From 7d9e4abd38c4506746ea6a88e4a26b570415ed81 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 12:29:46 -0700
Subject: [PATCH 01/24] 24538295 - Adding CI Policy Command Docs

---
 .../TOC.yml | 2 +
 .../code-integrity-policy-commands.md | 192 ++++++++++++++++++
 2 files changed, 194 insertions(+)
 create mode 100644 windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md

diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index a7d64bd225..cc2387f639 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -86,6 +86,8 @@
 href: merge-windows-defender-application-control-policies.md
 - name: Enforce WDAC policies
 href: enforce-windows-defender-application-control-policies.md
+ - name: Code Integrity Policy, Token, and Miscellaneous Commands
+ href: code-integrity-policy-commands.md
 - name: Use code signing to simplify application control for classic Windows applications
 href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
 items:
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
new file mode 100644
index 0000000000..ffc8f5349b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -0,0 +1,192 @@
+---
+title: CI Policy, Token, and Miscellaneous Commands
+description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands.
+author: valemieux
+ms.author: v-alemieux
+ms.service: WDAC
+ms.topic: how-to
+ms.date: 08/07/2022
+ms.custom: template-how-to
+---
+
+# CIPolicyCommands
+
+Generates Policy Commands, Token Commands, and Miscellaneous Commands for user mode code and drivers.
+
+# Policy Commands
+
+| Command:| --update-policy /Path/To/Policy/File |
+| Description: | Add or update a policy on the current system |
+| Alias: | -up |
+
+| Command:| --remove-policy PolicyGUID |
+| Description: | Remove a policy indicated by PolicyGUID from the system |
+| Alias: | -rp |
+
+| Command:| --list-policies |
+| Description: | Dump information about all policies on the system, whether they be active or not |
+| Alias: | -lp |
+
+# Token Commands
+
+| Command:| --add-token Path/To/Token/File [--token-id ID] |
+| Description: | Deploy a token onto the current system, with an optional specific ID. |
+| Alias: | -at |
+>[!NOTE] If [ID] is specified, a pre-existing token with [ID] should not exist.
+
+| Command:| --remove-token ID |
+| Description: | Remove a Token indicated by ID from the system.
|
+| Alias: | -rt |
+
+| Command:| --list-tokens |
+| Description: | Dump information about all tokens on the system |
+| Alias: | -lt |
+
+# Miscellaneous Commands
+
+| Command:| --device-id |
+| Description: | Dump the Code Integrity Device Id |
+| Alias: | -id |
+
+| Command:| --refresh |
+| Description: | Attempt to Refresh CI Policies |
+| Alias: | -r |
+
+| Command:| --help |
+| Description: | Display help |
+| Alias: | -h |
+
+#Examples
+
+#Example 1: Update Policy/Deploy
+Extract BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip into C:\windows\system32
+```powershell```
+PS C:\Users\[USER] cd \windows\system32
+PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
+
+C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip
+Usage: CiTool.exe COMMAND [-json]
+Commands:
+----------------------------- Policy Commands ---------------------------------
+ --update-policy /Path/To/Policy/File
+ Add or update a policy on the current system
+ aliases: -up
+ --remove-policy PolicyGUID
+ Remove a policy indicated by PolicyGUID from the system
+ aliases: -rp
+ --list-policies
+ Dump information about all policies on the system, whether they be active or not
+ aliases: -lp
+----------------------------- Token Commands ---------------------------------
+ --add-token Path/To/Token/File [--token-id ID]
+ Deploy a token onto the current system, with an optional specific ID
+ If [ID] is specified, a pre-existing token with [ID] should not exist.
+ aliases:-at
+ --remove-token ID
+ Remove a Token indicated by ID from the system.
+ aliases: -rt
+ --list-tokens
+ Dump information about all tokens on the system
+ aliases: -lt
+----------------------------- Misc Commands ---------------------------------
+ --device-id
+ Dump the Code Integrity Device Id
+ aliases: -id
+ --refresh
+ Attempt to Refresh CI Policies
+ aliases: -r
+ --help
+ Display this message
+ aliases: -h
+----------------------------- Global Flags---------------------------------
+ -json
+ Format output as json and suppress input
+```
+
+#Example 2: Refresh the policy
+```powershell```
+PS C:\Users\[USER] cd \windows\system32
+PS C:\Windows\System32>.\CITool.exe --refresh
+Operation Successful
+```
+
+#Example 3: Remove the policy
+```powershell```
+PS C:\Users\[USER] cd \windows\system32
+PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}
+Usage: CiTool.exe COMMAND [-json]
+Commands:
+----------------------------- Policy Commands ---------------------------------
+ --update-policy /Path/To/Policy/File
+ Add or update a policy on the current system
+ aliases: -up
+ --remove-policy PolicyGUID
+ Remove a policy indicated by PolicyGUID from the system
+ aliases: -rp
+ --list-policies
+ Dump information about all policies on the system, whether they be active or not
+ aliases: -lp
+----------------------------- Token Commands ---------------------------------
+ --add-token Path/To/Token/File [--token-id ID]
+ Deploy a token onto the current system, with an optional specific ID
+ If [ID] is specified, a pre-existing token with [ID] should not exist.
+ aliases:-at
+ --remove-token ID
+ Remove a Token indicated by ID from the system.
+ aliases: -rt
+ --list-tokens
+ Dump information about all tokens on the system
+ aliases: -lt
+----------------------------- Misc Commands ---------------------------------
+ --device-id
+ Dump the Code Integrity Device Id
+ aliases: -id
+ --refresh
+ Attempt to Refresh CI Policies
+ aliases: -r
+ --help
+ Display this message
+ aliases: -h
+----------------------------- Global Flags---------------------------------
+ -json
+ Format output as json and suppress input
+Press Enter to Exit
+```
+
+#Example 4: Display help
+```powershell```
+PS C:\Users\[USER] cd \windows\system32
+PS C:\windows\system32> .\CITool.exe -h
+
+----------------------------- Policy Commands ---------------------------------
+ --update-policy /Path/To/Policy/File
+ Add or update a policy on the current system
+ aliases: -up
+ --remove-policy PolicyGUID
+ Remove a policy indicated by PolicyGUID from the system
+ aliases: -rp
+ --list-policies
+ Dump information about all policies on the system, whether they be active or not
+ aliases: -lp
+----------------------------- Token Commands ---------------------------------
+ --add-token Path/To/Token/File [--token-id ID]
+ Deploy a token onto the current system, with an optional specific ID
+ If [ID] is specified, a pre-existing token with [ID] should not exist.
+ aliases:-at
+ --remove-token ID
+ Remove a Token indicated by ID from the system.
+ aliases: -rt
+ --list-tokens
+ Dump information about all tokens on the system
+ aliases: -lt
+----------------------------- Misc Commands ---------------------------------
+ --device-id
+ Dump the Code Integrity Device Id
+ aliases: -id
+ --refresh
+ Attempt to Refresh CI Policies
+ aliases: -r
+ --help
+ Display this message
+ aliases: -h
+```
\ No newline at end of file
From 7cf1059272a5cc7944c094549155dc2f401c6254 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 12:40:06 -0700
Subject: [PATCH 02/24] Update code-integrity-policy-commands.md

