Updated structure to be consistent with other CSPs

This commit is contained in:
ManikaDhiman 2019-11-18 16:35:56 -08:00
parent fc04e0b2d0
commit 1bc31fe1a0


@ -21,10 +21,10 @@ The following diagram shows the AppLocker configuration service provider in tree
![applocker csp](images/provisioning-csp-applocker.png) ![applocker csp](images/provisioning-csp-applocker.png)
<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/AppLocker** <a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/AppLocker**
Defines the root node for the AppLocker configuration service provider. Defines the root node for the AppLocker configuration service provider.
<a href="" id="applicationlaunchrestrictions"></a>**ApplicationLaunchRestrictions** <a href="" id="applocker-applicationlaunchrestrictions"></a>**AppLocker/ApplicationLaunchRestrictions**
Defines restrictions for applications. Defines restrictions for applications.
> [!NOTE] > [!NOTE]
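Review bot: Renaming the anchor on the ApplicationLaunchRestrictions heading from `applicationlaunchrestrictions` to `applocker-applicationlaunchrestrictions` breaks any existing link to `#applicationlaunchrestrictions`; either keep the old `<a id>` next to the new one or check the docs set for references to the old fragment before merging. The root node anchor `--vendor-msft-applocker` is left as-is, so the two headings in this hunk now follow different id schemes within the same section.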
@ -40,7 +40,133 @@ Additional information:
- [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps. - [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps.
- [Whitelist example](#whitelist-examples) - example for Windows 10 Mobile that denies all apps except the ones listed. - [Whitelist example](#whitelist-examples) - example for Windows 10 Mobile that denies all apps except the ones listed.
<a href="" id="enterprisedataprotection"></a>**EnterpriseDataProtection** <a href="" id="applocker-applicationlaunchrestrictions-grouping"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE**
Defines restrictions for launching executable applications.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-noninteractiveprocessenforcement"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/NonInteractiveProcessEnforcement**
The data type is a string.
Supported operations are Add, Delete, Get, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-msi"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI**
Defines restrictions for executing Windows Installer files.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-msi-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-msi-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-script"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script**
Defines restrictions for running scripts.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-script-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-script-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-storeapps"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps**
Defines restrictions for running apps from the Microsoft Store.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-storeapps-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-storeapps-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-dll"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL**
Defines restrictions for processing DLL files.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-dll-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-dll-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-dll-noninteractiveprocessenforcement"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/NonInteractiveProcessEnforcement**
The data type is a string.
Supported operations are Add, Delete, Get, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-codeintegrity"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity**
This node is only supported on the desktop.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-codeintegrity-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is Base64.
Supported operations are Get, Add, Delete, and Replace.
> [!NOTE]
> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP.
<a href="" id="applocker-enterprisedataprotection"></a>**AppLocker/EnterpriseDataProtection**
Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
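Review bot: The EnforcementMode entries added under every ApplicationLaunchRestrictions/_Grouping_ collection (EXE, MSI, Script, StoreApps, DLL) reuse the Windows Information Protection text ("does not affect the behavior of EnterpriseDataProtection ... EDPEnforcementLevel from Policy CSP should be used"), which describes a limitation of the EnterpriseDataProtection subtree, not what EnforcementMode does for launch restrictions; each of these entries should state what the node controls for that collection and which values it accepts. Two smaller points in the same hunk: the NonInteractiveProcessEnforcement entries under EXE and DLL give only a data type and supported operations, with no sentence on the node's purpose; and CodeIntegrity/Policy copies the "contents ... is precisely the XML format for a RuleCollection node" sentence while declaring the data type as Base64 and, in the note that follows, a binary policy blob produced by ConvertFrom-CIPolicy, so that sentence contradicts the note and should describe the Base64-encoded binary policy instead. Also "The contents of a given Policy node is" should read "are" in each Policy entry, and "Applocker-CSP" in the note should be "AppLocker CSP" to match the rest of the page.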
@ -61,115 +187,35 @@ Additional information:
- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. - [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
Each of the previously listed nodes contains a **Grouping** node. <a href="" id="applocker-enterprisedataprotection-grouping"></a>**AppLocker/EnterpriseDataProtection/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
<table> Supported operations are Get, Add, Delete, and Replace.
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Term</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>Grouping</strong></p></td>
<td><p>Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.</p>
<p>Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.</p>
<p>Supported operations are Get, Add, Delete, and Replace.</p></td>
</tr>
</tbody>
</table>
<a href="" id="applocker-enterprisedataprotection-grouping-exe"></a>**AppLocker/EnterpriseDataProtection/_Grouping_/EXE**
Defines restrictions for launching executable applications.
Supported operations are Get, Add, Delete, and Replace.
In addition, each **Grouping** node contains one or more of the following nodes: <a href="" id="applocker-enterprisedataprotection-grouping-exe-policy"></a>**AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
<table> Data type is string.
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Term</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>EXE</strong></p></td>
<td><p>Defines restrictions for launching executable applications.</p>
<p>Supported operations are Get, Add, Delete, and Replace.</p></td>
</tr>
<tr class="even">
<td><p><strong>MSI</strong></p></td>
<td><p>Defines restrictions for executing Windows Installer files.</p>
<p>Supported operations are Get, Add, Delete, and Replace.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Script</strong></p></td>
<td><p>Defines restrictions for running scripts.</p>
<p>Supported operations are Get, Add, Delete, and Replace.</p></td>
</tr>
<tr class="even">
<td><p><strong>StoreApps</strong></p></td>
<td><p>Defines restrictions for running apps from the Microsoft Store.</p>
<p>Supported operations are Get, Add, Delete, and Replace.</p></td>
</tr>
<tr class="odd">
<td><p><strong>DLL</strong></p></td>
<td><p>Defines restrictions for processing DLL files.</p>
<p>Supported operations are Get, Add, Delete, and Replace.</p></td>
</tr>
<tr class="even">
<td><p><strong>CodeIntegrity</strong></p></td>
<td><p>This node is only supported on the desktop. Supported operations are Get, Add, Delete, and Replace.</p></td>
</tr>
</tbody>
</table>
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-enterprisedataprotection-grouping-storeapps"></a>**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps**
Defines restrictions for running apps from the Microsoft Store.
Each of the previous nodes contains one or more of the following leaf nodes: Supported operations are Get, Add, Delete, and Replace.
<table> <a href="" id="applocker-enterprisedataprotection-grouping-exe-storeapps"></a>**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy**
<colgroup> Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Term</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>Policy</strong></p></td>
<td><p>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</p>
<p>For nodes, other than CodeIntegrity, policy leaf data type is string. Supported operations are Get, Add, Delete, and Replace.</p>
<p>For CodeIntegrity/Policy, data type is Base64. Supported operations are Get, Add, Delete, and Replace.</td>
</tr>
<tr class="even">
<td><p><strong>EnforcementMode</strong></p></td>
<td><p>The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).</p>
<p>The data type is a string. Supported operations are Get, Add, Delete, and Replace.</p></td>
</tr>
<tr class="odd">
<td><p><strong>NonInteractiveProcessEnforcement</strong></p></td>
<td><p>The data type is a string.</p>
<p>Supported operations are Add, Delete, Get, and Replace.</p></td>
</tr>
</tbody>
</table>
> [!NOTE] Data type is string.
> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP.
Supported operations are Get, Add, Delete, and Replace.
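Review bot: The anchor id on the StoreApps/Policy heading is `applocker-enterprisedataprotection-grouping-exe-storeapps`, which does not follow the `...-storeapps-policy` pattern used for every other Policy entry in this change and looks like a copy-paste slip from the EXE entry; it should be `applocker-enterprisedataprotection-grouping-storeapps-policy`. Separately, the removed tables stated that each Grouping node contains one or more of EXE, MSI, Script, StoreApps, DLL and CodeIntegrity, each with Policy, EnforcementMode and NonInteractiveProcessEnforcement leaves, but the rewritten EnterpriseDataProtection subtree documents only EXE and StoreApps, each with a Policy leaf only. If the other nodes are genuinely not supported under EnterpriseDataProtection, one sentence saying so would stop readers of the previous version from reading this as an omission; if they are supported, the entries are missing. Note also that the removed EnforcementMode text was written about this subtree ("does not affect the behavior of EnterpriseDataProtection"), so dropping it here while repeating it under ApplicationLaunchRestrictions reads as inverted.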
## <a href="" id="productname"></a>Find publisher and product name of apps ## <a href="" id="productname"></a>Find publisher and product name of apps
@ -239,7 +285,6 @@ The following table show the mapping of information to the AppLocker publisher r
</table> </table>
Here is an example AppLocker publisher rule: Here is an example AppLocker publisher rule:
``` syntax ``` syntax