage` mode. PowerShell throws errors when the untrusted scripts attempt to perform
 actions that aren't allowed in `ConstrainedLanguage` mode. It can be difficult to know why a script
 failed to run correctly in `ConstrainedLanguage` mode.
 
-## WDAC policy auditing
+## App Control policy auditing
 
-PowerShell 7.4 added a new feature to support WDAC policies in **Audit** mode. In audit mode,
+PowerShell 7.4 added a new feature to support App Control policies in **Audit** mode. In audit mode,
 PowerShell runs the untrusted scripts in `ConstrainedLanguage` mode without errors, but logs
 messages to the event log instead. The log messages describe what restrictions would apply if the
 policy were in **Enforce** mode.
 
 ## History of changes
 
-Windows PowerShell 5.1 was the first version of PowerShell to support WDAC. The security features of
-WDAC and AppLocker improve with each new release of PowerShell. The following sections describe how
-this support changed in each version of PowerShell. The changes are cumulative, so the features
-described in the later versions include those from earlier versions.
+Windows PowerShell 5.1 was the first version of PowerShell to support App Control. The security
+features of App Control and AppLocker improve with each new release of PowerShell. The following
+sections describe how this support changed in each version of PowerShell. The changes are
+cumulative, so the features described in the later versions include those from earlier versions.
 
 ### Changes in PowerShell 7.4
 
-On Windows, when PowerShell runs under a Windows Defender Application Control (WDAC) policy, its
-behavior changes based on the defined security policy. Under a WDAC policy, PowerShell runs trusted
-scripts and modules allowed by the policy in `FullLanguage` mode. All other scripts and script
-blocks are untrusted and run in `ConstrainedLanguage` mode. PowerShell throws errors when the
-untrusted scripts attempt to perform disallowed actions. It's difficult to know why a script fails
-to run correctly in `ConstrainedLanguage` mode.
+On Windows, when PowerShell runs under an App Control policy, its behavior changes based on the
+defined security policy. Under an App Control policy, PowerShell runs trusted scripts and modules
+allowed by the policy in `FullLanguage` mode. All other scripts and script blocks are untrusted and
+run in `ConstrainedLanguage` mode. PowerShell throws errors when the untrusted scripts attempt to
+perform disallowed actions. It's difficult to know why a script fails to run correctly in
+`ConstrainedLanguage` mode.
 
-PowerShell 7.4 now supports WDAC policies in **Audit** mode. In audit mode, PowerShell runs the
-untrusted scripts in `ConstrainedLanguage` mode but logs messages to the event log instead of
+PowerShell 7.4 now supports App Control policies in **Audit** mode. In audit mode, PowerShell runs
+the untrusted scripts in `ConstrainedLanguage` mode but logs messages to the event log instead of
 throwing errors. The log messages describe what restrictions would apply if the policy were in
 **Enforce** mode.
 
 ### Changes in PowerShell 7.3
 
-- PowerShell 7.3 now supports the ability to block or allow PowerShell script files via the WDAC
-  API.
+- PowerShell 7.3 now supports the ability to block or allow PowerShell script files via the App
+  Control API.
 
 ### Changes in PowerShell 7.2
 
@@ -96,14 +95,14 @@ throwing errors. The log messages describe what restrictions would apply if the
 
 ## Further reading
 
-- For more information about how WDAC works and what restrictions it enforces, see
-  [How WDAC works with PowerShell][06].
-- For more information about securing PowerShell with WDAC, see [How to use WDAC][05].
+- For more information about how App Control works and what restrictions it enforces, see
+  [How App Control works with PowerShell][06].
+- For more information about securing PowerShell with App Control, see [How to use App Control][05].
 
 <!-- link references -->
-[01]: /windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
-[02]: /windows/security/threat-protection/windows-defender-application-control/feature-availability
-[03]: /windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview#choose-when-to-use-wdac-or-applocker
-[04]: /windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
-[05]: how-to-use-wdac.md
-[06]: how-wdac-works.md
+[01]: /windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker
+[02]: /windows/security/application-security/application-control/app-control-for-business/feature-availability
+[03]: /windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview#choose-when-to-use-app-control-or-applocker
+[04]: /windows/security/application-security/application-control/app-control-for-business/appcontrol
+[05]: how-to-use-app-control.md
+[06]: how-app-control-works.md

reference/docs-conceptual/security/app-control/how-wdac-works.md renamed to reference/docs-conceptual/security/app-control/how-app-control-works.md