---
 .../code-integrity-policy-commands.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index ffc8f5349b..0c216575ab 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -60,7 +60,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 
 #Example 1: Update Policy/Deploy
 Extract BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip into C:\windows\system32
-```powershell```
+```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
 
@@ -104,14 +104,14 @@ Commands:
 ```
 
 #Example 2: Refresh the policy
-```powershell```
+```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\Windows\System32>.\CITool.exe --refresh
 Operation Successful
 ```
 
 #Example 3: Remove the policy
-```powershell```
+```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}
 Usage: CiTool.exe COMMAND [-json]
@@ -154,7 +154,7 @@ Press Enter to Exit
 ```
 
 #Example 4: Display help
-```powershell```
+```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\windows\system32> .\CITool.exe -h
 
From 339a934dbe21a9544d55bb06b8f3bbc5a246269b Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 13:02:16 -0700
Subject: [PATCH 03/24] Update code-integrity-policy-commands.md

---
 .../code-integrity-policy-commands.md | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 0c216575ab..ec6ca8c21b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -15,53 +15,53 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 
 # Policy Commands
 
-| Command:| --update-policy /Path/To/Policy/File |
+| Command:|--update-policy /Path/To/Policy/File |
 | Description: | Add or update a policy on the current system |
 | Alias: | -up |
 
-| Command:| --remove-policy PolicyGUID |
+| Command:|--remove-policy PolicyGUID |
 | Description: | Remove a policy indicated by PolicyGUID from the system |
 | Alias: | -rp |
 
-| Command:| --list-policies |
+| Command:|--list-policies |
 | Description: | Dump information about all policies on the system, whether they be active or not |
 | Alias: | -lp |
 
 # Token Commands
 
-| Command:| --add-token Path/To/Token/File [--token-id ID] |
+| Command:|--add-token Path/To/Token/File [--token-id ID] |
 | Description: | Deploy a token onto the current system, with an optional specific ID. |
 | Alias: | -at |
 >[!NOTE] If [ID] is specified, a pre-existing token with [ID] should not exist.
 
-| Command:| --remove-token ID |
+| Command:|--remove-token ID |
 | Description: | Remove a Token indicated by ID from the system.
|
 | Alias: | -rt |
 
-| Command:| --list-tokens |
+| Command:|--list-tokens |
 | Description: | Dump information about all tokens on the system |
 | Alias: | -lt |
 
 # Miscellaneous Commands
 
-| Command:| --device-id |
+| Command:|--device-id |
 | Description: | Dump the Code Integrity Device Id |
 | Alias: | -id |
 
-| Command:| --refresh |
+| Command:|--refresh |
 | Description: | Attempt to Refresh CI Policies |
 | Alias: | -r |
 
-| Command:| --help |
+| Command:|--help |
 | Description: | Display help |
 | Alias: | -h |
 
 #Examples
 
 #Example 1: Update Policy/Deploy
-Extract BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip into C:\windows\system32
+Extract policy file to C:\windows\system32
 ```powershell
-PS C:\Users\[USER] cd \windows\system32
+PS C:\Users\ cd \windows\system32
 PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
 
 C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip
From 5e833309c0555d2cfcd98a89073028fcbb49c98b Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 14:49:17 -0700
Subject: [PATCH 04/24] Update code-integrity-policy-commands.md

---
 .../code-integrity-policy-commands.md | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index ec6ca8c21b..4c153b656b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -13,7 +13,7 @@ ms.custom: template-how-to
 
 Generates Policy Commands, Token Commands, and Miscellaneous Commands for user mode code and drivers.
 
