mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Update create-appcontrol-policy-for-lightly-managed-devices.md
This commit is contained in:
parent
ea2ddb235f
commit
2087dd5646
@ -19,18 +19,20 @@ As we did in [App Control for Business deployment in different scenarios: types
**Alice Pena** is the IT team lead tasked with the rollout of App Control. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to App Control and eventually use different policies for different user segments. But for now, she wants to begin with a policy that can cover the vast majority of users without any modifications.
## Analyze the "circle-of-trust" of the Smart App Control policy and its fit in your organization
## Analyze how Smart App Control's "circle-of-trust" fits for you
Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads all of Microsoft's online help articles related to Smart App Control, which she finds do a good job defining it's "circle-of-trust". Its policy ensures only signed code runs along with code predicted to be safe by the [Intelligent Security Graph](./use). Unsigned code is blocked from running if the service can't predict that the code is safe to run. And code determined to be unsafe is always blocked.
Alice follows the guidance from the article [Plan for app control policy lifecycle management](./plan-appcontrol-management.md#policy-xml-lifecycle-management), and starts by analyzing the "circle-of-trust" for Smart App Control's policy. Alice reads all of Microsoft's online help articles related to Smart App Control to be sure she understands it well. From her reading, she learns that the Smart App Control allows only publicly-trusted signed code or unsigned code that the [Intelligent Security Graph (ISG)](./use-appcontrol-with-intelligent-security-graph.md) predicts is safe. Publicly-trusted signed code means the signing certificate was issued by one of the certificate authorities (CA) who are in Microsoft's Trusted Root Program. Unsigned code is blocked from running if the ISG can't predict that the code is safe to run. And code determined to be unsafe is always blocked.
Now Alice considers how to adapt the policy for Lamna's use cases. For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. Even though Lamna's leadership would prefer a more restrictive posture, she's been careful not to over-promise how quickly the company can get to that state and has leadership buy-in on her strategy.
Now Alice considers how to adapt the policy for Lamna's use. Alice wants to create an initial policy that is as relaxed as possible to cover more users, avoid user productivity impact, but still provide tangible security value. Even though Lamna's leadership would prefer a more restrictive posture, more rapidly, she's educated key stakeholders on the challenges and complexities ahead. As a result, she has senior leadership buy-in on her strategy.
Alice next identifies the key factors about Lamna's environment that she believes will shape the "circle-of-trust" it needs to operate the business until it can reform its app management processes. They also help her narrow the set of systems she will start with. Alice writes down these factors in her planning worksheet:
### Consider the key factors about your organization
- Most clients are running Windows 11, with small numbers of clients remaining on Windows 10 through the remainder of the fiscal year;
- All clients are managed by Microsoft Intune;
- Most, but not all, apps are deployed using Intune;
- Most users run as standard user, though some have local admin rights on their devices; the people with admin rights are accustomed to the freedom they have to install whatever apps they want;
Alice next identifies the key factors about Lamna's environment that she thinks will shape the company's "circle-of-trust". The policy must be flexible to meet the needs of the business while adjusting its app management processes so that a more restrictive policy is even practical. The key factors also help her choose which systems to include in the first deployment. Alice writes down these factors in her planning worksheet so that whoever follows her knows :
- **Privileges:** Most users operate as standard user, though nearly a quarter still have local admin rights on their devices; the people with admin rights view the freedoms that gives them as essential, including the option to run whatever apps they want;
- **Operating Systems:** Windows 11 runs most user devices, but Windows 10 will remain on roughly 10% of clients at least through the next fiscal year, particularly those in smaller satellite offices; Alice's group doesn't manage Lamna's servers or any specialized equipment; Lamna's server IT group plans to wait to see how the client rollout of App Control unfolds before implementing the technology on the servers they control;
- **Client management:** Lamna uses Microsoft Intune for all Windows 11 devices, deployed as Microsoft Entra cloud-native; they continue to use Microsoft Endpoint Configuration Manager (MEMCM) with Microsoft Entra hybrid join on all Windows 10 devices;
- Most, but not all, apps are deployed using Intune; there's a long tail of business-unit-specific apps, and "Shadow IT" apps that lack an official charter, but are critical to the employees who use them;
- Lamna has hundreds of line-of-business (LOB) apps across its business units; almost all of the apps use unsigned or mostly unsigned code, though the company has started to require codesigning in the past two years; all of the signed LOB apps
Alice is familiar with the App Control Policy Wizard, an open-source policy authoring UI maintained by the team responsible for App Control for Business and Smart App Control. She downloads the tool from its official [download site](https://aka.ms/appcontrolwizard) and runs it.
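Review bot: Two of the added lines end mid-sentence and should be completed before this merges: the lead-in to the factor list stops at "planning worksheet so that whoever follows her knows :" (with a stray space before the colon), and the last bullet stops at "all of the signed LOB apps" with no predicate, so the reader never learns what is true of the signed LOB apps. Smaller points in the same block: the "Most, but not all, apps are deployed using Intune" bullet is the only one in the new list without a bold label like **Privileges:** or **Client management:**; "the Smart App Control allows only publicly-trusted signed code" has a stray "the" before the product name; and "certificate authorities (CA) who are" would read better as "certificate authorities (CAs) that are".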