Add custom OMA-URI info

Previously, only had instructions for using built-in Intune WDAC policies
brbrahm
2020-01-21 16:10:52 -08:00
parent 44f13a5a24
commit 1eb9706a82
3 changed files with 74 additions and 21 deletions


@ -112,24 +112,43 @@ Scope is dynamic. Supported operation is Get.
Value type is char.
## Usage guidance
## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
To use ApplicationControl CSP, you must:
- Know a generated policys GUID, which can be found in the policy xml as `<PolicyTypeID>`.
- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy via uploading the binary file.
## Non-Intune Usage Guidance
In order to leverage the ApplicationControl CSP without using Intune, you must:
1. Know a generated policys GUID, which can be found in the policy xml as <PolicyID> or <PolicyTypeID> for pre-1903 systems.
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool.
Below is a sample certutil invocation:
```cmd
certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
```
An alternative to using certutil would be to use the following PowerShell invocation:
```powershell
[Convert]::toBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))
```
### Deploy Policies
### Deploy policies
To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below.
To deploy base policy and supplemental policies:
- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
- Repeat for each base or supplemental policy (with its own GUID and data).
1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
2. Repeat for each base or supplemental policy (with its own GUID and data).
The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD).
**Example 1: Add first base policy**
#### Example 1: Add first base policy**
```xml
<Add>
<CmdID>1</CmdID>
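Review bot: the new heading `#### Example 1: Add first base policy**` keeps a trailing `**` left over from the bold line it replaces; drop it so the heading renders cleanly. In the same hunk, `policys` in both the Intune and non-Intune prerequisite lists should read `policy's`, and "Refer to the the Format section" doubles "the". Two technical points on the encoding step: `certutil -encode` wraps its output in `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` lines, so the text should say that only the Base64 body between those lines is the policy node; and the PowerShell alternative `Get-Content -Encoding Byte -ReadCount 0` only works in Windows PowerShell 5.1, since PowerShell 6+ replaced `-Encoding Byte` with `-AsByteStream`, which is worth stating because the snippet is offered as a general substitute for certutil.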
@ -144,7 +163,9 @@ The following example shows the deployment of two base policies and a supplement
</Item>
</Add>
```
**Example 2: Add second base policy**
#### Example 2: Add second base policy**
```xml
<Add>
<CmdID>1</CmdID>
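Review bot: `#### Example 2: Add second base policy**` carries the same stray trailing `**` as Example 1 and should lose it. Since Examples 1 and 2 both use `<CmdID>1</CmdID>`, consider adding a sentence that each example is a separate SyncML message (or give them distinct CmdIDs) so a reader does not paste them into one body with duplicate command IDs.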
@ -159,7 +180,9 @@ The following example shows the deployment of two base policies and a supplement
</Item>
</Add>
```
**Example 3: Add supplemental policy**
#### Example 3: Add supplemental policy**
```xml
<Add>
<CmdID>1</CmdID>
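Review bot: `#### Example 3: Add supplemental policy**` has the same stray trailing `**` as the first two example headings; remove it for consistency.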
@ -174,6 +197,7 @@ The following example shows the deployment of two base policies and a supplement
</Item>
</Add>
```
### Get policies
Perform a GET using a deployed policys GUID to interrogate/inspect the policy itself or information about it.
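Review bot: `policys` should be `policy's` in "Perform a GET using a deployed policy's GUID", and "interrogate/inspect the policy itself or information about it" would be clearer as "retrieve the policy itself or its metadata", matching the Get/Policy and Get/PolicyInfo nodes this section goes on to show.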
@ -203,17 +227,20 @@ The following is an example of Get command:
```
### Delete policies
To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy**.
> [!Note]
> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy.
> [!NOTE]
> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy.
To delete a signed policy:
1. Replace it with a signed update allowing unsigned policy.
2. Deploy another update with unsigned policy.
3. Perform delete.
The following is an example of Delete command:
```xml
<Delete>
<CmdID>1</CmdID>
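Review bot: the retained `[!NOTE]` text "Only signed things should be able to update signed policies" is vague; say "Only a signed policy can replace a signed policy" so the reason the DELETE alone is insufficient is explicit. In the three-step procedure, step 1 should name the mechanism (a signed policy whose rule options include "Enabled:Unsigned System Integrity Policy"), and step 3 "Perform delete." should state the target: "Perform a DELETE on the same `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy` node." The `[!Note]` to `[!NOTE]` change itself is correct for the alert syntax.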