-# Policy Commands
+## Policy Commands
 
 | Command:|--update-policy /Path/To/Policy/File |
 | Description: | Add or update a policy on the current system |
@@ -27,7 +27,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Description: | Dump information about all policies on the system, whether they be active or not |
 | Alias: | -lp |
 
-# Token Commands
+## Token Commands
 
 | Command:|--add-token Path/To/Token/File [--token-id ID] |
 | Description: | Deploy a token onto the current system, with an optional specific ID. |
@@ -42,7 +42,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Description: | Dump information about all tokens on the system |
 | Alias: | -lt |
 
-# Miscellaneous Commands
+## Miscellaneous Commands
 
 | Command:|--device-id |
 | Description: | Dump the Code Integrity Device Id |
@@ -56,16 +56,16 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Description: | Display help |
 | Alias: | -h |
 
-#Examples
+## Examples
 
-#Example 1: Update Policy/Deploy
+1. Update Policy/Deploy
 Extract policy file to C:\windows\system32
 ```powershell
 PS C:\Users\ cd \windows\system32
 PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
 
 C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip
-Usage: CiTool.exe COMMAND [-json]
+Usage: CiTool.exe COMMAND [Command-Options] [-json]
 Commands:
 ----------------------------- Policy Commands ---------------------------------
 --update-policy /Path/To/Policy/File
@@ -103,18 +103,18 @@ Commands:
 Format output as json and suppress input
 ```
 
-#Example 2: Refresh the policy
+2. Refresh the policy
 ```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\Windows\System32>.\CITool.exe --refresh
 Operation Successful
 ```
 
-#Example 3: Remove the policy
+3. Remove the policy
 ```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}
-Usage: CiTool.exe COMMAND [-json]
+Usage: CiTool.exe COMMAND [Command-Options] [-json]
 Commands:
 ----------------------------- Policy Commands ---------------------------------
 --update-policy /Path/To/Policy/File
@@ -153,7 +153,7 @@ Commands:
 Press Enter to Exit
 ```
 
