deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #5126 from MicrosoftDocs/master

Browse Source 
Publish 04/30/2021, 10:30 AM
This commit is contained in:
Diana Hanson 2021-04-30 11:38:43 -06:00 committed by GitHub
commit 1ae3603953
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
View File

@ -28,13 +28,12 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
> [!NOTE] > [!NOTE]
> To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. > To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
## Script-based deployment process for WDAC policy ## Script-based deployment process for Windows 10 version 1903 and above
1. Initialize the variables to be used by the script. 1. Initialize the variables to be used by the script.
```powershell ```powershell
# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = <PolicyId> from the Policy XML) # Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = <PolicyId> from the Policy XML)
# Single policy format binaries should be named as SiPolicy.p7b.
$PolicyBinary = "<Path to policy binary file to deploy>" $PolicyBinary = "<Path to policy binary file to deploy>"
$DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\" $DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\"
$RefreshPolicyTool = "<Path where RefreshPolicy.exe can be found from managed endpoints>" $RefreshPolicyTool = "<Path where RefreshPolicy.exe can be found from managed endpoints>"
@ -43,7 +42,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
2. Copy WDAC policy binary to the destination folder. 2. Copy WDAC policy binary to the destination folder.
```powershell ```powershell
cp $PolicyBinary $DestinationFolder Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
``` ```
3. Repeat steps 1-2 as appropriate to deploy additional WDAC policies. 3. Repeat steps 1-2 as appropriate to deploy additional WDAC policies.
@ -53,4 +52,24 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
& $RefreshPolicyTool & $RefreshPolicyTool
``` ```
5. If successful, you should see the message **Rebootless ConfigCI Policy Refreshing Succeeded!** ## Script-based deployment process for Windows 10 versions earlier than 1903
1. Initialize the variables to be used by the script.
```powershell
# Policy binary files should be named as SiPolicy.p7b for Windows 10 versions earlier than 1903
$PolicyBinary = "<Path to policy binary file to deploy>"
$DestinationBinary = $env:windir+"\System32\CodeIntegrity\SiPolicy.p7b"
```
2. Copy WDAC policy binary to the destination.
```powershell
Copy-Item -Path $PolicyBinary -Destination $DestinationBinary -Force
```
3. Refresh and activate WDAC policy using WMI
```powershell
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary}
```