@@ -1,31 +1,31 @@
 ---
-description: This article explains how to configure and use WDAC to secure PowerShell.
-ms.date: 09/19/2024
-title: How to use WDAC to secure PowerShell
+description: This article explains how to configure and use App Control to secure PowerShell.
+ms.date: 10/21/2024
+title: How to use App Control to secure PowerShell
 ---
-# How to use WDAC to secure PowerShell
+# How to use App Control to secure PowerShell
 
-This article describes how to set up a **Windows Defender Application Control** (WDAC) policy. You
-can configure the policy to enforce or audit the policy's rule. In audit mode, PowerShell behavior
-doesn't change but it logs Event ID 16387 messages to the `PowerShellCore/Analytic` event log. In
-enforcement mode, PowerShell applies the policy's restrictions.
+This article describes how to set up a **App Control for Business** policy. You can configure the
+policy to enforce or audit the policy's rule. In audit mode, PowerShell behavior doesn't change but
+it logs Event ID 16387 messages to the `PowerShellCore/Analytic` event log. In enforcement mode,
+PowerShell applies the policy's restrictions.
 
 This article assumes you're using a test machine so that you can test PowerShell behavior under a
-machine wide WDAC policy before you deploy the policy in your environment.
+machine wide App Control policy before you deploy the policy in your environment.
 
-## Create a WDAC policy
+## Create an App Control policy
 
-A WDAC policy is described in an XML file, which contains information about policy options, files
-allowed, and signing certificates recognized by the policy. When the policy is applied, only
+An App Control policy is described in an XML file, which contains information about policy options,
+files allowed, and signing certificates recognized by the policy. When the policy is applied, only
 approved files are allowed to load and run. PowerShell either blocks unapproved script files from
 running or runs them in `ConstrainedLanguage` mode, depending on policy options.
 
-You create and manipulate WDAC policy using the **ConfigCI** module, which is available on all
-supported Windows versions. This Windows PowerShell module can be used in Windows PowerShell 5.1 or
-in PowerShell 7 through the **Windows Compatibility** layer. It's easier to use this module in
+You create and manipulate App Control policy using the **ConfigCI** module, which is available on
+all supported Windows versions. This Windows PowerShell module can be used in Windows PowerShell 5.1
+or in PowerShell 7 through the **Windows Compatibility** layer. It's easier to use this module in
 Windows PowerShell. The policy you create can be applied to any version of PowerShell.
 
-## Steps to create a WDAC policy
+## Steps to create an App Control policy
 
 For testing, you just need to create a default policy and a self signed code signing certificate.
 
@@ -85,23 +85,23 @@ For testing, you just need to create a default policy and a self signed code sig
 
 1. Convert the XML policy file to a policy enforcement binary file
 
-   Finally, you need to convert the XML file to a binary file used by WDAC to apply a policy.
+   Finally, you need to convert the XML file to a binary file used by App Control to apply a policy.
 
    ```powershell
    ConvertFrom-CIPolicy -XmlFilePath .\SystemCIPolicy.xml -BinaryFilePath .\SIPolicy.p7b
    ```
 
-1. Apply the WDAC policy
+1. Apply the App Control policy
 
    To apply the policy to your test machine, copy the `SIPolicy.p7b` file to the required system
    location, `C:\Windows\System32\CodeIntegrity`.
 
    > [!NOTE]
    > Some policies definition must be copied to a subfolder such as
    > `C:\Windows\System32\CodeIntegrity\CiPolicies`. For more information, see
-   > [WDAC Admin Tips & Known Issues][01].
+   > [App Control Admin Tips & Known Issues][01].
 
-1. Disable the WDAC policy
+1. Disable the App Control policy
 
    To disable the policy, rename the `SIPolicy.p7b` file. If you need to do more testing, you can
    change the name back to reenable the policy.
@@ -110,9 +110,9 @@ For testing, you just need to create a default policy and a self signed code sig
    Rename-Item -Path .\SIPolicy.p7b -NewName .\SIPolicy.p7b.off
    ```
 
-## Test using WDAC policy auditing
+## Test using App Control policy auditing
 
-PowerShell 7.4 added a new feature to support WDAC policies in **Audit** mode. In audit mode,
+PowerShell 7.4 added a new feature to support App Control policies in **Audit** mode. In audit mode,
 PowerShell runs the untrusted scripts in `ConstrainedLanguage` mode without errors, but logs
 messages to the event log instead. The log messages describe what restrictions would apply if the
 policy were in **Enforce** mode.
@@ -141,7 +141,7 @@ Get-WinEvent -LogName PowerShellCore/Analytic -Oldest |
 TimeCreated  : 4/19/2023 10:11:07 AM
 ProviderName : PowerShellCore
 Id           : 16387
-Message      : WDAC Audit.
+Message      : App Control Audit.
 