-#Example 4: Display help
+4. Display help
 ```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\windows\system32> .\CITool.exe -h
From 1c0742872c7cd22e4d65fb6523dd15ae6ac08f0f Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 15:50:13 -0700
Subject: [PATCH 05/24] Update code-integrity-policy-commands.md

---
 .../code-integrity-policy-commands.md | 54 +++++++------------
 1 file changed, 20 insertions(+), 34 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 4c153b656b..60d8c53ebe 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -3,7 +3,7 @@ title: CI Policy, Token, and Miscellaneous Commands
 description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands.
 author: valemieux
 ms.author: v-alemieux
-ms.service: WDAC
+ms.service: security
 ms.topic: how-to
 ms.date: 08/07/2022
 ms.custom: template-how-to
@@ -15,46 +15,32 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 
 ## Policy Commands
 
-| Command:|--update-policy /Path/To/Policy/File |
-| Description: | Add or update a policy on the current system |
-| Alias: | -up |
-
-| Command:|--remove-policy PolicyGUID |
-| Description: | Remove a policy indicated by PolicyGUID from the system |
-| Alias: | -rp |
-
-| Command:|--list-policies |
-| Description: | Dump information about all policies on the system, whether they be active or not |
-| Alias: | -lp |
+| Command | Description | Alias |
+| | | |
+|--------|---------|---------|
+|--update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up |
+| --remove-policy PolicyGUID | Remove a policy indicated by PolicyGUID from the system | -rp |
+| --list-policies | Dump information about all policies on the system, whether they be active or not | -lp |
 
 ## Token Commands
 
-| Command:|--add-token Path/To/Token/File [--token-id ID] |
-| Description: | Deploy a token onto the current system, with an optional specific ID. |
-| Alias: | -at |
->[!NOTE] If [ID] is specified, a pre-existing token with [ID] should not exist.
+| Command | Description | Alias |
+| | | |
+|--------|---------|---------|
+|--add-token Path/To/Token/File [--token-id ID] | Deploy a token onto the current system, with an optional specific ID. | -at |
+|--remove-token ID | Remove a Token indicated by ID from the system. | -rt |
+|--list-tokens | Dump information about all tokens on the system | -lt |
 
-| Command:|--remove-token ID |
-| Description: | Remove a Token indicated by ID from the system. |
-| Alias: | -rt |
-
-| Command:|--list-tokens |
-| Description: | Dump information about all tokens on the system |
-| Alias: | -lt |
+>[!NOTE] Regarding --add-token, if <[ID]> is specified, a pre-existing token with [ID] should not exist.
 
 ## Miscellaneous Commands
 
-| Command:|--device-id |
-| Description: | Dump the Code Integrity Device Id |
-| Alias: | -id |
-
-| Command:|--refresh |
-| Description: | Attempt to Refresh CI Policies |
-| Alias: | -r |
-
-| Command:|--help |
-| Description: | Display help |
-| Alias: | -h |
+| Command | Description | Alias |
+| | | |
+|--------|---------|---------|
+|--device-id | Dump the Code Integrity Device ID | -id |
+|--refresh | Attempt to Refresh CI Policies | -r |
+|--help | Display help | -h |
 
 ## Examples
 
From 983d4176fc6500086c88ffb37f383860b4aa6eeb Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 15:54:18 -0700
Subject: [PATCH 06/24] Update code-integrity-policy-commands.md

---
 .../code-integrity-policy-commands.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 60d8c53ebe..6e6a566a5b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -18,7 +18,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Command | Description | Alias |
 | | | |
 |--------|---------|---------|
-|--update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up |
+| --update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up |
 | --remove-policy PolicyGUID | Remove a policy indicated by PolicyGUID from the system | -rp |
 | --list-policies | Dump information about all policies on the system, whether they be active or not | -lp |
 
@@ -27,9 +27,9 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Command | Description | Alias |
 | | | |
 |--------|---------|---------|
-|--add-token Path/To/Token/File [--token-id ID] | Deploy a token onto the current system, with an optional specific ID. | -at |
-|--remove-token ID | Remove a Token indicated by ID from the system. | -rt |
-|--list-tokens | Dump information about all tokens on the system | -lt |
+| --add-token Path/To/Token/File [--token-id ID] | Deploy a token onto the current system, with an optional specific ID. | -at |
+| --remove-token ID | Remove a Token indicated by ID from the system. | -rt |
+| --list-tokens | Dump information about all tokens on the system | -lt |
 
 >[!NOTE] Regarding --add-token, if <[ID]> is specified, a pre-existing token with [ID] should not exist.
 
@@ -38,9 +38,9 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Command | Description | Alias |
 | | | |
 |--------|---------|---------|
-|--device-id | Dump the Code Integrity Device ID | -id |
-|--refresh | Attempt to Refresh CI Policies | -r |
-|--help | Display help | -h |
+| --device-id | Dump the Code Integrity Device ID | -id |
+| --refresh | Attempt to Refresh CI Policies | -r |
+| --help | Display help | -h |
 
 ## Examples
 
From 1b6a574a3b1decfe56105fd33c1813a327a156c9 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 16:03:25 -0700
Subject: [PATCH 07/24] Update code-integrity-policy-commands.md

---
 .../code-integrity-policy-commands.md | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 6e6a566a5b..5a2860c500 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -16,7 +16,6 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 ## Policy Commands
 
 | Command | Description | Alias |
-| | | |
 |--------|---------|---------|
 | --update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up |
 | --remove-policy PolicyGUID | Remove a policy indicated by PolicyGUID from the system | -rp |
@@ -25,18 +24,16 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 ## Token Commands
 
 | Command | Description | Alias |
-| | | |
 |--------|---------|---------|
 | --add-token Path/To/Token/File [--token-id ID] | Deploy a token onto the current system, with an optional specific ID. | -at |
 | --remove-token ID | Remove a Token indicated by ID from the system. | -rt |
 | --list-tokens | Dump information about all tokens on the system | -lt |
 
->[!NOTE] Regarding --add-token, if <[ID]> is specified, a pre-existing token with [ID] should not exist.
+>[!NOTE] Regarding --add-token, if <[ID]> is specified, a pre-existing token with <[ID]> should not exist.
 
 ## Miscellaneous Commands
 
 | Command | Description | Alias |
-| | | |
 |--------|---------|---------|
 | --device-id | Dump the Code Integrity Device ID | -id |
 | --refresh | Attempt to Refresh CI Policies | -r |
From 50179c0bbd6ef5f34eec6eb54c18d9fe45ba329e Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 16:10:09 -0700
Subject: [PATCH 08/24] Update code-integrity-policy-commands.md

---
 .../code-integrity-policy-commands.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 5a2860c500..8b250ca2cd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -29,7 +29,8 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | --remove-token ID | Remove a Token indicated by ID from the system. | -rt |
 | --list-tokens | Dump information about all tokens on the system | -lt |
 
->[!NOTE] Regarding --add-token, if <[ID]> is specified, a pre-existing token with <[ID]> should not exist.
+>[!NOTE]
+>Regarding --add-token, if <[ID]> is specified, a pre-existing token with <[ID]> should not exist.
 
 ## Miscellaneous Commands
 
From d3f84d880855ff613991931f6382308127c5a37e Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 23:56:41 -0700
Subject: [PATCH 09/24] Update code-integrity-policy-commands.md

---
 .../code-integrity-policy-commands.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 8b250ca2cd..0d60465937 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -30,7 +30,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | --list-tokens | Dump information about all tokens on the system | -lt |
 
 >[!NOTE]
->Regarding --add-token, if <[ID]> is specified, a pre-existing token with <[ID]> should not exist.
+>Regarding --add-token, if [ID] is specified, a pre-existing token with [ID] should not exist.
 
 ## Miscellaneous Commands
 
@@ -42,8 +42,11 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 
 ## Examples
 
-1. Update Policy/Deploy
-Extract policy file to C:\windows\system32
+>[!NOTE]
+>The following examples assume you have extracted the policy file {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip to C:\windows\system32
+
+1. Update Policy
+
 ```powershell
 PS C:\Users\ cd \windows\system32
 PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
From ac2c8afe45fb23442416240ac05719e1e6361df9 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 22 Aug 2022 11:26:07 -0700
Subject: [PATCH 10/24] Update code-integrity-policy-commands.md

---
 .../code-integrity-policy-commands.md | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 0d60465937..1f7042ee0c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -2,14 +2,15 @@
 title: CI Policy, Token, and Miscellaneous Commands
 description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands.
 author: valemieux
-ms.author: v-alemieux
+ms.author: jgeurten
 ms.service: security
+ms.reviewer: jgeurten
 ms.topic: how-to
 ms.date: 08/07/2022
 ms.custom: template-how-to
 ---
 
-# CIPolicyCommands
+# Manage WDAC Policies with CI Tool
 
 Generates Policy Commands, Token Commands, and Miscellaneous Commands for user mode code and drivers.
 
@@ -19,7 +20,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 |--------|---------|---------|
 | --update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up |
 | --remove-policy PolicyGUID | Remove a policy indicated by PolicyGUID from the system | -rp |
-| --list-policies | Dump information about all policies on the system, whether they be active or not | -lp |
+| --list-policies | Dump information about all policies on the system, whether they are active or not | -lp |
 
 ## Token Commands
 
@@ -37,18 +38,17 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Command | Description | Alias |
 |--------|---------|---------|
 | --device-id | Dump the Code Integrity Device ID | -id |
-| --refresh | Attempt to Refresh CI Policies | -r |
-| --help | Display help | -h |
+| --refresh | Attempt to Refresh WDAC Policies | -r |
+| --help | Display the tool's help menu | -h |
 
 ## Examples
 
 >[!NOTE]
 >The following examples assume you have extracted the policy file {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip to C:\windows\system32
 
-1. Update Policy
+1. Deploy a WDAC policy onto the system
 
 ```powershell
-PS C:\Users\ cd \windows\system32
 PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
 
 C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip
@@ -90,14 +90,14 @@ Commands:
 Format output as json and suppress input
 ```
 
-2. Refresh the policy
+2. Refresh the WDAC policies in the \Windows\system32\CodeIntegrity\CiPolicies\Active folder
 ```powershell
-PS C:\Users\[USER] cd \windows\system32
-PS C:\Windows\System32>.\CITool.exe --refresh
+PS C:\Users\[USER] cd \Windows\system32\CodeIntegrity\CiPolicies\Active
+PS C:\Windows\System32\CodeIntegrity\CiPolicies\Active>.\CITool --refresh
 Operation Successful
 ```
 
-3. Remove the policy
+3. Remove a specific WDAC policy by GUID
 ```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}
@@ -140,7 +140,7 @@ Commands:
 Press Enter to Exit
 ```
 