     Title: Method or Property Invocation
     Message: Method or Property 'WriteLine' on type 'System.Console' invocation will not
@@ -153,7 +153,7 @@ Message      : WDAC Audit.
 ```
 
 The event message includes the script position where the restriction would be applied. This
-information helps you understand where you need to change your script so that it runs under the WDAC
+information helps you understand where you need to change your script so that it runs under the App Control
 policy.
 
 > [!IMPORTANT]
@@ -168,4 +168,4 @@ the audit event occurred. The breakpoint allows you to debug your code and inspe
 of the script in real time.
 
 <!-- link references -->
-[01]: /windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues
+[01]: /windows/security/application-security/application-control/app-control-for-business/operations/known-issues

reference/docs-conceptual/security/app-control/how-to-use-wdac.md renamed to reference/docs-conceptual/security/app-control/how-to-use-app-control.md

@@ -20,7 +20,7 @@ landingContent:
         links:
           - text: PowerShell security features
             url: security-features.md
-          - text: Using Windows Defender Application Control
+          - text: Using App Control for Business
             url: application-control.md
       - linkListType: how-to-guide
         links:
@@ -74,18 +74,18 @@ landingContent:
             url: remoting/jea/audit-and-report.md
 
   # Card
-  - title: Using WDAC
+  - title: Using App Control
     linkLists:
       - linkListType: overview
         links:
-          - text: Using Windows Defender Application Control
+          - text: Using App Control for Business
             url: app-control/application-control.md
-          - text: How WDAC works with PowerShell
-            url: app-control/how-wdac-works.md
+          - text: How App Control works with PowerShell
+            url: app-control/how-app-control-works.md
       - linkListType: how-to-guide
         links:
-          - text: How to use WDAC to secure PowerShell
-            url: app-control/how-to-use-wdac.md
+          - text: How to use App Control to secure PowerShell
+            url: app-control/how-to-use-app-control.md
 
   # Card
   - title: Managing secrets

reference/docs-conceptual/security/overview.yml

@@ -64,17 +64,17 @@ a PowerShell session. For a full description, see [about_Language_Modes][04].
 
 ## Application Control
 
-Windows 10 includes two technologies, [Windows Defender Application Control (WDAC)][08] and
-[AppLocker][07] that you can use to control applications. PowerShell detects if a system wide
-application control policy is being enforced. The policy applies certain behaviors when running
-script blocks, script files, or loading module files to prevent arbitrary code execution on the
-system.
+Windows 10 includes two technologies, [App Control for Business][08] and [AppLocker][07] that you
+can use to control applications. PowerShell detects if a system wide application control policy is
+being enforced. The policy applies certain behaviors when running script blocks, script files, or
+loading module files to prevent arbitrary code execution on the system.
 
-WDAC is designed as a security feature under the servicing criteria defined by the Microsoft
-Security Response Center (MSRC). WDAC is the preferred application control system for Windows.
+App Control for Business is designed as a security feature under the servicing criteria defined by
+the Microsoft Security Response Center (MSRC). App Control is the preferred application control
+system for Windows.
 
-For more information about how PowerShell supports AppLocker and WDAC, see
-[Using Windows Defender Application Control][10].
+For more information about how PowerShell supports AppLocker and App Control, see
+[Use App Control to secure PowerShell][10].
 
 ## Software Bill of Materials (SBOM)
 
@@ -98,8 +98,8 @@ features meet the criteria for servicing.
 
 Security features
 
-- System Lockdown with WDAC
-- Constrained language mode with WDAC
+- System Lockdown with App Control for Business
+- Constrained language mode with App Control for Business
 
 Defense in depth features
 
@@ -114,8 +114,8 @@ Defense in depth features
 [04]: /powershell/module/microsoft.powershell.core/about/about_language_modes
 [05]: /powershell/module/microsoft.powershell.core/about/about_logging_non-windows
 [06]: /powershell/module/microsoft.powershell.core/about/about_logging_windows
-[07]: /windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
-[08]: /windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
+[07]: /windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker
+[08]: /windows/security/application-security/application-control/app-control-for-business/appcontrol
 [09]: /windows/win32/amsi/how-amsi-helps
 [10]: app-control/application-control.md
 [11]: https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/