-4. Display help
+4. Display the help menu
 ```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\windows\system32> .\CITool.exe -h
From acfd907b5b12ca8cd8315e6c0d59eb4d60eff9c7 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 22 Aug 2022 11:37:43 -0700
Subject: [PATCH 11/24] Update code-integrity-policy-commands.md

---
 .../code-integrity-policy-commands.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 1f7042ee0c..b722b9fcff 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -2,9 +2,9 @@
 title: CI Policy, Token, and Miscellaneous Commands
 description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands.
 author: valemieux
-ms.author: jgeurten
+ms.author: jogeurte
 ms.service: security
-ms.reviewer: jgeurten
+ms.reviewer: jogeurte
 ms.topic: how-to
 ms.date: 08/07/2022
 ms.custom: template-how-to
From 5162802ca0ba64302851eea4fe306b0002abb09e Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Sun, 11 Sep 2022 22:56:37 -0700
Subject: [PATCH 12/24] Updating descriptions, titles, file name, and capitalization

---
 ...egrity-policy-commands.md => citool-commands.md} | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
 rename windows/security/threat-protection/windows-defender-application-control/{code-integrity-policy-commands.md => citool-commands.md} (94%)

diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
rename to windows/security/threat-protection/windows-defender-application-control/citool-commands.md
index b722b9fcff..86d7700fd0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md
@@ -1,6 +1,6 @@
 ---
-title: CI Policy, Token, and Miscellaneous Commands
-description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands.
+title: Managing CI Policies and Tokens with CiTool
+description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
 author: valemieux
 ms.author: jogeurte
 ms.service: security
@@ -43,16 +43,13 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m ## Examples ->[!NOTE] ->The following examples assume you have extracted the policy file {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip to C:\windows\system32 - 1. Deploy a WDAC policy onto the system ```powershell PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -Usage: CiTool.exe COMMAND [Command-Options] [-json] +Usage: CiTool COMMAND [Command-Options] [-json] Commands: ----------------------------- Policy Commands --------------------------------- --update-policy /Path/To/Policy/File @@ -90,14 +87,14 @@ Commands: Format output as json and suppress input ``` -2. Refresh the WDAC policies in the \Windows\system32\CodeIntegrity\CiPolicies\Active folder +2. Refresh the WDAC policies in the \Windows\System32\CodeIntegrity\CiPolicies\Active folder ```powershell PS C:\Users\[USER] cd \Windows\system32\CodeIntegrity\CiPolicies\Active PS C:\Windows\System32\CodeIntegrity\CiPolicies\Active>.\CITool --refresh Operation Successful ``` -3. Remove a specific WDAC policy by GUID +3. Remove a specific WDAC policy by its policy ID ```powershell PS C:\Users\[USER] cd \windows\system32 PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B} From fbe5214a3d411a126818c7fd10650995b8a0607e Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Sun, 11 Sep 2022 23:02:01 -0700 Subject: [PATCH 13/24] Update TOC.yml --- .../windows-defender-application-control/TOC.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index cc2387f639..e38c8944b3 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -86,8 +86,8 @@ href: merge-windows-defender-application-control-policies.md - name: Enforce WDAC policies href: enforce-windows-defender-application-control-policies.md - - name: Code Integrity Policy, Token, and Miscellaneous Commands - href: code-integrity-policy-commands.md + - name: Managing WDAC Policies with CI Tool + href: citool-commands.md - name: Use code signing to simplify application control for classic Windows applications href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md items: From eadad34b16f30d1a888db1a8b073a4e6c46f8cce Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 12 Sep 2022 22:14:44 -0700 Subject: [PATCH 14/24] Update citool-commands.md --- .../citool-commands.md | 97 +++---------------- 1 file changed, 12 insertions(+), 85 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md index 86d7700fd0..94c0be2807 100644 --- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md 
@@ -10,9 +10,10 @@ ms.date: 08/07/2022 ms.custom: template-how-to --- -# Manage WDAC Policies with CI Tool +# Manage Windows Defender Application Control (WDAC) Policies with CI Tool -Generates Policy Commands, Token Commands, and Miscellaneous Commands for user mode code and drivers. +CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. +This article will describe how to use CI Tool to update and manage policies. CI Tool is now included in box as part of Windows and can be interacted with in the command line. ## Policy Commands 
@@ -46,101 +47,27 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m 1. Deploy a WDAC policy onto the system ```powershell -PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up - -C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -Usage: CiTool COMMAND [Command-Options] [-json] -Commands: ------------------------------ Policy Commands --------------------------------- - --update-policy /Path/To/Policy/File - Add or update a policy on the current system - aliases: -up - --remove-policy PolicyGUID - Remove a policy indicated by PolicyGUID from the system - aliases: -rp - --list-policies - Dump information about all policies on the system, whether they be active or not - aliases: -lp ------------------------------ Token Commands --------------------------------- - --add-token Path/To/Token/File [--token-id ID] - Deploy a token onto the current system, with an optional specific ID - If [ID] is specified, a pre-existing token with [ID] should not exist. - aliases:-at - --remove-token ID - Remove a Token indicated by ID from the system. - aliases: -rt - --list-tokens - Dump information about all tokens on the system - aliases: -lt ------------------------------ Misc Commands --------------------------------- - --device-id - Dump the Code Integrity Device Id - aliases: -id - --refresh - Attempt to Refresh CI Policies - aliases: -r - --help - Display this message - aliases: -h ------------------------------ Global Flags--------------------------------- - -json - Format output as json and suppress input +PS C:\Users\[USER] CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" +Operation Successful +Press Enter to Continue ``` -2. Refresh the WDAC policies in the \Windows\System32\CodeIntegrity\CiPolicies\Active folder +2. 
Refresh the WDAC policies ```powershell -PS C:\Users\[USER] cd \Windows\system32\CodeIntegrity\CiPolicies\Active -PS C:\Windows\System32\CodeIntegrity\CiPolicies\Active>.\CITool --refresh +PS C:\Users\[USER] CITool --refresh Operation Successful ``` 3. Remove a specific WDAC policy by its policy ID ```powershell -PS C:\Users\[USER] cd \windows\system32 -PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B} -Usage: CiTool.exe COMMAND [Command-Options] [-json] -Commands: ------------------------------ Policy Commands --------------------------------- - --update-policy /Path/To/Policy/File - Add or update a policy on the current system - aliases: -up - --remove-policy PolicyGUID - Remove a policy indicated by PolicyGUID from the system - aliases: -rp - --list-policies - Dump information about all policies on the system, whether they be active or not - aliases: -lp ------------------------------ Token Commands --------------------------------- - --add-token Path/To/Token/File [--token-id ID] - Deploy a token onto the current system, with an optional specific ID - If [ID] is specified, a pre-existing token with [ID] should not exist. - aliases:-at - --remove-token ID - Remove a Token indicated by ID from the system. - aliases: -rt - --list-tokens - Dump information about all tokens on the system - aliases: -lt ------------------------------ Misc Commands --------------------------------- - --device-id - Dump the Code Integrity Device Id - aliases: -id - --refresh - Attempt to Refresh CI Policies - aliases: -r - --help - Display this message - aliases: -h ------------------------------ Global Flags--------------------------------- - -json - Format output as json and suppress input -Press Enter to Exit +PS C:\Users\[USER] CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" +Operation Successful +Press Enter to Continue ``` 4. 
Display the help menu ```powershell -PS C:\Users\[USER] cd \windows\system32 -PS C:\windows\system32> .\CITool.exe -h +PS C:\Users\[USER] CITool -h ----------------------------- Policy Commands --------------------------------- --update-policy /Path/To/Policy/File From 5090368490df98a7b2ce3019598992097b66a421 Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Thu, 15 Sep 2022 06:06:46 -0700 Subject: [PATCH 15/24] Update citool-commands.md --- .../citool-commands.md | 108 +++++++++--------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md index 94c0be2807..846e91f229 100644 --- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md 
@@ -19,20 +19,20 @@ This article will describe how to use CI Tool to update and manage policies. CI | Command | Description | Alias | |--------|---------|---------| -| --update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up | -| --remove-policy PolicyGUID | Remove a policy indicated by PolicyGUID from the system | -rp | +| --update-policy | Add or update a policy on the current system | -up | +| --remove-policy | Remove a policy indicated by PolicyGUID from the system | -rp | | --list-policies | Dump information about all policies on the system, whether they are active or not | -lp | ## Token Commands | Command | Description | Alias | |--------|---------|---------| -| --add-token Path/To/Token/File [--token-id ID] | Deploy a token onto the current system, with an optional specific ID. | -at | -| --remove-token ID | Remove a Token indicated by ID from the system. | -rt | +| --add-token <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at | +| --remove-token | Remove a Token indicated by ID from the system. | -rt | | --list-tokens | Dump information about all tokens on the system | -lt | >[!NOTE] ->Regarding --add-token, if [ID] is specified, a pre-existing token with [ID] should not exist. +>Regarding --add-token, if is specified, a pre-existing token with should not exist. ## Miscellaneous Commands 
@@ -46,58 +46,58 @@ This article will describe how to use CI Tool to update and manage policies. CI 1. Deploy a WDAC policy onto the system -```powershell -PS C:\Users\[USER] CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" -Operation Successful -Press Enter to Continue -``` + ```powershell + PS C:\Users\ CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" + Operation Successful + Press Enter to Continue + ``` 2. Refresh the WDAC policies -```powershell -PS C:\Users\[USER] CITool --refresh -Operation Successful -``` + ```powershell + PS C:\Users\ CITool --refresh + Operation Successful + ``` 3. Remove a specific WDAC policy by its policy ID -```powershell -PS C:\Users\[USER] CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" -Operation Successful -Press Enter to Continue -``` + ```powershell + PS C:\Users\ CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" + Operation Successful + Press Enter to Continue + ``` 4. Display the help menu -```powershell -PS C:\Users\[USER] CITool -h - ------------------------------ Policy Commands --------------------------------- - --update-policy /Path/To/Policy/File - Add or update a policy on the current system - aliases: -up - --remove-policy PolicyGUID - Remove a policy indicated by PolicyGUID from the system - aliases: -rp - --list-policies - Dump information about all policies on the system, whether they be active or not - aliases: -lp ------------------------------ Token Commands --------------------------------- - --add-token Path/To/Token/File [--token-id ID] - Deploy a token onto the current system, with an optional specific ID - If [ID] is specified, a pre-existing token with [ID] should not exist. - aliases:-at - --remove-token ID - Remove a Token indicated by ID from the system. 
- aliases: -rt - --list-tokens - Dump information about all tokens on the system - aliases: -lt ------------------------------ Misc Commands --------------------------------- - --device-id - Dump the Code Integrity Device Id - aliases: -id - --refresh - Attempt to Refresh CI Policies - aliases: -r - --help - Display this message - aliases: -h -``` \ No newline at end of file + ```powershell + PS C:\Users\ CITool -h + + ----------------------------- Policy Commands --------------------------------- + --update-policy /Path/To/Policy/File + Add or update a policy on the current system + aliases: -up + --remove-policy PolicyGUID + Remove a policy indicated by PolicyGUID from the system + aliases: -rp + --list-policies + Dump information about all policies on the system, whether they be active or not + aliases: -lp + ----------------------------- Token Commands --------------------------------- + --add-token Path/To/Token/File <--token-id ID> + Deploy a token onto the current system, with an optional specific ID + If is specified, a pre-existing token with should not exist. + aliases:-at + --remove-token ID + Remove a Token indicated by ID from the system. + aliases: -rt + --list-tokens + Dump information about all tokens on the system + aliases: -lt + ----------------------------- Misc Commands --------------------------------- + --device-id + Dump the Code Integrity Device Id + aliases: -id + --refresh + Attempt to Refresh CI Policies + aliases: -r + --help + Display this message + aliases: -h + ``` \ No newline at end of file From a688596c20e384aeb0d155ee6aea04f88c806dd8 Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Thu, 15 Sep 2022 06:20:29 -0700 Subject: [PATCH 16/24] Update understanding-wdac-policy-settings.md --- .../understanding-wdac-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index c731e404ee..51cbc36d46 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -15,7 +15,7 @@ ms.reviewer: jgeurten ms.author: dansimp manager: dansimp ms.date: 10/11/2021 -ms.technology: mde +ms.technology: m365-security --- # Understanding WDAC Policy Settings From fe57e235a41a04d9aaf0091090a33c1f81ac557c Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 19 Sep 2022 10:22:54 -0700 Subject: [PATCH 17/24] Update citool-commands.md --- .../windows-defender-application-control/citool-commands.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md index 846e91f229..0ce1cdebb9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md 
@@ -13,7 +13,7 @@ ms.custom: template-how-to # Manage Windows Defender Application Control (WDAC) Policies with CI Tool CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. -This article will describe how to use CI Tool to update and manage policies. CI Tool is now included in box as part of Windows and can be interacted with in the command line. +This article will describe how to use CI Tool to update and manage policies. CI Tool will be included in box as part of Windows in the January lifecycle update and will be able to be interacted with in the command line. ## Policy Commands From d5c489b33139c3ba32240bd7325d69d567f8ee20 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 3 Oct 2022 12:52:10 -0400 Subject: [PATCH 18/24] migration details added --- .../hello-hybrid-cloud-kerberos-trust.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 7e64879acd..a527856529 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md 
@@ -231,6 +231,24 @@ After a successful MFA, the provisioning flow asks the user to create and valida Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity. +## Migrate to cloud Kerberos trust + +If you deployed WHFB using the **key trust** deployment model and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps: + +1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) +1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails + +There is no migration path from certificate trust deployment to cloud Kerberos trust deployment. You will need to clean up existing deployments and redeploy by following these steps: + +1. Disable the certificate trust policy +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) +1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context +1. Reboot or sign out and sign back in +1. 
Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint) + > [!NOTE] + > For hybrid Azure AD joined devices, sign in with new credential with line of sight to a DC + ## Troubleshooting If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps: From 8fffa31475c4f74e4a633018cba86a275b9b4038 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 3 Oct 2022 13:52:05 -0400 Subject: [PATCH 19/24] updates --- .../hello-hybrid-cloud-kerberos-trust.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index a527856529..7d8fde93c4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md 
@@ -231,23 +231,29 @@ After a successful MFA, the provisioning flow asks the user to create and valida Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity. -## Migrate to cloud Kerberos trust +## Migrate from key trust deployment model to cloud Kerberos trust -If you deployed WHFB using the **key trust** deployment model and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps: +If you deployed WHFB using the **key trust** deployment model, and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps: 1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) 1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails -There is no migration path from certificate trust deployment to cloud Kerberos trust deployment. You will need to clean up existing deployments and redeploy by following these steps: +## Migrate from certificate trust deployment model to cloud Kerberos trust + +> [!IMPORTANT] +> There is no direct migration path from certificate trust deployment to cloud Kerberos trust deployment. + +If you have deployed WHFB using a **certificate trust** deployment model, and want to use **cloud Kerberos trust**, you will need to clean up the existing deployments and redeploy by following these steps: 1. Disable the certificate trust policy 1. 
[Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) 1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context 1. Reboot or sign out and sign back in 1. Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint) - > [!NOTE] - > For hybrid Azure AD joined devices, sign in with new credential with line of sight to a DC + +> [!NOTE] +> For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC ## Troubleshooting From cd91384d768924fd386756378d9086a90746e78c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 3 Oct 2022 13:58:49 -0400 Subject: [PATCH 20/24] updates --- .../hello-for-business/hello-hybrid-cloud-kerberos-trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 7d8fde93c4..b953d1d21e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -253,7 +253,7 @@ If you have deployed WHFB using a **certificate trust** deployment model, and wa 1. Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint) > [!NOTE] -> For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC +> For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC. ## Troubleshooting From d05c3d058bcd5eae5a5fd6f4e5805ba94f66cce6 Mon Sep 17 00:00:00 2001 
From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 3 Oct 2022 11:35:56 -0700 Subject: [PATCH 21/24] Update citool-commands.md --- .../windows-defender-application-control/citool-commands.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md index 0ce1cdebb9..fa19bafcc1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md @@ -13,7 +13,7 @@ ms.custom: template-how-to # Manage Windows Defender Application Control (WDAC) Policies with CI Tool CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. -This article will describe how to use CI Tool to update and manage policies. CI Tool will be included in box as part of Windows in the January lifecycle update and will be able to be interacted with in the command line. +This article will describe how to use CI Tool to update and manage policies. CI Tool is currently included in box in Windows 11 22H2. ## Policy Commands From 22c922368f1855c9a625c59c4257ec4830cf6200 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 3 Oct 2022 15:18:49 -0400 Subject: [PATCH 22/24] Update understanding-wdac-policy-settings.md --- .../understanding-wdac-policy-settings.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index f53094948b..c34e12aad8 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -2,7 +2,6 @@ title: Understanding Windows Defender Application Control (WDAC) secure settings description: Learn about secure settings in Windows Defender Application Control. ms.prod: windows-client -ms.technology: itpro-security ms.localizationpriority: medium ms.collection: M365-security-compliance author: jgeurten From 6bd03639dffe3486af77a0a2787313d837dad889 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 3 Oct 2022 15:22:21 -0400 Subject: [PATCH 23/24] Update citool-commands.md --- .../citool-commands.md | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md index fa19bafcc1..5a2d7b7e72 100644 --- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md 
@@ -12,27 +12,26 @@ ms.custom: template-how-to # Manage Windows Defender Application Control (WDAC) Policies with CI Tool -CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. -This article will describe how to use CI Tool to update and manage policies. CI Tool is currently included in box in Windows 11 22H2. +CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CI Tool to update and manage policies. CI Tool is currently included in Windows 11, version 22H2. ## Policy Commands | Command | Description | Alias | |--------|---------|---------| -| --update-policy | Add or update a policy on the current system | -up | -| --remove-policy | Remove a policy indicated by PolicyGUID from the system | -rp | +| --update-policy `` | Add or update a policy on the current system | -up | +| --remove-policy `` | Remove a policy indicated by PolicyGUID from the system | -rp | | --list-policies | Dump information about all policies on the system, whether they are active or not | -lp | ## Token Commands | Command | Description | Alias | |--------|---------|---------| -| --add-token <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at | -| --remove-token | Remove a Token indicated by ID from the system. | -rt | +| --add-token `` <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at | +| --remove-token `` | Remove a Token indicated by ID from the system. | -rt | | --list-tokens | Dump information about all tokens on the system | -lt | ->[!NOTE] ->Regarding --add-token, if is specified, a pre-existing token with should not exist. 
+> [!NOTE] +> Regarding --add-token, if `` is specified, a pre-existing token with `` should not exist. ## Miscellaneous Commands @@ -49,16 +48,18 @@ This article will describe how to use CI Tool to update and manage policies. CI ```powershell PS C:\Users\ CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" Operation Successful - Press Enter to Continue + Press Enter to Continue ``` 2. Refresh the WDAC policies + ```powershell PS C:\Users\ CITool --refresh Operation Successful ``` 3. Remove a specific WDAC policy by its policy ID + ```powershell PS C:\Users\ CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" Operation Successful @@ -66,9 +67,10 @@ This article will describe how to use CI Tool to update and manage policies. CI ``` 4. Display the help menu + ```powershell PS C:\Users\ CITool -h - + ----------------------------- Policy Commands --------------------------------- --update-policy /Path/To/Policy/File Add or update a policy on the current system @@ -100,4 +102,4 @@ This article will describe how to use CI Tool to update and manage policies. CI --help Display this message aliases: -h - ``` \ No newline at end of file + ``` From 6404eaa028e9ed7db6036fb82264b2a54e97f3c3 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 3 Oct 2022 15:27:00 -0400 Subject: [PATCH 24/24] Update understanding-wdac-policy-settings.md --- .../understanding-wdac-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index c34e12aad8..2f9f3c81b4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -9,7 +9,7 @@ ms.reviewer: vinpa ms.author: jogeurte manager: aaroncz ms.date: 10/11/2021 -ms.technology: m365-security +ms.technology: itpro-security --- # Understanding WDAC Policy Settings